Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates#242

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-ef82501230
Closed

chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates#242
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-ef82501230

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 2 updates in the / directory: minimatch and astro.

Updates minimatch from 10.2.1 to 10.2.3

Commits

Updates astro from 5.16.6 to 7.0.3

Release notes

Sourced from astro's releases.

astro@7.0.3

Patch Changes

  • #17189 24d2c9e Thanks @​astrobot-houston! - Fixes a bug where an error thrown inside one route's getStaticPaths() would prevent other valid routes from being matched in dev mode

  • #16932 8f4a3db Thanks @​fkatsuhiro! - Fixes HMR for action files during development. Editing files in src/actions/ now takes effect on the next request without requiring a dev server restart.

  • #17087 fb0ab02 Thanks @​jp-knj! - Fixes localized custom error pages in i18n projects so routes like /pt/404 are used for missing localized pages and return the correct status code

astro@7.0.2

Patch Changes

  • Updated dependencies [3b5e994]:
    • @​astrojs/markdown-satteri@​0.3.2

astro@7.0.1

Patch Changes

  • #17151 ccceda3 Thanks @​matthewp! - Fixes astro dev incorrectly starting in background mode for Warp terminal users. Hybrid environments like Warp are no longer treated as AI agents for auto-background detection.

  • #17158 164df87 Thanks @​ematipico! - Fixes astro dev --background --host not listing the network addresses. The background server start output and astro dev status now show every exposed network URL, matching the foreground dev server.

  • #17141 d785b9d Thanks @​astrobot-houston! - Fixes responsive image CSS overriding user styles defined inside CSS @layer blocks. The generated image styles are now wrapped in @layer astro.images, ensuring they have lower cascade priority than user-defined layers.

  • #17150 1a61386 Thanks @​matthewp! - Fixes astro dev --background failing on Windows with "Failed to spawn background dev server process"

astro@7.0.0

Major Changes

  • #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

  • #16965 57ead0d Thanks @​Princesseuh! - Makes 'jsx' the default value for compressHTML

    Astro now strips whitespace from your HTML using JSX rules by default, the same way frameworks like React do. Whitespace and line breaks around elements are removed, but meaningful whitespace within a single line — like a space between two inline elements — is preserved. To keep a space that would otherwise be removed, write it explicitly in your source, for example with {" "}.

    This can change rendered output where whitespace between inline elements was previously meaningful. To keep Astro's earlier behavior, set compressHTML: true for HTML-aware compression, or compressHTML: false to preserve all whitespace.

  • #16610 c63e7e4 Thanks @​matthewp! - Adds background dev server management for AI coding agents.

    When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

    A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

    New flag and subcommands

    • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
    • astro dev stop — Stop a running background dev server.
    • astro dev status — Check if a dev server is running and display its URL, PID, and uptime.
    • astro dev logs — View logs from a background dev server. Use --follow (-f) to stream new output as it's written.

... (truncated)

Changelog

Sourced from astro's changelog.

7.0.3

Patch Changes

  • #17189 24d2c9e Thanks @​astrobot-houston! - Fixes a bug where an error thrown inside one route's getStaticPaths() would prevent other valid routes from being matched in dev mode

  • #16932 8f4a3db Thanks @​fkatsuhiro! - Fixes HMR for action files during development. Editing files in src/actions/ now takes effect on the next request without requiring a dev server restart.

  • #17087 fb0ab02 Thanks @​jp-knj! - Fixes localized custom error pages in i18n projects so routes like /pt/404 are used for missing localized pages and return the correct status code

7.0.2

Patch Changes

  • Updated dependencies [3b5e994]:
    • @​astrojs/markdown-satteri@​0.3.2

7.0.1

Patch Changes

  • #17151 ccceda3 Thanks @​matthewp! - Fixes astro dev incorrectly starting in background mode for Warp terminal users. Hybrid environments like Warp are no longer treated as AI agents for auto-background detection.

  • #17158 164df87 Thanks @​ematipico! - Fixes astro dev --background --host not listing the network addresses. The background server start output and astro dev status now show every exposed network URL, matching the foreground dev server.

  • #17141 d785b9d Thanks @​astrobot-houston! - Fixes responsive image CSS overriding user styles defined inside CSS @layer blocks. The generated image styles are now wrapped in @layer astro.images, ensuring they have lower cascade priority than user-defined layers.

  • #17150 1a61386 Thanks @​matthewp! - Fixes astro dev --background failing on Windows with "Failed to spawn background dev server process"

7.0.0

Major Changes

  • #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

  • #16965 57ead0d Thanks @​Princesseuh! - Makes 'jsx' the default value for compressHTML

    Astro now strips whitespace from your HTML using JSX rules by default, the same way frameworks like React do. Whitespace and line breaks around elements are removed, but meaningful whitespace within a single line — like a space between two inline elements — is preserved. To keep a space that would otherwise be removed, write it explicitly in your source, for example with {" "}.

    This can change rendered output where whitespace between inline elements was previously meaningful. To keep Astro's earlier behavior, set compressHTML: true for HTML-aware compression, or compressHTML: false to preserve all whitespace.

  • #16610 c63e7e4 Thanks @​matthewp! - Adds background dev server management for AI coding agents.

    When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

    A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

    New flag and subcommands

    • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
    • astro dev stop — Stop a running background dev server.

... (truncated)

Commits

Updates esbuild from 0.25.12 to 0.27.7

Release notes

Sourced from esbuild's releases.

v0.27.7

  • Fix lowering of define semantics for TypeScript parameter properties (#4421)

    The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

    // Original code
    class Foo {
      constructor(public x = 1) {}
      y = 2
    }
    // Old output (with --loader=ts --target=es2021)
    class Foo {
    constructor(x = 1) {
    this.x = x;
    __publicField(this, "y", 2);
    }
    x;
    }
    // New output (with --loader=ts --target=es2021)
    class Foo {
    constructor(x = 1) {
    __publicField(this, "x", x);
    __publicField(this, "y", 2);
    }
    }

v0.27.5

  • Fix for an async generator edge case (#4401, #4417)

    Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

    async function* inner() { yield 1; yield 2 }
    async function* outer() { yield* inner() }
    let gen = outer()
    for await (let x of [gen.next(), gen.next()]) console.log(x)

    Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

    This fix was contributed by @​2767mr.

  • Fix a regression when metafile is enabled (#4420, #4418)

    This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2025

This changelog documents all esbuild versions published in the year 2025 (versions 0.25.0 through 0.27.2).

0.27.2

  • Allow import path specifiers starting with #/ (#4361)

    Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

    This change was contributed by @​hybrist.

  • Automatically add the -webkit-mask prefix (#4357, #4358)

    This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

    /* Original code */
    main {
      mask: url(x.png) center/5rem no-repeat
    }
    /* Old output (with --target=chrome110) */
    main {
    mask: url(x.png) center/5rem no-repeat;
    }
    /* New output (with --target=chrome110) */
    main {
    -webkit-mask: url(x.png) center/5rem no-repeat;
    mask: url(x.png) center/5rem no-repeat;
    }

    This change was contributed by @​BPJEnnova.

  • Additional minification of switch statements (#4176, #4359)

    This release contains additional minification patterns for reducing switch statements. Here is an example:

    // Original code
    switch (x) {
      case 0:
        foo()
        break
      case 1:
      default:
        bar()
    }

... (truncated)

Commits
  • 2025c9f publish 0.27.7 to npm
  • c6b586e fix typo in Makefile for @esbuild/win32-x64
  • 9785e14 publish 0.27.6 to npm
  • b169d8c Revert "update go 1.25.7 => 1.26.1"
  • 7ac8762 run make update-compat-table
  • 8b5ff53 remove an incorrect else
  • e955268 fix #4421: lower generated class fields if needed
  • a5a2500 ci: move make test-old-ts
  • b71e7ac omit go's buildvcs for more reproducible builds
  • 7406b09 organize make platform-all output in Makefile
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for esbuild since your current version.


@dependabot dependabot Bot added dependencies Dependency upgrades javascript Pull requests that update javascript code labels Jun 20, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 20, 2026

Copy link
Copy Markdown

Deploying modestbench with  Cloudflare Pages  Cloudflare Pages

Latest commit: d939001
Status:🚫  Build failed.

View logs

@github-actions github-actions Bot added the chore Build tooling, tests, configuration, overhead label Jun 20, 2026
@socket-security

socket-security Bot commented Jun 20, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updated@​astrojs/​mdx@​4.3.13 ⏵ 7.0.09910083 +197100
Updated@​astrojs/​starlight@​0.37.1 ⏵ 0.41.198 +1110085 +197 +1100
Updatedminimatch@​10.2.1 ⏵ 10.2.3100 +1100 +22100 +188100
Updatedastro@​5.16.6 ⏵ 7.0.388100 +2688 +198 +1100

View full report

@socket-security

socket-security Bot commented Jun 20, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@astrojs/mdx@7.0.0npm/@astrojs/starlight@0.41.1npm/astro@7.0.3npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm astro is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/astro@7.0.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@7.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-ef82501230 branch from ee2c7c4 to d10872e Compare June 25, 2026 22:10
…dates

Bumps the npm_and_yarn group with 2 updates in the / directory: [minimatch](https://github.com/isaacs/minimatch) and [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).


Updates `minimatch` from 10.2.1 to 10.2.3
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v10.2.1...v10.2.3)

Updates `astro` from 5.16.6 to 7.0.3
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@7.0.3/packages/astro)

Updates `esbuild` from 0.25.12 to 0.27.7
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2025.md)
- [Commits](evanw/esbuild@v0.25.12...v0.27.7)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.4.8
  dependency-type: direct:development
- dependency-name: esbuild
  dependency-version: 0.27.7
  dependency-type: indirect
- dependency-name: minimatch
  dependency-version: 10.2.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-ef82501230 branch from d10872e to d939001 Compare June 29, 2026 23:46
@dependabot @github

dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 30, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-ef82501230 branch June 30, 2026 13:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore Build tooling, tests, configuration, overhead dependencies Dependency upgrades javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants