Skip to content

Commit 40c9e45

Browse files
chore(deps): bump the npm_and_yarn group across 3 directories with 3 updates (#1700)
Bumps the npm_and_yarn group with 1 update in the /components/ambient-ui directory: [undici](https://github.com/nodejs/undici). Bumps the npm_and_yarn group with 2 updates in the /components/frontend directory: [undici](https://github.com/nodejs/undici) and [dompurify](https://github.com/cure53/DOMPurify). Bumps the npm_and_yarn group with 2 updates in the /docs directory: [dompurify](https://github.com/cure53/DOMPurify) and [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro). Updates `undici` from 7.26.0 to 7.28.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v7.28.0</h2> <h1>⚠️ Security Release</h1> <p>This release line addresses <strong>7 security advisories</strong>, all shipped in <strong>v7.28.0</strong>.</p> <blockquote> <p><strong>Action required:</strong> Upgrade to <strong>undici 7.28.0</strong> or later.</p> <pre lang="sh"><code>npm install undici@^7.28.0 </code></pre> </blockquote> <p>The v7 line is <strong>not</strong> affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.</p> <blockquote> <p><strong>Note on GHSA-hm92-r4w5-c3mj:</strong> this fix shipped in <strong>v7.28.0</strong>, not the earlier 7.2x line — the vulnerable single-pool code was still present through <code>v7.27.2</code>. The per-origin pool fix is <a href="https://github.com/nodejs/undici/commit/3805b8f8"><code>3805b8f8</code></a> (<a href="https://redirect.github.com/nodejs/undici/pull/5041">#5041</a>).</p> </blockquote> <h2>Summary</h2> <table> <thead> <tr> <th>Advisory</th> <th>CVE</th> <th>Severity (CVSS)</th> <th>Fixed in</th> <th>Fix commit</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></td> <td>CVE-2026-12151</td> <td>High (7.5)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/8cb10f98"><code>8cb10f98</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></td> <td>CVE-2026-9697</td> <td>High (7.4)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/04201f89"><code>04201f89</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj">GHSA-hm92-r4w5-c3mj</a></td> <td>CVE-2026-6734</td> <td>High (7.5)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/3805b8f8"><code>3805b8f8</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6">GHSA-pr7r-676h-xcf6</a></td> <td>CVE-2026-9678</td> <td>Moderate (5.9)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/85a24055"><code>85a24055</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv">GHSA-p88m-4jfj-68fv</a></td> <td>CVE-2026-9679</td> <td>Moderate (5.9)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/d0574cc4"><code>d0574cc4</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m">GHSA-g8m3-5g58-fq7m</a></td> <td>CVE-2026-11525</td> <td>Low (3.7)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/d0574cc4"><code>d0574cc4</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52">GHSA-35p6-xmwp-9g52</a></td> <td>CVE-2026-6733</td> <td>Low (3.7)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/ea8930cf"><code>ea8930cf</code></a></td> </tr> </tbody> </table> <hr /> <h2>High severity</h2> <h3>WebSocket DoS via fragment count bypass — CVE-2026-12151</h3> <p><strong><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></strong> · CWE-400, CWE-770 <strong>Fix:</strong> <a href="https://github.com/nodejs/undici/commit/8cb10f98"><code>8cb10f98</code></a> <em>websocket: limit the number of fragments in a message</em> (part of backport <a href="https://github.com/nodejs/undici/commit/a027a4a0"><code>a027a4a0</code></a> <em>Backport WebSocket maxPayloadSize fixes to v7.x</em>, <a href="https://redirect.github.com/nodejs/undici/pull/5423">#5423</a>)</p> <p>A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the <em>number</em> of fragments per message, leading to unbounded memory growth and denial of service.</p> <ul> <li><strong>Affected:</strong> applications using <code>new WebSocket(...)</code> or <code>WebSocketStream</code> against untrusted endpoints.</li> <li><strong>Workaround:</strong> none — upgrade is required.</li> </ul> <h3>TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697</h3> <p><strong><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></strong> · CWE-295</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/f9eba0ad9134e1c0977848476bba9d49734696e4"><code>f9eba0a</code></a> Bumped v7.28.0 (<a href="https://redirect.github.com/nodejs/undici/issues/5430">#5430</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/a027a4a04c6c055877d1abaf5f60ee4917e7e01f"><code>a027a4a</code></a> Backport WebSocket maxPayloadSize fixes to v7.x (<a href="https://redirect.github.com/nodejs/undici/issues/5423">#5423</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/8cb10f983eb6005dd53f3744d95d3b6d7dbcee0f"><code>8cb10f9</code></a> websocket: limit the number of fragments in a message</li> <li><a href="https://github.com/nodejs/undici/commit/04201f8947041f0f4f2ac865dbdb1677e46a8844"><code>04201f8</code></a> fix: honor requestTls when proxy is SOCKS5</li> <li><a href="https://github.com/nodejs/undici/commit/fcd642ff613ea9030dec87cf622e68d4b1ae9847"><code>fcd642f</code></a> fix(socks5): preserve dispatch backpressure return value (<a href="https://redirect.github.com/nodejs/undici/issues/5166">#5166</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/bc98c97906abf26fa1e959b2f6111b53ade0e18f"><code>bc98c97</code></a> fix(socks5): use configured connector in Socks5ProxyAgent (<a href="https://redirect.github.com/nodejs/undici/issues/5168">#5168</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/9e1c74372a2b27cacd92d27c13a83a6d84f10e0e"><code>9e1c743</code></a> fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (<a href="https://redirect.github.com/nodejs/undici/issues/5099">#5099</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/376c8be27cb40cc17ccaad6b6ebb317fa7148d65"><code>376c8be</code></a> fix(socks5): enforce authenticated state before CONNECT (<a href="https://redirect.github.com/nodejs/undici/issues/5097">#5097</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/3805b8f8518882991044048c256e005dc3c10a85"><code>3805b8f</code></a> fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...</li> <li><a href="https://github.com/nodejs/undici/commit/85a240551c9feb8b8a0ecc56c84b2b3015add8a9"><code>85a2405</code></a> fix(cache): trim qualified field names</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v7.26.0...v7.28.0">compare view</a></li> </ul> </details> <br /> Updates `undici` from 7.24.7 to 7.28.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v7.28.0</h2> <h1>⚠️ Security Release</h1> <p>This release line addresses <strong>7 security advisories</strong>, all shipped in <strong>v7.28.0</strong>.</p> <blockquote> <p><strong>Action required:</strong> Upgrade to <strong>undici 7.28.0</strong> or later.</p> <pre lang="sh"><code>npm install undici@^7.28.0 </code></pre> </blockquote> <p>The v7 line is <strong>not</strong> affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.</p> <blockquote> <p><strong>Note on GHSA-hm92-r4w5-c3mj:</strong> this fix shipped in <strong>v7.28.0</strong>, not the earlier 7.2x line — the vulnerable single-pool code was still present through <code>v7.27.2</code>. The per-origin pool fix is <a href="https://github.com/nodejs/undici/commit/3805b8f8"><code>3805b8f8</code></a> (<a href="https://redirect.github.com/nodejs/undici/pull/5041">#5041</a>).</p> </blockquote> <h2>Summary</h2> <table> <thead> <tr> <th>Advisory</th> <th>CVE</th> <th>Severity (CVSS)</th> <th>Fixed in</th> <th>Fix commit</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></td> <td>CVE-2026-12151</td> <td>High (7.5)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/8cb10f98"><code>8cb10f98</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></td> <td>CVE-2026-9697</td> <td>High (7.4)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/04201f89"><code>04201f89</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj">GHSA-hm92-r4w5-c3mj</a></td> <td>CVE-2026-6734</td> <td>High (7.5)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/3805b8f8"><code>3805b8f8</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6">GHSA-pr7r-676h-xcf6</a></td> <td>CVE-2026-9678</td> <td>Moderate (5.9)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/85a24055"><code>85a24055</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv">GHSA-p88m-4jfj-68fv</a></td> <td>CVE-2026-9679</td> <td>Moderate (5.9)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/d0574cc4"><code>d0574cc4</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m">GHSA-g8m3-5g58-fq7m</a></td> <td>CVE-2026-11525</td> <td>Low (3.7)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/d0574cc4"><code>d0574cc4</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52">GHSA-35p6-xmwp-9g52</a></td> <td>CVE-2026-6733</td> <td>Low (3.7)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/ea8930cf"><code>ea8930cf</code></a></td> </tr> </tbody> </table> <hr /> <h2>High severity</h2> <h3>WebSocket DoS via fragment count bypass — CVE-2026-12151</h3> <p><strong><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></strong> · CWE-400, CWE-770 <strong>Fix:</strong> <a href="https://github.com/nodejs/undici/commit/8cb10f98"><code>8cb10f98</code></a> <em>websocket: limit the number of fragments in a message</em> (part of backport <a href="https://github.com/nodejs/undici/commit/a027a4a0"><code>a027a4a0</code></a> <em>Backport WebSocket maxPayloadSize fixes to v7.x</em>, <a href="https://redirect.github.com/nodejs/undici/pull/5423">#5423</a>)</p> <p>A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the <em>number</em> of fragments per message, leading to unbounded memory growth and denial of service.</p> <ul> <li><strong>Affected:</strong> applications using <code>new WebSocket(...)</code> or <code>WebSocketStream</code> against untrusted endpoints.</li> <li><strong>Workaround:</strong> none — upgrade is required.</li> </ul> <h3>TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697</h3> <p><strong><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></strong> · CWE-295</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/f9eba0ad9134e1c0977848476bba9d49734696e4"><code>f9eba0a</code></a> Bumped v7.28.0 (<a href="https://redirect.github.com/nodejs/undici/issues/5430">#5430</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/a027a4a04c6c055877d1abaf5f60ee4917e7e01f"><code>a027a4a</code></a> Backport WebSocket maxPayloadSize fixes to v7.x (<a href="https://redirect.github.com/nodejs/undici/issues/5423">#5423</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/8cb10f983eb6005dd53f3744d95d3b6d7dbcee0f"><code>8cb10f9</code></a> websocket: limit the number of fragments in a message</li> <li><a href="https://github.com/nodejs/undici/commit/04201f8947041f0f4f2ac865dbdb1677e46a8844"><code>04201f8</code></a> fix: honor requestTls when proxy is SOCKS5</li> <li><a href="https://github.com/nodejs/undici/commit/fcd642ff613ea9030dec87cf622e68d4b1ae9847"><code>fcd642f</code></a> fix(socks5): preserve dispatch backpressure return value (<a href="https://redirect.github.com/nodejs/undici/issues/5166">#5166</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/bc98c97906abf26fa1e959b2f6111b53ade0e18f"><code>bc98c97</code></a> fix(socks5): use configured connector in Socks5ProxyAgent (<a href="https://redirect.github.com/nodejs/undici/issues/5168">#5168</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/9e1c74372a2b27cacd92d27c13a83a6d84f10e0e"><code>9e1c743</code></a> fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (<a href="https://redirect.github.com/nodejs/undici/issues/5099">#5099</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/376c8be27cb40cc17ccaad6b6ebb317fa7148d65"><code>376c8be</code></a> fix(socks5): enforce authenticated state before CONNECT (<a href="https://redirect.github.com/nodejs/undici/issues/5097">#5097</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/3805b8f8518882991044048c256e005dc3c10a85"><code>3805b8f</code></a> fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...</li> <li><a href="https://github.com/nodejs/undici/commit/85a240551c9feb8b8a0ecc56c84b2b3015add8a9"><code>85a2405</code></a> fix(cache): trim qualified field names</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v7.26.0...v7.28.0">compare view</a></li> </ul> </details> <br /> Updates `dompurify` from 3.4.9 to 3.4.11 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cure53/DOMPurify/releases">dompurify's releases</a>.</em></p> <blockquote> <h2>DOMPurify 3.4.11</h2> <ul> <li>Fixed an issue with a leaky config for hooks via <code>setConfig</code>, thanks <a href="https://github.com/trace37labs"><code>@​trace37labs</code></a></li> <li>Bumped vulnerable development dependencies to arrive at plain 0 with <code>npm audit</code></li> <li>Updated the <code>osv-scanner</code> suppression list as no vulnerable dependencies are left for now</li> <li>Updated up the linting tool-chain and removed now-redundant lint directives</li> <li>Updated the documentation is several spots, README, wiki, etc.</li> <li>Bumped several dependencies where possible</li> </ul> <h2>DOMPurify 3.4.10</h2> <ul> <li>Refactored codebase for clarity: extracted the public type declarations into <code>types.ts</code></li> <li>Decomposed the three largest sanitizer functions into focused helpers</li> <li>Removed duplicated defaults and dead branches, consolidated <code>SAFE_FOR_TEMPLATES</code> scrubbing into single shared path</li> <li>Improved per-node performance by hoisting the mXSS probe regexes and testing <code>textContent</code> before <code>innerHTML</code></li> <li>Added a deterministic micro-benchmark harness (<code>npm run bench</code>) with a <code>--compare</code> mode</li> <li>Reduced CI cost by running the full three-engine browser suite once per PR</li> <li>Refreshed the <code>demos/</code> folder so every demo runs again, and added a SVG-via-<code>&lt;img&gt;</code> demo</li> <li>Documented the bench and <code>test:happydom</code> scripts in the README</li> <li>Completed the Attack Classes &amp; Bypass History wiki page</li> <li>Bumped several dependencies where possible</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cure53/DOMPurify/commit/0cae5187403132f96a6d357649e4b15633fc210a"><code>0cae518</code></a> release: 3.4.11 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1494">#1494</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/6ee5716f8336989753611beeca364957c0eb0c3e"><code>6ee5716</code></a> release: 3.4.10 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1478">#1478</a>)</li> <li>See full diff in <a href="https://github.com/cure53/DOMPurify/compare/3.4.9...3.4.11">compare view</a></li> </ul> </details> <br /> Updates `dompurify` from 3.4.10 to 3.4.11 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cure53/DOMPurify/releases">dompurify's releases</a>.</em></p> <blockquote> <h2>DOMPurify 3.4.11</h2> <ul> <li>Fixed an issue with a leaky config for hooks via <code>setConfig</code>, thanks <a href="https://github.com/trace37labs"><code>@​trace37labs</code></a></li> <li>Bumped vulnerable development dependencies to arrive at plain 0 with <code>npm audit</code></li> <li>Updated the <code>osv-scanner</code> suppression list as no vulnerable dependencies are left for now</li> <li>Updated up the linting tool-chain and removed now-redundant lint directives</li> <li>Updated the documentation is several spots, README, wiki, etc.</li> <li>Bumped several dependencies where possible</li> </ul> <h2>DOMPurify 3.4.10</h2> <ul> <li>Refactored codebase for clarity: extracted the public type declarations into <code>types.ts</code></li> <li>Decomposed the three largest sanitizer functions into focused helpers</li> <li>Removed duplicated defaults and dead branches, consolidated <code>SAFE_FOR_TEMPLATES</code> scrubbing into single shared path</li> <li>Improved per-node performance by hoisting the mXSS probe regexes and testing <code>textContent</code> before <code>innerHTML</code></li> <li>Added a deterministic micro-benchmark harness (<code>npm run bench</code>) with a <code>--compare</code> mode</li> <li>Reduced CI cost by running the full three-engine browser suite once per PR</li> <li>Refreshed the <code>demos/</code> folder so every demo runs again, and added a SVG-via-<code>&lt;img&gt;</code> demo</li> <li>Documented the bench and <code>test:happydom</code> scripts in the README</li> <li>Completed the Attack Classes &amp; Bypass History wiki page</li> <li>Bumped several dependencies where possible</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cure53/DOMPurify/commit/0cae5187403132f96a6d357649e4b15633fc210a"><code>0cae518</code></a> release: 3.4.11 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1494">#1494</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/6ee5716f8336989753611beeca364957c0eb0c3e"><code>6ee5716</code></a> release: 3.4.10 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1478">#1478</a>)</li> <li>See full diff in <a href="https://github.com/cure53/DOMPurify/compare/3.4.9...3.4.11">compare view</a></li> </ul> </details> <br /> Updates `astro` from 6.3.1 to 6.4.8 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/withastro/astro/releases">astro's releases</a>.</em></p> <blockquote> <h2>astro@6.4.8</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/withastro/astro/pull/17109">#17109</a> <a href="https://github.com/withastro/astro/commit/27c80ea92248993e5fce94b2c26d87d611ab6785"><code>27c80ea</code></a> Thanks <a href="https://github.com/ematipico"><code>@​ematipico</code></a>! - Harden the limits on the number of decoding on the URL.</li> </ul> <h2>astro@6.4.7</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17035">#17035</a> <a href="https://github.com/withastro/astro/commit/197e50e2e37168a9b9e8a014c13d1308b2220ca1"><code>197e50e</code></a> Thanks <a href="https://github.com/astrobot-houston"><code>@​astrobot-houston</code></a>! - Fixes <code>getRelativeLocaleUrl</code>, <code>getAbsoluteLocaleUrl</code>, and <code>getAbsoluteLocaleUrlList</code> to strip trailing slashes when <code>trailingSlash: 'never'</code> is configured</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16967">#16967</a> <a href="https://github.com/withastro/astro/commit/37197652630ffbc11efaaec1865869410b8dfd70"><code>3719765</code></a> Thanks <a href="https://github.com/astrobot-houston"><code>@​astrobot-houston</code></a>! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes</p> <p>Previously, any URL containing a double-encoded character (like <code>%255B</code>, which is <code>[</code> encoded twice) was unconditionally rejected with a <code>400 Bad Request</code> before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.</p> <p>The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, <code>/api/%2561dmin</code> is decoded to <code>/api/admin</code>, which middleware can correctly block.</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17066">#17066</a> <a href="https://github.com/withastro/astro/commit/2f4d92a72b00354114359b5746d573fbfd3b334f"><code>2f4d92a</code></a> Thanks <a href="https://github.com/matthewp"><code>@​matthewp</code></a>! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16882">#16882</a> <a href="https://github.com/withastro/astro/commit/621beb70fe957ecc73c3407c240392507613e0fd"><code>621beb7</code></a> Thanks <a href="https://github.com/jettwayio"><code>@​jettwayio</code></a>! - fix(render): honour compressHTML when joining head elements</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16892">#16892</a> <a href="https://github.com/withastro/astro/commit/8d753b0b671971b78e7064fe38c2b0b518823627"><code>8d753b0</code></a> Thanks <a href="https://github.com/astrobot-houston"><code>@​astrobot-houston</code></a>! - Fixes custom elements in MDX having their children's <code>slot</code> attribute stripped by the JSX runtime</p> <p>When custom elements (tags with hyphens like <code>&lt;my-element&gt;</code>) are used in MDX files, the <code>slot</code> HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat <code>slot</code> as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16957">#16957</a> <a href="https://github.com/withastro/astro/commit/544ee763d7f7894e3b588daa14b09ef32a4d794a"><code>544ee76</code></a> Thanks <a href="https://github.com/thelazylamaGit"><code>@​thelazylamaGit</code></a>! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev</p> <p>When editing a CSS file (<code>.css</code>, <code>.scss</code>, etc.) during development, the inline <code>&lt;style&gt;</code> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.</p> <p>The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17044">#17044</a> <a href="https://github.com/withastro/astro/commit/2220d22f8c7278988560d0e4b4f378c9967e9bae"><code>2220d22</code></a> Thanks <a href="https://github.com/astrobot-houston"><code>@​astrobot-houston</code></a>! - Fixes CSS from <code>client:only</code> islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17040">#17040</a> <a href="https://github.com/withastro/astro/commit/7c4763d31b94ccbdc2339992d73e087912e5b8e3"><code>7c4763d</code></a> Thanks <a href="https://github.com/astrobot-houston"><code>@​astrobot-houston</code></a>! - Fixes HMR not triggering for files inside the <code>src/middleware/</code> directory during dev</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16672">#16672</a> <a href="https://github.com/withastro/astro/commit/52fc86213e6412b6f9f3b70a2616d52b5fb783a9"><code>52fc862</code></a> Thanks <a href="https://github.com/martinheidegger"><code>@​martinheidegger</code></a>! - Fixes support for numeric IDs in YAML frontmatter when using content collection references</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16762">#16762</a> <a href="https://github.com/withastro/astro/commit/9de80ae486bc43c8680fda099a125d836e78b552"><code>9de80ae</code></a> Thanks <a href="https://github.com/alexanderdombroski"><code>@​alexanderdombroski</code></a>! - Adds a JSON schema to the Wrangler configuration file generated when running <code>astro add cloudflare</code></p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17046">#17046</a> <a href="https://github.com/withastro/astro/commit/ef771ece349eedb6e0b3b240b020fb96df208a92"><code>ef771ec</code></a> Thanks <a href="https://github.com/ematipico"><code>@​ematipico</code></a>! - Improves the diagnostics emitted when Astro parses incorrect <code>.astro</code> files.</p> </li> </ul> <h2>astro@6.4.6</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16765">#16765</a> <a href="https://github.com/withastro/astro/commit/b10e86e6dbaf04678127c86366befc0b78a164f6"><code>b10e86e</code></a> Thanks <a href="https://github.com/fkatsuhiro"><code>@​fkatsuhiro</code></a>! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17026">#17026</a> <a href="https://github.com/withastro/astro/commit/add3df10fdaff469ae0228f09d99290de170029a"><code>add3df1</code></a> Thanks <a href="https://github.com/matthewp"><code>@​matthewp</code></a>! - Hardens <code>addAttribute</code> to drop attribute names containing characters that are invalid per the HTML spec (<code>&quot;</code>, <code>'</code>, <code>&gt;</code>, <code>/</code>, <code>=</code>, whitespace)</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17033">#17033</a> <a href="https://github.com/withastro/astro/commit/ffda27b7c8697d4b7ed530e93385a420e1fc4acd"><code>ffda27b</code></a> Thanks <a href="https://github.com/matthewp"><code>@​matthewp</code></a>! - Validates the request origin against <code>allowedDomains</code> before fetching prerendered error pages. When <code>allowedDomains</code> is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to <code>localhost</code>.</p> </li> </ul> <h2>astro@6.4.5</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/withastro/astro/blob/astro@6.4.8/packages/astro/CHANGELOG.md">astro's changelog</a>.</em></p> <blockquote> <h2>6.4.8</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/withastro/astro/pull/17109">#17109</a> <a href="https://github.com/withastro/astro/commit/27c80ea92248993e5fce94b2c26d87d611ab6785"><code>27c80ea</code></a> Thanks <a href="https://github.com/ematipico"><code>@​ematipico</code></a>! - Harden the limits on the number of decoding on the URL.</li> </ul> <h2>6.4.7</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17035">#17035</a> <a href="https://github.com/withastro/astro/commit/197e50e2e37168a9b9e8a014c13d1308b2220ca1"><code>197e50e</code></a> Thanks <a href="https://github.com/astrobot-houston"><code>@​astrobot-houston</code></a>! - Fixes <code>getRelativeLocaleUrl</code>, <code>getAbsoluteLocaleUrl</code>, and <code>getAbsoluteLocaleUrlList</code> to strip trailing slashes when <code>trailingSlash: 'never'</code> is configured</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16967">#16967</a> <a href="https://github.com/withastro/astro/commit/37197652630ffbc11efaaec1865869410b8dfd70"><code>3719765</code></a> Thanks <a href="https://github.com/astrobot-houston"><code>@​astrobot-houston</code></a>! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes</p> <p>Previously, any URL containing a double-encoded character (like <code>%255B</code>, which is <code>[</code> encoded twice) was unconditionally rejected with a <code>400 Bad Request</code> before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.</p> <p>The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, <code>/api/%2561dmin</code> is decoded to <code>/api/admin</code>, which middleware can correctly block.</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17066">#17066</a> <a href="https://github.com/withastro/astro/commit/2f4d92a72b00354114359b5746d573fbfd3b334f"><code>2f4d92a</code></a> Thanks <a href="https://github.com/matthewp"><code>@​matthewp</code></a>! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16882">#16882</a> <a href="https://github.com/withastro/astro/commit/621beb70fe957ecc73c3407c240392507613e0fd"><code>621beb7</code></a> Thanks <a href="https://github.com/jettwayio"><code>@​jettwayio</code></a>! - fix(render): honour compressHTML when joining head elements</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16892">#16892</a> <a href="https://github.com/withastro/astro/commit/8d753b0b671971b78e7064fe38c2b0b518823627"><code>8d753b0</code></a> Thanks <a href="https://github.com/astrobot-houston"><code>@​astrobot-houston</code></a>! - Fixes custom elements in MDX having their children's <code>slot</code> attribute stripped by the JSX runtime</p> <p>When custom elements (tags with hyphens like <code>&lt;my-element&gt;</code>) are used in MDX files, the <code>slot</code> HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat <code>slot</code> as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16957">#16957</a> <a href="https://github.com/withastro/astro/commit/544ee763d7f7894e3b588daa14b09ef32a4d794a"><code>544ee76</code></a> Thanks <a href="https://github.com/thelazylamaGit"><code>@​thelazylamaGit</code></a>! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev</p> <p>When editing a CSS file (<code>.css</code>, <code>.scss</code>, etc.) during development, the inline <code>&lt;style&gt;</code> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.</p> <p>The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17044">#17044</a> <a href="https://github.com/withastro/astro/commit/2220d22f8c7278988560d0e4b4f378c9967e9bae"><code>2220d22</code></a> Thanks <a href="https://github.com/astrobot-houston"><code>@​astrobot-houston</code></a>! - Fixes CSS from <code>client:only</code> islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17040">#17040</a> <a href="https://github.com/withastro/astro/commit/7c4763d31b94ccbdc2339992d73e087912e5b8e3"><code>7c4763d</code></a> Thanks <a href="https://github.com/astrobot-houston"><code>@​astrobot-houston</code></a>! - Fixes HMR not triggering for files inside the <code>src/middleware/</code> directory during dev</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16672">#16672</a> <a href="https://github.com/withastro/astro/commit/52fc86213e6412b6f9f3b70a2616d52b5fb783a9"><code>52fc862</code></a> Thanks <a href="https://github.com/martinheidegger"><code>@​martinheidegger</code></a>! - Fixes support for numeric IDs in YAML frontmatter when using content collection references</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16762">#16762</a> <a href="https://github.com/withastro/astro/commit/9de80ae486bc43c8680fda099a125d836e78b552"><code>9de80ae</code></a> Thanks <a href="https://github.com/alexanderdombroski"><code>@​alexanderdombroski</code></a>! - Adds a JSON schema to the Wrangler configuration file generated when running <code>astro add cloudflare</code></p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17046">#17046</a> <a href="https://github.com/withastro/astro/commit/ef771ece349eedb6e0b3b240b020fb96df208a92"><code>ef771ec</code></a> Thanks <a href="https://github.com/ematipico"><code>@​ematipico</code></a>! - Improves the diagnostics emitted when Astro parses incorrect <code>.astro</code> files.</p> </li> </ul> <h2>6.4.6</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/16765">#16765</a> <a href="https://github.com/withastro/astro/commit/b10e86e6dbaf04678127c86366befc0b78a164f6"><code>b10e86e</code></a> Thanks <a href="https://github.com/fkatsuhiro"><code>@​fkatsuhiro</code></a>! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.</p> </li> <li> <p><a href="https://redirect.github.com/withastro/astro/pull/17026">#17026</a> <a href="https://github.com/withastro/astro/commit/add3df10fdaff469ae0228f09d99290de170029a"><code>add3df1</code></a> Thanks <a href="https://github.com/matthewp"><code>@​matthewp</code></a>! - Hardens <code>addAttribute</code> to drop attribute names containing characters that are invalid per the HTML spec (<code>&quot;</code>, <code>'</code>, <code>&gt;</code>, <code>/</code>, <code>=</code>, whitespace)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/withastro/astro/commit/3ec2c10b1fd073916a00b60ff74d9d5bb17ad208"><code>3ec2c10</code></a> [ci] release (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/17110">#17110</a>)</li> <li><a href="https://github.com/withastro/astro/commit/27c80ea92248993e5fce94b2c26d87d611ab6785"><code>27c80ea</code></a> fix(core): encoded URLs (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/17109">#17109</a>)</li> <li><a href="https://github.com/withastro/astro/commit/910e121ad33c481dcfb4b313abd7d8ff370ee347"><code>910e121</code></a> [ci] release (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/17036">#17036</a>)</li> <li><a href="https://github.com/withastro/astro/commit/ef771ece349eedb6e0b3b240b020fb96df208a92"><code>ef771ec</code></a> fix: improve diagnostics (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/17046">#17046</a>)</li> <li><a href="https://github.com/withastro/astro/commit/0537f5ca22b8ee94ddd173bae5b7c9a44049a5ed"><code>0537f5c</code></a> [ci] format</li> <li><a href="https://github.com/withastro/astro/commit/2f4d92a72b00354114359b5746d573fbfd3b334f"><code>2f4d92a</code></a> Fix prerendered redirect targets inflating SSR bundle in hybrid mode (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/17066">#17066</a>)</li> <li><a href="https://github.com/withastro/astro/commit/360fa3f0b97f0b595c3df868dc7f2bcab210d5fe"><code>360fa3f</code></a> docs: fix grammar in container API JSDoc comments (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/16984">#16984</a>)</li> <li><a href="https://github.com/withastro/astro/commit/bbe0e5403193b0cc2141667b65ab66aeebcff725"><code>bbe0e54</code></a> [ci] format</li> <li><a href="https://github.com/withastro/astro/commit/52fc86213e6412b6f9f3b70a2616d52b5fb783a9"><code>52fc862</code></a> Supporting numeric id references (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/16672">#16672</a>)</li> <li><a href="https://github.com/withastro/astro/commit/9de80ae486bc43c8680fda099a125d836e78b552"><code>9de80ae</code></a> feat(cli): Adds wrangler schema to generated wrangler.jsonc file when running...</li> <li>Additional commits viewable in <a href="https://github.com/withastro/astro/commits/astro@6.4.8/packages/astro">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ambient-code/platform/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent edaaa9a commit 40c9e45

5 files changed

Lines changed: 78 additions & 25 deletions

File tree

components/ambient-ui/package-lock.json

Lines changed: 3 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

components/frontend/package-lock.json

Lines changed: 7 additions & 7 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

components/frontend/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@
3838
"cron-parser": "^5.5.0",
3939
"cronstrue": "^3.13.0",
4040
"date-fns": "^4.1.0",
41-
"dompurify": "^3.4.9",
41+
"dompurify": "^3.4.11",
4242
"file-type": "^21.3.2",
4343
"geist": "^1.7.0",
4444
"highlight.js": "^11.11.1",

docs/package-lock.json

Lines changed: 66 additions & 13 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

docs/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@
1212
},
1313
"dependencies": {
1414
"@astrojs/starlight": "^0.39",
15-
"astro": "^6.3",
15+
"astro": "^6.4",
1616
"playwright": "^1.58.2",
1717
"sharp": "^0.33.0"
1818
},

0 commit comments

Comments
 (0)