Bump astro, @astrojs/starlight, astro-breadcrumbs, @astro-community/astro-embed-twitter and @astro-community/astro-embed-youtube

[dependabot]

Bumps astro to 6.4.8 and updates ancestor dependencies astro, @astrojs/starlight, astro-breadcrumbs, @astro-community/astro-embed-twitter and @astro-community/astro-embed-youtube. These dependencies need to be updated together.

Updates astro from 5.13.7 to 6.4.8

Release notes

Sourced from astro's releases.

astro@6.4.8

Patch Changes

• #17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

astro@6.4.7

Patch Changes

• #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

astro@6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

astro@6.4.5

... (truncated)

Changelog

Sourced from astro's changelog.

6.4.8

Patch Changes

• #17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

6.4.7

Patch Changes

• #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

... (truncated)

Commits

• 3ec2c10 [ci] release (#17110)
• 27c80ea fix(core): encoded URLs (#17109)
• 910e121 [ci] release (#17036)
• ef771ec fix: improve diagnostics (#17046)
• 0537f5c [ci] format
• 2f4d92a Fix prerendered redirect targets inflating SSR bundle in hybrid mode (#17066)
• 360fa3f docs: fix grammar in container API JSDoc comments (#16984)
• bbe0e54 [ci] format
• 52fc862 Supporting numeric id references (#16672)
• 9de80ae feat(cli): Adds wrangler schema to generated wrangler.jsonc file when running...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for astro since your current version.

Updates @astrojs/starlight from 0.36.0 to 0.40.0

Release notes

Sourced from @​astrojs/starlight's releases.

@​astrojs/starlight@​0.40.0

Minor Changes

• #3923 edf2e6b Thanks @​Princesseuh! - Adds support for Astro 6.4 and the new Sätteri Markdown processor.

  It is now possible to opt into using Astro's 6.4 Sätteri Markdown processor by installing the @astrojs/markdown-satteri package and configuring it in your astro.config.mjs file:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { satteri } from '@​astrojs/markdown-satteri';
  export default defineConfig({
  markdown: {
  processor: satteri(),
  },
  });

  ⚠️ BREAKING CHANGE: The minimum supported version of Astro is now v6.4.5.

  Please update Starlight and Astro together:

  npx @astrojs/upgrade

  Community Starlight plugins and Astro integrations may also need to be manually updated to work with Sätteri. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

Patch Changes

• #3923 edf2e6b Thanks @​Princesseuh! - Updates Expressive Code to version 0.43.1.

@​astrojs/starlight@​0.39.3

Patch Changes

• #3910 dddf405 Thanks @​andreialba! - Improves Romanian UI translations

• #3924 02f2ce1 Thanks @​BouRock! - Improves Turkish UI translations

• #3928 11a7ed2 Thanks @​delucis! - Updates Pagefind to v1.5 and adds support for Pagefind’s new diacriticSimilarity and metaWeights advanced ranking options

• #3927 e944870 Thanks @​HiDeoo! - Refactors internal file path handling for Starlight content collections.

@​astrojs/starlight@​0.39.2

Patch Changes

• #3890 2d05e18 Thanks @​tats-u! - Fixes CSS selector for text-autospace styles in Chromium browsers

... (truncated)

Changelog

Sourced from @​astrojs/starlight's changelog.

0.40.0

Minor Changes

• #3923 edf2e6b Thanks @​Princesseuh! - Adds support for Astro 6.4 and the new Sätteri Markdown processor.

  It is now possible to opt into using Astro's 6.4 Sätteri Markdown processor by installing the @astrojs/markdown-satteri package and configuring it in your astro.config.mjs file:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { satteri } from '@​astrojs/markdown-satteri';
  export default defineConfig({
  markdown: {
  processor: satteri(),
  },
  });

  ⚠️ BREAKING CHANGE: The minimum supported version of Astro is now v6.4.5.

  Please update Starlight and Astro together:

  npx @astrojs/upgrade

  Community Starlight plugins and Astro integrations may also need to be manually updated to work with Sätteri. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

Patch Changes

• #3923 edf2e6b Thanks @​Princesseuh! - Updates Expressive Code to version 0.43.1.

0.39.3

Patch Changes

• #3910 dddf405 Thanks @​andreialba! - Improves Romanian UI translations

• #3924 02f2ce1 Thanks @​BouRock! - Improves Turkish UI translations

• #3928 11a7ed2 Thanks @​delucis! - Updates Pagefind to v1.5 and adds support for Pagefind’s new diacriticSimilarity and metaWeights advanced ranking options

• #3927 e944870 Thanks @​HiDeoo! - Refactors internal file path handling for Starlight content collections.

0.39.2

Patch Changes

... (truncated)

Commits

• 79897a3 [ci] release (#3944)
• edf2e6b feat: add support for Astro 6.4 and Sätteri (#3923)
• 668a467 [ci] release (#3913)
• 11a7ed2 Add support for new Pagefind ranking options (#3928)
• 02f2ce1 Update Turkish translations (#3924)
• e944870 Refactor getCollectionPosixPath() (#3927)
• dddf405 fix: improve Romanian UI translations (#3910)
• 1b5f399 CI/E2E tests improvements (#3901)
• d1d7452 Fix inaccurate comment on :lang selectors (#3893)
• 76ff51e [ci] release (#3891)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​astrojs/starlight since your current version.

Updates astro-breadcrumbs from 3.3.1 to 3.4.0

Release notes

Sourced from astro-breadcrumbs's releases.

v3.4.0

3.4.0 (2026-03-11)

Features

• add astro v6 support; update all dependencies (bf54fbf)

v3.4.0-beta.1

3.4.0-beta.1 (2026-02-20)

Bug Fixes

• add missing type exports (2f9eb90)
• correct import paths for breadcrumbs types and ensure boolean return in truncatedButtonVisible (77d95ca)
• types file name (ecc82e9)
• update astro-breadcrumbs dependency to use workspace protocol (2133145)

Features

• add support for custom CSS classes and disable default styles in Breadcrumb components (46aaa7e)
• add TypeScript support for .astro files and update tsconfig (1364028)

v3.3.3

3.3.3 (2025-12-13)

Bug Fixes

• update repository URL format in package.json (22d2007)

v3.3.2

3.3.2 (2025-12-13)

Bug Fixes

• update condition to check crumbs length and add test for implicit index in mergeCustomizedLinks (0c3cf8b)

Changelog

Sourced from astro-breadcrumbs's changelog.

3.4.0 (2026-03-11)

Features

• add astro v6 support; update all dependencies (bf54fbf)

3.3.3 (2025-12-13)

Bug Fixes

• update repository URL format in package.json (22d2007)

3.3.2 (2025-12-13)

Bug Fixes

• update condition to check crumbs length and add test for implicit index in mergeCustomizedLinks (0c3cf8b)

Commits

• d858f16 chore(release): publish version 3.4.0
• 607bf13 Merge pull request #658 from felix-berlin/feature/astro-6-support
• 3af7416 test: fix test env
• 3679d47 build: update astro-matomo
• bf54fbf feat: add astro v6 support; update all dependencies
• 29d2a3e Merge pull request #657 from felix-berlin/renovate/astrojs-starlight-0.x-lock...
• e068d45 chore(deps): update dependency @​astrojs/starlight to v0.37.7
• bf2a3f0 chore(deps): update dependency astro to v5.18.0 (#656)
• ade73b1 chore(deps): update pnpm to v10.30.3 (#655)
• 5275851 chore(deps): update pnpm to v10.30.1 (#654)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for astro-breadcrumbs since your current version.

Updates @astro-community/astro-embed-twitter from 0.5.8 to 0.5.11

Release notes

Sourced from @​astro-community/astro-embed-twitter's releases.

@​astro-community/astro-embed-twitter@​0.5.11

Patch Changes

• #259 71b2af0 Thanks @​delucis! - Caches requests to the Twitter embed API for repeated requests for the same tweet

@​astro-community/astro-embed-twitter@​0.5.10

Patch Changes

• #227 a2201be Thanks @​delucis! - Removes unnecessary astro peer dependency

• Updated dependencies [a186fa1]:

  • @​astro-community/astro-embed-utils@​0.2.0

@​astro-community/astro-embed-twitter@​0.5.9

Patch Changes

• #219 d90ce7a Thanks @​delucis! - No code changes. This release is the first published using OIDC trusted publisher configuration for improved security.

• Updated dependencies [d90ce7a]:

  • @​astro-community/astro-embed-utils@​0.1.5

Changelog

Sourced from @​astro-community/astro-embed-twitter's changelog.

0.5.11

Patch Changes

• #259 71b2af0 Thanks @​delucis! - Caches requests to the Twitter embed API for repeated requests for the same tweet

0.5.10

Patch Changes

• #227 a2201be Thanks @​delucis! - Removes unnecessary astro peer dependency

• Updated dependencies [a186fa1]:

  • @​astro-community/astro-embed-utils@​0.2.0

0.5.9

Patch Changes

• #219 d90ce7a Thanks @​delucis! - No code changes. This release is the first published using OIDC trusted publisher configuration for improved security.

• Updated dependencies [d90ce7a]:

  • @​astro-community/astro-embed-utils@​0.1.5

Commits

• 9a90f3f Version Packages (#260)
• 71b2af0 Use safeGet in \<Tweet> component (#259)
• b72b973 Add type checking to CI (#256)
• 29dad63 Version Packages (#228)
• 4add652 Update prettier to latest (#230)
• a2201be Drop official support for older versions of Astro (#227)
• 9d00c69 Version Packages (#221)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​astro-community/astro-embed-twitter since your current version.

Updates @astro-community/astro-embed-youtube from 0.5.6 to 0.5.10

Release notes

Sourced from @​astro-community/astro-embed-youtube's releases.

@​astro-community/astro-embed-youtube@​0.5.10

Patch Changes

• #227 a2201be Thanks @​delucis! - Removes unnecessary astro peer dependency

@​astro-community/astro-embed-youtube@​0.5.9

Patch Changes

• #219 d90ce7a Thanks @​delucis! - No code changes. This release is the first published using OIDC trusted publisher configuration for improved security.

@​astro-community/astro-embed-youtube@​0.5.8

Patch Changes

• #217 4668c58 Thanks @​Mikescops! - Fixes compatibility with the latest release of lite-youtube-embed to make sure the play button displays

@​astro-community/astro-embed-youtube@​0.5.7

Patch Changes

• #202 c00ac0ab0253d7439d57de0b986317f55c66f291 Thanks @​echolocator! - Add support for style attribute in <YouTube> component

Changelog

Sourced from @​astro-community/astro-embed-youtube's changelog.

0.5.10

Patch Changes

• #227 a2201be Thanks @​delucis! - Removes unnecessary astro peer dependency

0.5.9

Patch Changes

• #219 d90ce7a Thanks @​delucis! - No code changes. This release is the first published using OIDC trusted publisher configuration for improved security.

0.5.8

Patch Changes

• #217 4668c58 Thanks @​Mikescops! - Fixes compatibility with the latest release of lite-youtube-embed to make sure the play button displays

0.5.7

Patch Changes

• #202 c00ac0ab0253d7439d57de0b986317f55c66f291 Thanks @​echolocator! - Add support for style attribute in <YouTube> component

Commits

• 29dad63 Version Packages (#228)
• a2201be Drop official support for older versions of Astro (#227)
• 9d00c69 Version Packages (#221)
• 75a2c07 Version Packages (#213)
• 4668c58 Fix the youtube playbutton display (#217)
• 29bc022 Version Packages (#203)
• c00ac0a Add YouTube style prop, following example from Vimeo (#202)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​astro-community/astro-embed-youtube since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​astro-breadcrumbs@​3.3.1 ⏵ 3.4.0	-5		+2	+2
	npm/​@​astrojs/​starlight@​0.36.0 ⏵ 0.40.0			+1	+2
	npm/​astro@​5.13.7 ⏵ 6.4.8	-8	+40	+1	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm astro is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/astro@6.4.8 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@6.4.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm js-yaml is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/@astrojs/starlight@0.40.0 → npm/astro@6.4.8 → npm/@apidevtools/swagger-parser@12.0.0 → npm/eslint@9.35.0 → npm/js-yaml@4.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report