Bump the workspace-deps group with 6 updates

[dependabot]

Bumps the workspace-deps group with 6 updates:

Package	From	To
typescript-eslint	8.59.2	8.59.3
astro	6.3.1	6.3.3
puppeteer-core	24.43.0	25.0.2
tinybench	6.0.1	6.0.2
@types/node	25.6.2	25.8.0
@google-cloud/bigquery	8.3.0	8.3.1

Updates typescript-eslint from 8.59.2 to 8.59.3

Release notes

Sourced from typescript-eslint's releases.

v8.59.3

8.59.3 (2026-05-11)

This was a version bump only, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.59.3 (2026-05-11)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 48e13c0 chore(release): publish 8.59.3
• 44f9625 chore(deps): update vitest monorepo to v4.1.5 (#12307)
• See full diff in compare view

Updates astro from 6.3.1 to 6.3.3

Release notes

Sourced from astro's releases.

astro@6.3.3

Patch Changes

• #16737 bd84f33 Thanks @​matthewp! - Fixes a reflected XSS vulnerability where slot names on hydrated components were not HTML-escaped in SSR output

astro@6.3.2

Patch Changes

• #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

  The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

• #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

• #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

• #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

• #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

• #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

• #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

• #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

• #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &[#38](https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/38);) in <meta> tags when viewed in link previews or raw HTML.

• Updated dependencies [d365c97, 9256345]:

  • @​astrojs/internal-helpers@​0.9.1
  • @​astrojs/markdown-remark@​7.1.2

Changelog

Sourced from astro's changelog.

6.3.3

Patch Changes

• #16737 bd84f33 Thanks @​matthewp! - Fixes a reflected XSS vulnerability where slot names on hydrated components were not HTML-escaped in SSR output

6.3.2

Patch Changes

• #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

  The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

• #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

• #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

• #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

• #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

• #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

• #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

• #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

• #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &[#38](https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/38);) in <meta> tags when viewed in link previews or raw HTML.

• Updated dependencies [d365c97, 9256345]:

  • @​astrojs/internal-helpers@​0.9.1
  • @​astrojs/markdown-remark@​7.1.2

Commits

• 5ec95d0 [ci] release (#16736)
• bce5c34 [ci] format
• bd84f33 fix(security): escape slot names in hydration template attributes to prevent ...
• 42e7eec refactor: fix flaky view-transitions e2e test (#16735)
• 33b54c4 [ci] format
• 0f868b0 chore: remove redundant server assertions (#16721)
• e345bcd [ci] release (#16653)
• 04fdbb2 Update pnpm to v11 (#16716)
• 772f13a fix(astro): correctly export build.assetsPrefix from astro:config/server ...
• d1c258a test: isolate fixture cache dirs for shared fixtures (#16689)
• Additional commits viewable in compare view

Updates puppeteer-core from 24.43.0 to 25.0.2

Release notes

Sourced from puppeteer-core's releases.

puppeteer-core: v25.0.2

25.0.2 (2026-05-15)

🛠️ Fixes

• update docs text (#14992) (36527b8)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.1 to 3.0.2

puppeteer-core: v25.0.1

25.0.1 (2026-05-13)

🛠️ Fixes

• enabled features should take precedence over disabled features (#14985) (f6fd7c2)
• roll to Chrome 148.0.7778.167 (#14980) (84c46fe)
• roll to Firefox 150.0.3 (#14983) (872f778)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.0 to 3.0.1

puppeteer-core: v25.0.0

25.0.0 (2026-05-12)

⚠ BREAKING CHANGES

• remove deprecated Puppeteer.product (#14977)
• bump min NodeJS to 22 (#14973)
• return a Promise for executablePath, defaultArgs (#14965)
• remove deprecated MouseOptions.clickCount (#13865)
• update min version - Node v20.19 and Typescript v5.0.1 (#14364)
• remove deprecated Browser.isConnected() (#14910)
• move packages to ESM only (#14355)
• puppeteer-core: Remove Cookie attribute sameParty (#14545)
• normalize newline-separated headers to comma-separated format (#14492)

🎉 Features

... (truncated)

Changelog

Sourced from puppeteer-core's changelog.

25.0.2 (2026-05-15)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.1 to 3.0.2

🛠️ Fixes

• update docs text (#14992) (36527b8)

25.0.1 (2026-05-13)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.0 to 3.0.1

🛠️ Fixes

• enabled features should take precedence over disabled features (#14985) (f6fd7c2)
• roll to Chrome 148.0.7778.167 (#14980) (84c46fe)
• roll to Firefox 150.0.3 (#14983) (872f778)

25.0.0 (2026-05-12)

⚠ BREAKING CHANGES

• remove deprecated Puppeteer.product (#14977)
• bump min NodeJS to 22 (#14973)
• return a Promise for executablePath, defaultArgs (#14965)

... (truncated)

Commits

• 3aadc38 chore: release main (#14993)
• 36527b8 fix: update docs text (#14992)
• 3ea7bd5 fix: capitalize "Chrome" in troubleshooting.md (#14991)
• ae72fdb chore: Tiny punctuation update in troubleshooting.md (#14990)
• 1597fde chore: release main (#14982)
• f6fd7c2 fix: enabled features should take precedence over disabled features (#14985)
• bf05fb9 fix: update browsers to trigger release (#14984)
• 872f778 fix: roll to Firefox 150.0.3 (#14983)
• 84c46fe fix: roll to Chrome 148.0.7778.167 (#14980)
• ee655d8 chore(main): release ng-schematics 0.8.0 (#14978)
• Additional commits viewable in compare view

Updates tinybench from 6.0.1 to 6.0.2

Release notes

Sourced from tinybench's releases.

v6.0.2

   🐞 Bug Fixes

• lint: Add promise recommended config and jsdoc check-tag-names rule  -  by @​jerome-benoit (124e4)

    View changes on GitHub

Commits

• 72d7d53 chore: release v6.0.2
• fe73bb8 chore(deps): lock file maintenance (#553)
• 06ed214 chore(deps): update all non-major dependencies (#555)
• ad7f879 chore(deps): update all non-major dependencies (#554)
• 124e4d0 fix(lint): add promise recommended config and jsdoc check-tag-names rule
• ac47e7c chore(deps): update vitest to v4.1.6 and workspace overrides
• 74bcfe9 chore: disable simple-git-hooks build script in allowBuilds
• 93ba1c2 chore(deps): update pnpm to v11 (#550)
• fe0a6f9 build: keep minify with readable output (strip comments, keep whitespace) (#552)
• dcc9499 chore: update pnpm to v11 (#551)
• Additional commits viewable in compare view

Updates @types/node from 25.6.2 to 25.8.0

Commits

• See full diff in compare view

Updates @google-cloud/bigquery from 8.3.0 to 8.3.1

Release notes

Sourced from @​google-cloud/bigquery's releases.

bigquery: v8.3.1

8.3.1 (2026-05-11)

Bug Fixes

• bigquery: Run npm run types in correct directory in owlbot (#8061) (0948b35)
• Bump all node submodules (#8178) (9fd76ef)
• Pin @​sinonjs/fake-timers to unblock build in bigquery (#8121) (374167b)

Changelog

Sourced from @​google-cloud/bigquery's changelog.

8.3.1 (2026-05-11)

Bug Fixes

• bigquery: Run npm run types in correct directory in owlbot (#8061) (0948b35)
• Bump all node submodules (#8178) (9fd76ef)
• Pin @​sinonjs/fake-timers to unblock build in bigquery (#8121) (374167b)

Commits

• 92b328b chore: release main (#8242)
• 0ad39e4 chore: update owlbot configs (#8229)
• 9fd76ef fix: bump all node submodules (#8178)
• 374167b fix: pin @​sinonjs/fake-timers to unblock build in bigquery (#8121)
• 0948b35 fix(bigquery): run npm run types in correct directory in owlbot (#8061)
• ca7959c build: pin packages to sinon 21.0.3 for now to dodge a build error (#8053)
• f6f8d0f chore(main): release bigquery 8.3.0 (#7900)
• 7fad2f6 fix: Unblock the releases on Node Bigquery (#7946)
• e500d40 feat(bigquery): allow the user to ask for skipping parsing rows when querying...
• 51d569e test: trim the unit tests to only capture important cases (#7303)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[cloudflare-workers-and-pages]

Deploying framework-tracker with    Cloudflare Pages

Latest commit:	37d5732
Status:	✅  Deploy successful!
Preview URL:	https://b9548014.framework-tracker.pages.dev
Branch Preview URL:	https://dependabot-npm-and-yarn-work-b9av.framework-tracker.pages.dev

View logs