
build(deps): bump astro from 6.4.4 to 6.4.6#210

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/astro-6.4.5

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Contributor

Bumps astro from 6.4.4 to 6.4.6.

Release notes

Sourced from astro's releases.

astro@6.4.6

Patch Changes

  • #16765 b10e86e Thanks @fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

  • #17026 add3df1 Thanks @matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace).

  • #17033 ffda27b Thanks @matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

astro@6.4.5

Patch Changes

  • #16985 4ecff32 Thanks @maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

  • #16947 e0703a6 Thanks @ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

  • #16997 dc45246 Thanks @matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites.

Changelog

Sourced from astro's changelog.

6.4.6

Patch Changes

  • #16765 b10e86e Thanks @fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

  • #17026 add3df1 Thanks @matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace).

  • #17033 ffda27b Thanks @matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

6.4.5

Patch Changes

  • #16985 4ecff32 Thanks @maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

  • #16947 e0703a6 Thanks @ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

  • #16997 dc45246 Thanks @matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites.

Commits
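The addAttribute hardening in 6.4.6 (#17026) is worth seeing in code: attribute values can be escaped, but an attribute name containing one of the characters the HTML spec forbids has no safe encoding, so the only correct handling is to drop it. The block below is an added example written for this page, not Astro's implementation; the function names, the returned `dropped` list and the sample input are all constructed here.

```javascript
// Added example (not Astro's code): an attribute builder that drops attribute
// names containing characters the HTML spec forbids in attribute names.
// The spec excludes from attribute names: ASCII whitespace (TAB, LF, FF, CR,
// SPACE), U+0022 ("), U+0027 ('), U+003E (>), U+002F (/), U+003D (=), control
// characters and noncharacters. The 6.4.6 release note lists the printable
// subset; this check also rejects C0/C1 control characters.
const FORBIDDEN_IN_ATTR_NAME = /[\t\n\f\r "'>\/=]|[\u0000-\u001F\u007F-\u009F]/;

function isValidAttributeName(name) {
  return typeof name === 'string' && name.length > 0 && !FORBIDDEN_IN_ATTR_NAME.test(name);
}

// Values can be escaped safely; names cannot, so an invalid name is dropped.
function escapeAttributeValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
}

// Appends ` name="value"` to the attribute string, or returns it unchanged
// (recording the drop) when the name is outside the attribute-name grammar.
function addAttribute(attrs, name, value, dropped = []) {
  if (!isValidAttributeName(name)) {
    dropped.push(name);
    return attrs;
  }
  return `${attrs} ${name}="${escapeAttributeValue(value)}"`;
}

// Renders an object of attributes into the string that goes inside a start
// tag, e.g. `<div${attrs}>`, together with the names that were dropped.
function renderAttributes(attributes) {
  const dropped = [];
  let attrs = '';
  for (const [name, value] of Object.entries(attributes)) {
    attrs = addAttribute(attrs, name, value, dropped);
  }
  return { attrs, dropped };
}

// Constructed input: two ordinary attributes plus one name per forbidden
// character from the release note.
const sample = {
  id: 'main',
  'data-label': 'a "quoted" value',
  'a b': 'space in name',
  'x=y': 'equals sign in name',
  '"q': 'double quote in name',
  "it's": 'single quote in name',
  'a>b': 'greater-than in name',
  'a/b': 'slash in name',
};
console.log(renderAttributes(sample));
// → attrs: ' id="main" data-label="a &quot;quoted&quot; value"'
//   dropped: [ 'a b', 'x=y', '"q', "it's", 'a>b', 'a/b' ]
```

Logging the `dropped` list, rather than silently discarding the names, is the part a defender wants: a component that suddenly starts emitting attribute names with `=` or `>` in them is a signal that untrusted data reached the attribute-name position, which escaping the value would never have caught.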
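The origin check in #17033 is a small allowlist decision: honour the client-supplied Host header only when `allowedDomains` is configured and the header matches an entry, otherwise fetch the prerendered error page from localhost. The block below is an added example, not Astro's code; the config shape (plain hostnames with an optional leading `*.` wildcard), the fallback port and the plain-object requests standing in for Fetch `Request` objects are assumptions made here.

```javascript
// Added example (not Astro's implementation): choosing the origin for an
// internal fetch of a prerendered error page. The Host header is honoured
// only when allowedDomains is configured and the header matches an entry;
// otherwise the fetch targets localhost. The config shape and the port are
// assumptions for this example, not Astro's exact API.
const FALLBACK_PORT = 4321;

// Case-insensitive hostname match. '*.example.com' matches any subdomain of
// example.com but not the bare apex.
function hostnameMatches(hostname, pattern) {
  const h = hostname.toLowerCase();
  const p = pattern.toLowerCase();
  if (p.startsWith('*.')) {
    const suffix = p.slice(1); // ".example.com"
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return h === p;
}

// Extracts the hostname from a Host header, dropping an optional ":port".
// Returns null when the header is absent or malformed (empty, whitespace,
// path characters). Bracketed IPv6 literals are treated as non-matching here.
function hostnameFromHostHeader(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const m = /^([A-Za-z0-9.-]+)(?::\d{1,5})?$/.exec(hostHeader.trim());
  return m ? m[1] : null;
}

function resolveErrorPageOrigin(request, allowedDomains) {
  const fallback = `http://localhost:${FALLBACK_PORT}`;
  if (!Array.isArray(allowedDomains) || allowedDomains.length === 0) return fallback;
  const hostname = hostnameFromHostHeader(request.headers.get('host'));
  if (hostname === null) return fallback;
  if (!allowedDomains.some((pattern) => hostnameMatches(hostname, pattern))) return fallback;
  // Host header is trusted: keep the original request origin (scheme, host, port).
  return new URL(request.url).origin;
}

// Constructed requests (plain objects standing in for the Fetch Request).
function makeRequest(url, host) {
  return { url, headers: new Map([['host', host]]) };
}

const allowed = ['app.example.com', '*.preview.example.com'];
// exact match -> original origin
console.log(resolveErrorPageOrigin(makeRequest('https://app.example.com/missing', 'app.example.com'), allowed));
// wildcard match with explicit port in Host -> original origin
console.log(resolveErrorPageOrigin(makeRequest('https://pr-12.preview.example.com/missing', 'pr-12.preview.example.com:443'), allowed));
// foreign host -> localhost fallback
console.log(resolveErrorPageOrigin(makeRequest('https://other.example.net/missing', 'other.example.net'), allowed));
```

The point of the fallback, rather than a hard failure, is that the error page is still served when an unexpected Host arrives; what changes is that the server's own internal request is never pointed at a host the client chose.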

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 10, 2026
@dependabot dependabot Bot requested a review from theagenticguy as a code owner June 10, 2026 08:15
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/astro-6.4.5 branch from 975c233 to 713ca57 June 10, 2026 16:06
@dependabot dependabot Bot changed the title build(deps): bump astro from 6.4.4 to 6.4.5 build(deps): bump astro from 6.4.4 to 6.4.6 Jun 10, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/astro-6.4.5 branch 5 times, most recently from 01fb126 to 91e1c76 June 11, 2026 17:24
Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) from 6.4.4 to 6.4.6.
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.4.6/packages/astro)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.4.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@theagenticguy

Owner

Superseded by #230, which folds this bump into a single consolidated dependency-refresh branch (strict + linear-history branch protection makes 5 separate merges cascade lock-file rebases). This PR will be closed once #230 merges.

theagenticguy added a commit that referenced this pull request Jun 13, 2026
) (#230)

## Summary

Consolidated dependency refresh that clears the open esbuild CVE and
folds in all 5 open Dependabot PRs (#210–#214) plus the remaining
outdated minors/patches.

**Why one branch instead of merging the 5 Dependabot PRs:** branch
protection on `main` is `strict` + linear-history + squash-only. Merging
the 5 PRs one at a time forces each survivor to rebase against a changed
`pnpm-lock.yaml` and re-run the full CI matrix — a 5-cycle cascade.
Folding them into one validated branch is a single CI cycle; the
Dependabot PRs then close as superseded.

## Security
- **esbuild → 0.28.1** via pnpm override (`>=0.27.3 <0.28.1` → `0.28.1`)
— clears **GHSA-g7r4-m6w7-qqqr** (LOW, dev-server path traversal via `\`
on Windows). Dependabot **could not** auto-fix this: `astro` pins
`esbuild@^0.27.3` and never widens it, so the security update returned
`security_update_not_possible`. Override follows the existing `devalue`
security-override pattern in `pnpm-workspace.yaml`. OSV scan after the
bump: **no issues**.

## Bumps (none breaking)
| Package | From | To | Covered Dependabot PR |
|---|---|---|---|
| astro | 6.4.4 | 6.4.6 | #210 |
| @astrojs/starlight | 0.39.3 | 0.40.0 | #211 |
| @aws-sdk/client-bedrock-runtime | 3.1064.0 | 3.1068.0 | #212 |
| @aws-sdk/client-sagemaker-runtime | 3.1064.0 | 3.1068.0 | #213 |
| starlight-page-actions | 0.6.0 | 0.6.1 | #214 |
| @biomejs/biome | 2.4.16 | 2.5.0 | — |
| @ladybugdb/core | 0.16.1 | 0.17.1 | — |
| piscina | 5.1.4 | 5.2.0 | — |
| sharp | 0.34.5 | 0.35.1 | — |
| starlight-links-validator | 0.24.0 | 0.24.1 | — |
| @types/node | 25.9.2 | 25.9.3 | — |
| commitizen | 4.3.1 | 4.3.2 | — |

Ran `biome migrate` for the 2.5.0 bump: `recommended: true` → `preset:
"recommended"`, schema → 2.5.0.

## Held — both require Node 24; repo is Node 22 + `engine-strict=true`
- **license-checker-rseidelsohn 4 → 5**: engines `node >=24`. Powers the
required `licenses` CI gate, which runs on Node 22 → install would fail.
**Hard blocker until the repo baselines to Node 24.**
- **write-file-atomic 7 → 8**: only change is narrowing the Node floor
to `^22.22.2`, conflicting with the declared `engines.node: >=22.12.0`;
no functional or security benefit.

## Validation (local, mirrors required CI checks)
| Gate | Result |
|---|---|
| frozen-lockfile install | ✅ no drift |
| build (all packages) | ✅ |
| lint (biome 2.5.0) | ✅ 0 infos |
| typecheck (CI-mirror, excl. docs) | ✅ |
| test (19 packages) | ✅ 0 fail, 0 `not ok` |
| banned-strings | ✅ |
| license allowlist | ✅ |
| OSV scan | ✅ no issues |
| astro docs build | ✅ 64 pages, links valid |

## After merge
Close #210–#214 as superseded (the squash commit folds them all in). The
esbuild override resolves itself when astro widens its esbuild range
(likely 6.5+); revisit then.

🤖 Generated with [Bonk](https://github.com/theagenticguy/opencodehub) —
OpenCodeHub nightly maintenance
dependabot Bot commented on behalf of github Jun 13, 2026

Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/astro-6.4.5 branch June 13, 2026 13:35