
build(deps): bump astro from 6.3.1 to 6.3.3 #103

Merged: theagenticguy merged 1 commit into main from dependabot/npm_and_yarn/astro-6.3.1 on May 14, 2026


@dependabot dependabot Bot commented on behalf of github May 13, 2026

Bumps astro from 6.3.1 to 6.3.3.

Release notes

Sourced from astro's releases.

astro@6.3.3

Patch Changes

  • #16737 bd84f33 Thanks @​matthewp! - Fixes a reflected XSS vulnerability where slot names on hydrated components were not HTML-escaped in SSR output

astro@6.3.2

Patch Changes

  • #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

    The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code to call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

  • #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

  • #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

  • #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

  • #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

  • #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

  • #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

  • #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

  • #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &#38;) in <meta> tags when viewed in link previews or raw HTML.

  • Updated dependencies [d365c97, 9256345]:

    • @​astrojs/internal-helpers@​0.9.1
    • @​astrojs/markdown-remark@​7.1.2
Changelog

Sourced from astro's changelog.

6.3.3

Patch Changes

  • #16737 bd84f33 Thanks @​matthewp! - Fixes a reflected XSS vulnerability where slot names on hydrated components were not HTML-escaped in SSR output

6.3.2

Patch Changes

  • #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

    The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code to call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

  • #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

  • #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

  • #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

  • #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

  • #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

  • #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

  • #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

  • #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &#38;) in <meta> tags when viewed in link previews or raw HTML.

  • Updated dependencies [d365c97, 9256345]:

    • @​astrojs/internal-helpers@​0.9.1
    • @​astrojs/markdown-remark@​7.1.2
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 13, 2026
@dependabot dependabot Bot requested a review from theagenticguy as a code owner May 13, 2026 08:35
theagenticguy added a commit that referenced this pull request May 14, 2026
## Summary

Consolidates all 11 open Dependabot PRs into one unified update so the
lockfile resolves once, CI runs once, and review is a single place.

**Supersedes:** #98, #99, #100, #101, #102, #103, #104, #105, #106,
#107, #108.

### npm_and_yarn group

- `@biomejs/biome` 2.4.14 → 2.4.15 (root)
- `@commitlint/cli` 21.0.0 → 21.0.1 (root)
- `@commitlint/config-conventional` 20.5.3 → 21.0.1 (root)
- `@types/node` 25.6.0 / 25.6.2 → 25.7.0 (root + 17 workspace packages)
- `@astrojs/starlight` ^0.38.4 → ^0.39.2 (packages/docs)
- `astro` ^6.2.1 → ^6.3.1 (packages/docs)
- `playwright` ^1.59.1 → ^1.60.0 (packages/docs)
- `starlight-llms-txt` ^0.8.1 → ^0.9.0 (packages/docs)
- `fast-xml-parser` 5.7.3 → 5.8.0 (packages/ingestion)
- `yaml` 2.8.4 → 2.9.0 (cli, frameworks, policy, sarif)
- `@chonkiejs/core` ^0.0.9 → ^0.0.10 (packages/pack)

### github_actions group

- `actions/cache` v4.2.3 → v5.0.5 (`.github/workflows/och-self-scan.yml`)
- `sigstore/cosign-installer` v3.7.0 → v4.1.2 (`.github/workflows/release.yml`)

### Follow-ups (required for Starlight 0.39)

- `biome.json`: bump `$schema` URL to `2.4.15` so Biome stops emitting the
  mismatch info diagnostic.
- `packages/docs/astro.config.mjs`: migrate sidebar groups to the
  v0.39 shape (`items: [{ autogenerate: { directory: ... } }]`).
  Starlight 0.39 removed support for `autogenerate` on a label-only
  group; the docs build fails without this change.

## Test plan

- [x] `pnpm install --lockfile-only` regenerates the lockfile cleanly.
- [x] `pnpm install` succeeds (no peer-dep breakage).
- [x] `pnpm typecheck` passes across all 19 workspace projects.
- [x] `pnpm lint` passes (Biome 2.4.15 — 0 findings after `$schema` bump).
- [x] `pnpm -r build` passes, including `@opencodehub/docs` on Starlight 0.39.2.
- [x] `pnpm -r test` passes (full suite green; the earlier storage failure
  was stale `dist/` from the prior lockfile — rebuilt and re-tested).
- [x] Pre-push hook (`verdict` + `typecheck` + `test`) passed on the final push.
@dependabot dependabot Bot changed the title build(deps): bump astro from 6.2.1 to 6.3.1 build(deps): bump astro from 6.3.1 to 6.3.3 May 14, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/astro-6.3.1 branch from 3ab69ad to 6dcd4da Compare May 14, 2026 14:23
@theagenticguy
Owner

@dependabot rebase

Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) from 6.3.1 to 6.3.3.
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.3.3/packages/astro)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/astro-6.3.1 branch from 6dcd4da to 20f957e Compare May 14, 2026 17:07
@theagenticguy theagenticguy merged commit bf18da6 into main May 14, 2026
37 checks passed
@theagenticguy theagenticguy deleted the dependabot/npm_and_yarn/astro-6.3.1 branch May 14, 2026 17:58
theagenticguy added a commit that referenced this pull request May 15, 2026
## Summary

Pins `devalue` to 5.8.1+ via pnpm-workspace.yaml overrides. Versions
5.6.3..5.8.0 are vulnerable to **GHSA-77vg-94rm-hx3p** (HIGH, 7.5) —
DoS via sparse-array deserialization. Advisory published 2026-05-14
20:23 UTC, ~3.5h after #103 (astro 6.3.1 → 6.3.3) merged.

## Impact path

`devalue` is pulled in transitively by `astro@6.3.3` → consumed only
by `@opencodehub/docs` (`"private": true`, builds the static docs
site, never published). None of the 17 published `@opencodehub/*`
tarballs depend on devalue. **Runtime exposure to the published
artifacts is zero.**

## Why this PR exists

The release pipeline (`release.yml`) does not run `pnpm audit`, so
the CVE wouldn't actually break a release. But the **pre-release
gate** on release-please PRs *does* run `pnpm audit --audit-level=high
--prod`, and that's currently failing on #97 (the release PR for
`root-v0.4.0` + `cli-v0.3.0`). Patching devalue cleanly is the
defensible engineering move:

1. Eliminates the audit failure on #97 without bypassing branch
   protection.
2. Closes Dependabot alert #44.
3. Auto-reverts once astro ships a version that already pins
   `devalue >= 5.8.1` (the override is keyed on `devalue@<5.8.1`).

## Verified locally

- `pnpm install --frozen-lockfile` → ok
- `pnpm audit --audit-level=high --prod` → "No known vulnerabilities found"
- `pnpm typecheck` → green across all 19 workspace projects
- `pnpm --filter @opencodehub/docs build` → 63 pages, completes
- `pnpm why devalue` → resolves to 5.8.1 (was 5.8.0)

## Test plan

- [x] CI must surface `pnpm audit (high+)` and `osv` as PASSING on
      this branch (both are non-required but currently failing on
      #97; this PR is the fix).
- [x] Typecheck and full test suite must remain green.
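
A lockfile check for the version range named in the commit message above, as an added example that is not part of the pull request or the project's code. The lockfile excerpt is constructed, and the function names (`findVulnerableDevalue`, `isVulnerable`) are hypothetical; it assumes pnpm's `name@version:` package-key layout.

```javascript
// Added example: flag resolved devalue versions inside the range the commit
// message gives for GHSA-77vg-94rm-hx3p (5.6.3 through 5.8.0 inclusive).

// Constructed pnpm-lock.yaml excerpt (not the repository's real lockfile).
const SAMPLE_LOCK = `
packages:

  astro@6.3.3:
    resolution: {integrity: sha512-CONSTRUCTED}

  devalue@5.8.0:
    resolution: {integrity: sha512-CONSTRUCTED}

  devalue@5.8.1:
    resolution: {integrity: sha512-CONSTRUCTED}
`;

const VULN_MIN = [5, 6, 3];
const VULN_MAX = [5, 8, 0];

// Parse "x.y.z" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-part numeric comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  return compare(v, VULN_MIN) >= 0 && compare(v, VULN_MAX) <= 0;
}

// Collect every devalue version from indented package keys such as
// "  devalue@5.8.0:" (optionally quoted) and return the vulnerable ones.
function findVulnerableDevalue(lockText) {
  const keyRe = /^[ \t]+['"]?devalue@([^'":(\s]+)/gm;
  const versions = new Set();
  for (const m of lockText.matchAll(keyRe)) versions.add(m[1]);
  return [...versions].filter(isVulnerable).sort();
}

console.log(findVulnerableDevalue(SAMPLE_LOCK));
```

Run against a real `pnpm-lock.yaml` by reading the file and passing its text to `findVulnerableDevalue`; an empty array means no resolved copy falls in the stated range.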