Skip to content

chore(deps)(deps): Bump the "weekly-dependency-refresh" group with 2 updates across multiple ecosystems#191

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/weekly_dependency_refresh-1a6c8e1d96
Open

chore(deps)(deps): Bump the "weekly-dependency-refresh" group with 2 updates across multiple ecosystems#191
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/weekly_dependency_refresh-1a6c8e1d96

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the weekly-dependency-refresh group with 1 update: actions/checkout.

Updates actions/checkout from 6 to 7

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Bumps the weekly-dependency-refresh group with 5 updates:

Package From To
@sentry/astro 10.57.0 10.59.0
astro 6.4.6 6.4.8
@playwright/test 1.60.0 1.61.0
typescript-eslint 8.61.0 8.61.1
vitest 4.1.8 4.1.9

Updates @sentry/astro from 10.57.0 to 10.59.0

Release notes

Sourced from @​sentry/astro's releases.

10.59.0

Important Changes

  • feat(react-router): Add support for React Router v8 (#21633)

    The SDK now supports React Router v8, in both the framework and SPA (@sentry/react) modes.

  • feat(react): Add version-agnostic React Router SPA exports (#21633)

    @sentry/react now exports version-agnostic wrappers for React Router v6+ SPA instrumentation. The new exports replace the version-specific V6/V7 variants, which are now deprecated:

    Deprecated New
    reactRouterV6BrowserTracingIntegration / V7 reactRouterBrowserTracingIntegration
    withSentryReactRouterV6Routing / V7 wrapReactRouterRouting
    wrapCreateBrowserRouterV6 / V7 wrapCreateBrowserRouter
    wrapCreateMemoryRouterV6 / V7 wrapCreateMemoryRouter
    wrapUseRoutesV6 / V7 wrapUseRoutes

    The deprecated exports continue to work and will be removed in the next major version.

Other Changes

  • feat(aws-serverless): Instrument aws-sdk clients >= 3.1046.0 (#21548)
  • feat(bun): Add orchestrion bun build plugin (#21410)
  • feat(cloudflare): Instrument sync KV (#21316)
  • feat(core): Disable gen_ai message truncation by default when streamGenAiSpans is enabled (#21603)
  • feat(deno): Add orchestrion deno runtime hook (#21451)
  • feat(hono): Extend peer dependency range (#21550)
  • feat(node): Collapse orchestrion opt-in to a single option (#20900)
  • fix: Diagnostics channel Node v18 (#21631)
  • fix(browser): Clean up pageload readystatechange listener (#21632)
  • fix(core): Capture scopes on span before emitting spanStart event (#21644)
  • fix(core): Defer TwP sampling by reading trace state from the scope (#21549)
  • fix(core): Prevent outgoing HTTP instrumentation from crashing on // request paths (#21645)
  • fix(core): Set production as default sentry.environment attribute value on streamed spans (#21637)
  • fix(nextjs): Register safe random ID context at module load (#21573)
  • chore: Change deprecation/deprecation to oxlint equivalent (#21604)
  • chore: Switch license headers to SPDX format (#21357)
  • chore(deps-dev): Bump esbuild from 0.20.0 to 0.28.1 (#21511)
  • chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/test-applications/node-profiling-esm (#21514)
  • chore(deps): Bump react-router-6 to 6.30.4 (#21566)
  • ci: Assign server team as codeowner for server-utils package (#21601)
  • ci: Dedup flaky test issues across esm/cjs variants (#21595)
  • ci: Do not apply Bug label to flaky test issues (#21593)

... (truncated)

Changelog

Sourced from @​sentry/astro's changelog.

10.59.0

Important Changes

  • feat(react-router): Add support for React Router v8 (#21633)

    The SDK now supports React Router v8, in both the framework and SPA (@sentry/react) modes.

  • feat(react): Add version-agnostic React Router SPA exports (#21633)

    @sentry/react now exports version-agnostic wrappers for React Router v6+ SPA instrumentation. The new exports replace the version-specific V6/V7 variants, which are now deprecated:

    Deprecated New
    reactRouterV6BrowserTracingIntegration / V7 reactRouterBrowserTracingIntegration
    withSentryReactRouterV6Routing / V7 wrapReactRouterRouting
    wrapCreateBrowserRouterV6 / V7 wrapCreateBrowserRouter
    wrapCreateMemoryRouterV6 / V7 wrapCreateMemoryRouter
    wrapUseRoutesV6 / V7 wrapUseRoutes

    The deprecated exports continue to work and will be removed in the next major version.

Other Changes

  • feat(aws-serverless): Instrument aws-sdk clients >= 3.1046.0 (#21548)
  • feat(bun): Add orchestrion bun build plugin (#21410)
  • feat(cloudflare): Instrument sync KV (#21316)
  • feat(core): Disable gen_ai message truncation by default when streamGenAiSpans is enabled (#21603)
  • feat(deno): Add orchestrion deno runtime hook (#21451)
  • feat(hono): Extend peer dependency range (#21550)
  • feat(node): Collapse orchestrion opt-in to a single option (#20900)
  • fix: Diagnostics channel Node v18 (#21631)
  • fix(browser): Clean up pageload readystatechange listener (#21632)
  • fix(core): Capture scopes on span before emitting spanStart event (#21644)
  • fix(core): Defer TwP sampling by reading trace state from the scope (#21549)
  • fix(core): Prevent outgoing HTTP instrumentation from crashing on // request paths (#21645)
  • fix(core): Set production as default sentry.environment attribute value on streamed spans (#21637)
  • fix(nextjs): Register safe random ID context at module load (#21573)
  • chore: Change deprecation/deprecation to oxlint equivalent (#21604)
  • chore: Switch license headers to SPDX format (#21357)
  • chore(deps-dev): Bump esbuild from 0.20.0 to 0.28.1 (#21511)
  • chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/test-applications/node-profiling-esm (#21514)
  • chore(deps): Bump react-router-6 to 6.30.4 (#21566)
  • ci: Assign server team as codeowner for server-utils package (#21601)
  • ci: Dedup flaky test issues across esm/cjs variants (#21595)

... (truncated)

Commits
  • 2cb0ef6 release: 10.59.0
  • f77b265 Merge pull request #21655 from getsentry/prepare-release/10.59.0
  • 8e32a8d meta(changelog): Update changelog for 10.59.0
  • 50fe5d9 fix: Diagnostics channel Node v18 (#21631)
  • 9c765e0 feat(react-router): support react router v8 (#21633)
  • 815c1cf feat(deps): Bump @​babel/core from 7.29.0 to 7.29.6 (#21574)
  • a520447 ref(tanstackstart-react): Use @sentry/conventions (#21498)
  • 38a0485 test(cloudflare): Remove mock in DO tests (#21634)
  • cb69761 feat(deno): Add orchestrion deno runtime hook (#21451)
  • 1e057ba chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/te...
  • Additional commits viewable in compare view

Updates astro from 6.4.6 to 6.4.8

Release notes

Sourced from astro's releases.

astro@6.4.8

Patch Changes

astro@6.4.7

Patch Changes

  • #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

  • #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

    Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

    The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

  • #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

  • #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

  • #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

    When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

  • #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

    When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

    The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

  • #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

  • #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

  • #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

  • #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

  • #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

Changelog

Sourced from astro's changelog.

6.4.8

Patch Changes

6.4.7

Patch Changes

  • #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

  • #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

    Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

    The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

  • #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

  • #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

  • #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

    When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

  • #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

    When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

    The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

  • #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

  • #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

  • #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

  • #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

  • #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

Commits

Updates @playwright/test from 1.60.0 to 1.61.0

Release notes

Sourced from @​playwright/test's releases.

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();
// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
id: credentialId,
userHandle,
privateKey,
publicKey,
});
await context.credentials.install();
const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

Browser and Screencast

  • New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
  • New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
  • The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.

Test runner

  • The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
  • Supported expect.soft.poll(...).
  • New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
  • New fullConfig.failOnFlakyTests mirrors the config option, so reporters can explain why a flaky run failed.
  • testInfo.errors now lists each sub-error of an AggregateError as a separate entry.

... (truncated)

Commits
  • 1cc5a90 cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...
  • a6772bd cherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...
  • 8133dcf cherry-pick(#41283): docs: add Ubuntu 26.04 and Node.js 26.x to system requir...
  • 812432e chore: mark v1.61.0 (#41277)
  • ac05145 fix(fetch): report serverAddr and securityDetails for reused sockets (#41267)
  • 056efc9 fix(trace-viewer): add keyboard navigation to NetworkFilters component (#41...
  • 41f7b9a chore: fixes uncovered by the .NET 1.61 roll (#41266)
  • ba50778 fix(mcp): assign caps as array for legacy --vision flag (#41253)
  • b8ee5ae docs: release notes for v1.61 (#41261)
  • 49c1f69 fix(trace viewer): load trace from a local file (#41263)
  • Additional commits viewable in compare view

Updates typescript-eslint from 8.61.0 to 8.61.1

Release notes

Sourced from typescript-eslint's releases.

v8.61.1

8.61.1 (2026-06-15)

🩹 Fixes

  • eslint-plugin: [consistent-indexed-object-style] do not remove comments when fixing (#12396, #10577)
  • eslint-plugin: [no-unnecessary-type-assertion] avoid false positive for template literal expressions (#12281)
  • eslint-plugin: [no-unnecessary-type-assertion] wrap object literal in parens when removing TSTypeAssertion in arrow body (#12394, #12393)
  • eslint-plugin: [no-unnecessary-boolean-literal-compare] fix precedence bug in autofix (#12413)
  • eslint-plugin: [no-unnecessary-template-expression] respect ECMAScript line terminators (#12388)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.61.1 (2026-06-15)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

Updates vitest from 4.1.8 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub
Commits
  • a7a61e7 chore: release v4.1.9 (#10598)
  • 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
  • 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
  • a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps)(deps): bump actions/checkout
2402f89 
Bumps the weekly-dependency-refresh group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 6 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)
chore(deps)(deps): bump the weekly-dependency-refresh group with 5 updates

Bumps the weekly-dependency-refresh group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [@sentry/astro](https://github.com/getsentry/sentry-javascript) | `10.57.0` | `10.59.0` |
| [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) | `6.4.6` | `6.4.8` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.60.0` | `1.61.0` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.61.0` | `8.61.1` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.8` | `4.1.9` |


Updates `@sentry/astro` from 10.57.0 to 10.59.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.57.0...10.59.0)

Updates `astro` from 6.4.6 to 6.4.8
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/astro@6.4.8/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.4.8/packages/astro)

Updates `@playwright/test` from 1.60.0 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.60.0...v1.61.0)

Updates `typescript-eslint` from 8.61.0 to 8.61.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/typescript-eslint)

Updates `vitest` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: weekly-dependency-refresh
- dependency-name: "@sentry/astro"
  dependency-version: 10.59.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: weekly-dependency-refresh
- dependency-name: astro
  dependency-version: 6.4.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: weekly-dependency-refresh
- dependency-name: "@playwright/test"
  dependency-version: 1.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: weekly-dependency-refresh
- dependency-name: typescript-eslint
  dependency-version: 8.61.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: weekly-dependency-refresh
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: weekly-dependency-refresh
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: ci. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

cursor[bot]
cursor Bot reviewed Jun 22, 2026
View reviewed changes

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security review: no high-confidence vulnerabilities found

Scope: dependency-only PR (package.json, package-lock.json, GitHub Actions workflow pins). No application source, auth, or runtime configuration changes.

Summary

This PR bumps routine patch/minor versions and does not introduce confirmed vulnerabilities. Several updates are security improvements.

Change Security impact
actions/checkout@v6v7 Improvement — blocks unsafe fork PR checkout in pull_request_target / workflow_run (pwn-request mitigation). This repo's workflows use push, pull_request, schedule, and workflow_dispatch only; no pull_request_target or workflow_run triggers are present.
astro@6.4.66.4.8 Improvement — hardens URL percent-decoding limits (follow-up to CVE-2025-66202 middleware bypass class). Relevant if middleware or on-demand routes are added later; this site is currently static.
@sentry/astro@10.57.010.59.0 Neutral — internal package rename (@sentry-internal/*@sentry/*); no new attack surface identified.
@playwright/test, vitest, typescript-eslint Dev/test-only; no production runtime exposure.

Supply-chain / audit

  • npm audit (full tree): 39 vulnerabilities (5 low, 32 moderate, 2 high) — unchanged vs base (e9460f18).
  • npm audit --omit=dev: 27 vulnerabilitiesunchanged vs base.
  • Existing advisories (e.g. esbuild dev-server file read on Windows, js-yaml DoS, launch-editor UNC path) are pre-existing; this PR does not worsen them.
  • package.json overrides for hono and vite are unchanged.

Checklist (no findings)

  • Injection / traversal / SSRF / XSS: No new code paths; no changes to user input handling.
  • Authn/authz: No auth logic touched.
  • Secrets / logging: No token or credential handling changes.
  • Deserialization / CSRF: Not applicable to this diff.

Residual (informational, not introduced by this PR)

Pre-existing transitive advisories remain in the lockfile. Address separately if desired; they are outside this PR's scope.

Verdict: Safe to merge from a security perspective.

Open in Web View Automation 

Sent by Cursor Automation: Find vulnerabilities

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants