chore(deps): bump astro from 5.17.1 to 6.1.8 in /site#23
Closed
dependabot[bot] wants to merge 1 commit into
Closed
chore(deps): bump astro from 5.17.1 to 6.1.8 in /site#23dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) from 5.17.1 to 6.1.8. - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@6.1.8/packages/astro) --- updated-dependencies: - dependency-name: astro dependency-version: 6.1.8 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Contributor
Author
|
Superseded by #27. |
adrianwedd
added a commit
that referenced
this pull request
May 10, 2026
Adds an `overrides` block to site/package.json to pull build-time transitive dependencies forward to patched versions. All packages here are build-toolchain only — none ship to the browser from a static Astro site, so dependabot's `scope:runtime` flag (just "in dependencies, not devDependencies") is misleading for our build. Per the 2026-05-11 dependabot triage (research/intelligence/dependabot_failurefirst_triage_2026-05-11.md in the private repo), this is the IGNORE-DEVDEP / IGNORE-NO-CONTEXT hygiene sweep. The bump is hygiene, not risk reduction — none of these attack vectors apply to a static-site `astro build` pipeline. Closed alerts (GHSA → resolved version): - #10 rollup GHSA-mw96-cpmx-2vgc → 4.60.3 (^4.59.0) - #11 fast-xml-parser GHSA-fj3w-jwp8-x2g3 → 5.7.3 (^5.7.0) - #12 svgo GHSA-xpqw-6gx7-v673 → 4.0.1 (^4.0.1) - #13 devalue GHSA-cfw5-2vxh-hr84 → 5.8.0 (^5.6.4) - #14 devalue GHSA-mwv9-gp5h-frr4 → 5.8.0 (^5.6.4) - #16 h3 GHSA-wr4h-v87w-p3r7 → 1.15.11 (^1.15.9, 1.x backport) - #17 h3 GHSA-22cc-p3c6-wpvm → 1.15.11 (^1.15.9, 1.x backport) - #19 h3 GHSA-72gr-qfp7-vwhw → 1.15.11 (^1.15.9) - #20 h3 GHSA-4hxc-9384-m385 → 1.15.11 (^1.15.9, 1.x backport) - #21 fast-xml-parser GHSA-8gc5-j5rx-235r → 5.7.3 (^5.7.0) - #23 picomatch GHSA-c2c7-rcm5-vvqj → 4.0.4 (^4.0.4) - #24 picomatch GHSA-3v7f-55p6-f55p → 4.0.4 (^4.0.4) - #26 picomatch GHSA-c2c7-rcm5-vvqj → 2.3.2 (^2.3.2, 2.x line) - #27 picomatch GHSA-3v7f-55p6-f55p → 2.3.2 (^2.3.2, 2.x line) - #28 defu GHSA-737v-mqg7-c878 → 6.1.7 (^6.1.5) - #29 vite GHSA-p9ff-h696-f583 → 6.4.2 (^6.4.2, 6.x backport) - #30 fast-xml-parser GHSA-jp2q-39xq-3w4g → 5.7.3 (^5.7.0) - #31 vite GHSA-4w7w-66w2-5vf9 → 6.4.2 (^6.4.2, 6.x backport) - #34 fast-xml-parser GHSA-gh4j-gqv2-49f6 → 5.7.3 (^5.7.0) - #35 postcss GHSA-qx2v-qp2m-jg93 → 8.5.14 (^8.5.10) Notes on dependabot fix-version vs override-target divergence: - vite: dependabot lists fix=8.0.5 (the latest line); 6.4.2 is the in-line backport per the GHSA advisory (`>= 6.4.2` patches the 6.x line). We stay on vite 6 because Astro 5 pulls vite 6. - h3: dependabot lists 2.0.1-rc.15; we use 1.15.9 per the GHSA advisory (`>= 1.15.6` and `>= 1.15.9` are the documented 1.x backports). h3 2.x is still rc. - picomatch: split override (^2 and ^4) because both major lines are pulled in transitively by separate consumers; both have CVEs. Deferred (NEEDS-REVIEW, separate PR): - #33 astro define:vars XSS — requires Astro 6 major bump, deferred pending define:vars usage audit. Verification: - npm install — clean - npm run build — 1137 pages, build complete, no errors - npm audit — 1 moderate (the deferred Astro 6 alert) remaining
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps astro from 5.17.1 to 6.1.8.
Release notes
Sourced from astro's releases.
... (truncated)
Changelog
Sourced from astro's changelog.
... (truncated)
Commits
63c5c85[ci] release (#16356)71c93ca[ci] format5a84551Improves Vue scoped style handling in DEV mode during client router navigatio...ba2dbf1refactor(astro): correct Fixture type signatures in test-utils (#16380)217c5b3perf(core): cache crawl result (#16381)6e5bc17chore: absorb tests into others (#16365)dc8a01dchore: reduce fixtures by merging them (#16364)bb0ff91refactor(astro): migrate error tests to typescript (#16377)a6866a7fix(core): clean chunk name (#16367)811015dchore: remove lone fixtures (#16363)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.