Skip to content

chore(deps): update all non-major dependencies#236

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#236
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@astrojs/mdx (source) 7.0.07.0.3 age confidence
@changesets/cli (source) 2.31.02.31.1 age confidence
@nx/eslint (source) 22.7.622.7.7 age confidence
@nx/vite (source) 22.7.622.7.7 age confidence
@nx/vitest (source) 22.7.622.7.7 age confidence
@nx/web (source) 22.7.622.7.7 age confidence
@types/node (source) 25.9.425.9.5 age confidence
@vitest/coverage-v8 (source) 4.1.94.1.10 age confidence
@vitest/ui (source) 4.1.94.1.10 age confidence
astro (source) 7.0.27.1.0 age confidence
eslint (source) 10.5.010.7.0 age confidence
nanostores 1.3.01.4.0 age confidence
nx (source) 22.7.622.7.7 age confidence
pnpm (source) 11.9.011.13.1 age confidence
prettier (source) 3.8.43.9.5 age confidence
sharp (source, changelog) 0.35.20.35.3 age confidence
typescript-eslint (source) 8.62.08.64.0 age confidence
vite (source) 8.1.08.1.5 age confidence
vitest (source) 4.1.94.1.10 age confidence

Release Notes

withastro/astro (@​astrojs/mdx)

v7.0.3

Compare Source

Patch Changes
  • #​17341 64b0d66 Thanks @​Princesseuh! - Fixes custom pre components not applying to syntax-highlighted code blocks when using the Sätteri Markdown processor with MDX.

v7.0.2

Compare Source

Patch Changes

v7.0.1

Compare Source

Patch Changes
changesets/changesets (@​changesets/cli)

v2.31.1

Compare Source

Patch Changes
  • #​2159 15cf592 Thanks @​ingvaldlorentzen! - Fixed already-published version detection with npm 12, which always wraps successful npm info --json output in an array. The unwrapped output made changeset publish treat every package as unpublished and fail attempting to republish existing versions.
nrwl/nx (@​nx/eslint)

v22.7.7

Compare Source

22.7.7 (2026-07-10)
🩹 Fixes
  • core: prevent path traversal / zip-slip in self-hosted remote cache (#​36116)
  • core: warn when the self-hosted remote cache disables TLS verification (NXC-4593) (#​36132, #​36116)
  • dotnet: declare obj as a publish output to fix sandbox violation (#​35858)
  • dotnet: declare directory build props input for analyzer dotnet tasks (df7540195a)
  • dotnet: declare directory build props on the separate release build target (6545ee2222)
  • dotnet: declare directory build props on the analyzer tests dotnet targets (e72ee0dd79)
❤️ Thank You
vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.10

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
withastro/astro (astro)

v7.1.0

Compare Source

Minor Changes
  • #​17302 5f4dc03 Thanks @​astrobot-houston! - Adds a new deferRender option to the glob() content loader

    When set to true, renderable entries (such as Markdown) are not rendered during content sync. Instead, rendering is deferred until the entry is actually rendered in a page, using the same on-demand path that .mdx files already use.

    This reduces memory usage during astro build for large collections whose rendered output is much larger than the source — for example, Markdown that uses heavy rehype plugins like rehype-katex. Such builds could previously run out of memory while storing the eagerly-rendered HTML for every entry.

    // src/content.config.ts
    import { defineCollection } from 'astro:content';
    import { glob } from 'astro/loaders';
    
    const docs = defineCollection({
      loader: glob({ pattern: '**/*.md', base: 'src/content/docs', deferRender: true }),
    });

    By default deferRender is false, preserving the existing behavior of rendering entries eagerly during sync so their rendered HTML can be cached across builds.

  • #​17296 30698a2 Thanks @​ematipico! - Adds a new experimental collectionStorage option for controlling how the content layer persists its data store

    By default, Astro serializes the entire content layer data store to a single file (.astro/data-store.json). For very large content collections, this file can grow large enough to hit platform file-size limits.

    Set experimental.collectionStorage: 'chunked' to instead split the data store across many smaller, content-addressed files inside a .astro/data-store/ directory, described by a manifest:

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      experimental: {
        collectionStorage: 'chunked',
      },
    });

    Because each part file is named by a hash of its contents, unchanged parts keep the same name across builds and are not rewritten, and identical parts are deduplicated. The default value is 'single-file', which preserves the current behavior.

  • #​17214 44c4989 Thanks @​ematipico! - Adds support for the more specific CSP directives script-src-elem, script-src-attr, style-src-elem, and style-src-attr through a new kind option.

    Previously, CSP was only scoped to generic script-src/style-src directives. Now each source or hash can be scoped to a narrower directive — for example, to allow inline style attributes (such as those from define:vars or Shiki) without loosening the policy for your <style> and <link> elements.

Scoping sources and hashes in your config

Each entry in resources and hashes can be an object with a kind property. Depending on whether you use scriptDirective or styleDirective, "element" targets script-src-elem or style-src-elem, "attribute" targets script-src-attr or style-src-attr, and "default" (the same as a bare string or hash) targets script-src or style-src.

// astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  security: {
    csp: {
      scriptDirective: {
        resources: [{ resource: 'https://cdn.example.com', kind: 'element' }],
      },
      styleDirective: {
        resources: [{ resource: "'unsafe-inline'", kind: 'attribute' }],
      },
    },
  },
});
Scoping at runtime

The same kind option is available on the runtime CSP API, where the existing methods now also accept an object:

ctx.csp.insertScriptResource({ resource: 'https://cdn.example.com', kind: 'element' });
ctx.csp.insertStyleResource({ resource: "'unsafe-inline'", kind: 'attribute' });
  • #​17258 84814d4 Thanks @​astrobot-houston! - Adds a new format() option to the paginate utility. The format() option is a function that accepts the current URL of the page, and returns a new URL.

    For example, when your host only supports URLs using the .html extension, you can use format() to add it to the generated URLs:

    ---
    export async function getStaticPaths({ paginate }) {
      // Load your data with fetch(), getCollection(), etc.
      const response = await fetch(`https://pokeapi.co/api/v2/pokemon?limit=150`);
      const result = await response.json();
      const allPokemon = result.results;
    
      // Return a paginated collection of paths for all items
      return paginate(allPokemon, {
        pageSize: 10,
        format: (url) => `${url}.html`,
      });
    }
    
    const { page } = Astro.props;
    ---
  • #​17331 7db6420 Thanks @​matthewp! - Adds a --ignore-lock flag to astro dev for starting a dev server without checking or writing the lock file, so it can run alongside an already-running dev server for the same project.

    The new instance is not tracked by astro dev stop, astro dev status, or astro dev logs. --ignore-lock cannot be combined with --background (or an auto-detected AI agent environment, which runs dev servers in the background automatically) or --force, since those rely on the lock file.

    astro dev --ignore-lock
  • #​17389 16de021 Thanks @​florian-lefebvre! - Allows passing URL entrypoints when configuring the logger

    Matching other APIs like session drivers or font providers, the logger entrypoint can now be a URL:

    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      logger: {
        entrypoint: new URL('./logger.js', import.meta.url),
      },
    });
Patch Changes
  • #​17332 4407483 Thanks @​astrobot-houston! - Fixes the JSON logger crashing with process is not defined in non-Node runtimes like Cloudflare's workerd. The JSON logger now uses console.log/console.error instead of process.stdout/process.stderr, matching the pattern already used by the console logger.

  • #​17391 186a1e7 Thanks @​florian-lefebvre! - Fixes a case where an integration could not update the logger with updateConfig()

  • #​17394 d9f99e1 Thanks @​matthewp! - Fixes element-specific CSP directives to preserve the existing behavior of configured script and style resources

  • #​17374 b2d1b3e Thanks @​astrobot-houston! - Fixes dev server returning 404 for ?url imported assets when accessed via browser navigation

  • #​17390 ed71eaf Thanks @​florian-lefebvre! - Removes an unused and undocumented generic from the AstroLoggerDestination type

  • #​17393 092da56 Thanks @​matthewp! - Hardens generated transition styles, development metadata, and server island URLs when embedding dynamic values

v7.0.9

Compare Source

Patch Changes
  • #​17286 a249317 Thanks @​astrobot-houston! - Fixes the first browser visit after astro dev starts triggering an immediate full page reload

  • #​17369 a94d4a5 Thanks @​adamchal! - Fixes an issue where a client island could permanently fail to hydrate if the first attempt to load its component failed. Islands now reliably recover from transient import failures, which previously did not work for React components during astro dev.

v7.0.8

Compare Source

Patch Changes

v7.0.7

Compare Source

Patch Changes
  • #​17318 23a4120 Thanks @​astrobot-houston! - Fixes CSS module scoped-name hash mismatch in astro dev when using vite.css.transformer: 'lightningcss' with content collections. Previously, a component importing a CSS module and rendered via content collection render() would get different class name hashes in the element and the injected <style> tag, causing styles not to apply.

  • #​17323 4298883 Thanks @​ematipico! - Fixes a dev server memory leak which caused Node.js to emit warnings in the console.

  • #​17323 4298883 Thanks @​ematipico! - Fixes a dev server crash when a .html or /index.html suffixed request (such as those netlify dev probes as pretty-URL fallbacks) matched a dynamic endpoint route, causing a TypeError: Missing parameter error

  • #​17325 cebc404 Thanks @​astrobot-houston! - Fixes a bug where CSS @import rules could end up mid-stylesheet after inline CSS chunks were merged during build, causing browsers to silently ignore them

  • #​17323 4298883 Thanks @​ematipico! - Fixes a build regression that could leave unresolved preload markers in inlined scripts with external dynamic imports

  • Updated dependencies [4298883, 4298883]:

v7.0.6

Compare Source

Patch Changes
  • #​17261 79aa99c Thanks @​astrobot-houston! - Fixes a false deprecation warning for markdown.gfm and markdown.smartypants when using the Container API

  • #​17247 f94280d Thanks @​chatman-media! - Fixes route generation throwing "Missing parameter" (or silently dropping the segment) when a dynamic param's value is 0. The generator used truthy checks instead of checking for undefined, so paginate(posts, { params: { categoryId: 0 } }) would crash even though 0 is a perfectly valid param value.

  • #​17278 6f11739 Thanks @​astrobot-houston! - Fixes missing CSS for virtual style modules (e.g., responsive image layout styles) in dev mode when JavaScript is disabled

  • #​17250 0b30b35 Thanks @​matthewp! - Fixes the security.checkOrigin check so it is applied consistently to Astro Actions and on-demand endpoints, regardless of how the request pipeline is composed. Previously, the origin check could be skipped in the composable astro/hono pipeline depending on the order of the middleware() primitive (or when it was omitted).

  • #​17274 8c3579b Thanks @​astrobot-houston! - Fixes missing render() type overload for live collection entries. Previously, calling render() on a LiveDataEntry produced a TypeScript error when using only live.config.ts without a content.config.ts.

  • #​17257 4208297 Thanks @​astrobot-houston! - Fixes astro check failing to find @astrojs/check and typescript when astro is installed in a directory outside the project tree (e.g. pnpm virtual store)

  • #​17272 b428648 Thanks @​matthewp! - Fixes island component paths so that extensionless imports (e.g. import { Counter } from '../components/Counter') resolve to the real file on disk, matching Vite's extension order and directory index resolution. This makes the include/exclude options of JSX renderer integrations (React, Preact, Solid) match components imported without a file extension, and removes the spurious React 19 "Invalid hook call" warning logged on every request in dev when include was set alongside another JSX renderer

  • #​17279 2aeaa44 Thanks @​astrobot-houston! - Fixes a bug where <Picture inferSize> with a remote image could fail with FailedToFetchRemoteImageDimensions when the image server rate-limits requests (e.g. HTTP 429). Remote dimensions are now resolved once per render instead of once per output format.

  • #​17251 5240e26 Thanks @​matthewp! - Hardens the handling of attribute rendering when using with custom elements.

  • #​17248 429bd62 Thanks @​astrobot-houston! - Fixes a crash when using Astro's getViteConfig with Vitest browser mode (e.g., Storybook vitest runner). Astro now skips dev server setup inside Vitest, preventing errors.

  • #​17260 14524c0 Thanks @​matthewp! - Fixes a regression where a <script> inside a component rendered through Astro.slots.render() was hoisted out of its original position instead of staying next to its component content

  • Updated dependencies [eb6f97e]:

v7.0.5

Compare Source

Patch Changes
  • #​17242 9c05ba4 Thanks @​matthewp! - Fixes an error that could occur after the dev server restarts when using an adapter such as @astrojs/cloudflare, where a request would fail with a 500 referencing a missing pre-bundled dependency:

    The file does not exist at "node_modules/.vite/deps_ssr/astro_compiler-runtime.js?v=6419660d" which is in the optimize deps directory. The dependency might be incompatible with the dep optimizer. Try adding it to `optimizeDeps.exclude`.
    
  • #​17202 c6d254d Thanks @​matthewp! - Refactors path alias resolution to use Vite's native tsconfigPaths option

    This is an internal change with no expected impact on user projects. Astro now defers tsconfig and jsconfig paths alias resolution to Vite, keeping a small fallback for a few CSS cases Vite does not yet handle.

  • #​17123 72e29bd Thanks @​martrapp! - Fixes an issue where the ClientRouter wipes head elements after page transitions if the <head> contains a server:defer component.

  • #​17232 257505e Thanks @​matthewp! - Fixes a bug where <style> tags from components such as a content collection's Content could be silently dropped from the output when an await appeared before the component in an .astro file's markup.

  • #​17193 a7352fd Thanks @​jan-kubica! - Fixes the background dev server failing to start when astro is hoisted outside the project's node_modules (for example bun workspaces). The background process is now spawned from Astro's own resolved location instead of a path assumed under the project root.

  • #​17255 581d171 Thanks @​astrobot-houston! - Fixes prefetch not working for links inside server:defer components

v7.0.4

Compare Source

Patch Changes
  • #​17212 7ba0bb1 Thanks @​matthewp! - Ensures transition directive values are HTML-escaped when rendered on hydrated islands

  • #​17224 dc5e52f Thanks @​astrobot-houston! - Fixes trailing slash handling for dynamic file endpoints in dev mode. Dynamic file endpoints (e.g., src/pages/api/[name].json.ts) with trailingSlash: "always" incorrectly required a trailing slash in dev mode, returning 404 for /api/bar.json and 200 for /api/bar.json/.

  • #​17067 23f9446 Thanks @​fkatsuhiro! - Fixed a bug where the development toolbar did not output a warning even though the implicit ARIA role and the manually specified role were duplicated.

  • #​17234 d5fbee8 Thanks @​ocavue! - Adds support for sharp v0.35. pnpm users no longer need to approve sharp's build script (see allowBuilds) when on v0.35.

  • #​17223 5970ef4 Thanks @​astrobot-houston! - Fixes getCollection() returning empty in dev mode for large content collections (500k+ entries)

  • #​17184 799e5cd Thanks @​Princesseuh! - Upgrades the Rust compiler to the latest, which fixes some bugs. Refer to its changelog for more information.

  • #​17208 da8b573 Thanks @​matthewp! - Hardens forwarded header handling so the internal request helper validates X-Forwarded-Host against security.allowedDomains before trusting X-Forwarded-For for clientAddress. Previously it only checked that the header was present, which was inconsistent with the public createRequest helper. This aligns both code paths; behavior is unchanged for correctly configured proxies.

v7.0.3

Compare Source

Patch Changes
  • #​17189 24d2c9e Thanks @​astrobot-houston! - Fixes a bug where an error thrown inside one route's getStaticPaths() would prevent other valid routes from being matched in dev mode

  • #​16932 8f4a3db Thanks @​fkatsuhiro! - Fixes HMR for action files during development. Editing files in src/actions/ now takes effect on the next request without requiring a dev server restart.

  • #​17087 fb0ab02 Thanks @​jp-knj! - Fixes localized custom error pages in i18n projects so routes like /pt/404 are used for missing localized pages and return the correct status code

eslint/eslint (eslint)

v10.7.0

Compare Source

Features

  • cf2a9bf feat: add errorClassNames option to preserve-caught-error rule (#​21032) (sethamus)
  • f8b873a feat: max-nested-callbacks option for constructor callbacks (#​21063) (fnx)
  • 557fde8 feat: support computed Number.parseInt member access in radix rule (#​21041) (Pixel)
  • 0b4a73b feat: add suggestions to no-compare-neg-zero (#​21034) (den$)
  • 96cdd42 feat: report invalid signed numeric radix values in radix rule (#​21030) (Pixel)

Bug Fixes

  • 3e7bf15 fix: apply ignoreClassesWithImplements to class expressions (#​21069) (Pixel)
  • 0d7d70c fix: insert cause outside wrapping parens in preserve-caught-error (#​21062) (Mahin Anowar)
  • 75ec753 fix: handle static template literals in eqeqeq rule (#​21058) (Pixel)
  • b717a22 fix: prevent eqeqeq null option from reporting non-equality operators (#​21057) (Pixel)
  • e35b05f fix: avoid no-invalid-regexp false positive for shadowed RegExp (#​21051) (Pixel)
  • a3172b6 fix: avoid no-control-regex false positive for shadowed RegExp (#​21050) (Pixel)
  • d1f637e fix: parenthesize sequence expression operands in no-implicit-coercion (#​21045) (spokodev)
  • 8859baf fix: avoid prefer-numeric-literals false positive for shadowed globals (#​21047) (한국)
  • a9e5961 fix: use-isnan false positive on shadowed NaN/Number (#​20958) (sethamus)
  • 8a240a7 fix: avoid false positives in radix rule for spread arguments (#​21044) (Pixel)

Documentation

  • c30d808 docs: Update README (GitHub Actions Bot)
  • 5139800 docs: document ESLint migration codemods in v9 and v10 guides (#​20980) (Alex Bit)
  • 04174cb docs: Update README (GitHub Actions Bot)
  • 026e130 docs: update semver policy for bug fixes (#​21048) (Milos Djermanovic)
  • 9d42fef docs: Update README (GitHub Actions Bot)
  • b230159 docs: Update README (GitHub Actions Bot)
  • 0129972 docs: correct **/.js glob to **/*.js in config files guide (#​21036) (EduardF1)

Chores

v10.6.0

Compare Source

Features

  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#​20981) (Taejin Kim)
  • f291007 feat: add checkRelationalComparisons to no-constant-binary-expression (#​20948) (sethamus)

Bug Fixes

  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#​20997) (Milos Djermanovic)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#​21013) (den$)
  • 8fd8741 fix: don't report shadowed undefined in radix rule (#​21011) (Pixel)
  • 5784980 fix: don't report shadowed undefined in no-throw-literal (#​21010) (Pixel)
  • 9cd1e6d fix: suppress invalid class suggestion in no-promise-executor-return (#​21008) (Pixel)
  • d4eb2dc fix: don't report shadowed undefined in prefer-promise-reject-errors (#​21006) (Pixel)
  • 2360464 fix: prefer-promise-reject-errors false positives for shadowed Promise (#​21003) (den$)
  • 63d52d2 fix: restore max-classes-per-file report range (#​21002) (Pixel)
  • 7feaff0 fix: callback detection logic for IIFEs in max-nested-callbacks (#​20979) (fnx)
  • 399a2ec fix: don't report inner non-callbacks in max-nested-callbacks (#​20995) (Milos Djermanovic)

Documentation

  • a83683d docs: Update README (GitHub Actions Bot)
  • f5449f9 docs: document userland patterns for global assertionOptions in RuleT… (#​20986) (playgirl)
  • bea49f7 docs: Update README (GitHub Actions Bot)
  • e5f70f9 docs: update code-path diagrams (#​20984) (Tanuj Kanti)
  • 8890c2d docs: add TypeScript config guidance for MCP server (#​20796) (Pierluigi Lenoci)
  • 3eb3d9b docs: Update README (GitHub Actions Bot)
  • c5bb59c docs: Update README (GitHub Actions Bot)
  • eb3c97c docs: fix grammar in prefer-const rule description (#​20983) (lumir)

Chores

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@changeset-bot

changeset-bot Bot commented Jun 25, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 7b8150f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@codecov

codecov Bot commented Jun 25, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.53%. Comparing base (cce5f30) to head (7b8150f).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #236   +/-   ##
=======================================
  Coverage   87.53%   87.53%           
=======================================
  Files          18       18           
  Lines         409      409           
  Branches       91       89    -2     
=======================================
  Hits          358      358           
  Misses         51       51           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from f403b24 to d6e9dfa Compare June 26, 2026 15:42
@renovate renovate Bot changed the title chore(deps): update dependency astro to v7.0.3 chore(deps): update all non-major dependencies Jun 26, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 11 times, most recently from 394673a to 8c4ea94 Compare July 2, 2026 21:19
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from 52363a3 to 78d8762 Compare July 11, 2026 01:41
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 0a4f9ce to b90c79e Compare July 16, 2026 02:10
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from b90c79e to 237411d Compare July 16, 2026 08:36
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 237411d to 7b8150f Compare July 16, 2026 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants