Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@7.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
This PR contains the following updates:
@astrojs/rss 4.0.18 → 4.0.19
astro 7.0.3 → 7.0.4
starlight-links-validator 0.25.1 → 0.25.2
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
withastro/astro (@astrojs/rss)
v4.0.19 (Compare Source)
Patch Changes
#17209 fbcfa03 Thanks @matthewp! - Hardens RSS feed generation by escaping the source and enclosure item fields. These fields are now serialized as structured XML values, ensuring that special characters in values like source.title and enclosure.type are always treated as text rather than markup, consistent with how other feed fields are handled.
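The @astrojs/rss entry above describes serializing the source and enclosure fields so that data can only ever be text, never markup. The following is an added illustration of that idea, not code from @astrojs/rss: the helper names (escapeXml, renderItemExtrasUnsafe, renderItemExtras, containsOnlyTemplateTags) and the sample item are constructed for this example, and the "unsafe" renderer shows the string-splicing pattern the hardening replaces.

```javascript
// Added illustration (not @astrojs/rss code): render an RSS item's optional
// <source> and <enclosure> fields with every value XML-escaped, beside the
// string-splicing form that lets data become markup.

// Minimal XML escaper, adequate for both text nodes and attribute values.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Weak form: values spliced in verbatim. A "<" in source.title becomes a tag
// and a quote in enclosure.type closes the attribute early.
function renderItemExtrasUnsafe(item) {
  let out = '';
  if (item.source) {
    out += `<source url="${item.source.url}">${item.source.title}</source>`;
  }
  if (item.enclosure) {
    const { url, length, type } = item.enclosure;
    out += `<enclosure url="${url}" length="${length}" type="${type}"/>`;
  }
  return out;
}

// Hardened form: the template fixes the element structure and every value
// passes through escapeXml, so data can only contribute text.
function renderItemExtras(item) {
  let out = '';
  if (item.source) {
    out += `<source url="${escapeXml(item.source.url)}">${escapeXml(item.source.title)}</source>`;
  }
  if (item.enclosure) {
    const { url, length, type } = item.enclosure;
    out += `<enclosure url="${escapeXml(url)}" length="${escapeXml(length)}" type="${escapeXml(type)}"/>`;
  }
  return out;
}

// Check used below: after rendering, the only tags present should be the
// three the template itself emits. Anything else came from the data.
function containsOnlyTemplateTags(xml) {
  const tags = xml.match(/<\/?[A-Za-z]+/g) || [];
  return tags.every((t) => ['<source', '</source', '<enclosure'].includes(t));
}

// Constructed sample item whose fields contain characters with XML meaning.
const sampleItem = {
  title: 'Example post',
  source: { url: 'https://example.test/feed.xml?a=1&b=2', title: 'Tom & Jerry <Weekly>' },
  enclosure: { url: 'https://example.test/ep1.mp3', length: 1024, type: 'audio/mpeg" foo="bar' },
};

console.log(renderItemExtrasUnsafe(sampleItem)); // "<Weekly>" and a stray foo="bar" attribute appear as markup
console.log(renderItemExtras(sampleItem));       // same data, now purely text and attribute values
```

The check in containsOnlyTemplateTags is a useful regression assertion for any feed generator: render an item whose fields carry angle brackets and quotes, then confirm that the set of tags in the output is exactly the set the template emits.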
withastro/astro (astro)
v7.0.4 (Compare Source)
Patch Changes
#17212 7ba0bb1 Thanks @matthewp! - Ensures transition directive values are HTML-escaped when rendered on hydrated islands
#17224 dc5e52f Thanks @astrobot-houston! - Fixes trailing slash handling for dynamic file endpoints in dev mode. Dynamic file endpoints (e.g., src/pages/api/[name].json.ts) with trailingSlash: "always" incorrectly required a trailing slash in dev mode, returning 404 for /api/bar.json and 200 for /api/bar.json/.
#17067 23f9446 Thanks @fkatsuhiro! - Fixed a bug where the development toolbar did not output a warning even though the implicit ARIA role and the manually specified role were duplicated.
#17234 d5fbee8 Thanks @ocavue! - Adds support for sharp v0.35. pnpm users no longer need to approve sharp's build script (see allowBuilds) when on v0.35.
#17223 5970ef4 Thanks @astrobot-houston! - Fixes getCollection() returning empty in dev mode for large content collections (500k+ entries)
#17184 799e5cd Thanks @Princesseuh! - Upgrades the Rust compiler to the latest, which fixes some bugs. Refer to its changelog for more information.
#17208 da8b573 Thanks @matthewp! - Hardens forwarded header handling so the internal request helper validates X-Forwarded-Host against security.allowedDomains before trusting X-Forwarded-For for clientAddress. Previously it only checked that the header was present, which was inconsistent with the public createRequest helper. This aligns both code paths; behavior is unchanged for correctly configured proxies.
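The #17208 entry above contrasts two ways of deciding whether X-Forwarded-For may be trusted: checking only that X-Forwarded-Host is present, versus checking that it matches the configured allowlist. The following is an added example that is not Astro's code: the functions (hostIsAllowed, clientAddressLoose, clientAddressStrict), the plain-object header representation, and the exact-hostname allowlist standing in for security.allowedDomains are all assumptions made for this illustration; Astro's real matching rules are richer than an exact hostname comparison.

```javascript
// Added illustration (not Astro's code): derive clientAddress from forwarded
// headers only after X-Forwarded-Host matches a configured allowlist.

// Hypothetical stand-in for security.allowedDomains: exact hostname entries.
const allowedDomains = [{ hostname: 'example.test' }];

// Headers are modelled as a plain object with lowercase keys (assumption).
function header(headers, name) {
  const v = headers[name.toLowerCase()];
  return v === undefined ? null : v;
}

function hostIsAllowed(forwardedHost, allowed) {
  if (!forwardedHost) return false;
  // Use only the first value if several hops appended to the header.
  const host = forwardedHost.split(',')[0].trim().toLowerCase();
  // Drop a port so "example.test:8443" still matches "example.test".
  const hostname = host.replace(/:\d+$/, '');
  return allowed.some((entry) => entry.hostname.toLowerCase() === hostname);
}

// The leftmost X-Forwarded-For entry is the client as reported by the proxy.
function firstForwardedFor(value) {
  return value.split(',')[0].trim();
}

// Before: any non-empty X-Forwarded-Host is enough to trust X-Forwarded-For,
// so a request that reaches the server without passing the proxy can set
// both headers and pick its own clientAddress.
function clientAddressLoose(headers, socketAddress) {
  const xff = header(headers, 'x-forwarded-for');
  if (header(headers, 'x-forwarded-host') && xff) return firstForwardedFor(xff);
  return socketAddress;
}

// After: X-Forwarded-Host must match the allowlist before X-Forwarded-For is
// used; otherwise fall back to the address the connection actually came from.
function clientAddressStrict(headers, socketAddress, allowed = allowedDomains) {
  const xff = header(headers, 'x-forwarded-for');
  if (hostIsAllowed(header(headers, 'x-forwarded-host'), allowed) && xff) {
    return firstForwardedFor(xff);
  }
  return socketAddress;
}

// Constructed requests: one from a correctly configured proxy, one carrying
// forwarded headers for a host that is not in the allowlist.
const fromProxy = { 'x-forwarded-host': 'example.test', 'x-forwarded-for': '203.0.113.9, 10.0.0.2' };
const direct = { 'x-forwarded-host': 'unexpected.invalid', 'x-forwarded-for': '198.51.100.1' };
const SOCKET = '192.0.2.44'; // peer address of the TCP connection (constructed)

console.log(clientAddressLoose(direct, SOCKET));     // 198.51.100.1 (header value accepted)
console.log(clientAddressStrict(direct, SOCKET));    // 192.0.2.44 (falls back to the socket)
console.log(clientAddressStrict(fromProxy, SOCKET)); // 203.0.113.9 (proxy is allowed)
```

The point the changelog makes, that behaviour is unchanged for correctly configured proxies, is visible in the last call: a proxy that sets X-Forwarded-Host to an allowlisted name gets the same clientAddress from both versions, while the strict version stops honouring X-Forwarded-For when the host does not match.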
HiDeoo/starlight-links-validator (starlight-links-validator)
v0.25.2 (Compare Source)
Patch Changes
19b97a0 Thanks @HiDeoo! - Fixes link validation issue for frontmatter-only pages when using Sätteri.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.