Skip to content

chore(deps): update all dependencies #83

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update all dependencies #83

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 30, 2025
edited
Loading

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update
@astrojs/check (source) 0.9.5 -> 0.9.6 age confidence devDependencies patch
@astrojs/mdx (source) 4.3.9 -> 4.3.12 age confidence dependencies patch
@astrojs/rss (source) 4.0.13 -> 4.0.14 age confidence dependencies patch
@eslint/eslintrc 3.3.1 -> 3.3.3 age confidence devDependencies patch
@eslint/js (source) 9.38.0 -> 9.39.1 age confidence devDependencies minor
@typescript-eslint/eslint-plugin (source) 8.46.2 -> 8.48.1 age confidence devDependencies minor
@typescript-eslint/parser (source) 8.46.2 -> 8.48.1 age confidence devDependencies minor
actions/checkout v5 -> v6 age confidence action major
astro (source) 5.15.2 -> 5.16.4 age confidence dependencies minor
autoprefixer 10.4.21 -> 10.4.22 age confidence dependencies patch
eslint-plugin-astro (source) 1.4.0 -> 1.5.0 age confidence devDependencies minor
globals 16.4.0 -> 16.5.0 age confidence devDependencies minor
pnpm (source) 10.20.0+sha512.cf9998222162dd85864d0a8102e7892e7ba4ceadebbf5a31f9c2fce48dfce317a9c53b9f6464d1ef9042cba2e02ae02a9f7c143a2b438cd93c91840f0192b9dd -> 10.24.0 age confidence packageManager minor
prettier (source) 3.6.2 -> 3.7.4 age confidence devDependencies minor
sharp (source, changelog) 0.34.4 -> 0.34.5 age confidence dependencies patch
typescript-eslint (source) 8.46.2 -> 8.48.1 age confidence devDependencies minor

Release Notes

withastro/astro (@​astrojs/check)

v0.9.6

Patch Changes
withastro/astro (@​astrojs/mdx)

v4.3.12

Compare Source

Patch Changes

v4.3.11

Compare Source

Patch Changes

v4.3.10

Compare Source

Patch Changes

  • #​14715 3d55c5d Thanks @​ascorbic! - Adds support for client hydration in getContainerRenderer()

    The getContainerRenderer() function is exported by Astro framework integrations to simplify the process of rendering framework components when using the experimental Container API inside a Vite or Vitest environment. This update adds the client hydration entrypoint to the returned object, enabling client-side interactivity for components rendered using this function. Previously this required users to manually call container.addClientRenderer() with the appropriate client renderer entrypoint.

    See the container-with-vitest demo for a usage example, and the Container API documentation for more information on using framework components with the experimental Container API.

withastro/astro (@​astrojs/rss)

v4.0.14

Compare Source

Patch Changes
eslint/eslintrc (@​eslint/eslintrc)

v3.3.3

Compare Source

Bug Fixes
eslint/eslint (@​eslint/js)

v9.39.1

Compare Source

v9.39.0

Compare Source

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.48.1

Compare Source

🩹 Fixes
  • eslint-plugin: [restrict-template-expressions] check base types in allow list (#​11764, #​11759)
  • eslint-plugin: honor ignored base types on generic classes (#​11767)
  • eslint-plugin: [consistent-type-exports] check value flag before resolving alias (#​11769)
❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.48.0

Compare Source

🚀 Features
  • eslint-plugin: [no-redundant-type-constituents] use assignability checking for redundancy checks (#​10744)
🩹 Fixes
  • typescript-estree: disallow binding patterns in parameter properties (#​11760)
  • eslint-plugin: [consistent-generic-constructors] ignore when constructor is typed array (#​10477)
❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.47.0

Compare Source

🚀 Features
  • eslint-plugin: [no-unused-private-class-members] new extension rule (#​10913)
❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.46.4

Compare Source

🩹 Fixes
  • parser: error when both projectService and project are set (#​11333)
  • eslint-plugin: handle override modifier in promise-function-async fixer (#​11730)
  • eslint-plugin: [no-deprecated] fix double-report on computed literal identifiers (#​11006, #​10958)
❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.46.3

Compare Source

🩹 Fixes
  • eslint-plugin: [no-duplicate-enum-values] support signed numbers (#​11722, #​11723)
  • eslint-plugin: [no-misused-promises] expand union type to retrieve target property (#​11706)
❤️ Thank You

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.48.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.48.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.47.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.46.4

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.46.3

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

actions/checkout (actions/checkout)

v6

Compare Source

withastro/astro (astro)

v5.16.4

Compare Source

Patch Changes

  • #​14940 2cf79c2 Thanks @​ematipico! - Fixes a bug where Astro didn't properly combine CSP resources from the csp configuration with those added using the runtime API (Astro.csp.insertDirective()) to form grammatically correct CSP headers

    Now Astro correctly deduplicate CSP resources. For example, if you have a global resource in the configuration file, and then you add a
    a new one using the runtime APIs.

v5.16.3

Compare Source

Patch Changes

  • #​14889 4bceeb0 Thanks @​florian-lefebvre! - Fixes actions types when using specific TypeScript configurations

  • #​14929 e0f277d Thanks @​matthewp! - Fixes authentication bypass via double URL encoding in middleware

    Prevents attackers from bypassing path-based authentication checks using multi-level URL encoding (e.g., /%2561dmin instead of /%61dmin). Pathnames are now validated after decoding to ensure no additional encoding remains.

v5.16.2

Compare Source

Patch Changes

v5.16.1

Compare Source

Patch Changes

v5.16.0

Compare Source

Minor Changes

  • #​13880 1a2ed01 Thanks @​azat-io! - Adds experimental SVGO optimization support for SVG assets

    Astro now supports automatic SVG optimization using SVGO during build time. This experimental feature helps reduce SVG file sizes while maintaining visual quality, improving your site's performance.

    To enable SVG optimization with default settings, add the following to your astro.config.mjs:

    import { defineConfig } from 'astro/config';

export default defineConfig({
  experimental: {
    svgo: true,
  },
});

    To customize optimization, pass a SVGO configuration object:

    export default defineConfig({
  experimental: {
    svgo: {
      plugins: [
        'preset-default',
        {
          name: 'removeViewBox',
          active: false,
        },
      ],
    },
  },
});

    For more information on enabling and using this feature in your project, see the experimental SVG optimization docs.

  • #​14810 2e845fe Thanks @​ascorbic! - Adds a hint for code agents to use the --yes flag to skip prompts when running astro add

  • #​14698 f42ff9b Thanks @​mauriciabad! - Adds the ActionInputSchema utility type to automatically infer the TypeScript type of an action's input based on its Zod schema

    For example, this type can be used to retrieve the input type of a form action:

    import { type ActionInputSchema, defineAction } from 'astro:actions';
import { z } from 'astro/zod';

const action = defineAction({
  accept: 'form',
  input: z.object({ name: z.string() }),
  handler: ({ name }) => ({ message: `Welcome, ${name}!` }),
});

type Schema = ActionInputSchema<typeof action>;
// typeof z.object({ name: z.string() })

type Input = z.input<Schema>;
// { name: string }

  • #​14574 4356485 Thanks @​jacobdalamb! - Adds new CLI shortcuts available when running astro preview:

    • o + enter: open the site in your browser
    • q + enter: quit the preview
    • h + enter: print all available shortcuts
Patch Changes

  • #​14813 e1dd377 Thanks @​ematipico! - Removes picocolors as dependency in favor of the fork piccolore.

  • #​14609 d774306 Thanks @​florian-lefebvre! - Improves astro info

  • #​14796 c29a785 Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

    Updates the default subsets to ["latin"]

    Subsets have been a common source of confusion: they caused a lot of files to be downloaded by default. You now have to manually pick extra subsets.

    Review your Astro config and update subsets if you need, for example if you need greek characters:

    import { defineConfig, fontProviders } from "astro/config"

export default defineConfig({
    experimental: {
        fonts: [{
            name: "Roboto",
            cssVariable: "--font-roboto",
            provider: fontProviders.google(),
+            subsets: ["latin", "greek"]
        }]
    }
})

v5.15.9

Compare Source

Patch Changes

  • #​14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

  • #​14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

  • #​14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

    In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

    // astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  images: {
    remotePatterns: [
      {
        protocol: 'data',
      },
    ],
  },
});

  • #​14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

    Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

  • #​14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

  • Updated dependencies [9e9c528, 0f75f6b]:

v5.15.8

Compare Source

Patch Changes

  • #​14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

    Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

  • #​14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

    Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

v5.15.7

Compare Source

Patch Changes

v5.15.6

Compare Source

Patch Changes

  • #​14751 18c55e1 Thanks @​delucis! - Fixes hydration of client components when running the dev server and using a barrel file that re-exports both Astro and UI framework components.

  • #​14750 35122c2 Thanks @​florian-lefebvre! - Updates the experimental Fonts API to log a warning if families with a conflicting cssVariable are provided

  • #​14737 74c8852 Thanks @​Arecsu! - Fixes an error when using transition:persist with components that use declarative Shadow DOM. Astro now avoids re-attaching a shadow root if one already exists, preventing "Unable to re-attach to existing ShadowDOM" navigation errors.

  • #​14750 35122c2 Thanks @​florian-lefebvre! - Updates the experimental Fonts API to allow for more granular configuration of remote font families

    A font family is defined by a combination of properties such as weights and styles (e.g. weights: [500, 600] and styles: ["normal", "bold"]), but you may want to download only certain combinations of these.

    For greater control over which font files are downloaded, you can specify the same font (ie. with the same cssVariable, name, and provider properties) multiple times with different combinations. Astro will merge the results and download only the required files. For example, it is possible to download normal 500 and 600 while downloading only italic 500:

    // astro.config.mjs
import { defineConfig, fontProviders } from 'astro/config';

export default defineConfig({
  experimental: {
    fonts: [
      {
        name: 'Roboto',
        cssVariable: '--roboto',
        provider: fontProviders.google(),
        weights: [500, 600],
        styles: ['normal'],
      },
      {
        name: 'Roboto',
        cssVariable: '--roboto',
        provider: fontProviders.google(),
        weights: [500],
        styles: ['italic'],
      },
    ],
  },
});

v5.15.5

Compare Source

Patch Changes

  • #​14712 91780cf Thanks @​florian-lefebvre! - Fixes a case where build's process.env would be inlined in the server output

  • #​14713 666d5a7 Thanks @​florian-lefebvre! - Improves fallbacks generation when using the experimental Fonts API

  • #​14743 dafbb1b Thanks @​matthewp! - Improves X-Forwarded header validation to prevent cache poisoning and header injection attacks. Now properly validates X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers against configured allowedDomains patterns, rejecting malformed or suspicious values. This is especially important when running behind a reverse proxy or load balancer.

v5.15.4

Compare Source

Patch Changes

  • #​14703 970ac0f Thanks @​ArmandPhilippot! - Adds missing documentation for some public utilities exported from astro:i18n.

  • #​14715 3d55c5d Thanks @​ascorbic! - Adds support for client hydration in getContainerRenderer()

    The getContainerRenderer() function is exported by Astro framework integrations to simplify the process of rendering framework components when using the experimental Container API inside a Vite or Vitest environment. This update adds the client hydration entrypoint to the returned object, enabling client-side interactivity for components rendered using this function. Previously this required users to manually call container.addClientRenderer() with the appropriate client renderer entrypoint.

    See the container-with-vitest demo for a usage example, and the Container API documentation for more information on using framework components with the experimental Container API.

  • #​14711 a4d284d Thanks @​deining! - Fixes typos in documenting our error messages and public APIs.

  • #​14701 9be54c7 Thanks @​florian-lefebvre! - Fixes a case where the experimental Fonts API would filter available font files too aggressively, which could prevent the download of woff files when using the google provider

v5.15.3

Compare Source

Patch Changes

  • #​14627 b368de0 Thanks @​matthewp! - Fixes skew protection support for images and font URLs

    Adapter-level query parameters (assetQueryParams) are now applied to all image and font asset URLs, including:

    • Dynamic optimized images via /_image endpoint
    • Static optimized image files
    • Font preload tags and font requests when using the experimental Fonts API

  • #​14631 3ad33f9 Thanks @​KurtGokhan! - Adds the astro/jsx-dev-runtime export as an alias for astro/jsx-runtime

postcss/autoprefixer (autoprefixer)

v10.4.22

Compare Source

  • Fixed stretch prefixes on new Can I Use database.
  • Updated fraction.js.
ota-meshi/eslint-plugin-astro (eslint-plugin-astro)

v1.5.0

Compare Source

Minor Changes
sindresorhus/globals (globals)

v16.5.0

Compare Source

pnpm/pnpm (pnpm)

v10.24.0

Compare Source

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

  • Added --lockfile-only option to pnpm list #​10020.

Patch Changes

  • pnpm self-update should download pnpm from the configured npm registry #​10205.
  • pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
  • Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
  • The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
  • pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:is-odd@3.0.1) #​8660.
  • Don't add an extra slash to the Node.js mirror URL #​10204.
  • pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.22.0: pnpm 10.22

Compare Source

Minor Changes

  • Added support for trustPolicyExclude #​10164.

    You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:

    trustPolicy: no-downgrade
trustPolicyExclude:
  - chokidar@4.0.3
  - webpack@4.47.0 || 5.102.1

  • Allow to override the engines field on publish by the publishConfig.engines field.

Patch Changes

  • Don't crash when two processes of pnpm are hardlinking the contents of a directory to the same destination simultaneously #​10179.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.21.0

Compare Source

prettier/prettier (prettier)

v3.7.4

Compare Source

diff

LWC: Avoid quote around interpolations (#​18383 by @​kovsu)
<!-- Input -->
<div foo={bar}>   </div>

<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>

<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>
TypeScript: Fix comment inside union type gets duplicated (#​18393 by @​fisker)
// Input
type Foo = (/** comment */ a | b) | c;

// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;

// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;
TypeScript: Fix unstable comment print in union type comments (#​18395 by @​fisker)
// Input
type X = (A | B) & (
  // comment
  A | B
);

// Prettier 3.7.3 (first format)
type X = (A | B) &
  (// comment
  A | B);

// Prettier 3.7.3 (second format)
type X = (
  | A
  | B // comment
) &
  (A | B);

// Prettier 3.7.4
type X = (A | B) &
  // comment
  (A | B);

v3.7.3

Compare Source

diff

API: Fix prettier.getFileInfo() change that breaks VSCode extension (#​18375 by @​fisker)

An internal refactor accidentally broke the VSCode extension plugin loading.

v3.7.2

Compare Source

diff

JavaScript: Fix string print when switching quotes (#​18351 by @​fisker)
// Input
console.log("A descriptor\\'s .kind must be \"method\" or \"field\".")

// Prettier 3.7.1
console.log('A descriptor\\'s .kind must be "method" or "field".');

// Prettier 3.7.2
console.log('A descriptor\\\'s .kind must be "method" or "field".');
JavaScript: Preserv

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title chore(deps): update dependency astro to v5.15.3 chore(deps): update all dependencies Oct 31, 2025
@renovate renovate bot force-pushed the renovate/all branch 5 times, most recently from 63af526 to fc521db Compare November 6, 2025 20:36
@renovate renovate bot force-pushed the renovate/all branch 7 times, most recently from 5a6077b to 38f2595 Compare November 15, 2025 17:11
@renovate renovate bot force-pushed the renovate/all branch 5 times, most recently from f2e6f35 to a8323ca Compare November 24, 2025 17:26
@renovate renovate bot force-pushed the renovate/all branch 9 times, most recently from a6dd5ca to 4805923 Compare December 2, 2025 14:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant