chore(deps): update astro monorepo

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/mdx (source)	4.3.10 -> 4.3.12
astro (source)	5.15.4 -> 5.16.2

---

Release Notes

withastro/astro (@​astrojs/mdx)

v4.3.12

Compare Source

Patch Changes

• #​14813 e1dd377 Thanks @​ematipico! - Removes picocolors as dependency in favor of the fork piccolore.

v4.3.11

Compare Source

Patch Changes

• Updated dependencies []:
  • @​astrojs/markdown-remark@​6.3.9

withastro/astro (astro)

v5.16.2

Compare Source

Patch Changes

• #​14876 b43dc7f Thanks @​florian-lefebvre! - Fixes a vite warning log during builds when using npm

• #​14884 10273e0 Thanks @​florian-lefebvre! - Fixes a case where setting the status of a page to 404 in ssr would show an empty page (or 404.astro page if provided) instead of using the current page

v5.16.1

Compare Source

Patch Changes

• #​14769 b43ee71 Thanks @​adriandlam! - Fixes an unhandled rejection issue when using Astro with Vercel Workflow DevKit

• #​14761 345eb22 Thanks @​ooga! - Updates button attributes types to allow command and commandfor

• #​14866 65e214b Thanks @​GameRoMan! - Fixes Astro.glob to be correctly marked as deprecated

• #​14894 1ad9a5b Thanks @​delucis! - Fixes support for Astro component rendering in Vitest test suites using a “client” environment such as happy-dom or jsdom

• #​14782 abed929 Thanks @​florian-lefebvre! - Improves syncing

v5.16.0

Compare Source

Minor Changes

• #​13880 1a2ed01 Thanks @​azat-io! - Adds experimental SVGO optimization support for SVG assets

  Astro now supports automatic SVG optimization using SVGO during build time. This experimental feature helps reduce SVG file sizes while maintaining visual quality, improving your site's performance.

  To enable SVG optimization with default settings, add the following to your astro.config.mjs:

  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      svgo: true,
    },
  });

  To customize optimization, pass a SVGO configuration object:

  export default defineConfig({
    experimental: {
      svgo: {
        plugins: [
          'preset-default',
          {
            name: 'removeViewBox',
            active: false,
          },
        ],
      },
    },
  });

  For more information on enabling and using this feature in your project, see the experimental SVG optimization docs.

• #​14810 2e845fe Thanks @​ascorbic! - Adds a hint for code agents to use the --yes flag to skip prompts when running astro add

• #​14698 f42ff9b Thanks @​mauriciabad! - Adds the ActionInputSchema utility type to automatically infer the TypeScript type of an action's input based on its Zod schema

  For example, this type can be used to retrieve the input type of a form action:

  import { type ActionInputSchema, defineAction } from 'astro:actions';
  import { z } from 'astro/zod';
  
  const action = defineAction({
    accept: 'form',
    input: z.object({ name: z.string() }),
    handler: ({ name }) => ({ message: `Welcome, ${name}!` }),
  });
  
  type Schema = ActionInputSchema<typeof action>;
  // typeof z.object({ name: z.string() })
  
  type Input = z.input<Schema>;
  // { name: string }

• #​14574 4356485 Thanks @​jacobdalamb! - Adds new CLI shortcuts available when running astro preview:

  • o + enter: open the site in your browser
  • q + enter: quit the preview
  • h + enter: print all available shortcuts

Patch Changes

• #​14813 e1dd377 Thanks @​ematipico! - Removes picocolors as dependency in favor of the fork piccolore.

• #​14609 d774306 Thanks @​florian-lefebvre! - Improves astro info

• #​14796 c29a785 Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

  Updates the default subsets to ["latin"]

  Subsets have been a common source of confusion: they caused a lot of files to be downloaded by default. You now have to manually pick extra subsets.

  Review your Astro config and update subsets if you need, for example if you need greek characters:

  import { defineConfig, fontProviders } from "astro/config"
  
  export default defineConfig({
      experimental: {
          fonts: [{
              name: "Roboto",
              cssVariable: "--font-roboto",
              provider: fontProviders.google(),
  +            subsets: ["latin", "greek"]
          }]
      }
  })

v5.15.9

Compare Source

Patch Changes

• #​14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

• #​14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

• #​14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

  In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    images: {
      remotePatterns: [
        {
          protocol: 'data',
        },
      ],
    },
  });

• #​14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

  Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

• #​14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

• Updated dependencies [9e9c528, 0f75f6b]:

  • @​astrojs/internal-helpers@​0.7.5
  • @​astrojs/markdown-remark@​6.3.9

v5.15.8

Compare Source

Patch Changes

• #​14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

  Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

• #​14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

  Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

v5.15.7

Compare Source

Patch Changes

• #​14765 03fb47c Thanks @​florian-lefebvre! - Fixes a case where process.env wouldn't be properly populated during the build

• #​14690 ae7197d Thanks @​fredriknorlin! - Fixes a bug where Astro's i18n fallback system with fallbackType: 'rewrite' would not generate fallback files for pages whose filename started with a locale key.

v5.15.6

Compare Source

Patch Changes

• #​14751 18c55e1 Thanks @​delucis! - Fixes hydration of client components when running the dev server and using a barrel file that re-exports both Astro and UI framework components.

• #​14750 35122c2 Thanks @​florian-lefebvre! - Updates the experimental Fonts API to log a warning if families with a conflicting cssVariable are provided

• #​14737 74c8852 Thanks @​Arecsu! - Fixes an error when using transition:persist with components that use declarative Shadow DOM. Astro now avoids re-attaching a shadow root if one already exists, preventing "Unable to re-attach to existing ShadowDOM" navigation errors.

• #​14750 35122c2 Thanks @​florian-lefebvre! - Updates the experimental Fonts API to allow for more granular configuration of remote font families

  A font family is defined by a combination of properties such as weights and styles (e.g. weights: [500, 600] and styles: ["normal", "bold"]), but you may want to download only certain combinations of these.

  For greater control over which font files are downloaded, you can specify the same font (ie. with the same cssVariable, name, and provider properties) multiple times with different combinations. Astro will merge the results and download only the required files. For example, it is possible to download normal 500 and 600 while downloading only italic 500:

  // astro.config.mjs
  import { defineConfig, fontProviders } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      fonts: [
        {
          name: 'Roboto',
          cssVariable: '--roboto',
          provider: fontProviders.google(),
          weights: [500, 600],
          styles: ['normal'],
        },
        {
          name: 'Roboto',
          cssVariable: '--roboto',
          provider: fontProviders.google(),
          weights: [500],
          styles: ['italic'],
        },
      ],
    },
  });

v5.15.5

Compare Source

Patch Changes

• #​14712 91780cf Thanks @​florian-lefebvre! - Fixes a case where build's process.env would be inlined in the server output

• #​14713 666d5a7 Thanks @​florian-lefebvre! - Improves fallbacks generation when using the experimental Fonts API

• #​14743 dafbb1b Thanks @​matthewp! - Improves X-Forwarded header validation to prevent cache poisoning and header injection attacks. Now properly validates X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers against configured allowedDomains patterns, rejecting malformed or suspicious values. This is especially important when running behind a reverse proxy or load balancer.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: d3951f5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.69%. Comparing base (e73a6d5) to head (d3951f5).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #148   +/-   ##
=======================================
  Coverage   91.69%   91.69%           
=======================================
  Files          20       20           
  Lines         301      301           
  Branches       62       62           
=======================================
  Hits          276      276           
  Misses         25       25           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.