Skip to content

Update all non-major dependencies#385

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/all-minor-patch
Jul 6, 2026
Merged

Update all non-major dependencies#385
renovate[bot] merged 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change OpenSSF
astro (source) dependencies patch 7.0.57.0.6 OpenSSF Scorecard
github/codeql-action action patch v4.36.2v4.36.3 OpenSSF Scorecard

Release Notes

withastro/astro (astro)

v7.0.6

Compare Source

Patch Changes
  • #​17261 79aa99c Thanks @​astrobot-houston! - Fixes a false deprecation warning for markdown.gfm and markdown.smartypants when using the Container API

  • #​17247 f94280d Thanks @​chatman-media! - Fixes route generation throwing "Missing parameter" (or silently dropping the segment) when a dynamic param's value is 0. The generator used truthy checks instead of checking for undefined, so paginate(posts, { params: { categoryId: 0 } }) would crash even though 0 is a perfectly valid param value.

  • #​17278 6f11739 Thanks @​astrobot-houston! - Fixes missing CSS for virtual style modules (e.g., responsive image layout styles) in dev mode when JavaScript is disabled

  • #​17250 0b30b35 Thanks @​matthewp! - Fixes the security.checkOrigin check so it is applied consistently to Astro Actions and on-demand endpoints, regardless of how the request pipeline is composed. Previously, the origin check could be skipped in the composable astro/hono pipeline depending on the order of the middleware() primitive (or when it was omitted).

  • #​17274 8c3579b Thanks @​astrobot-houston! - Fixes missing render() type overload for live collection entries. Previously, calling render() on a LiveDataEntry produced a TypeScript error when using only live.config.ts without a content.config.ts.

  • #​17257 4208297 Thanks @​astrobot-houston! - Fixes astro check failing to find @astrojs/check and typescript when astro is installed in a directory outside the project tree (e.g. pnpm virtual store)

  • #​17272 b428648 Thanks @​matthewp! - Fixes island component paths so that extensionless imports (e.g. import { Counter } from '../components/Counter') resolve to the real file on disk, matching Vite's extension order and directory index resolution. This makes the include/exclude options of JSX renderer integrations (React, Preact, Solid) match components imported without a file extension, and removes the spurious React 19 "Invalid hook call" warning logged on every request in dev when include was set alongside another JSX renderer

  • #​17279 2aeaa44 Thanks @​astrobot-houston! - Fixes a bug where <Picture inferSize> with a remote image could fail with FailedToFetchRemoteImageDimensions when the image server rate-limits requests (e.g. HTTP 429). Remote dimensions are now resolved once per render instead of once per output format.

  • #​17251 5240e26 Thanks @​matthewp! - Hardens the handling of attribute rendering when using with custom elements.

  • #​17248 429bd62 Thanks @​astrobot-houston! - Fixes a crash when using Astro's getViteConfig with Vitest browser mode (e.g., Storybook vitest runner). Astro now skips dev server setup inside Vitest, preventing errors.

  • #​17260 14524c0 Thanks @​matthewp! - Fixes a regression where a <script> inside a component rendered through Astro.slots.render() was hoisted out of its original position instead of staying next to its component content

  • Updated dependencies [eb6f97e]:

github/codeql-action (github/codeql-action)

v4.36.3

Compare Source

No user facing changes.


Configuration

📅 Schedule: (in timezone Europe/London)

  • Branch creation
    • Between 06:00 PM and 11:59 PM (* 18-23 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jul 5, 2026
@renovate renovate Bot requested a review from Jamesking56 as a code owner July 5, 2026 17:00
@renovate renovate Bot enabled auto-merge (squash) July 5, 2026 17:00
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jul 5, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 29c8a7c to 23e2643 Compare July 5, 2026 20:34
@renovate renovate Bot changed the title Update github/codeql-action action to v4.36.3 Update all non-major dependencies Jul 5, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedastro@​7.0.5 ⏵ 7.0.68810088 +198100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm astro is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/astro@7.0.6

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@7.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot merged commit 7cc22dd into main Jul 6, 2026
10 checks passed
@renovate renovate Bot deleted the renovate/all-minor-patch branch July 6, 2026 03:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants