
[Aikido] Fix 8 security issues in esbuild, devalue, astro #6

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-52476975-11yb

Conversation

aikido-autofix Bot commented Jun 20, 2026

Upgrade esbuild, devalue, and astro to fix binary execution, memory exhaustion, SSRF, and reflected XSS vulnerabilities. This update includes breaking changes that require manual migration.

⚠️ Code affected by breaking changes.

⚠️ The Astro upgrade from 5.18.1 to 6.4.6 introduces a critical breaking change that affects this codebase:

Node.js Version Requirement (Breaking Change)

  • Where your code is affected: The entire project is affected. The package.json file does not specify an engines field, and Astro 6.0.0 now requires Node.js version >=22.12.0 (previously supported 18.20.8 || ^20.3.0 || >=22.0.0). The package-lock.json shows that @astrojs/prism and other Astro 6.x dependencies now enforce "node": ">=22.12.0".

  • Impact: The project will fail to install or run if the Node.js version is below 22.12.0. This is a hard requirement enforced by the package's engines field.

  • Remediation: Upgrade the Node.js runtime environment to version 22.12.0 or higher before upgrading Astro. Add an engines field to package.json to document this requirement and prevent installation on incompatible Node.js versions.

Note: While Astro 6.0 includes many other breaking changes (TypeScript configuration changes, Vite 7 upgrade, Zod v4 upgrade, etc.), none of the other breaking changes affect this codebase because:

  • The codebase uses import.meta.env.BASE_URL which continues to work (only ASSETS_PREFIX was deprecated)

  • No content collections, integrations hooks, adapter APIs, or other advanced Astro features are used

  • The configuration file is already in ESM format (.mjs)

  • The TypeScript config extends astro/tsconfigs/strict which will be automatically updated by Astro

The esbuild upgrade (0.27.7 => 0.28.1) does not introduce breaking changes that affect this codebase.

All breaking changes by upgrading esbuild from version 0.27.7 to 0.28.1 (CHANGELOG)

| Version | Description |
| --- | --- |
| 0.28.0 | Integrity check hashes for all platform-specific binary packages are now embedded in the top-level esbuild package, which could affect the fallback download path during installation |

All breaking changes by upgrading astro from version 5.18.1 to 6.4.8 (CHANGELOG)

| Version | Description |
| --- | --- |
| 6.0.0 | Removes entryPoints on astro:build:ssr hook (Integration API) |
| 6.0.0 | Deprecates loadManifest() and loadApp() from astro/app/node (Adapter API) |
| 6.0.0 | Removes session test driver |
| 6.0.0 | Renames entryType to entrypointResolution in Adapter API and updates possible values: legacy-dynamic becomes explicit, self becomes auto |
| 6.0.0 | Removes the deprecated emitESMImage() function |
| 6.0.0 | Deprecates session driver string signature |
| 6.0.0 | Adds support for converting SVGs to raster images (PNGs, WebP, etc) to the default Sharp image service |
| 6.0.0 | Removes routes on astro:build:done hook (Integration API) |
| 6.0.0 | Throws an error when getImage() from astro:assets is called on the client |
| 6.0.0 | Removes the old app.render() signature (Adapter API) |
| 6.0.0 | Upgrades to Zod v4 for schema validation |
| 6.0.0 | Updates how schema types are inferred for content loaders with schemas (Loader API) |
| 6.0.0 | Removes support for CommonJS config files |
| 6.0.0 | Removes prefetch() with option |
| 6.0.0 | Removes support for routes with percent-encoded percent signs (e.g. %25) |
| 6.0.0 | Deprecates Astro in getStaticPaths() |
| 6.0.0 | Removes the option to define dynamic schemas in content loaders as functions and adds a new equivalent createSchema() property (Loader API) |
| 6.0.0 | Updates trailing slash behavior of endpoint URLs |
| 6.0.0 | Updates Markdown heading ID generation |
| 6.0.0 | Deprecates import.meta.env.ASSETS_PREFIX |
| 6.0.0 | Changes the values allowed in params returned by getStaticPaths() |
| 6.0.0 | Changes TypeScript configuration |
| 6.0.0 | Removes the previously deprecated Astro.glob() |
| 6.0.0 | Removes the ability to render Astro components in Vitest client environments |
| 6.0.0 | Deprecates createExports() and start() (Adapter API) |
| 6.0.0 | Deprecates NodeApp from astro/app/node (Adapter API) |
| 6.0.0 | Removes the handleForms prop for the `<ClientRouter />` component |
| 6.0.0 | Increases minimum Node.js version to 22.12.0 |
| 6.0.0 | Adds frontmatter parsing support to renderMarkdown in content loaders - frontmatter is now extracted and excluded from HTML output |
| 6.0.0 | Removes the deprecated `<ViewTransitions />` component |
| 6.0.0 | Removes RouteData.generate from the Integration API |
| 6.0.0 | Changes the default routing configuration value of i18n.routing.redirectToDefaultLocale from true to false |
| 6.0.0 | Deprecates exposed astro:transitions internals |
| 6.0.0 | Updates dependency shiki to v4 |
| 6.0.0 | Removes the setManifestData method from App and NodeApp (Adapter API) |
| 6.0.0 | Removes rewrite() from Actions context |
| 6.0.0 | Removes the experimental.failOnPrerenderConflict flag and replaces it with a new configuration option prerenderConflictBehavior |
| 6.0.0 | Deprecates astro:schema and z from astro:content in favor of astro/zod |
| 6.0.0 | Removes exposed astro:actions internals |
| 6.0.0 | Changes the shape of SSRManifest properties and adds several new required properties in the Adapter API |
| 6.0.0 | Allows Astro.csp and context.csp to be undefined instead of throwing errors when csp: true is not configured - methods must now be accessed conditionally |
| 6.0.0 | Upgrades to Vite v7.0 as the development server and production bundler |
| 6.0.0 | Changes how styles of responsive images are emitted |
| 6.0.0 | Changes integration hooks and HMR access patterns in the Integration API |
| 6.0.0 | Removes the unused astro:ssr-manifest virtual module |
| 6.0.0 | Updates import.meta.env values to always be inlined |
| 6.0.0 | Updates `<script>` and `<style>` tags to render in the order they are defined |
| 6.0.0 | Removes legacy content collection support |
| 6.0.0 | Removes the experimental.fonts flag and replaces it with a new configuration option fonts |
| 6.0.0 | Removes the experimental.csp flag and replaces it with a new configuration option security.csp |

✅ 8 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| AIKIDO-2026-445064 | HIGH | [esbuild] A vulnerability allows attackers to redirect binary downloads to malicious sources by manipulating the NPM_CONFIG_REGISTRY environment variable, enabling remote code execution since downloaded binaries lack SHA-256 integrity verification before execution. |
| CVE-2026-42570 | HIGH | [devalue] Deserialization of sparse arrays causes excessive memory allocation due to JavaScript engine quirks, leading to denial of service through memory exhaustion. |
| CVE-2026-54299 | HIGH | [astro] SSR apps with prerendered error pages fetch them over HTTP using an unvalidated Host header, allowing attackers to redirect the fetch to arbitrary hosts and read responses. This affects deployments using createRequestFromNodeRequest without overriding prerenderedErrorPageFetch. |
| CVE-2026-50146 | HIGH | [astro] Astro fails to HTML-escape slot names in data-astro-template attributes when using client:* directives, allowing attackers to inject arbitrary HTML and execute reflected XSS attacks during server-side rendering. |
| AIKIDO-2026-10849 | MEDIUM | [astro] Unescaped slot names in server-rendered hydrated components allow attackers to inject HTML/JavaScript into SSR responses, enabling reflected XSS attacks when user-controlled input is used as slot names. |
| CVE-2026-41067 | MEDIUM | [astro] A case-sensitive regex in the defineScriptVars function fails to sanitize script tag closures, allowing attackers to bypass sanitization using case variations or whitespace (e.g., `</Script>`, `</script >`) to inject arbitrary HTML/JavaScript via the define:vars directive. |
| CVE-2026-45028 | MEDIUM | [astro] Encryption replay vulnerability in server island props and slots allows attackers to swap encrypted values between components, potentially leading to XSS when slots containing unescaped HTML are substituted with user-controlled props. |
| CVE-2026-54298 | MEDIUM | [astro] Attribute names in spread syntax are not escaped, allowing attackers to inject malicious HTML attributes and event handlers when object keys come from untrusted sources. This enables arbitrary JavaScript execution (XSS) in victim browsers. |

🤖 Remediation details

Fix security vulnerabilities in esbuild, devalue, and astro

Short summary

This PR remediates high- and medium-severity vulnerabilities in three packages: astro, devalue, and esbuild. The fix involves a major-version bump of the direct astro dependency in the root package.json (from the 5.x to 6.x line), which also pulls in a patched devalue transitively. An overrides entry was added to the root package.json to force all esbuild instances below 0.28.1 up to the patched version, since no stable parent-chain path could deliver esbuild ≥ 0.28.1 through either the astro-nested or root vite copies. The package-lock.json was updated accordingly.

astro

astro is a direct dependency declared in the root package.json. Its declared range was raised from ^5.7.10 to ^6.4.6, resolving to 6.4.8 in the lockfile. The entire 5.x line is vulnerable across multiple CVEs spanning versions up to 6.4.5; the 6.x line beginning at 6.1.6 (and fully patched at 6.4.6) is required to satisfy all advisories simultaneously. This is a semver-major bump but is the minimum change that clears all reported astro vulnerabilities.

devalue

devalue is a transitive dependency pulled in by astro. No direct declaration exists in any workspace manifest; the fix is entirely a consequence of bumping astro to 6.4.8, which declares devalue ^5.8.1 and resolves it to 5.8.1 in the lockfile. The previously resolved 5.7.1 is vulnerable; 5.8.1 is the patched floor.

esbuild

esbuild appears as a transitive dependency under two separate parent chains: astro → astro/node_modules/vite@7.3.5 → esbuild and the root vite@6.4.3 → esbuild. Both chains were stuck below 0.28.1: astro 6.x nests vite ^7.3.2 (no stable astro release upgrades this to vite 8.x), and the root vite is pinned to 6.x by @astrojs/react@4.4.2's peer dependency (no stable @astrojs/react release supports vite 8.x). After exhausting all parent-bump paths, a selector-pattern override "esbuild@<0.28.1": "0.28.1" was added to the root package.json, which consolidates all three previously separate esbuild instances into a single node_modules/esbuild@0.28.1 entry in the lockfile.

Version changes

| Package | From | To | Why updated |
| --- | --- | --- | --- |
| astro | ^5.7.10 (5.18.1 resolved) | ^6.4.6 (6.4.8 resolved) | Direct CVE fix (major bump) |
| devalue | 5.7.1 | 5.8.1 | Transitive CVE fix after astro parent bump |
| esbuild | 0.27.7 (astro chain) / 0.25.12 (vite chain) | 0.28.1 (consolidated) | CVE fix via override (esbuild@<0.28.1) — no viable parent-bump path |
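The remediation above relies on an `overrides` entry collapsing three esbuild copies into one patched instance. An added check (not part of the Aikido PR or its tooling) that walks a package-lock.json `packages` map, including nested copies under other packages' node_modules, and reports every copy of astro, devalue or esbuild still below the patched floors the PR names; the two lockfile fragments are constructed to mirror the before and after states described in the PR:

```javascript
// Added example (not the PR's own code): audit a lockfile v2/v3 "packages" map
// for every installed copy of a package and flag copies below a patched floor.
// Floors are the patched versions stated in the PR description.
const PATCHED_FLOORS = { esbuild: "0.28.1", devalue: "5.8.1", astro: "6.4.6" };

// Numeric compare of dotted versions; a pre-release suffix ("-beta.1") is dropped.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name is everything after the last "node_modules/" (scoped names included).
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Returns [{ path, version, floor }] for each copy still below its floor.
// For a real audit: findOutdated(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
function findOutdated(lock, floors = PATCHED_FLOORS) {
  const outdated = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(p);
    if (!name || !(name in floors) || !meta.version) continue;
    if (compareVersions(meta.version, floors[name]) < 0) {
      outdated.push({ path: p, version: meta.version, floor: floors[name] });
    }
  }
  return outdated;
}

// Constructed lockfile fragments: the pre-fix tree with esbuild under two parent
// chains, and the post-fix tree where the override consolidated esbuild.
const LOCK_BEFORE = { packages: {
  "node_modules/astro": { version: "5.18.1" },
  "node_modules/devalue": { version: "5.7.1" },
  "node_modules/astro/node_modules/vite/node_modules/esbuild": { version: "0.27.7" },
  "node_modules/esbuild": { version: "0.25.12" },
} };
const LOCK_AFTER = { packages: {
  "node_modules/astro": { version: "6.4.8" },
  "node_modules/devalue": { version: "5.8.1" },
  "node_modules/esbuild": { version: "0.28.1" },
} };
```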
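CVE-2026-41067 in the table above describes a case-sensitive check for the closing script tag that misses case and whitespace variants. An added illustration (not Astro's code, and not the patched fix) of why the robust mitigation when inlining server data into a script body is to escape every `<` rather than to pattern-match the closing tag; `inlineWeak`, `inlineSafe` and `hasScriptBreakout` are hypothetical names:

```javascript
// Added example (not Astro's code): inlining server values into a <script>
// body. A check that only matches the exact lowercase closing tag, like the
// class of bug CVE-2026-41067 describes, misses "</Script>" and "</script >".

// Weak: only the exact lowercase, whitespace-free closing tag is neutralised.
function inlineWeak(name, value) {
  const json = JSON.stringify(value).replace(/<\/script>/g, "<\\/script>");
  return `<script>const ${name} = ${json};</script>`;
}

// Hardened: escape every "<" as \u003c inside the JSON literal (still valid JSON
// and valid JS), plus U+2028/U+2029, which are line terminators in JS source.
// No tag can be formed inside the script body regardless of case or spacing.
function inlineSafe(name, value) {
  const json = JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `<script>const ${name} = ${json};</script>`;
}

// Detection helper: true if the script body still contains a closing script tag
// in any case or with whitespace before ">" (the parser closes the script there).
function hasScriptBreakout(html) {
  const body = html.slice("<script>".length, -"</script>".length);
  return /<\/script\s*>/i.test(body);
}

// The escaped literal must still decode to the original value for the client.
function decodesCleanly(value) {
  const escaped = JSON.stringify(value).replace(/</g, "\\u003c");
  return JSON.parse(escaped) === value;
}
```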

@aikido-autofix aikido-autofix Bot (Author) commented

Closed by Aikido: a new AutoFix has been created → #8

aikido-autofix Bot closed this Jun 27, 2026
aikido-autofix Bot deleted the fix/aikido-security-update-packages-52476975-11yb branch June 27, 2026 00:24
