chore: coordinated Svelte 5 + Vite 8 migration

[rdemeritt]

Context

Dependabot PRs #100, #101, and #102 were closed in favour of this coordinated migration. These PRs cannot be merged individually — they cause npm ERESOLVE peer dependency failures and Vite 5→8 is a 3-major jump that requires joint migration with Svelte 5.

Scope

Bump the following packages in lockstep on a single migration branch:

• svelte 4 → 5
• vite 5 → 8
• @sveltejs/vite-plugin-svelte 4 → 7
• @sveltejs/kit → latest
• svelte-check → ^4
• @sveltejs/adapter-node → latest

Prerequisites

• Node 20.19+ is required by Vite 8 — verify .github/workflows/ci.yml node-version before starting

Migration Steps

• Verify CI matrix uses Node 20.19+
• Bump all packages in lockstep in a single branch
• Run npx sv migrate svelte-5 codemod on src/
• Fix any remaining Svelte 5 breaking changes (dispatchers, slots, $$props, stores)
• Update vite.config.ts for Vite 8 (splitVendorChunkPlugin removed, new env API)
• Run full build: npm run build
• Run Playwright suite against localhost stack
• Security review on migration PR before merge

Security Review Note

Security Reviewer must re-review the migration PR prior to merge:

• XSS surface changes with new Svelte 5 template syntax (runes, snippets)
• CSP impact from the Rolldown bundler introduced in Vite 8

References

• Closed Dependabot PRs: chore(deps): bump esbuild from 0.21.5 to removed in the npm_and_yarn group across 1 directory #100, chore(deps-dev): bump vite from 5.4.21 to 8.0.10 in the npm_and_yarn group across 1 directory #101, chore(deps-dev): bump svelte from 4.2.20 to 5.55.5 in the npm_and_yarn group across 1 directory #102