Bump vite, @astrojs/react, @astrojs/starlight, @cloudflare/vitest-pool-workers, astro, astro-breadcrumbs, @astro-community/astro-embed-twitter, @astro-community/astro-embed-youtube and vitest #43

Open
dependabot[bot] wants to merge 1 commit into production from dependabot/npm_and_yarn/multi-91de669532

dependabot[bot] commented on behalf of github on Jun 30, 2026

Bumps vite to 8.1.0 and updates ancestor dependencies vite, @astrojs/react, @astrojs/starlight, @cloudflare/vitest-pool-workers, astro, astro-breadcrumbs, @astro-community/astro-embed-twitter, @astro-community/astro-embed-youtube and vitest. These dependencies need to be updated together.

Updates vite from 6.3.6 to 8.1.0

Release notes

Sourced from vite's releases.

create-vite@8.1.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.1.0

Please refer to CHANGELOG.md for details.

v8.1.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.1.0-beta.0

Please refer to CHANGELOG.md for details.

v8.1.0-beta.0

Please refer to CHANGELOG.md for details.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.1.0 (2026-06-23)

Features

Bug Fixes

  • bundled-dev: errors should be kept when incremental build fails (#22617) (9a0dd48)
  • cache falsy values in perEnvironmentState (#22715) (0e91e79)
  • glob: respect caseSensitive option in hmr matcher (#22711) (65f525e)
  • html: omit nonce on import map when cspNonce is unset (#22713) (8340bb5)
  • optimizer: skip null-valued exports in expandGlobIds glob resolution (#22611) (8b9f5cd)
  • resolved build options should be kept as a getter (#22691) (3527191)
  • server: handle malformed URI in memory files middleware (#22714) (df9e0a5)
  • use literal envPrefix queries for Vite Task (#22706) (da72733)
  • warn on deprecated envFile (#22555) (ed7b283)

Code Refactoring

8.1.0-beta.0 (2026-06-15)

Features

  • import.meta.glob support caseSensitive option (#21707) (2ad6737)
  • add warning to discourage Vite with yarn pnp (#21906) (3fbb55a)
  • build: chunk importmap (#21580) (e180312)
  • css: support lightningcss plugin dependency (#21748) (0b7aaed)
  • deps: bump @​vitejs/devtools peer dependency version (#22542) (d2c2bc0)
  • html: add html.additionalAssetSources option (#21412) (a41404b)
  • integrate with Vite Task for zero-config build caching (#22453) (f8d75f7)
  • rename server.hmr options to server.ws options (#21357) (9ce3036)
  • server: support multiple hosts in __VITE_ADDITIONAL_SERVER_ALLOWED_HOSTS (#21501) (735f9a1)
  • track dependencies when loading config with native (#22602) (a7e2da8)
  • types: add more precise typing for known query types to match known as types (#21863) (cc39e55)
  • update rolldown to 1.1.1 (#22593) (8a13d63)
  • wasm: direct .wasm imports (WASM ESM Integration) (#21779) (c23d85b)

Bug Fixes

  • apply correct fs restrictions for pnpm gvs (#22415) (092320b)
  • css: support external CSS with lightningcss (#18389) (d64a1a5)
  • deps: update all non-major dependencies (#22637) (44bb9d9)
  • deps: update all non-major dependencies (#22681) (f4f0633)
  • html: insert import map before modulepreload that is not self-close tag (#21409) (e399c89)
  • optimizer: preserve sourcemaps for transformed optimized deps with follow-up transforms (#22428) (1298951)

... (truncated)

Commits

Updates @astrojs/react from 4.2.5 to 6.0.0

Release notes

Sourced from @​astrojs/react's releases.

@​astrojs/react@​6.0.0

Major Changes

Minor Changes

  • #17093 4585fe5 Thanks @​Princesseuh! - Replaces the import entrypoint of getContainerRenderer()

    A new container-renderer entrypoint exporting getContainerRenderer() has been added to the following integrations: React, Preact, Svelte, SolidJS, Vue, and MDX. This prevents bundlers from trying to bundle unrelated exports from the package root when only the Container API is used.

    If you are using the Container API, update your import statements to use the new entrypoint. The following example updates the getContainerRenderer() import for React:

    - import { getContainerRenderer } from '@astrojs/react';
    + import { getContainerRenderer } from '@astrojs/react/container-renderer';

    Importing getContainerRenderer() from the package root still works, but is now deprecated and logs a warning.

Patch Changes

@​astrojs/react@​6.0.0-beta.2

Minor Changes

  • #17093 4585fe5 Thanks @​Princesseuh! - Replaces the import entrypoint of getContainerRenderer()

    A new container-renderer entrypoint exporting getContainerRenderer() has been added to the following integrations: React, Preact, Svelte, SolidJS, Vue, and MDX. This prevents bundlers from trying to bundle unrelated exports from the package root when only the Container API is used.

    If you are using the Container API, update your import statements to use the new entrypoint. The following example updates the getContainerRenderer() import for React:

    - import { getContainerRenderer } from '@astrojs/react';
    + import { getContainerRenderer } from '@astrojs/react/container-renderer';

    Importing getContainerRenderer() from the package root still works, but is now deprecated and logs a warning.

@​astrojs/react@​6.0.0-beta.1

Patch Changes

@​astrojs/react@​5.0.7

Patch Changes

... (truncated)

Changelog

Sourced from @​astrojs/react's changelog.

6.0.0

Major Changes

Minor Changes

  • #17093 4585fe5 Thanks @​Princesseuh! - Replaces the import entrypoint of getContainerRenderer()

    A new container-renderer entrypoint exporting getContainerRenderer() has been added to the following integrations: React, Preact, Svelte, SolidJS, Vue, and MDX. This prevents bundlers from trying to bundle unrelated exports from the package root when only the Container API is used.

    If you are using the Container API, update your import statements to use the new entrypoint. The following example updates the getContainerRenderer() import for React:

    - import { getContainerRenderer } from '@astrojs/react';
    + import { getContainerRenderer } from '@astrojs/react/container-renderer';

    Importing getContainerRenderer() from the package root still works, but is now deprecated and logs a warning.

Patch Changes

6.0.0-beta.2

Minor Changes

  • #17093 4585fe5 Thanks @​Princesseuh! - Replaces the import entrypoint of getContainerRenderer()

    A new container-renderer entrypoint exporting getContainerRenderer() has been added to the following integrations: React, Preact, Svelte, SolidJS, Vue, and MDX. This prevents bundlers from trying to bundle unrelated exports from the package root when only the Container API is used.

    If you are using the Container API, update your import statements to use the new entrypoint. The following example updates the getContainerRenderer() import for React:

    - import { getContainerRenderer } from '@astrojs/react';
    + import { getContainerRenderer } from '@astrojs/react/container-renderer';

    Importing getContainerRenderer() from the package root still works, but is now deprecated and logs a warning.

6.0.0-beta.1

Patch Changes

6.0.0-alpha.0

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​astrojs/react since your current version.


Updates @astrojs/starlight from 0.36.0 to 0.41.1

Release notes

Sourced from @​astrojs/starlight's releases.

@​astrojs/starlight@​0.41.1

Patch Changes

@​astrojs/starlight@​0.41.0

Minor Changes

  • #3951 1202dd4 Thanks @​HiDeoo! - Adds support for Astro v7, drops support for Astro v6.

    Upgrade Astro and dependencies

    ⚠️ BREAKING CHANGE: Astro v6 is no longer supported. Make sure you update Astro and any other official integrations at the same time as updating Starlight:

    npx @astrojs/upgrade

    Community Starlight plugins and Astro integrations may also need to be manually updated to work with Astro v7. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

    ⚠️ BREAKING CHANGE: This release drops official support for Chromium-based browsers prior to version 111 (released 07 March 2023) and Safari-based browsers prior to version 16.4 (released 27 March 2023). You can find a list of currently supported browsers and their versions using this browserslist query.

Patch Changes

  • #3953 a935d33 Thanks @​HiDeoo! - Fixes Starlight Markdown processing being potentially applied to files that should not be processed.

@​astrojs/starlight@​0.40.0

Minor Changes

  • #3923 edf2e6b Thanks @​Princesseuh! - Adds support for Astro 6.4 and the new Sätteri Markdown processor.

    It is now possible to opt into using Astro's 6.4 Sätteri Markdown processor by installing the @astrojs/markdown-satteri package and configuring it in your astro.config.mjs file:

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    import { satteri } from '@astrojs/markdown-satteri';

    export default defineConfig({
      markdown: {
        processor: satteri(),
      },
    });

... (truncated)

Changelog

Sourced from @​astrojs/starlight's changelog.

0.41.1

Patch Changes

0.41.0

Minor Changes

  • #3951 1202dd4 Thanks @​HiDeoo! - Adds support for Astro v7, drops support for Astro v6.

    Upgrade Astro and dependencies

    ⚠️ BREAKING CHANGE: Astro v6 is no longer supported. Make sure you update Astro and any other official integrations at the same time as updating Starlight:

    npx @astrojs/upgrade

    Community Starlight plugins and Astro integrations may also need to be manually updated to work with Astro v7. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

    ⚠️ BREAKING CHANGE: This release drops official support for Chromium-based browsers prior to version 111 (released 07 March 2023) and Safari-based browsers prior to version 16.4 (released 27 March 2023). You can find a list of currently supported browsers and their versions using this browserslist query.

Patch Changes

  • #3953 a935d33 Thanks @​HiDeoo! - Fixes Starlight Markdown processing being potentially applied to files that should not be processed.

0.40.0

Minor Changes

  • #3923 edf2e6b Thanks @​Princesseuh! - Adds support for Astro 6.4 and the new Sätteri Markdown processor.

    It is now possible to opt into using Astro's 6.4 Sätteri Markdown processor by installing the @astrojs/markdown-satteri package and configuring it in your astro.config.mjs file:

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    import { satteri } from '@astrojs/markdown-satteri';

    export default defineConfig({
      markdown: {
        processor: satteri(),
      },

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​astrojs/starlight since your current version.


Updates @cloudflare/vitest-pool-workers from 0.9.11 to 0.16.20

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.16.20

Patch Changes

  • #14398 c5014cc Thanks @​apeacock1991! - Add evictDurableObject and evictAllDurableObjects test helpers to cloudflare:test

    These helpers let you exercise how a Durable Object behaves across evictions in your tests. Eviction is graceful: durable storage is preserved, in-memory state is reset by tearing down the instance, hibernatable WebSockets are hibernated rather than closed, and eviction waits for in-flight requests to drain.

    import { evictDurableObject, evictAllDurableObjects } from "cloudflare:test";
    import { env } from "cloudflare:workers";
    const id = env.COUNTER.idFromName("my-counter");
    const stub = env.COUNTER.get(id);
    // Evict the Durable Object instance pointed to by a specific stub
    await evictDurableObject(stub);
    await evictDurableObject(stub, { webSockets: "close" });
    // Evict all currently-running Durable Objects in evictable namespaces
    await evictAllDurableObjects();

  • #14394 8a5cf8c Thanks @​Partha-Shankar! - fix(d1): escape migrationsTableName and filenames in SQLite queries

    D1 migration commands in both wrangler and @cloudflare/vitest-pool-workers interpolated the migrationsTableName config value and migration filenames directly into SQL strings without any escaping. This meant:

    • A table name such as my"table would produce invalid SQL in CREATE TABLE, SELECT, and INSERT statements, and
    • A migration filename containing an apostrophe (e.g. what's-new.sql) would break the INSERT INTO ... VALUES ('...') statement appended after each migration in wrangler.

    Both identifiers are now properly escaped before interpolation: migrationsTableName is wrapped in double-quotes with internal double-quotes doubled (SQL-standard identifier quoting), and migration filenames used as string literals have their single-quotes doubled before insertion.

  • Updated dependencies [5f40dd5, 34e0cef, 3b743c1, daa5389, 8a5cf8c]:

    • wrangler@4.105.0
    • miniflare@4.20260625.0

@​cloudflare/vitest-pool-workers@​0.16.19

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.18

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.17

... (truncated)

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.16.20

Patch Changes

  • #14398 c5014cc Thanks @​apeacock1991! - Add evictDurableObject and evictAllDurableObjects test helpers to cloudflare:test

    These helpers let you exercise how a Durable Object behaves across evictions in your tests. Eviction is graceful: durable storage is preserved, in-memory state is reset by tearing down the instance, hibernatable WebSockets are hibernated rather than closed, and eviction waits for in-flight requests to drain.

    import { evictDurableObject, evictAllDurableObjects } from "cloudflare:test";
    import { env } from "cloudflare:workers";
    const id = env.COUNTER.idFromName("my-counter");
    const stub = env.COUNTER.get(id);
    // Evict the Durable Object instance pointed to by a specific stub
    await evictDurableObject(stub);
    await evictDurableObject(stub, { webSockets: "close" });
    // Evict all currently-running Durable Objects in evictable namespaces
    await evictAllDurableObjects();

  • #14394 8a5cf8c Thanks @​Partha-Shankar! - fix(d1): escape migrationsTableName and filenames in SQLite queries

    D1 migration commands in both wrangler and @cloudflare/vitest-pool-workers interpolated the migrationsTableName config value and migration filenames directly into SQL strings without any escaping. This meant:

    • A table name such as my"table would produce invalid SQL in CREATE TABLE, SELECT, and INSERT statements, and
    • A migration filename containing an apostrophe (e.g. what's-new.sql) would break the INSERT INTO ... VALUES ('...') statement appended after each migration in wrangler.

    Both identifiers are now properly escaped before interpolation: migrationsTableName is wrapped in double-quotes with internal double-quotes doubled (SQL-standard identifier quoting), and migration filenames used as string literals have their single-quotes doubled before insertion.

  • Updated dependencies [5f40dd5, 34e0cef, 3b743c1, daa5389, 8a5cf8c]:

    • wrangler@4.105.0
    • miniflare@4.20260625.0

0.16.19

Patch Changes

0.16.18

Patch Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​cloudflare/vitest-pool-workers since your current version.


Updates astro from 5.13.7 to 7.0.3

Release notes

Sourced from astro's releases.

astro@7.0.3

Patch Changes

  • #17189 24d2c9e Thanks @​astrobot-houston! - Fixes a bug where an error thrown inside one route's getStaticPaths() would prevent other valid routes from being matched in dev mode

  • #16932 8f4a3db Thanks @​fkatsuhiro! - Fixes HMR for action files during development. Editing files in src/actions/ now takes effect on the next request without requiring a dev server restart.

  • #17087 fb0ab02 Thanks @​jp-knj! - Fixes localized custom error pages in i18n projects so routes like /pt/404 are used for missing localized pages and return the correct status code

astro@7.0.2

Patch Changes

  • Updated dependencies [3b5e994]:
    • @​astrojs/markdown-satteri@​0.3.2

astro@7.0.1

Patch Changes

  • #17151 ccceda3 Thanks @​matthewp! - Fixes astro dev incorrectly starting in background mode for Warp terminal users. Hybrid environments like Warp are no longer treated as AI agents for auto-background detection.

  • #17158 164df87 Thanks @​ematipico! - Fixes astro dev --background --host not listing the network addresses. The background server start output and astro dev status now show every exposed network URL, matching the foreground dev server.

  • #17141 d785b9d Thanks @​astrobot-houston! - Fixes responsive image CSS overriding user styles defined inside CSS @layer blocks. The generated image styles are now wrapped in @layer astro.images, ensuring they have lower cascade priority than user-defined layers.

  • #17150 1a61386 Thanks @​matthewp! - Fixes astro dev --background failing on Windows with "Failed to spawn background dev server process"

astro@7.0.0

Major Changes

  • #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

  • #16965 57ead0d Thanks @​Princesseuh! - Makes 'jsx' the default value for compressHTML

    Astro now strips whitespace from your HTML using JSX rules by default, the same way frameworks like React do. Whitespace and line breaks around elements are removed, but meaningful whitespace within a single line — like a space between two inline elements — is preserved. To keep a space that would otherwise be removed, write it explicitly in your source, for example with {" "}.

    This can change rendered output where whitespace between inline elements was previously meaningful. To keep Astro's earlier behavior, set compressHTML: true for HTML-aware compression, or compressHTML: false to preserve all whitespace.

  • #16610 c63e7e4 Thanks @​matthewp! - Adds background dev server management for AI coding agents.

    When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

    A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

    New flag and subcommands

    • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
    • astro dev stop — Stop a running background dev server.
    • astro dev status — Check if a dev server is running and display its URL, PID, and uptime.
    • astro dev logs — View logs from a background dev server. Use --follow (-f) to stream new output as it's written.

... (truncated)

Changelog

Sourced from astro's changelog.

7.0.3

Patch Changes

  • #17189 24d2c9e Thanks @​astrobot-houston! - Fixes a bug where an error thrown inside one route's getStaticPaths() would prevent other valid routes from being matched in dev mode

  • #16932 8f4a3db Thanks @​fkatsuhiro! - Fixes HMR for action files during development. Editing files in src/actions/ now takes effect on the next request without requiring a dev server restart.

  • #17087 fb0ab02 Thanks @​jp-knj! - Fixes localized custom error pages in i18n projects so routes like /pt/404 are used for missing localized pages and return the correct status code

7.0.2

Patch Changes

  • Updated dependencies [3b5e994]:
    • @​astrojs/markdown-satteri@​0.3.2

7.0.1

Patch Changes

  • #17151 ccceda3 Thanks @​matthewp! - Fixes astro dev incorrectly starting in background mode for Warp terminal users. Hybrid environments like Warp are no longer treated as AI agents for auto-background detection.

  • #17158 164df87 Thanks @​ematipico! - Fixes astro dev --background --host not listing the network addresses. The background server start output and astro dev status now show every exposed network URL, matching the foreground dev server.

  • #17141 d785b9d Thanks @​astrobot-houston! - Fixes responsive image CSS overriding user styles defined inside CSS @layer blocks. The generated image styles are now wrapped in @layer astro.images, ensuring they have lower cascade priority than user-defined layers.

  • #17150 1a61386 Thanks @​matthewp! - Fixes astro dev --background failing on Windows with "Failed to spawn background dev server process"

7.0.0

Major Changes

  • #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

  • #16965 57ead0d Thanks @​Princesseuh! - Makes 'jsx' the default value for compressHTML

    Astro now strips whitespace from your HTML using JSX rules by default, the same way frameworks like React do. Whitespace and line breaks around elements are removed, but meaningful whitespace within a single line — like a space between two inline elements — is preserved. To keep a space that would otherwise be removed, write it explicitly in your source, for example with {" "}.

    This can change rendered output where whitespace between inline elements was previously meaningful. To keep Astro's earlier behavior, set compressHTML: true for HTML-aware compression, or compressHTML: false to preserve all whitespace.

  • Description has been truncated

…l-workers, astro, astro-breadcrumbs, @astro-community/astro-embed-twitter, @astro-community/astro-embed-youtube and vitest

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) to 8.1.0 and updates ancestor dependencies [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [@astrojs/react](https://github.com/withastro/astro/tree/HEAD/packages/integrations/react), [@astrojs/starlight](https://github.com/withastro/starlight/tree/HEAD/packages/starlight), [@cloudflare/vitest-pool-workers](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vitest-pool-workers), [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro), [astro-breadcrumbs](https://github.com/felix-berlin/astro-breadcrumbs), [@astro-community/astro-embed-twitter](https://github.com/delucis/astro-embed/tree/HEAD/packages/astro-embed-twitter), [@astro-community/astro-embed-youtube](https://github.com/delucis/astro-embed/tree/HEAD/packages/astro-embed-youtube) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). These dependencies need to be updated together.


Updates `vite` from 6.3.6 to 8.1.0
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/create-vite@8.1.0/packages/vite)

Updates `@astrojs/react` from 4.2.5 to 6.0.0
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/integrations/react/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/@astrojs/react@6.0.0/packages/integrations/react)

Updates `@astrojs/starlight` from 0.36.0 to 0.41.1
- [Release notes](https://github.com/withastro/starlight/releases)
- [Changelog](https://github.com/withastro/starlight/blob/main/packages/starlight/CHANGELOG.md)
- [Commits](https://github.com/withastro/starlight/commits/@astrojs/starlight@0.41.1/packages/starlight)

Updates `@cloudflare/vitest-pool-workers` from 0.9.11 to 0.16.20
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vitest-pool-workers/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vitest-pool-workers@0.16.20/packages/vitest-pool-workers)

Updates `astro` from 5.13.7 to 7.0.3
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@7.0.3/packages/astro)

Updates `astro-breadcrumbs` from 3.3.1 to 3.4.1
- [Release notes](https://github.com/felix-berlin/astro-breadcrumbs/releases)
- [Changelog](https://github.com/felix-berlin/astro-breadcrumbs/blob/main/CHANGELOG.md)
- [Commits](felix-berlin/astro-breadcrumbs@v3.3.1...v3.4.1)

Updates `@astro-community/astro-embed-twitter` from 0.5.8 to 0.5.11
- [Release notes](https://github.com/delucis/astro-embed/releases)
- [Changelog](https://github.com/delucis/astro-embed/blob/main/packages/astro-embed-twitter/CHANGELOG.md)
- [Commits](https://github.com/delucis/astro-embed/commits/@astro-community/astro-embed-twitter@0.5.11/packages/astro-embed-twitter)

Updates `@astro-community/astro-embed-youtube` from 0.5.6 to 0.5.10
- [Release notes](https://github.com/delucis/astro-embed/releases)
- [Changelog](https://github.com/delucis/astro-embed/blob/main/packages/astro-embed-youtube/CHANGELOG.md)
- [Commits](https://github.com/delucis/astro-embed/commits/@astro-community/astro-embed-youtube@0.5.10/packages/astro-embed-youtube)

Updates `vitest` from 2.1.6 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 8.1.0
  dependency-type: indirect
- dependency-name: "@astrojs/react"
  dependency-version: 6.0.0
  dependency-type: direct:development
- dependency-name: "@astrojs/starlight"
  dependency-version: 0.41.1
  dependency-type: direct:development
- dependency-name: "@cloudflare/vitest-pool-workers"
  dependency-version: 0.16.20
  dependency-type: direct:development
- dependency-name: astro
  dependency-version: 7.0.3
  dependency-type: direct:development
- dependency-name: astro-breadcrumbs
  dependency-version: 3.4.1
  dependency-type: direct:development
- dependency-name: "@astro-community/astro-embed-twitter"
  dependency-version: 0.5.11
  dependency-type: indirect
- dependency-name: "@astro-community/astro-embed-youtube"
  dependency-version: 0.5.10
  dependency-type: indirect
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and javascript labels on Jun 30, 2026
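
The D1 escaping fix described in the @cloudflare/vitest-pool-workers 0.16.20 notes above (#14394), as an added example that is not wrangler's or vitest-pool-workers' code: raw interpolation beside the quoted form, run on the two inputs the notes name. The helper names, the `name` column and the statement shapes are assumptions made for illustration.

```javascript
// Added example. Helper names, the "name" column and the statement shapes are
// assumptions for illustration; this is not wrangler's or vitest-pool-workers' code.

// SQL-standard identifier quoting: wrap in double quotes, double embedded ones.
function quoteIdentifier(name) {
  if (typeof name !== "string" || name.length === 0) {
    throw new TypeError("identifier must be a non-empty string");
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// String-literal quoting: wrap in single quotes, double embedded ones.
function quoteLiteral(value) {
  if (typeof value !== "string") {
    throw new TypeError("literal must be a string");
  }
  return "'" + value.replace(/'/g, "''") + "'";
}

// "Before": the config value and the filename are interpolated as-is.
function buildUnescaped(tableName, fileName) {
  return {
    create: `CREATE TABLE IF NOT EXISTS ${tableName} (name TEXT UNIQUE);`,
    select: `SELECT name FROM ${tableName};`,
    insert: `INSERT INTO ${tableName} (name) VALUES ('${fileName}');`,
  };
}

// "After": both values are quoted for the position they occupy.
function buildEscaped(tableName, fileName) {
  const table = quoteIdentifier(tableName);
  return {
    create: `CREATE TABLE IF NOT EXISTS ${table} (name TEXT UNIQUE);`,
    select: `SELECT name FROM ${table};`,
    insert: `INSERT INTO ${table} (name) VALUES (${quoteLiteral(fileName)});`,
  };
}

// Teaching check, not an SQL parser (comments are not handled): true when
// every '...' and "..." run is closed, treating a doubled quote as escaped.
function hasBalancedQuotes(sql) {
  let open = null;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (open === null) {
      if (ch === '"' || ch === "'") open = ch;
    } else if (ch === open) {
      if (sql[i + 1] === open) i++; // doubled quote: still inside the run
      else open = null;
    }
  }
  return open === null;
}

// Names of the statements whose quoting is left open by the inputs.
function auditStatements(statements) {
  return Object.entries(statements)
    .filter(([, sql]) => !hasBalancedQuotes(sql))
    .map(([kind]) => kind);
}

// Constructed inputs: the table name and filename quoted in the release notes.
const TABLE = 'my"table';
const FILE = "what's-new.sql";

console.log("unescaped:", auditStatements(buildUnescaped(TABLE, FILE)));
console.log("escaped:  ", auditStatements(buildEscaped(TABLE, FILE)));
console.log(buildEscaped(TABLE, FILE).insert);
```

Quoting keeps these values inert inside the statement text; values that can be passed as bound parameters do not need string-literal escaping at all, but identifiers such as a table name cannot be bound and still need identifier quoting.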
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json npm/vitest@4.1.9 npm/@astrojs/react@6.0.0 npm/@astrojs/starlight@0.41.1 npm/@cloudflare/vitest-pool-workers@0.16.20 npm/astro@7.0.3 npm/vite-tsconfig-paths@5.1.4 npm/sharp@0.34.3 npm/wrangler@4.40.2 npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn
Severity: High
Alert: Obfuscated code: npm astro is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json npm/astro@7.0.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@7.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
