
Apply all open Dependabot dependency updates for /client #176

Draft
Copilot wants to merge 2 commits into main from copilot/update-dependencies-from-dependabot


Copilot AI commented Mar 1, 2026

Four open Dependabot PRs recommended npm dependency updates in /client. All have been consolidated into a single update, including resolution of a high severity security vulnerability in rollup.

Dependency updates

| Package | From | To |
| --- | --- | --- |
| astro | ^5.15.1 | ^5.17.2 |
| @astrojs/node | ^9.5.2 | ^9.5.3 |
| svelte | ^5.49.1 | ^5.53.6 |
| @types/node | ^24.3.1 | ^25.2.2 |
| rollup (transitive) | 4.35.0 | 4.59.0 |

⚠️ Security: rollup high severity CVE

Dependabot PR #174 surfaced a high severity vulnerability in rollup 4.0.0–4.58.0: GHSA-mw96-cpmx-2vgc — Arbitrary File Write via Path Traversal. Since rollup is a transitive dependency (pulled in by vite/astro), it was not pinned in package.json and was not updated by npm install alone. npm audit fix was required to force resolution to 4.59.0 where the vulnerability is patched.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/pets-workshop/pets-workshop/client/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:



Co-authored-by: GeekTrainer <6109729+GeekTrainer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update application dependencies as recommended by Dependabot" to "Apply all open Dependabot dependency updates for /client" Mar 1, 2026
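
A transitive dependency like rollup is recorded only in the lockfile, so that is where to confirm the resolved version has left the affected range. The following check is an added example, not code from this pull request or repository: it walks the `packages` map of an npm lockfile (v2/v3 layout) and reports every installed copy of rollup within 4.0.0 to 4.58.0, the range given in the comment above. The lockfile fragments and the names `findVulnerable`, `before` and `after` are constructed for illustration.

```javascript
// Added example. Range taken from the PR text: rollup 4.0.0 through 4.58.0.
const VULN = { name: "rollup", min: [4, 0, 0], max: [4, 58, 0] };

// Parse "major.minor.patch" into numbers, ignoring any prerelease/build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Keys of "packages" are install paths such as
// "node_modules/vite/node_modules/rollup", so nested copies are caught too.
function findVulnerable(lock, rule = VULN) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project itself
    if (path.slice(idx + "node_modules/".length) !== rule.name) continue;
    const v = parseVersion(entry.version);
    if (!v) { hits.push({ path, version: entry.version, reason: "unparseable" }); continue; }
    if (compare(v, rule.min) >= 0 && compare(v, rule.max) <= 0) {
      hits.push({ path, version: entry.version, reason: "in vulnerable range" });
    }
  }
  return hits;
}

// Constructed lockfile fragments (not taken from the repository).
const before = { lockfileVersion: 3, packages: {
  "": { name: "client", dependencies: { astro: "^5.17.2" } },
  "node_modules/astro": { version: "5.17.2" },
  "node_modules/rollup": { version: "4.35.0" },
  "node_modules/vite/node_modules/rollup": { version: "4.58.0" },
} };
const after = { lockfileVersion: 3, packages: {
  "": { name: "client", dependencies: { astro: "^5.17.2" } },
  "node_modules/astro": { version: "5.17.2" },
  "node_modules/rollup": { version: "4.59.0" },
} };

console.log(findVulnerable(before)); // two hits: hoisted and nested copy
console.log(findVulnerable(after));  // no hits
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findVulnerable` and fail the CI job when the returned list is non-empty.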