will do a separte PR for changes which would require code changes so
it's easier to review , didn't upgrade any deps for `@uppy/aws-s3` since
we'll merge the rewrite so I think we should do that upgrade in the
rewrite branch before merging.
update : Dependency upgrades which required code changes were raised
separately
- #6309
- #6310
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Bumps
[@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit)
from 2.20.7 to 2.49.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/releases"><code>@sveltejs/kit</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@sveltejs/kit</code><a
href="https://github.com/2"><code>@2</code></a>.49.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid overriding Vite default <code>base</code> when running
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/14866">#14866</a>)</p>
</li>
<li>
<p>fix: ensure url decoded pathnames are not mistaken as rerouted
requests (<a
href="d9ae9b00b1"><code>d9ae9b0</code></a>)</p>
</li>
<li>
<p>fix: add length checks to remote forms (<a
href="8ed8155215"><code>8ed8155</code></a>)</p>
</li>
</ul>
<h2><code>@sveltejs/kit</code><a
href="https://github.com/2"><code>@2</code></a>.49.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: support instrumentation for <code>vite preview</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15105">#15105</a>)</p>
</li>
<li>
<p>fix: support for <code>URLSearchParams.has(name, value)</code>
overload (<a
href="https://redirect.github.com/sveltejs/kit/pull/15076">#15076</a>)</p>
</li>
<li>
<p>fix: put forking behind <code>experimental.forkPreloads</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15135">#15135</a>)</p>
</li>
</ul>
<h2><code>@sveltejs/kit</code><a
href="https://github.com/2"><code>@2</code></a>.49.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid false-positive Vite config overridden warning when using
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/15121">#15121</a>)</p>
</li>
<li>
<p>fix: add <code>typescript</code> as an optional peer dependency (<a
href="https://redirect.github.com/sveltejs/kit/pull/15074">#15074</a>)</p>
</li>
<li>
<p>fix: use hasOwn check when deep-setting object properties (<a
href="https://redirect.github.com/sveltejs/kit/pull/15127">#15127</a>)</p>
</li>
</ul>
<h2><code>@sveltejs/kit</code><a
href="https://github.com/2"><code>@2</code></a>.49.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: Stop re-loading already-loaded CSS during server-side route
resolution (<a
href="https://redirect.github.com/sveltejs/kit/pull/15014">#15014</a>)</p>
</li>
<li>
<p>fix: posixify the instrumentation file import on Windows (<a
href="https://redirect.github.com/sveltejs/kit/pull/14993">#14993</a>)</p>
</li>
<li>
<p>fix: Correctly handle shared memory when decoding binary form data
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15028">#15028</a>)</p>
</li>
</ul>
<h2><code>@sveltejs/kit</code><a
href="https://github.com/2"><code>@2</code></a>.49.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>fix: suppress <code>state_referenced_locally</code> warnings in
<code>.svelte-kit/generated/root.svelte</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15013">#15013</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md"><code>@sveltejs/kit</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>2.49.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid overriding Vite default <code>base</code> when running
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/14866">#14866</a>)</p>
</li>
<li>
<p>fix: ensure url decoded pathnames are not mistaken as rerouted
requests (<a
href="d9ae9b00b1"><code>d9ae9b0</code></a>)</p>
</li>
<li>
<p>fix: add length checks to remote forms (<a
href="8ed8155215"><code>8ed8155</code></a>)</p>
</li>
</ul>
<h2>2.49.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: support instrumentation for <code>vite preview</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15105">#15105</a>)</p>
</li>
<li>
<p>fix: support for <code>URLSearchParams.has(name, value)</code>
overload (<a
href="https://redirect.github.com/sveltejs/kit/pull/15076">#15076</a>)</p>
</li>
<li>
<p>fix: put forking behind <code>experimental.forkPreloads</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15135">#15135</a>)</p>
</li>
</ul>
<h2>2.49.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid false-positive Vite config overridden warning when using
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/15121">#15121</a>)</p>
</li>
<li>
<p>fix: add <code>typescript</code> as an optional peer dependency (<a
href="https://redirect.github.com/sveltejs/kit/pull/15074">#15074</a>)</p>
</li>
<li>
<p>fix: use hasOwn check when deep-setting object properties (<a
href="https://redirect.github.com/sveltejs/kit/pull/15127">#15127</a>)</p>
</li>
</ul>
<h2>2.49.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: Stop re-loading already-loaded CSS during server-side route
resolution (<a
href="https://redirect.github.com/sveltejs/kit/pull/15014">#15014</a>)</p>
</li>
<li>
<p>fix: posixify the instrumentation file import on Windows (<a
href="https://redirect.github.com/sveltejs/kit/pull/14993">#14993</a>)</p>
</li>
<li>
<p>fix: Correctly handle shared memory when decoding binary form data
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15028">#15028</a>)</p>
</li>
</ul>
<h2>2.49.1</h2>
<h3>Patch Changes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="80ffb53382"><code>80ffb53</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15162">#15162</a>)</li>
<li><a
href="8ed8155215"><code>8ed8155</code></a>
Merge commit from fork</li>
<li><a
href="d9ae9b00b1"><code>d9ae9b0</code></a>
Merge commit from fork</li>
<li><a
href="ec4596a066"><code>ec4596a</code></a>
chore: Upgrade devalue (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15172">#15172</a>)</li>
<li><a
href="81cd545dd7"><code>81cd545</code></a>
fix: avoid overriding Vite default <code>base</code> when running Vitest
4 (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/14866">#14866</a>)</li>
<li><a
href="6cf9491ccd"><code>6cf9491</code></a>
chore: remove unused is_http_method helper and method set to (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15152">#15152</a>)</li>
<li><a
href="3305022433"><code>3305022</code></a>
Revert "breaking: remove <code>buttonProps</code> from experimental
remote form function...</li>
<li><a
href="4f9870dd9d"><code>4f9870d</code></a>
breaking: remove <code>buttonProps</code> from experimental remote form
functions (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/14622">#14622</a>)</li>
<li><a
href="c8e4017c3c"><code>c8e4017</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15129">#15129</a>)</li>
<li><a
href="50bf727f59"><code>50bf727</code></a>
chore: fix prettier ignoring source code in with build in the name (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15133">#15133</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.49.5/packages/kit">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by [GitHub Actions](<a
href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a>
Actions), a new releaser for <code>@sveltejs/kit</code> since your
current version.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
To resolve security advisories. Should be merged after #6085
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> Upgrades Playwright to 1.57.0 across examples and packages, updating
corresponding yarn.lock entries.
>
> - **Dependencies**:
> - Bump `playwright` to `1.57.0` in `examples/react/package.json`,
`examples/sveltekit/package.json`, `examples/vue/package.json`,
`packages/@uppy/dashboard/package.json`, and
`packages/@uppy/url/package.json`.
> - Update `yarn.lock` to `playwright@1.57.0` and
`playwright-core@1.57.0`.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
fa35f7b7ea. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
1. don't run browser tests in `headless` mode by default when running
tests individually. because when writing/running tests, i usually want
to see/debug using the browser. if one still wants headless, it's as
easy as: `yarn workspace @uppy/xyz test --browser.headless`. instead
append the `headless` mode when running all tests together - it doesn't
make sense to run all projects' tests without headless mode.
2. don't always run browser tests with `watch`: watch doesn't make sense
when running multiple projects in turbo (one project just blocks the
rest watching for changes). if one still wants to run a single test with
watch mode, it's as easy as: `yarn workspace @uppy/xyz test --watch`
3. don't cache test runs: if I run the `test` command. most of the time
I want to actually run tests (not skip them if they already ran last
time)
4. output logs when running tests. it's nice to see that the tests have
actually run (also on CI)
5. when running all tests, use concurrency=1, because the tests also
includes e2e tests, running multiple browsers in parallel really just
makes the test fail on my computer (and uses a lot of memory)
current output is not very informative:
<img width="840" height="410" alt="Screenshot 2025-10-17 at 17 09 55"
src="https://github.com/user-attachments/assets/9ca8278c-f160-478c-87e2-2ef861ba4bb1"
/>
with this PR:
<img width="672" height="495" alt="Screenshot 2025-10-17 at 17 20 49"
src="https://github.com/user-attachments/assets/1339c96b-d0c1-42e1-8fa1-d5a4a36ea42a"
/>
The fix in #5872 was not enough
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> Fix props reactivity in Svelte components by updating plugin options
reactively and add example + tests validating Dashboard/StatusBar prop
changes.
>
> - **Svelte components (@uppy/svelte)**:
> - **Reactivity fix**: In `components/Dashboard.svelte`,
`DashboardModal.svelte`, and `StatusBar.svelte`, switch reactive updates
from `uppy.setOptions(...)` to `plugin?.setOptions(...)` to ensure
`props` changes are applied.
> - **Examples/Tests**:
> - Add `examples/sveltekit/src/components/test/props-reactivity.svelte`
demonstrating toggling `props` for `Dashboard` and `StatusBar`.
> - Extend `examples/sveltekit/test/index.test.ts` with tests verifying
Dashboard `ariaDisabled` toggles and StatusBar `hideUploadButton`
reactivity.
> - **Changeset**:
> - Patch release for `"@uppy/svelte"` noting props reactivity fix.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
5a9c4ef00f. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
fixes#5946
Root Cause :
`createDropzone` used a single global `id` for the file input
(`'uppy-dropzone-file-input'`) Clicking any `<Dropzone />` did
`document.getElementById(<global-id>).click()`, which always targeted
the first input in the DOM, so files were added to the first Uppy
instance.
9bac4c8398/packages/%40uppy/components/src/hooks/dropzone.ts (L73-L77)
**Solutions :**
Simplest solution would have been to just make the input id unique per
Uppy instance using `ctx.uppy.getID()`, and click that specific input.
```typescript
const fileInputId = 'uppy-dropzone-file-input-' + ctx.uppy.getID()
```
**Caveats**:
If users don’t pass a custom id to `new Uppy()`, all instances default
to uppy, so ids still collide across instances.
Multiple Dropzones under one instance still share the same id.
Switched to a ref-based approach so clicks trigger the input directly,
without relying on `document.getElementById` lookups. It still falls
back to a DOM click for backward compatibility.
**StackBlitz Link :**
https://stackblitz.com/github/qxprakash/uppy/tree/debug_dropzone/examples/react?file=package.json&embed=1&view=editor&showSidebar=1&hideTerminal=1
**Update: Went for the ID based solution upon discussion with the team
as it's simpler.**
StackBlitz examples took **146+ seconds** to start due to heavy dev
dependencies
### Optimizations
- Eliminate heavy dev deps like `playwright (~200MB)` `@vitest/browser`
`vitest`
- Aggressive install flags: `--prefer-offline --reporter=silent
--ignore-scripts --no-optional`
- use pnpm
- Results **React example: 146s → ~25s (83% faster)**
- Add .stackblitzrc configuration file for StackBlitz environment setup
for
- Add prepare-stackblitz.js script to replace `workspace:*` dependencies
with "latest"
- Configure StackBlitz to run preparation script before installing
dependencies
- Change CSS import paths in examples from `@uppy/react/css/style.css`
to `@uppy/react/dist/styles.css` temporarily (will need to revert after
we release 5.0)
- added export maps to all the @uppy packages .
- imports remain unaffected except for peerDep packages in `@uppy/react`
`@uppy/svelte` and `@uppy/vue3`.
- export maps added for index files , css , and package.json.
- Added side effects for all the packages.
---------
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
Co-authored-by: Merlijn Vos <merlijn@soverin.net>
- Remove `e2e` folder entirely
- Remove all hacky resolutions and yarn patches
- Remove `@types/jasmine`, `js2ts` (convert a JS file to TS), and
`vue-template-compiler` from `private/`
- Remove e2e CI job
- Add browsers tests for vue, svelte, and react headless components and
hooks.
- Add new (browser) tests for transloadit, aws-s3, and dashboard.
- Remove final useless scripts from `package.json`, use direct
references in CI.
- Fix Dropzone component accessibility discovered during testing
- Clean up github workflows (move linters.yml into ci.yml, update
e2e.yml)
**Why Vitest Browser Mode?**
We could have used playwright but vitest browser mode uses it under the
hood and we get the use the vitest we know a love. No two entirely
different setups, no different assertions to relearn, write e2e tests as
if you're writing unit tests. Easy, fast, beautiful.
https://vitest.dev/guide/browser/
**Has every single e2e test been rewritten?**
No there were quite a few tests that have a lot overlap with existing or
newly added tests. There were also some tests that were so heavily
mocked inside and out you start to wonder what the value still is. Open
to discuss which tests still need to be added.