build(deps): bump astro from 5.17.1 to 5.18.1 in /site#17
Closed
dependabot[bot] wants to merge 1 commit into
Conversation
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
795e347 to d4c9e97
Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) from 5.17.1 to 5.18.1.
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/astro@5.18.1/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.18.1/packages/astro)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 5.18.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
d4c9e97 to 8f6442d
Author (Contributor) commented: Superseded by #23.
adrianwedd added a commit that referenced this pull request on May 10, 2026:
Adds an `overrides` block to site/package.json to pull build-time transitive dependencies forward to patched versions. All packages here are build-toolchain only — none ship to the browser from a static Astro site, so dependabot's `scope:runtime` flag (just "in dependencies, not devDependencies") is misleading for our build.

Per the 2026-05-11 dependabot triage (research/intelligence/dependabot_failurefirst_triage_2026-05-11.md in the private repo), this is the IGNORE-DEVDEP / IGNORE-NO-CONTEXT hygiene sweep. The bump is hygiene, not risk reduction — none of these attack vectors apply to a static-site `astro build` pipeline.

Closed alerts (GHSA → resolved version):
- #10 rollup GHSA-mw96-cpmx-2vgc → 4.60.3 (^4.59.0)
- #11 fast-xml-parser GHSA-fj3w-jwp8-x2g3 → 5.7.3 (^5.7.0)
- #12 svgo GHSA-xpqw-6gx7-v673 → 4.0.1 (^4.0.1)
- #13 devalue GHSA-cfw5-2vxh-hr84 → 5.8.0 (^5.6.4)
- #14 devalue GHSA-mwv9-gp5h-frr4 → 5.8.0 (^5.6.4)
- #16 h3 GHSA-wr4h-v87w-p3r7 → 1.15.11 (^1.15.9, 1.x backport)
- #17 h3 GHSA-22cc-p3c6-wpvm → 1.15.11 (^1.15.9, 1.x backport)
- #19 h3 GHSA-72gr-qfp7-vwhw → 1.15.11 (^1.15.9)
- #20 h3 GHSA-4hxc-9384-m385 → 1.15.11 (^1.15.9, 1.x backport)
- #21 fast-xml-parser GHSA-8gc5-j5rx-235r → 5.7.3 (^5.7.0)
- #23 picomatch GHSA-c2c7-rcm5-vvqj → 4.0.4 (^4.0.4)
- #24 picomatch GHSA-3v7f-55p6-f55p → 4.0.4 (^4.0.4)
- #26 picomatch GHSA-c2c7-rcm5-vvqj → 2.3.2 (^2.3.2, 2.x line)
- #27 picomatch GHSA-3v7f-55p6-f55p → 2.3.2 (^2.3.2, 2.x line)
- #28 defu GHSA-737v-mqg7-c878 → 6.1.7 (^6.1.5)
- #29 vite GHSA-p9ff-h696-f583 → 6.4.2 (^6.4.2, 6.x backport)
- #30 fast-xml-parser GHSA-jp2q-39xq-3w4g → 5.7.3 (^5.7.0)
- #31 vite GHSA-4w7w-66w2-5vf9 → 6.4.2 (^6.4.2, 6.x backport)
- #34 fast-xml-parser GHSA-gh4j-gqv2-49f6 → 5.7.3 (^5.7.0)
- #35 postcss GHSA-qx2v-qp2m-jg93 → 8.5.14 (^8.5.10)

Notes on dependabot fix-version vs override-target divergence:
- vite: dependabot lists fix=8.0.5 (the latest line); 6.4.2 is the in-line backport per the GHSA advisory (`>= 6.4.2` patches the 6.x line). We stay on vite 6 because Astro 5 pulls vite 6.
- h3: dependabot lists 2.0.1-rc.15; we use 1.15.9 per the GHSA advisory (`>= 1.15.6` and `>= 1.15.9` are the documented 1.x backports). h3 2.x is still rc.
- picomatch: split override (^2 and ^4) because both major lines are pulled in transitively by separate consumers; both have CVEs.

Deferred (NEEDS-REVIEW, separate PR):
- #33 astro define:vars XSS — requires Astro 6 major bump, deferred pending define:vars usage audit.

Verification:
- npm install — clean
- npm run build — 1137 pages, build complete, no errors
- npm audit — 1 moderate (the deferred Astro 6 alert) remaining
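The commit above relies on `overrides` actually reaching every transitive copy of a package, including a second major line (the split picomatch ^2/^4 override) nested under a different consumer. The script below is an added example, not code from the PR, the site repo or dependabot: it walks a `package-lock.json` (lockfile v2/v3 `packages` map) and reports any installed copy of an overridden package that is still below the per-major-line target listed in the commit message. The lockfile `SAMPLE_LOCK` is constructed for the demo (the `@scope/tool` consumer is invented), and the version comparison is a minimal hand-rolled one rather than the `semver` package so the script runs offline; note that a plain string compare would wrongly rank `1.15.9` above `1.15.11`, which is why the parts are compared numerically.

```javascript
// Added example: verify that npm `overrides` reached every transitive copy.
// Targets are the resolved versions from the commit message, keyed by major line.
const OVERRIDE_TARGETS = {
  rollup: { 4: "4.60.3" },
  "fast-xml-parser": { 5: "5.7.3" },
  svgo: { 4: "4.0.1" },
  devalue: { 5: "5.8.0" },
  h3: { 1: "1.15.11" },
  picomatch: { 2: "2.3.2", 4: "4.0.4" }, // split override: both majors are in the tree
  defu: { 6: "6.1.7" },
  vite: { 6: "6.4.2" },
  postcss: { 8: "8.5.14" },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts plus an optional prerelease tag.
function parseVersion(v) {
  const dash = v.indexOf("-");
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? null : v.slice(dash + 1);
  const nums = core.split(".").map((n) => parseInt(n, 10));
  if (nums.length !== 3 || nums.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return { nums, pre };
}

// Numeric compare of the three core parts; a prerelease sorts below the same release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Package name from a lockfile path, for top-level, nested and scoped entries.
function nameFromLockPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? null : p.slice(idx + "node_modules/".length);
}

// One finding per installed copy of an overridden package:
// "ok", "below-target", or "no-target" (a major line the overrides do not cover).
function auditLockfile(lock, targets = OVERRIDE_TARGETS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = nameFromLockPath(path);
    if (!name || !(name in targets) || !entry.version) continue;
    const major = parseVersion(entry.version).nums[0];
    const required = targets[name][major];
    let status = "no-target";
    if (required !== undefined) {
      status = compareVersions(entry.version, required) >= 0 ? "ok" : "below-target";
    }
    findings.push({ path, name, version: entry.version, required: required ?? null, status });
  }
  return findings;
}

// Copies that still need attention, i.e. anything not "ok".
function unpatchedCopies(lock, targets = OVERRIDE_TARGETS) {
  return auditLockfile(lock, targets).filter((f) => f.status !== "ok");
}

// Constructed sample lockfile: one nested picomatch 2.x copy and devalue are still behind.
const SAMPLE_LOCK = {
  name: "site",
  lockfileVersion: 3,
  packages: {
    "": { name: "site", devDependencies: { astro: "^5.18.1" } },
    "node_modules/picomatch": { version: "4.0.4" },
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.1" },
    "node_modules/h3": { version: "1.15.11" },
    "node_modules/vite": { version: "6.4.2" },
    "node_modules/devalue": { version: "5.6.4" },
    "node_modules/esbuild": { version: "0.25.0" },
    "node_modules/@scope/tool/node_modules/postcss": { version: "8.5.14" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Run against the constructed sample; swap in JSON.parse(fs.readFileSync("package-lock.json")) for a real tree.
  for (const f of unpatchedCopies(SAMPLE_LOCK)) {
    console.log(`${f.status}: ${f.path} is ${f.version}, target ${f.required ?? "none for this major"}`);
  }
}
```

Run it after `npm install` against the real lockfile; an empty report means every copy, including the nested 2.x picomatch, landed on or above the override target, which is the check `npm audit` alone does not make explicit per copy.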
Bumps astro from 5.17.1 to 5.18.1.

Release notes: sourced from astro's releases.

Changelog: sourced from astro's changelog.

Commits:
- 434d9cc [ci] release (#15829)
- c2cd371 fix(helpers): Backport remote patterns segments fix (#15828)
- 011f061 [ci] release (#15597)
- efae11c fix: X-Forwarded-Proto rejected when allowedDomains includes protocol… (#15594)
- 751ccf0 Update actionBodySizeLimit changeset and make minor (#15600)
- b7dd447 make actionBodySizeLimit configurable (#15589)
- e0f1a2b [ci] release (#15571)
- 522f880 Limit action request body size (#15564)
- 436962a chore: Upgrade Vite and esbuild (#15554)
- e01e98b Respect remote image allowlists (#15569)