Skip to content

chore(deps): bump astro from 6.4.6 to 6.4.8 in the all-non-major group across 1 directory#85

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/bun/all-non-major-54983f35c8
Jun 21, 2026
Merged

chore(deps): bump astro from 6.4.6 to 6.4.8 in the all-non-major group across 1 directory#85
github-actions[bot] merged 1 commit into
mainfrom
dependabot/bun/all-non-major-54983f35c8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the all-non-major group with 1 update in the / directory: astro.

Updates astro from 6.4.6 to 6.4.8

Release notes

Sourced from astro's releases.

astro@6.4.8

Patch Changes

astro@6.4.7

Patch Changes

  • #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

  • #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

    Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

    The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

  • #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

  • #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

  • #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

    When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

  • #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

    When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

    The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

  • #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

  • #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

  • #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

  • #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

  • #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

Changelog

Sourced from astro's changelog.

6.4.8

Patch Changes

6.4.7

Patch Changes

  • #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

  • #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

    Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

    The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

  • #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

  • #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

  • #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

    When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

  • #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

    When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

    The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

  • #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

  • #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

  • #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

  • #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

  • #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

Commits

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 21, 2026
@dependabot dependabot Bot requested a review from dacrab as a code owner June 21, 2026 02:32
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 21, 2026
@dependabot
chore(deps): bump astro in the all-non-major group across 1 directory
2a63892 
Bumps the all-non-major group with 1 update in the / directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).


Updates `astro` from 6.4.6 to 6.4.8
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/astro@6.4.8/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.4.8/packages/astro)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.4.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-non-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump astro from 6.4.6 to 6.4.8 in the all-non-major group chore(deps): bump astro from 6.4.6 to 6.4.8 in the all-non-major group across 1 directory Jun 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/bun/all-non-major-54983f35c8 branch from 3354439 to 2a63892 Compare June 21, 2026 02:35
@github-actions github-actions Bot merged commit 4648515 into main Jun 21, 2026
3 checks passed
@github-actions github-actions Bot deleted the dependabot/bun/all-non-major-54983f35c8 branch June 21, 2026 02:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dacrab dacrab Awaiting requested review from dacrab dacrab is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants