deps(tko.io): bump astro 5.18.1 → 6.1.8, starlight 0.37.7 → 0.38.3

Fixes dependabot advisory: Astro XSS in define:vars via incomplete
</script> tag sanitization (supersedes #354).

Migrations:
- content.config.ts: add docsLoader() — Astro 6 requires Content Layer
  loaders; file-based auto-discovery removed.
- Header.astro + tests.astro: resolve sibling/public paths from
  process.cwd() instead of import.meta.url. Astro 6's prerender
  bundles into dist/.prerender/chunks/, breaking ../-relative URLs.
- Remove patch-package: upstream starlight already includes the
  head.ts fix the patch carried, and Bun has native patching.

Verified: bun run build → 66 pages, clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 2 people

tko.io/bun.lock

@@ -4,7 +4,6 @@
   "type": "module",
   "description": "TKO documentation site",
   "scripts": {
-    "postinstall": "patch-package",
     "prebuild": "bun ./scripts/generate-verified-behaviors.mjs && mkdir -p public/lib && cd ../builds/knockout && bun run build && cp dist/browser.min.js ../../tko.io/public/lib/ko.js && cd ../reference && bun run build && cp dist/browser.min.js ../../tko.io/public/lib/tko.js && cd ../../tko.io && bun ./scripts/bundle-tests.mjs",
     "predev": "bun run prebuild",
     "dev": "ASTRO_TELEMETRY_DISABLED=1 bun --bun astro dev",
@@ -16,10 +15,9 @@
   "author": "",
   "license": "MIT",
   "devDependencies": {
-    "@astrojs/starlight": "0.37.7",
-    "@astrojs/check": "0.9.6",
-    "astro": "5.18.1",
-    "patch-package": "^8.0.1",
+    "@astrojs/starlight": "0.38.3",
+    "@astrojs/check": "0.9.8",
+    "astro": "6.1.8",
     "typescript": "^5.9.3"
   }
 }

tko.io/package.json

@@ -1,6 +1,7 @@
 ---
 import config from 'virtual:starlight/user-config';
 import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
 
 import LanguageSelect from 'virtual:starlight/components/LanguageSelect';
 import Search from 'virtual:starlight/components/Search';
@@ -11,7 +12,7 @@ import ThemeSelect from 'virtual:starlight/components/ThemeSelect';
 const shouldRenderSearch =
 	config.pagefind || config.components.Search !== '@astrojs/starlight/components/Search.astro';
 
-const pkg = JSON.parse(readFileSync(new URL('../../../builds/knockout/package.json', import.meta.url), 'utf8'));
+const pkg = JSON.parse(readFileSync(join(process.cwd(), '../builds/knockout/package.json'), 'utf8'));
 const version = pkg.version;
 ---
 

tko.io/patches/@astrojs+starlight+0.37.7.patch

@@ -1,6 +1,7 @@
 import { defineCollection } from 'astro:content';
+import { docsLoader } from '@astrojs/starlight/loaders';
 import { docsSchema } from '@astrojs/starlight/schema';
 
 export const collections = {
-  docs: defineCollection({ schema: docsSchema() })
+  docs: defineCollection({ loader: docsLoader(), schema: docsSchema() })
 };

tko.io/src/components/Header.astro

@@ -1,5 +1,5 @@
 ---
-import { fileURLToPath } from 'node:url'
+import { join } from 'node:path'
 
 // Read the source-mode chunk list at SSR time so the HTML ships
 // with <link rel="modulepreload"> for every shared chunk already
@@ -9,7 +9,9 @@ import { fileURLToPath } from 'node:url'
 // iframes with the opaque "Importing a module script failed."
 // error. `prebuild` always runs bundle-tests.mjs before Astro
 // builds the site, so manifest.json is guaranteed to exist.
-const manifestPath = fileURLToPath(new URL('../../public/tests/source/manifest.json', import.meta.url))
+// Resolve from cwd (project root) — import.meta.url points into
+// dist/.prerender/chunks/ under Astro 6's prerender bundler.
+const manifestPath = join(process.cwd(), 'public/tests/source/manifest.json')
 const sourceChunks: string[] = (await Bun.file(manifestPath).json()).chunks ?? []
 
 // TKO Browser Test Runner — written in TKO itself.