Bump astro from 6.4.2 to 6.4.4 by dependabot[bot] · Pull Request #738 · PlayForm/WebSite

dependabot · 2026-06-04T03:16:43Z

Bumps astro from 6.4.2 to 6.4.4.

Release notes

astro@6.4.4

Patch Changes

#16926 1b39ae8 Thanks @narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

#16924 2c0bc94 Thanks @astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

#16958 2c1d50f Thanks @fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

#16855 c610cda Thanks @astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

#16946 606c37b Thanks @ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

#16720 16d49b6 Thanks @thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

#16703 17390a6 Thanks @henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

#16855 c610cda Thanks @astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

astro@6.4.3

Patch Changes

#16900 17a0fbd Thanks @ocavue! - Bumps devalue dependency to v5.8.1

#16016 0d85e1b Thanks @felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

#16911 79c6c46 Thanks @astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

#16899 239c469 Thanks @matthewp! - Fixes a false "does not call the middleware() handler" warning when using astro() in a custom src/app.ts and the first request is a redirect route.

#16887 493acdb Thanks @astrobot-houston! - Fixes redirectToDefaultLocale not working after the Advanced Routing refactoring.

#16908 ef53ab9 Thanks @florian-lefebvre! - Improves optimized fallbacks generation when using the Fonts API by using better metrics for bold variants

Changelog

Sourced from astro's changelog.

6.4.4

Patch Changes

#16926 1b39ae8 Thanks @narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

#16924 2c0bc94 Thanks @astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

#16958 2c1d50f Thanks @fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

#16855 c610cda Thanks @astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

#16946 606c37b Thanks @ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

#16720 16d49b6 Thanks @thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

#16703 17390a6 Thanks @henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

#16855 c610cda Thanks @astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

6.4.3

Patch Changes

#16900 17a0fbd Thanks @ocavue! - Bumps devalue dependency to v5.8.1

#16016 0d85e1b Thanks @felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

#16911 79c6c46 Thanks @astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

#16899 239c469 Thanks @matthewp! - Fixes a false "does not call the middleware() handler" warning when using astro() in a custom src/app.ts and the first request is a redirect route.

#16887 493acdb Thanks @astrobot-houston! - Fixes redirectToDefaultLocale not working after the Advanced Routing refactoring.

#16908 ef53ab9 Thanks @florian-lefebvre! - Improves optimized fallbacks generation when using the Fonts API by using better metrics for bold variants

Commits

fd7784e [ci] release (#16950)
c610cda Fix dynamic route parameters in domain-based i18n routing (#16855)
29b01ee [ci] format
1b39ae8 fix(astro): guard App.match() against malformed request URIs (#16926)
16d49b6 Fix issue with dynamic routes in complex projects using workerd (#16720)
1adb876 [ci] format
2c1d50f fix(routing): preserve .html in pathname for endpoint routes with dynamic par...
556b013 docs(astro): fix allows to grammar in two source comments (#16959)
17390a6 fix(astro): match case-mismatched project paths in normalizeFilename (#16703)
2c0bc94 Fix unnecessary backend reloads when editing client-side components (#16924)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) from 6.4.2 to 6.4.4. - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@6.4.4/packages/astro) --- updated-dependencies: - dependency-name: astro dependency-version: 6.4.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2026-06-04T03:17:18Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	astro@6.4.2 ⏵ 6.4.4			⁺¹	⁺¹

View full report

socket-security · 2026-06-04T03:17:20Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Network access: npm `@capsizecss/unpack` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/@capsizecss/unpack@4.0.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@capsizecss/unpack@4.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `h3` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/h3@1.15.11` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/h3@1.15.11`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `lru-cache` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/lru-cache@11.5.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/lru-cache@11.5.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Dynamic code execution: npm `magicast` Eval Type: Function Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/magicast@0.5.3` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/magicast@0.5.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `node-fetch-native` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/node-fetch-native@1.6.7` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/node-fetch-native@1.6.7`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `ofetch` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/ofetch@1.5.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ofetch@1.5.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `unifont` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/unifont@0.7.4` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/unifont@0.7.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm `@astrojs/markdown-remark` reads ASTRO_PERFORMANCE_BENCHMARK Env Vars: ASTRO_PERFORMANCE_BENCHMARK Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/@astrojs/markdown-remark@7.2.0` ℹ Read more on: This package \| This alert \| What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@astrojs/markdown-remark@7.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `@astrojs/telemetry` URLs: https://telemetry.astro.build/api/v1/record Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/@astrojs/telemetry@3.3.2` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@astrojs/telemetry@3.3.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `@shikijs/core` with markup.underline.link URLs: markup.underline.link Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/@shikijs/core@4.2.0` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@shikijs/core@4.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `@shikijs/langs` URLs: https://github.com/ionide/ionide-fsgrammar/issues/155 Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/@shikijs/langs@4.2.0` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@shikijs/langs@4.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm `@shikijs/vscode-textmate` reads VSCODE_TEXTMATE_DEBUG Env Vars: VSCODE_TEXTMATE_DEBUG Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/@shikijs/vscode-textmate@10.0.2` ℹ Read more on: This package \| This alert \| What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@shikijs/vscode-textmate@10.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm `argparse` reads COLUMNS Env Vars: COLUMNS Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/argparse@2.0.1` ℹ Read more on: This package \| This alert \| What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/argparse@2.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Filesystem access: npm `argparse` with module fs Module: fs Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/argparse@2.0.1` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/argparse@2.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Unmaintained: npm `argparse` was last published 6 years ago Last Publish: 8/28/2020, 9:14:26 PM From: `?` → `npm/astro@6.4.4` → `npm/argparse@2.0.1` ℹ Read more on: This package \| This alert \| What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/argparse@2.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `astro` URLs: https://docs.astro.build/en/guides/actions., https://docs.astro.build/en/guides/endpoints/#server-endpoints-api-routes, 127.0.0.1, https://docs.netlify.com/configure-builds/manage-dependencies/#node-js-and-javascript, https://docs.github.com/en/actions/guides/building-and-testing-nodejs#specifying-the-nodejs-version, https://vercel.com/docs/runtimes#official-runtimes/node-js/node-js-version, https://docs.astro.build/en/guides/deploy/, https://astro.build/integrations, https://astro.build/config, https://astro.build/db/config, https://astro.build/db/seed, https://docs.astro.build/en/guides/integrations-guide/tailwind/, https://docs.astro.build/en/guides/integrations/, https://docs.astro.build/en/guides/typescript/#errors-typing-multiple-jsx-frameworks-at-the-same-time, https://docs.astro.build/en/reference/cli-reference/#astro-dev, https://docs.astro.build/en/reference/cli-reference/#astro-preview, https://example.com, https://example.com/, https://registry.npmjs.org, https://docs.astro.build/, example.com, https://docs.astro.build/en/reference/experimental-flags/, https://docs.astro.build/en/guides/troubleshooting/#document-or-window-is-not-defined, https://astro.build/issues/compiler., https://docs.astro.build/en/guides/on-demand-rendering/, https://docs.astro.build/en/guides/on-demand-rendering/#response, https://docs.astro.build/en/reference/integrations-reference/#addrenderer-option, https://docs.astro.build/en/reference/routing-reference/#getstaticpaths, https://docs.astro.build/en/guides/imports/#other-assets, https://docs.astro.build/en/reference/modules/astro-assets/#getimage, https://docs.astro.build/en/guides/images/#images-in-content-collections, https://docs.astro.build/en/reference/modules/astro-assets/#src-required, https://vite.dev/guide/features.html#glob-import, https://sharp.pixelplumbing.com/install., https://docs.astro.build/en/reference/errors/missing-sharp, https://docs.astro.build/en/guides/images/#default-image-service, https://docs.astro.build/en/guides/imports/#glob-patterns, https://docs.astro.build/en/guides/internationalization, https://github.com/withastro/astro/issues., https://docs.astro.build/en/guides/markdown-content/#modifying-frontmatter-programmatically, https://docs.astro.build/en/guides/integrations-guide/mdx/, https://docs.astro.build/en/guides/upgrade-to/v6/#removed-legacy-content-collections, https://docs.astro.build/en/guides/content-collections/, https://docs.astro.build/en/reference/modules/astro-content/#definelivecollection, https://github.com/rich-harris/devalue, https://docs.astro.build/en/reference/api-reference/#callaction, https://docs.astro.build/en/guides/sessions/, https://docs.astro.build/en/reference/experimental-flags/route-caching/., https://developer.mozilla.org/en-US/docs/Web/API/Response, https://docs.astro.build/en/guides/framework-components/, https://docs.astro.build/en/reference/directives-reference/#clientonly, https://docs.astro.build/en/guides/routing/#dynamic-routes, https://docs.astro.build/en/reference/content-loader-reference/#file-loader, https://developer.mozilla.org/en-US/docs/Web/CSS/ident., import.meta.env.SITE, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Error, https://docs.astro.build/en/reference/errors/, http://www.w3.org/2000/svg, https://astro.build, https://docs.astro.build/en/reference/configuration-reference/#securitycsp, https://docs.astro.build/en/guides/upgrade-to/v6/#deprecated-session-driver-string-signature, https://docs.astro.build/en/guides/environment-variables/#variable-types, https://astro.build/api/v1/dev-overlay/, https://github.com/withastro/astro/issues/new/choose, https://github.com/withastro/roadmap/discussions/new/choose, https://docs.astro.build, https://astro.build/chat, https://astro.build/integrations/, https://docs.astro.build/en/reference/cli-reference/#astro-preferences, https://astro.build/chat., https://docs.astro.build/en/reference/configuration-reference/#trailingslash, https://astro.build/telemetry, https://astro.build/issues Location: Package overview From: package.json → `npm/astro@6.4.4` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/astro@6.4.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm `ci-info` Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/ci-info@4.4.0` ℹ Read more on: This package \| This alert \| What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ci-info@4.4.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Minified code present: npm `clsx` with 100.0% likelihood Confidence: 1.00 Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/clsx@2.1.1` ℹ Read more on: This package \| This alert \| What's wrong with minified code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/clsx@2.1.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Minified code present: npm `es-module-lexer` with 100.0% likelihood Confidence: 1.00 Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/es-module-lexer@2.1.0` ℹ Read more on: This package \| This alert \| What's wrong with minified code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/es-module-lexer@2.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Unmaintained: npm `escape-string-regexp` was last published 5 years ago Last Publish: 4/17/2021, 3:45:50 PM From: `?` → `npm/astro@6.4.4` → `npm/escape-string-regexp@5.0.0` ℹ Read more on: This package \| This alert \| What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/escape-string-regexp@5.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Unmaintained: npm `extend` was last published 8 years ago Last Publish: 7/19/2018, 10:12:43 PM From: `?` → `npm/astro@6.4.4` → `npm/extend@3.0.2` ℹ Read more on: This package \| This alert \| What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/extend@3.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Minified code present: npm `github-slugger` with 99.0% likelihood Confidence: 0.99 Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/github-slugger@2.0.0` ℹ Read more on: This package \| This alert \| What's wrong with minified code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/github-slugger@2.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `h3` URLs: EmergencyCallData.eCall.MSD, vnd.adobe.flash.movie, vnd.ahead.space, vnd.apache.arrow.stream, vnd.dece.data, vnd.desmume.movie, vnd.eudora.data, vnd.f-secure.mobile, vnd.gmx, vnd.ipld.car, vnd.muvee.style, vnd.nokia.n-gage.data, vnd.oasis.opendocument.graphics, vnd.previewsystems.box, vnd.rainstor.data, vnd.ruckus.download, vnd.sealed.net, vnd.uplanet.channel, vnd.youtube.yt, vnd.dece.audio, vnd.hns.audio, vnd.rip, vnd.abc, vnd.fly, vnd.in3d.spot, vnd.wap.si, vnd.wap.sl, vnd.dece.mobile, vnd.dece.sd, vnd.dece.video, vnd.hns.video, vnd.motorola.video, vnd.sealedmedia.softseal.mov, vnd.vivo Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/h3@1.15.11` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/h3@1.15.11`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `hast-util-from-html` URLs: https://html.spec.whatwg.org/multipage/parsing.html#parse-error- Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/hast-util-from-html@2.0.3` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/hast-util-from-html@2.0.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Unmaintained: npm `html-escaper` was last published 5 years ago Last Publish: 2/18/2021, 8:35:19 AM From: `?` → `npm/astro@6.4.4` → `npm/html-escaper@3.0.3` ℹ Read more on: This package \| This alert \| What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/html-escaper@3.0.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm `is-wsl` reads __IS_WSL_TEST__ Env Vars: IS_WSL_TEST Location: Package overview From: `?` → `npm/astro@6.4.4` → `npm/is-wsl@3.1.1` ℹ Read more on: This package \| This alert \| What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/is-wsl@3.1.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 22 more rows in the dashboard

View full report

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 4, 2026

dependabot Bot mentioned this pull request Jun 4, 2026

Bump astro from 6.4.2 to 6.4.3 #737

Closed

dependabot Bot assigned NikolaRHristov Jun 4, 2026

github-actions Bot requested a review from NikolaRHristov June 4, 2026 03:16

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump astro from 6.4.2 to 6.4.4#738

Bump astro from 6.4.2 to 6.4.4#738
dependabot[bot] wants to merge 1 commit into
Currentfrom
dependabot/npm_and_yarn/astro-6.4.4

dependabot Bot commented on behalf of github Jun 4, 2026

Uh oh!

socket-security Bot commented Jun 4, 2026

Uh oh!

socket-security Bot commented Jun 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

dependabot Bot commented on behalf of github Jun 4, 2026

astro@6.4.4

Patch Changes

astro@6.4.3

Patch Changes

6.4.4

Patch Changes

6.4.3

Patch Changes

Uh oh!

socket-security Bot commented Jun 4, 2026

Uh oh!

socket-security Bot commented Jun 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant