fix(deps): update docs-site-runtime-tooling#143
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
1b76816 to
2837847
Compare
2837847 to
f2804cb
Compare
c9358b4 to
96eb568
Compare
e72f4d9 to
c579a0a
Compare
c46078a to
799d3fa
Compare
9f6e5c4 to
5967a00
Compare
6b7348f to
d0b76c8
Compare
4f89b76 to
3076632
Compare
3076632 to
e45764c
Compare
e45764c to
d2fd878
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^0.38.3→^0.41.08344681→5f5c86487999aa^0.22.1→^0.23.0d8e448a→b31e7a410.33.0→10.34.4Release Notes
withastro/starlight (@astrojs/starlight)
v0.41.3Compare Source
Patch Changes
1686eccThanks @timothyjordan! - Keeps keyboard focus inside the mobile menu while it is open, preventing focus moving to hidden interactive elements in page content.v0.41.2Compare Source
Patch Changes
#4008
58a3520Thanks @FrancoKaddour! - Fixes the table of contents overflowing the right edge of the viewport when a custom--sl-content-widthvalue exceeds available space#4015
bdbfffcThanks @delucis! - Fixes an issue where aside icons were rendered incorrectly in projects where Astro’s MDX integration had optimization disabledv0.41.1Compare Source
Patch Changes
#3967
72e63dcThanks @HiDeoo! - Adds 2 new icons:linkandlink-alt.#3988
ac55cfaThanks @delucis! - Fixes a dependency resolution issue introduced in Starlight v0.41#3967
72e63dcThanks @HiDeoo! - Optimizes the icons of Markdown asides.v0.41.0Compare Source
Minor Changes
1202dd4Thanks @HiDeoo! - Adds support for Astro v7, drops support for Astro v6.Upgrade Astro and dependencies
Community Starlight plugins and Astro integrations may also need to be manually updated to work with Astro v7. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.
Patch Changes
a935d33Thanks @HiDeoo! - Fixes Starlight Markdown processing being potentially applied to files that should not be processed.v0.40.0Compare Source
Minor Changes
#3923
edf2e6bThanks @Princesseuh! - Adds support for Astro 6.4 and the new Sätteri Markdown processor.It is now possible to opt into using Astro's 6.4 Sätteri Markdown processor by installing the
@astrojs/markdown-satteripackage and configuring it in yourastro.config.mjsfile:Please update Starlight and Astro together:
Community Starlight plugins and Astro integrations may also need to be manually updated to work with Sätteri. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.
Patch Changes
edf2e6bThanks @Princesseuh! - Updates Expressive Code to version 0.43.1.v0.39.3Compare Source
Patch Changes
#3910
dddf405Thanks @andreialba! - Improves Romanian UI translations#3924
02f2ce1Thanks @BouRock! - Improves Turkish UI translations#3928
11a7ed2Thanks @delucis! - Updates Pagefind to v1.5 and adds support for Pagefind’s newdiacriticSimilarityandmetaWeightsadvanced ranking options#3927
e944870Thanks @HiDeoo! - Refactors internal file path handling for Starlight content collections.v0.39.2Compare Source
Patch Changes
2d05e18Thanks @tats-u! - Fixes CSS selector fortext-autospacestyles in Chromium browsersv0.39.1Compare Source
Patch Changes
#3885
010eed1Thanks @ArmandPhilippot! - Fixes the version mentioned in an error message related to autogenerated sidebar groups support.#3887
b3c6990Thanks @delucis! - Adds 13 new icons:clock,desktop,mobile-android,window,database,server,code-branch,notes,question,question-circle,analytics,padlock, andsolidjs.v0.39.0Compare Source
Minor Changes
#3618⚠️ BREAKING CHANGE: This release changes how autogenerated links work in Starlight’s sidebar configuration.
dcf6d09Thanks @HiDeoo! -If you have sidebar groups using the
autogeneratekey, you must now wrap that configuration in anitemsarray:{ label: 'My group', - autogenerate: { directory: 'some-dir' }, + items: [{ autogenerate: { directory: 'some-dir' } }], }This change unlocks the possibility to mix autogenerated links and other links in a single group, for example:
This release also updates the shape of autogenerated sidebar entries in route data. Autogenerated links and groups in
Astro.locals.starlightRoute.sidebarnow include anautogenerateobject with the configureddirectoryvalue:#3618⚠️ BREAKING CHANGE: This release changes the default collapsed state of autogenerated sidebar subgroups.
dcf6d09Thanks @HiDeoo! -Autogenerated subgroups no longer inherit the
collapsedvalue from their parent group. They are now expanded by default unless explicitly configured withautogenerate.collapsed.If your sidebar configuration relies on a collapsed parent group to also collapse its autogenerated subgroups, update your configuration to set
autogenerate.collapsedtotrue:{ label: 'Reference', collapsed: true, items: [ - { autogenerate: { directory: 'reference' } }, + { autogenerate: { directory: 'reference', collapsed: true } }, ], }#3845
4d755f5Thanks @delucis! - Adds a<link rel="alternate" hreflang="x-default" href="...">tag pointing to the default locale in multilingual sites. Thex-defaultalternate is used as a signal of which language to fall back to if no other is available. Learn more in Google’s SEO localization docs.#3862
ec70630Thanks @itrew! - Makes spacing of items in nested lists more consistent#3872
417a66cThanks @tats-u! - Enables the CSS propertytext-autospacein Chinese and Japanese documents.If you would prefer to disable autospacing in Chinese and Japanese pages, you can add the following custom CSS to your site:
#3797
9764ebdThanks @delucis! - Avoids the risk of layout shift when users expand and collapse sidebar groupsThis release can introduce additional padding to the site sidebar on certain devices to reserve space for scrollbars. You may wish to inspect your site sidebar visually when upgrading.
If you would prefer to keep the previous styling, you can add the following custom CSS to your site:
#3858
6672c35Thanks @delucis! - Updatesi18next, used for Starlight’s localization APIs, from v23 to v26There should not be any user-facing changes from this update
v0.38.5Compare Source
Patch Changes
ccf6000, #387747451bcThanks @delucis! - Updates internal dependenciesv0.38.4Compare Source
Patch Changes
#3828
342038bThanks @MangelMaxime! - Fixes aside styling when used without any content#3853
563e11bThanks @delucis! - Fixes a type-checking issue for users on newer versions of TypeScriptDavidAnson/markdownlint-cli2 (markdownlint-cli2)
v0.23.0Compare Source
overridesconfiguration optionmarkdownlint)pnpm/pnpm (pnpm)
v10.34.4: pnpm 10.34.4Compare Source
Patch Changes
352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. Apnpm-workspace.yamlwith a traversal-shapedconfigDependenciesname (such as../../PWNED) or version (such as../../../PWNED) could previously causepnpm installto create symlinks or write package files outsidenode_modules/.pnpm-configand the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.352ae48: Reject path-traversal and reserved dependency aliases (such as../../../escape,.bin,.pnpm, ornode_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoistednode_modulesdirectory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.The
nodeLinker: hoistedgraph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.352ae48: Preventpnpm patch-removefrom removing files outside the configured patches directory.217fbe0: Hardened the warning printed when a project.npmrcuses environment variables in registry/auth settings: the suggestedpnpm config setcommand is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled.npmrcand a shell expands$(...), backticks, and$VAReven inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.Platinum Sponsors
Gold Sponsors
v10.34.3: pnpm 10.34.3Compare Source
.npmrc(action may be required)Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands
${ENV_VAR}placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:.npmrc—registry,@scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken,_auth,_password,username,tokenHelper,cert,key);pnpm-workspace.yaml.This release also closes a bypass where a project
.npmrccould setuserconfig,globalconfig, orprefixto make pnpm load a repo-supplied file as trusted config (via@pnpm/npm-conf@3.0.3).Environment variables are still expanded in trusted config: your user-level
~/.npmrc, the global config, CLI options, and environment config.If your authentication broke after upgrading, move the token out of the committed
.npmrc:Or keep the
${NPM_TOKEN}line but put it in your user-level~/.npmrcinstead of the repo. In GitHub Actions,actions/setup-nodewithregistry-urlalready writes a user-level.npmrc, soNODE_AUTH_TOKENkeeps working. For other CI where editing each pipeline is hard, setNPM_CONFIG_USERCONFIG=.npmrcin the CI environment to declare the project.npmrctrusted.See https://pnpm.io/npmrc for full migration details.
Patch Changes
.npmrcuses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by runningpnpm config set "<key>" <value>to store it in the global config, or by keeping the${...}line in the user-level~/.npmrc— with a link to https://pnpm.io/npmrc..npmrccan no longer redirect which files pnpm loads as its trusted user and global configuration. Previously such a file could setuserconfig,globalconfig, orprefixto point at an attacker-supplied file shipped in the repository, and pnpm would load it as a trusted config source — bypassing the protection that prevents repository config from expanding environment variables into registry request destinations and credentials, and allowing it to settokenHelper. The user/global config file locations are now resolved only from trusted sources (CLI options, environment config, the npm builtin config, and defaults) before the project and workspace.npmrcfiles are read. Fixed by upgrading@pnpm/npm-confto3.0.3.Platinum Sponsors
Gold Sponsors
v10.34.2: pnpm 10.34.2Compare Source
.npmrc(action may be required)Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands
${ENV_VAR}placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:.npmrc—registry,@scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken,_auth,_password,username,tokenHelper,cert,key);pnpm-workspace.yaml.This release also closes a bypass where a project
.npmrccould setuserconfig,globalconfig, orprefixto make pnpm load a repo-supplied file as trusted config (via@pnpm/npm-conf@3.0.3).Environment variables are still expanded in trusted config: your user-level
~/.npmrc, the global config, CLI options, and environment config.If your authentication broke after upgrading, move the token out of the committed
.npmrc:Or keep the
${NPM_TOKEN}line but put it in your user-level~/.npmrcinstead of the repo. In GitHub Actions,actions/setup-nodewithregistry-urlalready writes a user-level.npmrc, soNODE_AUTH_TOKENkeeps working. For other CI where editing each pipeline is hard, setNPM_CONFIG_USERCONFIG=.npmrcin the CI environment to declare the project.npmrctrusted.See https://pnpm.io/npmrc for full migration details.
Patch Changes
packageManagerfield, the registry it fetches from (and the proxy/TLS settings used for that traffic) now come exclusively from trusted config sources — CLI options, env config, user and global.npmrc— defaulting to the public npm registry, instead of the repository's project/workspace settings.packageManagerfield (orpnpm self-update) makes pnpm download another pnpm version, the staged install is verified corepack-style: the integrity recorded in the staged lockfile must carry a valid npm registry signature for the exactname@version, validated against npm's public signing keys that ship embedded in the pnpm CLI. Verification fails closed — a tampered download, an unsigned package, or an unreachable registry refuses the version switch rather than running an unverified binary. It runs only when the wanted version is actually downloaded (a tools-directory cache miss), so repeated commands pay no extra network round trip..npmrcandpnpm-workspace.yaml) can no longer expand${...}placeholders in registry/proxy request destinations, URL-scoped keys, or registry credential values, preventing repository-controlled configuration from exfiltrating environment secrets through request URLs. Trusted user/global/CLI/env config keeps full env expansion, so existing token and registry setup flows continue to work.binnames ("",".","..", and scoped forms such as@scope/..) when resolving a package's bins. These names previously passed the bin-name guard and, when joined to the global bin directory during global remove/update/add operations, could resolve to the global bin directory itself or its parent and have it recursively deleted.onlyBuiltDependencies(andallowBuilds) entries can approve lifecycle scripts for git, git-hosted tarball, direct tarball, and local directory artifacts. To approve one of those artifacts explicitly, use its peer-suffix-free lockfile depPath as the key. Lockfile entries are now rejected when a registry-style dependency path (name@semver) is backed by a git, directory, or git-hosted tarball resolution (ERR_PNPM_RESOLUTION_SHAPE_MISMATCH), so the dependency path is a reliable artifact identity by the time scripts can run.SHASUMS256.txtagainst the Node.js release team's public keys (embedded in the pnpm CLI) before trusting its hashes. The Node.js download mirror is repository-configurable (node-mirror:<channel>in.npmrc), and the integrity check previously trusted aSHASUMS256.txtfetched from that same mirror — a circular check that a malicious mirror could satisfy with a tampered binary and matching hashes. A mirror that proxies the real signed SHASUMS keeps working unchanged. Only thereleasechannel publishes signed SHASUMS files, so pre-release channels (rc, nightly, …) remain unverified.Platinum Sponsors
Gold Sponsors
v10.34.1: pnpm 10.34.1Compare Source
Patch Changes
pnpm-lock.yamlentries whose remote tarballresolution:block is missing theintegrityfield. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that stripsintegrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under--frozen-lockfile. pnpm now fails closed at lockfile-read time withERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: trueor a URL on codeload.github.com / bitbucket.org / gitlab.com) andfile:tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.Platinum Sponsors
Gold Sponsors
v10.34.0: pnpm 10.34Compare Source
Minor Changes
Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously,
pnpm install(non-frozen) would logERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.pnpm installnow exits withERR_PNPM_TARBALL_INTEGRITYand a hint pointing at the new opt-in flag.The only opt-in is
pnpm install --update-checksums— narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.--forceandpnpm updatedeliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide.--frozen-lockfilebehavior is unchanged.--fix-lockfilekeeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.Patch Changes
_authToken,_auth,username/_password,tokenHelper, inlinecert/key) to the registry declared in the same config source at load time, so a later layer overridingregistry=(workspace.npmrc,pnpm-workspace.yaml, CLI--registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.minimumReleaseAgehandling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-versiontimefield) by default, which made the maturity check throwERR_PNPM_MISSING_TIMEwhenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch whenminimumReleaseAgeis active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and letsERR_PNPM_MISSING_TIMEfrom the cache fast-path fall through to the network fetch even under strict mode.commitfield is not a 40-character hexadecimal SHA before invokinggit. A malicious lockfile could otherwise smuggle a value such as--upload-pack=<command>throughgit fetch/git checkout, which on SSH or local-file transports executes the supplied command.diff --githeaders reference paths outside the patched package directory. Previously a malicious.patchfile added via a pull request could write, delete, or rename arbitrary files reachable by the user runningpnpm install.--prefix=<dir>not being honored when locating the workspace root. The--prefix → dirrename was applied after workspace detection, so workspace settings declared in<dir>/pnpm-workspace.yamlwere not loaded when pnpm was invoked from outside<dir>#11535.@x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them intonode_modules. A malicious registry package could otherwise use a transitive dependency key to makepnpm installcreate symlinks at attacker-chosen paths outside the intendednode_modulesdirectory.Platinum Sponsors
Gold Sponsors
v10.33.4: pnpm 10.33.4Compare Source
Patch Changes
Configuration
📅 Schedule: (UTC)
* 0-3 * * 1)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.