fix(deps): update all digest updates #62

Merged
renovate[bot] merged 1 commits from renovate/all-digest into master 2026-06-11 04:04:43 +04:00

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| astro (source) | 6.4.5 → 6.4.6 | age | confidence |
| sanitize-html (source) | 2.17.4 → 2.17.5 | age | confidence |
| sharp (source, changelog) | ^0.34.2 → ^0.35.0 | age | confidence |

Release Notes

withastro/astro (astro)

v6.4.6

Compare Source

Patch Changes
  • #16765 b10e86e Thanks @fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

  • #17026 add3df1 Thanks @matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

  • #17033 ffda27b Thanks @matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

apostrophecms/apostrophe (sanitize-html)

v2.17.5

Compare Source

Security
  • Added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to crattack for reporting the vulnerability.
  • Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to Dipanshu singh for pointing out the issue and contributing the fix.

lovell/sharp (sharp)

v0.35.0

Compare Source

  • Breaking: Drop support for Node.js 18, now requires Node.js >= 20.9.0.

  • Breaking: Remove install script from package.json file.
    Compiling from source is now opt-in via the build script.

  • Breaking: Lossy AVIF output is now tuned using SSIMULACRA2-based iq quality metrics.

  • Breaking: Add limitInputChannels with a default value of 5.

  • Breaking: Remove deprecated failOnError constructor property.

  • Breaking: Remove deprecated paletteBitDepth from metadata response.

  • Breaking: Remove deprecated properties from sharpen operation.

  • Breaking: Rename format.jp2k as format.jp2 for API consistency.

  • Upgrade to libvips v8.18.3 for upstream bug fixes.

  • Remove experimental status from WebAssembly binaries.

  • Add prebuilt binaries for FreeBSD (WebAssembly).

  • Deprecate Windows 32-bit (win32-ia32) prebuilt binaries.

  • Ensure TIFF output bitdepth option is limited to 1, 2 or 4.

  • Add AVIF/HEIF tune option for control over quality metrics.
    #4227

  • Add keepGainMap and withGainMap to process HDR JPEG images with embedded gain maps.
    #4314

  • Add toUint8Array for output image as a TypedArray backed by a transferable ArrayBuffer.
    #4355

  • Require prebuilt binaries using static paths to aid code bundling.
    #4380

  • TypeScript: Ensure FormatEnum keys match reality.
    #4475

  • Add margin option to trim operation.
    #4480
    @eddienubes

  • Ensure HEIF primary item is used as default page/frame.
    #4487

  • Add image Media Type (MIME Type) to metadata response.
    #4492

  • Add withDensity to set output density in EXIF metadata.
    #4496

  • Improve pkg-config path discovery.
    #4504

  • Add WebP exact option for control over transparent pixel colour values.

  • Add support for ECMAScript Modules (ESM).
    #4509
    @florian-lefebvre


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR has been generated by Mend Renovate.
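
The origin check described in the astro v6.4.6 note (#17033), sketched as an added JavaScript example; it is not Astro's code and not part of this PR. `allowedDomains` is modelled as a plain list of hostnames, and the names `parseHost` and `errorPageOrigin`, the sample hostnames and port 4321 are assumptions made for the illustration.

```javascript
// Added illustration, not Astro's implementation.
// Assumption: allowedDomains is a plain array of hostnames.

// Accept only a bare host[:port]; anything else (paths, userinfo,
// spaces, missing header) is treated as untrusted.
function parseHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  if (!/^[A-Za-z0-9.-]+(:\d{1,5})?$/.test(hostHeader)) return null;
  const [hostname, port] = hostHeader.toLowerCase().split(':');
  return { hostname, port };
}

// Decide which origin the server may fetch a prerendered error page from.
// The client-supplied Host is used only when allowedDomains is configured
// AND the hostname is on it; every other case falls back to localhost.
function errorPageOrigin(hostHeader, protocol, allowedDomains, localPort) {
  const fallback = `http://localhost:${localPort}`;
  if (!Array.isArray(allowedDomains) || allowedDomains.length === 0) {
    return fallback; // not configured: never trust the Host header
  }
  const parsed = parseHost(hostHeader);
  if (!parsed) return fallback;
  const listed = allowedDomains.some(
    (domain) => domain.toLowerCase() === parsed.hostname
  );
  if (!listed) return fallback;
  const scheme = protocol === 'https' ? 'https' : 'http';
  return `${scheme}://${parsed.hostname}${parsed.port ? ':' + parsed.port : ''}`;
}

// Constructed sample requests (hostnames are placeholders).
function demo() {
  const allowed = ['example.com'];
  return [
    errorPageOrigin('example.com', 'https', allowed, 4321),
    errorPageOrigin('unlisted.example', 'https', allowed, 4321),
    errorPageOrigin('example.com', 'https', [], 4321),
  ];
}
```
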

renovate[bot] added 1 commit 2026-06-11 04:04:42 +04:00
fix(deps): update all digest updates
Test / npm test (pull_request) Failing after 32s
RenovateBot / renovate (push) Successful in 27s
Test / npm test (push) Failing after 33s
c04a529fdc
renovate[bot] scheduled this pull request to auto merge when all checks succeed 2026-06-11 04:04:42 +04:00
renovate[bot] merged commit c04a529fdc into master 2026-06-11 04:04:43 +04:00
renovate[bot] deleted branch renovate/all-digest 2026-06-11 04:04:43 +04:00
Reference: valentineus/popov.link#62