
[Aikido] Fix 8 security issues in esbuild, devalue, astro #7

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-52476968-osmx

Conversation

aikido-autofix[bot] commented Jun 20, 2026


Upgrade esbuild, devalue, and astro to fix binary execution, memory exhaustion, SSRF, and reflected XSS vulnerabilities.

✅ Code not affected by breaking changes.

✅ No breaking changes from either the esbuild (0.27.7 => 0.28.1) or Astro (5.18.1 => 6.4.6) upgrades affect this codebase.

Key findings:

  1. Node.js version requirement (Astro 6.0.0): The codebase has no explicit Node.js version constraint in package.json. The package-lock.json shows Astro 6 requires Node.js >=22.12.0, but this is a runtime requirement, not a breaking code change.

  2. import.meta.env.BASE_URL usage: The codebase uses import.meta.env.BASE_URL extensively (found in 17+ files), but does NOT use the deprecated import.meta.env.ASSETS_PREFIX, so the deprecation doesn't affect it.

  3. Configuration format: The project uses astro.config.mjs (ES modules), not CommonJS, so the removal of CommonJS config support doesn't apply.

  4. TypeScript configuration: Uses the simple extends: "astro/tsconfigs/strict" pattern, which will automatically adapt to Astro 6's TypeScript changes.

  5. No affected APIs: The codebase doesn't use any of the deprecated or removed APIs:

    • No Integration API hooks (astro:build:ssr, astro:build:done)

    • No Adapter API usage (loadManifest(), loadApp(), NodeApp, etc.)

    • No content collections or Zod schemas (astro:content, astro:schema)

    • No Astro.glob(), ViewTransitions, ClientRouter, or Actions

    • No session drivers, CSP configuration, or experimental flags

    • No getStaticPaths() usage

    • No <script> or <style> tags that would be affected by rendering order changes

  6. esbuild changes: The integrity check hash changes only affect installation fallback paths, not runtime behavior.

The codebase is a straightforward static site using Astro with React integration, and none of the breaking changes in Astro 6 affect its current implementation.

All breaking changes by upgrading esbuild from version 0.27.7 to 0.28.1 (CHANGELOG)

| Version | Description |
| --- | --- |
| 0.28.0 | Integrity check hashes for all platform-specific binary packages are now embedded in the top-level esbuild package, which could affect the fallback download path during installation |

All breaking changes by upgrading astro from version 5.18.1 to 6.4.8 (CHANGELOG)

| Version | Description |
| --- | --- |
| 6.0.0 | Removes entryPoints on astro:build:ssr hook (Integration API) |
| 6.0.0 | Deprecates loadManifest() and loadApp() from astro/app/node (Adapter API) |
| 6.0.0 | Removes session test driver |
| 6.0.0 | Renames entryType to entrypointResolution in Adapter API and updates possible values: legacy-dynamic becomes explicit, self becomes auto |
| 6.0.0 | Removes the deprecated emitESMImage() function |
| 6.0.0 | Deprecates session driver string signature |
| 6.0.0 | Adds support for converting SVGs to raster images (PNGs, WebP, etc) to the default Sharp image service |
| 6.0.0 | Removes routes on astro:build:done hook (Integration API) |
| 6.0.0 | Throws an error when getImage() from astro:assets is called on the client |
| 6.0.0 | Removes the old app.render() signature (Adapter API) |
| 6.0.0 | Upgrades to Zod v4 for schema validation |
| 6.0.0 | Updates how schema types are inferred for content loaders with schemas (Loader API) |
| 6.0.0 | Removes support for CommonJS config files |
| 6.0.0 | Removes prefetch() with option |
| 6.0.0 | Removes support for routes with percent-encoded percent signs (e.g. %25) |
| 6.0.0 | Deprecates Astro in getStaticPaths() |
| 6.0.0 | Removes the option to define dynamic schemas in content loaders as functions and adds a new equivalent createSchema() property (Loader API) |
| 6.0.0 | Updates trailing slash behavior of endpoint URLs |
| 6.0.0 | Updates Markdown heading ID generation |
| 6.0.0 | Deprecates import.meta.env.ASSETS_PREFIX |
| 6.0.0 | Changes the values allowed in params returned by getStaticPaths() |
| 6.0.0 | Changes TypeScript configuration |
| 6.0.0 | Removes the previously deprecated Astro.glob() |
| 6.0.0 | Removes the ability to render Astro components in Vitest client environments |
| 6.0.0 | Deprecates createExports() and start() (Adapter API) |
| 6.0.0 | Deprecates NodeApp from astro/app/node (Adapter API) |
| 6.0.0 | Removes the handleForms prop for the <ClientRouter /> component |
| 6.0.0 | Increases minimum Node.js version to 22.12.0 |
| 6.0.0 | Adds frontmatter parsing support to renderMarkdown in content loaders - frontmatter is now extracted and excluded from HTML output |
| 6.0.0 | Removes the deprecated <ViewTransitions /> component |
| 6.0.0 | Removes RouteData.generate from the Integration API |
| 6.0.0 | Changes the default routing configuration value of i18n.routing.redirectToDefaultLocale from true to false |
| 6.0.0 | Deprecates exposed astro:transitions internals |
| 6.0.0 | Updates dependency shiki to v4 |
| 6.0.0 | Removes the setManifestData method from App and NodeApp (Adapter API) |
| 6.0.0 | Removes rewrite() from Actions context |
| 6.0.0 | Removes the experimental.failOnPrerenderConflict flag and replaces it with a new configuration option prerenderConflictBehavior |
| 6.0.0 | Deprecates astro:schema and z from astro:content in favor of astro/zod |
| 6.0.0 | Removes exposed astro:actions internals |
| 6.0.0 | Changes the shape of SSRManifest properties and adds several new required properties in the Adapter API |
| 6.0.0 | Allows Astro.csp and context.csp to be undefined instead of throwing errors when csp: true is not configured - methods must now be accessed conditionally |
| 6.0.0 | Upgrades to Vite v7.0 as the development server and production bundler |
| 6.0.0 | Changes how styles of responsive images are emitted |
| 6.0.0 | Changes integration hooks and HMR access patterns in the Integration API |
| 6.0.0 | Removes the unused astro:ssr-manifest virtual module |
| 6.0.0 | Updates import.meta.env values to always be inlined |
| 6.0.0 | Updates <script> and <style> tags to render in the order they are defined |
| 6.0.0 | Removes legacy content collection support |
| 6.0.0 | Removes the experimental.fonts flag and replaces it with a new configuration option fonts |
| 6.0.0 | Removes the experimental.csp flag and replaces it with a new configuration option security.csp |

✅ 8 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| AIKIDO-2026-445064 | HIGH | [esbuild] A vulnerability allows attackers to redirect binary downloads to malicious sources by manipulating the NPM_CONFIG_REGISTRY environment variable, enabling remote code execution since downloaded binaries lack SHA-256 integrity verification before execution. |
| CVE-2026-42570 | HIGH | [devalue] Deserialization of sparse arrays causes excessive memory allocation due to JavaScript engine quirks, leading to denial of service through memory exhaustion. |
| CVE-2026-54299 | HIGH | [astro] SSR apps with prerendered error pages fetch them over HTTP using an unvalidated Host header, allowing attackers to redirect the fetch to arbitrary hosts and read responses. This affects deployments using createRequestFromNodeRequest without overriding prerenderedErrorPageFetch. |
| CVE-2026-50146 | HIGH | [astro] Astro fails to HTML-escape slot names in data-astro-template attributes when using client:* directives, allowing attackers to inject arbitrary HTML and execute reflected XSS attacks during server-side rendering. |
| AIKIDO-2026-10849 | MEDIUM | [astro] Unescaped slot names in server-rendered hydrated components allow attackers to inject HTML/JavaScript into SSR responses, enabling reflected XSS attacks when user-controlled input is used as slot names. |
| CVE-2026-41067 | MEDIUM | [astro] A case-sensitive regex in the defineScriptVars function fails to sanitize script tag closures, allowing attackers to bypass sanitization using case variations or whitespace (e.g., </Script>, </script >) to inject arbitrary HTML/JavaScript via the define:vars directive. |
| CVE-2026-45028 | MEDIUM | [astro] Encryption replay vulnerability in server island props and slots allows attackers to swap encrypted values between components, potentially leading to XSS when slots containing unescaped HTML are substituted with user-controlled props. |
| CVE-2026-54298 | MEDIUM | [astro] Attribute names in spread syntax are not escaped, allowing attackers to inject malicious HTML attributes and event handlers when object keys come from untrusted sources. This enables arbitrary JavaScript execution (XSS) in victim browsers. |

🤖 Remediation details

Fix security vulnerabilities in esbuild, devalue, and astro

Short summary

This PR remediates vulnerabilities in three npm packages — esbuild, devalue, and astro — by updating direct dependencies in the root package.json and refreshing package-lock.json. Because devalue and esbuild are transitive dependencies pulled in through astro and vite, the fixes required bumping astro and @astrojs/react to new major versions, and adding a targeted overrides entry for esbuild where no stable parent-bump path existed.

astro

astro is declared directly in the root package.json and was resolved at 5.18.1, which falls within the vulnerable range for multiple advisories. The declared spec was updated from ^5.7.10 to ^6.4.6, resolving to 6.4.8 in the lockfile. This is a major-version bump (5 → 6) and is the minimum change that satisfies all patched-version requirements for astro itself.

devalue

devalue is a transitive dependency pulled in by astro (spec ^5.6.2 in astro 5.x). Bumping astro to ^6.4.6 caused npm to resolve devalue to 5.8.1 (astro 6.x declares ^5.8.1), which satisfies the patched-version floor. No direct manifest change to devalue was needed; the fix flows entirely from the astro parent bump.

esbuild

esbuild is a transitive dependency with two resolution paths. The first path ran through astro → vite (nested); bumping astro to 6.x caused it to pull in vite 7.x as the hoisted copy, which eliminated the separate node_modules/vite/node_modules/esbuild instance at 0.25.12. However, vite 7.x still declares esbuild as ^0.27.0 (a 0.x caret range that caps at <0.28.0), so the resolved version remained 0.27.7 — below the patched floor of 0.28.1. No stable parent version (astro 7.x is pre-release; vite 8.x requires it) could widen that range, so a targeted override "esbuild@<0.28.1": "0.28.1" was added to the root package.json as a last resort. Additionally, @astrojs/react was bumped from ^4.2.1 to ^5.0.0 (major bump) because @astrojs/react 4.x declared vite ^6.4.1, which kept a separate vite 6.x instance (with its own nested esbuild 0.25.x) hoisted; @astrojs/react 5.x declares ^7.3.2, consolidating all consumers onto the single vite 7.x copy and removing the vulnerable nested esbuild instance entirely.

Version changes

| Package | From | To | Why updated |
| --- | --- | --- | --- |
| astro | ^5.7.10 / 5.18.1 | ^6.4.6 / 6.4.8 | Direct CVE fix (major bump) |
| @astrojs/react | ^4.2.1 / 4.4.2 | ^5.0.0 / 5.0.7 | Parent bump required to eliminate vite 6.x / nested esbuild 0.25.x instance |
| devalue | 5.7.1 | 5.8.1 | Transitive fix after astro parent bump |
| esbuild | 0.27.7 + 0.25.12 (two instances) | 0.28.1 (one instance) | Override (esbuild@<0.28.1) after all parent-bump paths exhausted; nested 0.25.x instance removed by @astrojs/react bump |
| vite | 6.4.2 (hoisted) | 7.3.5 (hoisted) | Transitive after @astrojs/react parent bump; eliminates nested esbuild 0.25.x |
| @vitejs/plugin-react | 4.7.0 | 5.2.0 | Transitive after @astrojs/react parent bump |

aikido-autofix[bot] (Author) commented:

Closed by Aikido: a new AutoFix has been created → #10

aikido-autofix[bot] closed this Jun 27, 2026
aikido-autofix[bot] deleted the fix/aikido-security-update-packages-52476968-osmx branch June 27, 2026 00:23