
chore(deps): bump the site-dependencies group across 1 directory with 2 updates #38

Closed: dependabot[bot] wants to merge 1 commit into stage from dependabot/npm_and_yarn/site/site-dependencies-1dd7d89614


Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github Jun 11, 2026

Bumps the site-dependencies group with 2 updates in the /site directory: astro and sharp.

Updates astro from 6.4.6 to 6.4.8

Release notes

Sourced from astro's releases.

astro@6.4.8

Patch Changes

astro@6.4.7

Patch Changes

  • #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

  • #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

    Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

    The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

  • #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

  • #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

  • #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

    When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

  • #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

    When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

    The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

  • #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

  • #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

  • #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

  • #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

  • #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

Changelog

Sourced from astro's changelog (the 6.4.8 and 6.4.7 entries repeat the release notes above).

Commits

Updates sharp from 0.34.5 to 0.35.1

Release notes

Sourced from sharp's releases.

v0.35.1

  • TypeScript: Ensure type definitions are published for both ESM and CJS. #4537

  • WebAssembly: Ensure wrapper file is published. #4538

v0.35.1-rc.1

  • TypeScript: Ensure type definitions are published for both ESM and CJS. #4537

  • WebAssembly: Ensure wrapper file is published. #4538

v0.35.1-rc.0

  • TypeScript: Ensure type definitions are published #4537

  • WebAssembly: Ensure wrapper file is published. #4538

v0.35.0

  • Breaking: Drop support for Node.js 18, now requires Node.js >= 20.9.0.

  • Breaking: Remove install script from package.json file. Compiling from source is now opt-in via the build script.

  • Breaking: Lossy AVIF output is now tuned using SSIMULACRA2-based iq quality metrics.

  • Breaking: Add limitInputChannels with a default value of 5.

  • Breaking: Remove deprecated failOnError constructor property.

  • Breaking: Remove deprecated paletteBitDepth from metadata response.

  • Breaking: Remove deprecated properties from sharpen operation.

  • Breaking: Rename format.jp2k as format.jp2 for API consistency.

  • Upgrade to libvips v8.18.3 for upstream bug fixes.

  • Remove experimental status from WebAssembly binaries.

  • Add prebuilt binaries for FreeBSD (WebAssembly).

  • Deprecate Windows 32-bit (win32-ia32) prebuilt binaries.

  • Ensure TIFF output bitdepth option is limited to 1, 2 or 4.

  • Add AVIF/HEIF tune option for control over quality metrics.

... (truncated)

Commits
  • d781a2d Release v0.35.1
  • 84fa853 Prerelease v0.35.1-rc.1
  • 21263c3 TypeScript: Switch type defs to ESM, convert back to CJS #4537
  • 8deceb4 Docs: fix link in changelog (#4541)
  • c9f08eb Revert "Docs: Highlight that Windows ARM64 support is experimental" (#4540)
  • 3ec892f Prerelease v0.35.1-rc.0
  • fbdeac5 CI: Run packaging linter on sub-packages
  • 1da92b3 WebAssembly: Ensure wrapper file is published #4538
  • 32c029e Add packaging linter to help prevent regression e.g. #4537
  • 98dc1df TypeScript: Ensure type definitions are published #4537
  • Additional commits viewable in compare view
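The iterative-decoding approach the astro 6.4.7 notes describe for CVE-2025-66202, as an added example that is not Astro's own code: a path canonicaliser that percent-decodes to a fixpoint (with an assumed round cap) before any authorization check, beside an approximation of the pre-6.4.7 reject-on-double-encoding rule.

```javascript
// Added example, not Astro's code: canonicalise a request path by
// percent-decoding to a fixpoint before any authorization check runs,
// the approach the astro 6.4.7 notes describe for CVE-2025-66202.
// MAX_DECODE_ROUNDS is an assumed cap so pathological input cannot loop.
const MAX_DECODE_ROUNDS = 5;

function canonicalizePath(path) {
  let current = path;
  for (let round = 0; round < MAX_DECODE_ROUNDS; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      // Malformed sequence (e.g. a dangling "%A"): stop at the last
      // well-formed form and flag it rather than guessing.
      return { path: current, rounds: round, malformed: true };
    }
    if (next === current) {
      return { path: current, rounds: round, malformed: false };
    }
    current = next;
  }
  // Still changing after the cap: report it so a caller can reject.
  return { path: current, rounds: MAX_DECODE_ROUNDS, malformed: false, exhausted: true };
}

// Middleware-style check that only ever looks at the canonical form, so
// "/api/%2561dmin" and "/api/%61dmin" both match the protected prefix.
// Note: decoding also turns "%2F" into "/", so use the canonical path for
// the authorization decision, not for re-splitting the route.
function isProtectedPath(rawPath) {
  const { path } = canonicalizePath(rawPath);
  return path === '/api/admin' || path.startsWith('/api/admin/');
}

// Approximation (assumed, not Astro's exact rule) of the pre-6.4.7 behaviour:
// anything still percent-encoded after one decode was rejected with a 400,
// which is what broke Sanity Studio's legitimate "%255B"-style URLs.
function looksDoubleEncoded(path) {
  try {
    return /%[0-9a-f]{2}/i.test(decodeURIComponent(path));
  } catch {
    return false;
  }
}

console.log(canonicalizePath('/api/%2561dmin')); // { path: '/api/admin', rounds: 2, malformed: false }
```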

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 11, 2026
@dependabot dependabot Bot requested a review from jaylann as a code owner June 11, 2026 07:11

@jaylann jaylann (Owner) left a comment

Holding this one. Two reasons:

  1. Build site fails the supply-chain release-age gate (ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION): sharp@0.35.0 and its @img/* deps were published 2026-06-10 ~17:06 UTC, inside the minimumReleaseAge cutoff. This gate is working as designed — we don't trust <24h-old packages.
  2. sharp 0.35.0 is a minor with real breaking changes (drops Node 18, AVIF re-tuning, removed deprecated APIs). Even once the age gate clears, the site build should be verified before merging.

The astro 6.4.5→6.4.6 patch is harmless on its own, but Dependabot grouped both under site-dependencies. Plan: once sharp ages past the cutoff (~17:06 UTC today), re-run checks; if the site build passes, merge. Otherwise verify just site-build locally first.

@jaylann jaylann (Owner) left a comment

Re-reviewed in depth — the content is safe, the only blocker is timing:

  • Site CI runs Node 24, satisfying sharp 0.35's new Node >=20.9 floor.
  • No direct sharp usage anywhere in the site and no custom Astro image-service config — sharp is only Astro's default image optimizer, so 0.35's breaking changes (removed deprecated failOnError/paletteBitDepth/sharpen props, jp2k→jp2, AVIF retuning) don't affect us.
  • pnpm resolved the lockfile cleanly; the install failed only on the release-age gate, not on any astro↔sharp peer conflict.

So the sole blocker is the minimumReleaseAge supply-chain gate: sharp 0.35.0 / @img/* published 2026-06-10 ~17:06 UTC, clearing the 24h cutoff ~17:06 UTC today. Re-run Build site after that and it merges clean. No code-side concerns.
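The release-age gate discussed in the two review comments above, modelled as an added example that is not pnpm's code. It assumes pnpm's minimumReleaseAge is a number of minutes and that publish times come from the registry packument's "time" map; the sharp packument below is constructed sample data, with only the 0.35.0 timestamp taken from the review.

```javascript
// Added example, not pnpm's code: a simplified model of the release-age gate
// discussed in the review. It assumes pnpm's minimumReleaseAge is a number
// of minutes and that version publish times come from the registry
// packument's "time" map; the packument below is constructed sample data.
const MINIMUM_RELEASE_AGE_MINUTES = 24 * 60; // the 24h window from the review

const sharpPackument = {
  time: {
    '0.34.5': '2026-03-01T12:00:00.000Z', // constructed
    '0.35.0': '2026-06-10T17:06:00.000Z', // the publish time quoted above
    '0.35.1': '2026-06-12T08:00:00.000Z', // constructed
  },
};

// Release-only semver compare; prerelease tags such as 0.35.1-rc.1 are
// not handled here (a default caret range would not select them anyway).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function checkReleaseAge(packument, version, now, minMinutes = MINIMUM_RELEASE_AGE_MINUTES) {
  const published = packument.time[version];
  if (!published) throw new Error(`unknown version ${version}`);
  const publishedMs = Date.parse(published);
  const ageMinutes = (now.getTime() - publishedMs) / 60000;
  if (ageMinutes < minMinutes) {
    return {
      ok: false,
      code: 'ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION',
      ageMinutes,
      clearsAt: new Date(publishedMs + minMinutes * 60000).toISOString(),
    };
  }
  return { ok: true, ageMinutes };
}

// Newest version that already satisfies the gate: the fallback a resolver
// takes when the requested version is still too fresh.
function newestAllowedVersion(packument, now, minMinutes = MINIMUM_RELEASE_AGE_MINUTES) {
  const allowed = Object.keys(packument.time)
    .filter((v) => checkReleaseAge(packument, v, now, minMinutes).ok)
    .sort(compareSemver);
  return allowed.length ? allowed[allowed.length - 1] : null;
}
```

Run with the review time (2026-06-11T07:11Z) and 0.35.0 is rejected with clearsAt 2026-06-11T17:06Z, the same clearance time the reviewer computed by hand.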

@jaylann jaylann (Owner) commented Jun 11, 2026

@dependabot rebase

@dependabot dependabot Bot changed the title chore(deps): Bump the site-dependencies group in /site with 2 updates chore(deps): Bump the site-dependencies group across 1 directory with 2 updates Jun 11, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/site/site-dependencies-1dd7d89614 branch from 81b10c4 to dd8937b Compare June 11, 2026 18:36
@jaylann jaylann (Owner) commented Jun 12, 2026

@dependabot rebase

@jaylann jaylann (Owner) commented Jun 12, 2026

@copilot resolve the merge conflicts in this pull request. Then rebase

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/site/site-dependencies-1dd7d89614 branch from dd8937b to 838f08c Compare June 12, 2026 14:08

Copilot AI (Contributor) commented Jun 12, 2026

@copilot resolve the merge conflicts in this pull request. Then rebase

I checked and rebased this branch onto stage; there were no merge conflicts to resolve and Git reports it is already up to date at 838f08c.

I also checked the failing Build site job logs: the failure is the ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION supply-chain age gate for sharp@0.35.1 and @img/sharp-*, not a merge conflict.

Copilot AI requested a review from jaylann June 12, 2026 14:11
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/site/site-dependencies-1dd7d89614 branch from 838f08c to d31b42f Compare June 17, 2026 10:15
@jaylann jaylann (Owner) commented Jun 17, 2026

@dependabot rebase

@dependabot dependabot Bot changed the title chore(deps): Bump the site-dependencies group across 1 directory with 2 updates chore(deps): bump the site-dependencies group across 1 directory with 2 updates Jun 17, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/site/site-dependencies-1dd7d89614 branch from d31b42f to 767815e Compare June 17, 2026 21:48
@jaylann jaylann (Owner) commented Jun 17, 2026

Holding this one: the astro bump in this group resolves to 6.4.8, published 2026-06-17 and still inside the site's pnpm minimumReleaseAge (24h) window, so Build site fails the supply-chain age check. Merging it now would red the site build on stage until the package ages past the gate (~2026-06-18 14:10 UTC).

The conservative astro patch (6.4.5→6.4.6) landed separately via #146, so the site is already current there. Once 6.4.8 clears the age gate, @dependabot rebase this PR to pick up astro 6.4.8 + sharp 0.35.1 with a green build, or let dependabot reconcile it against #146.

… 2 updates

Bumps the site-dependencies group with 2 updates in the /site directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) and [sharp](https://github.com/lovell/sharp).


Updates `astro` from 6.4.6 to 6.4.8
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/astro@6.4.8/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.4.8/packages/astro)

Updates `sharp` from 0.34.5 to 0.35.1
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.34.5...v0.35.1)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: site-dependencies
- dependency-name: sharp
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: site-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/site/site-dependencies-1dd7d89614 branch from 767815e to 2e32114 Compare June 17, 2026 22:32
@dependabot dependabot Bot (Contributor, Author) commented on behalf of github Jun 24, 2026

Looks like these dependencies are no longer updatable, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 24, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/site/site-dependencies-1dd7d89614 branch June 24, 2026 10:16