chore(deps): update all digest updates #49

2026-05-14T04:06:08+04:00

renovate[bot] commented

2026-05-14 04:06:08 +04:00

This PR contains the following updates:

Package	Change	Age	Confidence
astro (source)	`6.3.1` → `6.3.2`
sanitize-html (source)	`2.17.3` → `2.17.4`

Release Notes

withastro/astro (astro)

`v6.3.2`

Compare Source

Patch Changes

#16675 11d4592 Thanks @ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.
#16691 0f0a4ce Thanks @matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter
#16562 07529ec Thanks @matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'
#16638 272185b Thanks @ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.
#16544 d365c97 Thanks @matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check
#16685 889e748 Thanks @farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.
#16605 772f13a Thanks @rururux! - Fixes assetsPrefix not being available on build from astro:config/server.
#16556 f38dec7 Thanks @matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding
#16659 38bcb25 Thanks @jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &#38;) in <meta> tags when viewed in link previews or raw HTML.
Updated dependencies [d365c97, 9256345]:
- @astrojs/internal-helpers@0.9.1
- @astrojs/markdown-remark@7.1.2

apostrophecms/apostrophe (sanitize-html)

`v2.17.4`

Changes

sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.

Security

Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [astro](https://astro.build) ([source](https://github.com/withastro/astro/tree/HEAD/packages/astro)) | [`6.3.1` → `6.3.2`](https://renovatebot.com/diffs/npm/astro/6.3.1/6.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/astro/6.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/astro/6.3.1/6.3.2?slim=true) | | [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/main/packages/sanitize-html#readme) ([source](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html)) | [`2.17.3` → `2.17.4`](https://renovatebot.com/diffs/npm/sanitize-html/2.17.3/2.17.4) | ![age](https://developer.mend.io/api/mc/badges/age/npm/sanitize-html/2.17.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/sanitize-html/2.17.3/2.17.4?slim=true) | --- ### Release Notes <details> <summary>withastro/astro (astro)</summary> ### [`v6.3.2`](https://github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#632) [Compare Source](https://github.com/withastro/astro/compare/astro@6.3.1...astro@6.3.2) ##### Patch Changes - [#16675](https://github.com/withastro/astro/pull/16675) [`11d4592`](https://github.com/withastro/astro/commit/11d4592e9498e900b433ba94abed9cd615a9350b) Thanks [@ascorbic](https://github.com/ascorbic)! - Fixes a regression where `Astro.cache` was `undefined` when `experimental.cache` was not configured. The previous documented behavior is for `Astro.cache` to always be defined as a no-op shim: `cache.set()` warns once, `cache.invalidate()` throws and `cache.enabled` can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on `experimental.cache` being configured, which meant the disabled shim branch inside the provider was unreachable and the `Astro.cache` getter was never attached to the context. - [#16691](https://github.com/withastro/astro/pull/16691) [`0f0a4ce`](https://github.com/withastro/astro/commit/0f0a4ce1b28a6d6ec1658c7f59e0e68408935135) Thanks [@matthewp](https://github.com/matthewp)! - Fixes `HTMLElement is not defined` error during HMR when using components with client-side scripts (e.g. Starlight `<Tabs>`) and the Cloudflare adapter - [#16562](https://github.com/withastro/astro/pull/16562) [`07529ec`](https://github.com/withastro/astro/commit/07529eccdaef8727a375475e6d04071b770114a1) Thanks [@matthewp](https://github.com/matthewp)! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with `prerenderEnvironment: 'node'` - [#16638](https://github.com/withastro/astro/pull/16638) [`272185b`](https://github.com/withastro/astro/commit/272185bcccf6a4adcd7575f319bf91f2e5306c6d) Thanks [@ematipico](https://github.com/ematipico)! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build. - [#16544](https://github.com/withastro/astro/pull/16544) [`d365c97`](https://github.com/withastro/astro/commit/d365c975ba2d88fc1dbdfe698df2bf9e2eafadce) Thanks [@matthewp](https://github.com/matthewp)! - Tightens `isRemotePath()` to reject control characters after a leading slash and fixes the dev image endpoint origin check - [#16685](https://github.com/withastro/astro/pull/16685) [`889e748`](https://github.com/withastro/astro/commit/889e748f1546eabc325d5112f95bc78e402fd4f0) Thanks [@farrosfr](https://github.com/farrosfr)! - Improve validation messages for `security.csp.directives` when `script-src` or `style-src` are incorrectly placed in the `directives` array. - [#16605](https://github.com/withastro/astro/pull/16605) [`772f13a`](https://github.com/withastro/astro/commit/772f13a153db235a232a86dc533df3b07a1a09a0) Thanks [@rururux](https://github.com/rururux)! - Fixes `assetsPrefix` not being available on `build` from `astro:config/server`. - [#16556](https://github.com/withastro/astro/pull/16556) [`f38dec7`](https://github.com/withastro/astro/commit/f38dec76a48234ae6919a118f3d626c6ed3d4e80) Thanks [@matthewp](https://github.com/matthewp)! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding - [#16659](https://github.com/withastro/astro/pull/16659) [`38bcb25`](https://github.com/withastro/astro/commit/38bcb25282d1f794b7dff349071b089a2737f0aa) Thanks [@jsparkdev](https://github.com/jsparkdev)! - Fixes `&` characters appearing as raw entity strings (e.g. `&#38;`) in `<meta>` tags when viewed in link previews or raw HTML. - Updated dependencies \[[`d365c97`](https://github.com/withastro/astro/commit/d365c975ba2d88fc1dbdfe698df2bf9e2eafadce), [`9256345`](https://github.com/withastro/astro/commit/92563452ce866d9f9b950ad4b2adc808d10e8014)]: - [@astrojs/internal-helpers](https://github.com/astrojs/internal-helpers)@0.9.1 - [@astrojs/markdown-remark](https://github.com/astrojs/markdown-remark)@7.1.2 </details> <details> <summary>apostrophecms/apostrophe (sanitize-html)</summary> ### [`v2.17.4`](https://github.com/apostrophecms/apostrophe/blob/HEAD/packages/sanitize-html/CHANGELOG.md#2174) ##### Changes - `sanitize-html` and `launder` now share a single implementation of `naughtyHref`, based on that which previously existed in `sanitize-html`. ##### Security - Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to [Vincenzo Turturro](https://github.com/sushi-gif) for reporting the vulnerability. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate[bot] added 1 commit 2026-05-14 04:06:08 +04:00

chore(deps): update all digest updates

Test / npm test (pull_request) Successful in 28s

Details

RenovateBot / renovate (push) Successful in 23s

Details

Test / npm test (push) Successful in 28s

Details

08275901a0

renovate[bot] scheduled this pull request to auto merge when all checks succeed 2026-05-14 04:06:08 +04:00

renovate[bot] merged commit 08275901a0 into master

2026-05-14 04:06:10 +04:00

renovate[bot] deleted branch renovate/all-digest

2026-05-14 04:06:11 +04:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: valentineus/popov.link#49