chore(deps): bump the nonmajor group across 1 directory with 11 updates

[dependabot]

Bumps the nonmajor group with 11 updates in the / directory:

Package	From	To
@iconify-json/lucide	1.2.90	1.2.95
@iconify-json/simple-icons	1.2.70	1.2.72
astro	5.17.2	5.18.0
astro-compressor	1.2.0	1.3.0
fs-extra	11.3.3	11.3.4
google-auth-library	10.5.0	10.6.1
postcss-custom-media	12.0.0	12.0.1
postcss-preset-env	11.1.3	11.2.0
@types/node	25.2.3	25.3.3
autoprefixer	10.4.24	10.4.27
postcss	8.5.6	8.5.8

Updates @iconify-json/lucide from 1.2.90 to 1.2.95

Commits

• See full diff in compare view

Updates @iconify-json/simple-icons from 1.2.70 to 1.2.72

Commits

• See full diff in compare view

Updates astro from 5.17.2 to 5.18.0

Release notes

Sourced from astro's releases.

astro@5.18.0

Minor Changes

• #15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

astro@5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

Changelog

Sourced from astro's changelog.

5.18.0

Minor Changes

• #15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

Commits

• 011f061 [ci] release (#15597)
• efae11c fix: X-Forwarded-Proto rejected when allowedDomains includes protocol… (#15594)
• 751ccf0 Update actionBodySizeLimit changeset and make minor (#15600)
• b7dd447 make actionBodySizeLimit configurable (#15589)
• e0f1a2b [ci] release (#15571)
• 522f880 Limit action request body size (#15564)
• 436962a chore: Upgrade Vite and esbuild (#15554)
• e01e98b Respect remote image allowlists (#15569)
• See full diff in compare view

Updates astro-compressor from 1.2.0 to 1.3.0

Release notes

Sourced from astro-compressor's releases.

v1.3.0

2026-03-04

Summary

This release adds better default compression for zstd and brotli, and better handling of compression options. Thanks to @​Daniel15 for this contribution.

Commits

• [9d97f8a] Use a separate release pipeline
• [09f173b] Run 'pnpm fix' in pre-commit hook
• [34e8ca2] Drop @​tsconfig packages
• [d48d4a9] Force NO_COLOR in tests to avoid ANSI shenanigans
• [f0816b8] Refactor the build setup slightly
• [ff616ca] Move to oxlint and oxfmt
• [98cc08f] Bump all packages, fix type errors
• [de315e0] Improve handling of default options @​Daniel15
• [9878779] Set default compression levels for Brotli and zstd @​Daniel15
• [f3cf8dc] Bump actions/checkout from 5 to 6
• [3330a3c] We now use trusted publishing, remove tokens

Changelog

Sourced from astro-compressor's changelog.

v1.3.0

2026-03-04

Summary

This release adds better default compression for zstd and brotli, and better handling of compression options. Thanks to @​Daniel15 for this contribution.

Commits

• [9d97f8a] Use a separate release pipeline
• [09f173b] Run 'pnpm fix' in pre-commit hook
• [34e8ca2] Drop @​tsconfig packages
• [d48d4a9] Force NO_COLOR in tests to avoid ANSI shenanigans
• [f0816b8] Refactor the build setup slightly
• [ff616ca] Move to oxlint and oxfmt
• [98cc08f] Bump all packages, fix type errors
• [de315e0] Improve handling of default options @​Daniel15
• [9878779] Set default compression levels for Brotli and zstd @​Daniel15
• [f3cf8dc] Bump actions/checkout from 5 to 6
• [3330a3c] We now use trusted publishing, remove tokens

Commits

• 1c2e76e Release v1.3.0
• 550f749 Use a separate release pipeline
• 09f173b Run 'pnpm fix' in pre-commit hook
• 34e8ca2 Drop @​tsconfig packages
• d48d4a9 Force NO_COLOR in tests to avoid ANSI shenanigans
• f0816b8 Refactor the build setup slightly
• ff616ca Move to oxlint and oxfmt
• 98cc08f Bump all packages, fix type errors
• de315e0 Improve handling of default options
• 9878779 Set default compression levels for Brotli and zstd
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro-compressor since your current version.

Updates fs-extra from 11.3.3 to 11.3.4

Changelog

Sourced from fs-extra's changelog.

11.3.4 / 2026-03-03

• Fix bug where calling ensureSymlink/ensureSymlinkSync with a relative srcPath would fail if the symlink already existed (#1038, #1064)

Commits

• 353a29b 11.3.4
• 3e65fbe fix(ensureSymlink): resolve relative srcpath correctly when symlink exists (#...
• e2615e5 Fix git URL in package.json (#1062)
• See full diff in compare view

Updates google-auth-library from 10.5.0 to 10.6.1

Release notes

Sourced from google-auth-library's releases.

google-auth-library: v10.6.1

10.6.1 (2026-02-20)

Bug Fixes

• DefaultAwsSecurityCredentialSupplier fetches aws-credentials correctly from credential-url (#901) (8c50526)

google-auth-library: v10.6.0

10.6.0 (2025-12-17)

Features

• auth: Use gtoken from internal class instead of dependency (#815) (a38857c)

Changelog

Sourced from google-auth-library's changelog.

10.6.1 (2026-02-20)

Bug Fixes

• DefaultAwsSecurityCredentialSupplier fetches aws-credentials correctly from credential-url (#901) (8c50526)

10.6.0 (2025-12-17)

Features

• auth: Use gtoken from internal class instead of dependency (#815) (a38857c)

Commits

• 8144256 chore: release main
• 8c50526 fix: defaultAwsSecurityCredentialSupplier fetches aws-credentials correctly f...
• d173996 chore(deps): update dependency mocha to v10 (#878)
• ee618f6 delete more configs
• 93ca4c5 chore: upgrade sinon, node types (#864)
• 383aa51 chore: release main
• a38857c feat(auth): use gtoken from internal class instead of dependency (#815)
• c27f023 build(auth): added full implementation of GoogleToken (#814)
• 8f8b2a5 build(auth): add token handler for GoogleToken. (#805)
• 552f153 build(auth): add getToken function for the usage of GoogleToken (#806)
• Additional commits viewable in compare view

Updates postcss-custom-media from 12.0.0 to 12.0.1

Changelog

Sourced from postcss-custom-media's changelog.

12.0.1

February 21, 2026

• Fix importance of custom media in anonymous cascade layers.

Commits

• See full diff in compare view

Updates postcss-preset-env from 11.1.3 to 11.2.0

Changelog

Sourced from postcss-preset-env's changelog.

11.2.0

February 21, 2026

• Added @csstools/postcss-font-width-property Check the plugin README for usage details.
• Updated cssdb to 8.8.0

Commits

• See full diff in compare view

Updates @types/node from 25.2.3 to 25.3.3

Commits

• See full diff in compare view

Updates autoprefixer from 10.4.24 to 10.4.27

Release notes

Sourced from autoprefixer's releases.

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

Changelog

Sourced from autoprefixer's changelog.

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

Commits

• 360f2d9 Release 10.4.27 version
• ab5260c Update clean-publish
• 09e9dd1 Release 10.4.26 version
• ec75540 Ignore local patches
• 59601b8 Update c8 and clean-publish
• 06ea988 Release 10.4.25 version
• 47d8a5b Update dependencies and fix Node.js 25
• 51c596e Add Node.js 25 and 24 to CI
• 5239823 Fix CSS variables in gradients (#1515) (#1544)
• See full diff in compare view

Updates postcss from 8.5.6 to 8.5.8

Release notes

Sourced from postcss's releases.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

• 65de537 Release 8.5.8 version
• b2c6d97 Run git hook register
• 0ae0a49 Update Processor#version
• 6ee9f14 Release 8.5.7 version
• 3fbc951 Fix uvu Node.js 25 support
• 52db53e Update dependencies
• 497daef Speed up source map annotation cleaning by moving from RegExp
• 41e739a Remove banner
• 1329142 chore: speed up space-only string check in lib/parser.js (#2064)
• 23beff9 Update dependencies
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[chuangcaleb]

@dependabot recreate

[github-actions]

❌ Build Failed - Manual Review Required

This dependency update failed CI, so it was not auto-merged to .

Action needed:

• Review CI logs to identify the failure
• Confirm whether the failure is related to this dependency update
• Fix issues (or recreate the PR) and re-run checks
• Manually merge when all checks pass

[chuangcaleb]

@dependabot recreate

[github-actions]

❌ Build Failed - Manual Review Required

This dependency update failed CI, so it was not auto-merged to .

Action needed:

• Review CI logs to identify the failure
• Confirm whether the failure is related to this dependency update
• Fix issues (or recreate the PR) and re-run checks
• Manually merge when all checks pass

[chuangcaleb]

@dependabot recreate

[github-actions]

❌ Build Failed - Manual Review Required

This dependency update failed CI, so it was not auto-merged to .

Action needed:

• Review CI logs to identify the failure
• Confirm whether the failure is related to this dependency update
• Fix issues (or recreate the PR) and re-run checks
• Manually merge when all checks pass

[chuangcaleb]

@depenabot recreate

[github-actions]

❌ Build Failed - Manual Review Required

This dependency update failed CI, so it was not auto-merged to .

Action needed:

• Review CI logs to identify the failure
• Confirm whether the failure is related to this dependency update
• Fix issues (or recreate the PR) and re-run checks
• Manually merge when all checks pass

[chuangcaleb]

@dependabot recreate

[github-actions]

❌ Build Failed - Manual Review Required

This dependency update failed CI, so it was not auto-merged to .

Action needed:

• Review CI logs to identify the failure
• Confirm whether the failure is related to this dependency update
• Fix issues (or recreate the PR) and re-run checks
• Manually merge when all checks pass