chore(deps): bump astro, @astrojs/starlight, astro-mermaid and starlight-llms-txt in /docs

[dependabot]

Bumps astro, @astrojs/starlight, astro-mermaid and starlight-llms-txt. These dependencies needed to be updated together.
Updates astro from 5.18.1 to 6.1.8

Release notes

Sourced from astro's releases.

astro@6.1.8

Patch Changes

• #16367 a6866a7 Thanks @​ematipico! - Fixes an issue where build output files could contain special characters (!, ~, {, }) in their names, causing deploy failures on platforms like Netlify.

• #16381 217c5b3 Thanks @​ematipico! - Slightly improved the performance of the dev server by caching the internal crawling of the dependencies of a project.

• #16348 7d26cd7 Thanks @​ocavue! - Fixes a bug where emitted assets during a client build would contain always fresh, new hashes in their name. Now the build should be more stable.

• #16317 d012bfe Thanks @​das-peter! - Fixes a bug where allowedDomains weren't correctly propagated when using the development server.

• #16379 5a84551 Thanks @​martrapp! - Improves Vue scoped style handling in DEV mode during client router navigation.

• #16317 d012bfe Thanks @​das-peter! - Adds tests to verify settings are properly propagated when using the development server.

• #16282 5b0fdaa Thanks @​jmurty! - Fixes build errors on platforms with skew protection enabled (e.g. Vercel, Netlify) for inter-chunk Javascript using dynamic imports

• Updated dependencies [e0b240e]:

  • @​astrojs/telemetry@​3.3.1

astro@6.1.7

Patch Changes

• #16027 c62516b Thanks @​fkatsuhiro! - Fixes a bug where remote image dimensions were not validated during static builds on Netlify.

• #16311 94048f2 Thanks @​Arecsu! - Fixes --port flag being ignored after a Vite-triggered server restart (e.g. when a .env file changes)

• #16316 0fcd04c Thanks @​ematipico! - Fixes the /_image endpoint accepting an arbitrary f=svg query parameter and serving non-SVG content as image/svg+xml. The endpoint now validates that the source is actually SVG before honoring f=svg, matching the same guard already enforced on the <Image> component path.

astro@6.1.6

Patch Changes

• #16202 b5c2fba Thanks @​matthewp! - Fixes Actions failing with ActionsWithoutServerOutputError when using output: 'static' with an adapter

• #16303 b06eabf Thanks @​matthewp! - Improves handling of special characters in inline <script> content

• #14924 bb4586a Thanks @​aralroca! - Fixes SCSS and CSS module file changes triggering a full page reload instead of hot-updating styles in place during development

astro@6.1.5

Patch Changes

• #16171 5bcd03c Thanks @​Desel72! - Fixes a build error that occurred when a pre-rendered page used the <Picture> component and another page called render() on content collection entries.

• #16239 7c65c04 Thanks @​dataCenter430! - Fixes sync content inside <Fragment> not streaming to the browser until all async sibling expressions have resolved.

• #16242 686c312 Thanks @​martrapp! - Revives UnoCSS in dev mode when used with the client router.

  This change partly reverts #16089, which in hindsight turned out to be too general. Instead of automatically persisting all style sheets, we now do this only for styles from Vue components.

• #16192 79d86b8 Thanks @​alexanderniebuhr! - Uses today’s date for Cloudflare compatibility_date in astro add cloudflare

... (truncated)

Changelog

Sourced from astro's changelog.

6.1.8

Patch Changes

• #16367 a6866a7 Thanks @​ematipico! - Fixes an issue where build output files could contain special characters (!, ~, {, }) in their names, causing deploy failures on platforms like Netlify.

• #16381 217c5b3 Thanks @​ematipico! - Slightly improved the performance of the dev server by caching the internal crawling of the dependencies of a project.

• #16348 7d26cd7 Thanks @​ocavue! - Fixes a bug where emitted assets during a client build would contain always fresh, new hashes in their name. Now the build should be more stable.

• #16317 d012bfe Thanks @​das-peter! - Fixes a bug where allowedDomains weren't correctly propagated when using the development server.

• #16379 5a84551 Thanks @​martrapp! - Improves Vue scoped style handling in DEV mode during client router navigation.

• #16317 d012bfe Thanks @​das-peter! - Adds tests to verify settings are properly propagated when using the development server.

• #16282 5b0fdaa Thanks @​jmurty! - Fixes build errors on platforms with skew protection enabled (e.g. Vercel, Netlify) for inter-chunk Javascript using dynamic imports

• Updated dependencies [e0b240e]:

  • @​astrojs/telemetry@​3.3.1

6.1.7

Patch Changes

• #16027 c62516b Thanks @​fkatsuhiro! - Fixes a bug where remote image dimensions were not validated during static builds on Netlify.

• #16311 94048f2 Thanks @​Arecsu! - Fixes --port flag being ignored after a Vite-triggered server restart (e.g. when a .env file changes)

• #16316 0fcd04c Thanks @​ematipico! - Fixes the /_image endpoint accepting an arbitrary f=svg query parameter and serving non-SVG content as image/svg+xml. The endpoint now validates that the source is actually SVG before honoring f=svg, matching the same guard already enforced on the <Image> component path.

6.1.6

Patch Changes

• #16202 b5c2fba Thanks @​matthewp! - Fixes Actions failing with ActionsWithoutServerOutputError when using output: 'static' with an adapter

• #16303 b06eabf Thanks @​matthewp! - Improves handling of special characters in inline <script> content

• #14924 bb4586a Thanks @​aralroca! - Fixes SCSS and CSS module file changes triggering a full page reload instead of hot-updating styles in place during development

6.1.5

Patch Changes

• #16171 5bcd03c Thanks @​Desel72! - Fixes a build error that occurred when a pre-rendered page used the <Picture> component and another page called render() on content collection entries.

• #16239 7c65c04 Thanks @​dataCenter430! - Fixes sync content inside <Fragment> not streaming to the browser until all async sibling expressions have resolved.

• #16242 686c312 Thanks @​martrapp! - Revives UnoCSS in dev mode when used with the client router.

... (truncated)

Commits

• 63c5c85 [ci] release (#16356)
• 71c93ca [ci] format
• 5a84551 Improves Vue scoped style handling in DEV mode during client router navigatio...
• ba2dbf1 refactor(astro): correct Fixture type signatures in test-utils (#16380)
• 217c5b3 perf(core): cache crawl result (#16381)
• 6e5bc17 chore: absorb tests into others (#16365)
• dc8a01d chore: reduce fixtures by merging them (#16364)
• bb0ff91 refactor(astro): migrate error tests to typescript (#16377)
• a6866a7 fix(core): clean chunk name (#16367)
• 811015d chore: remove lone fixtures (#16363)
• Additional commits viewable in compare view

Updates @astrojs/starlight from 0.37.6 to 0.38.3

Release notes

Sourced from @​astrojs/starlight's releases.

@​astrojs/starlight@​0.38.3

Patch Changes

• #3799 313611b Thanks @​JosefJezek! - Improves Czech UI translations

• #3770 6e7bed1 Thanks @​gameroman! - Adds examples to the inline documentation for title in the Starlight configuration object

• #3801 fedd48b Thanks @​delucis! - Fixes missing draft content warning in dev on pages using the hero layout

@​astrojs/starlight@​0.38.2

Patch Changes

• #3759 f24ce99 Thanks @​MilesChou! - Fixes an issue where monolingual sites using a region-specific locale (e.g., zh-TW) as the default would incorrectly display base language translations (e.g., zh Simplified Chinese) instead of the region-specific ones (e.g., zh-TW Traditional Chinese).

• #3768 a4c6c20 Thanks @​delucis! - Improves performance of sidebar generation for sites with very large sidebars

@​astrojs/starlight@​0.38.1

Patch Changes

• #3751 fb955ff Thanks @​pyxelr! - Fixes a regression causing global tableOfContents config to be ignored

@​astrojs/starlight@​0.38.0

Minor Changes

• #3644 0d2e7ed Thanks @​HiDeoo! - Adds support for Astro v6, drops support for Astro v5.

  Upgrade Astro and dependencies

  ⚠️ BREAKING CHANGE: Astro v5 is no longer supported. Make sure you update Astro and any other official integrations at the same time as updating Starlight:

  npx @astrojs/upgrade

  Community Starlight plugins and Astro integrations may also need to be manually updated to work with Astro v6. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

  Update your collections

  ⚠️ BREAKING CHANGE: Drops support for content collections backwards compatibility.

  In Astro 5.x, projects could delay upgrading to the new Content Layer API introduced for content collections because of some existing automatic backwards compatibility that was not previously behind a flag. This meant that it was possible to upgrade from Astro 4 to Astro 5 without updating your content collections, even if you had not enabled the legacy.collections flag. Projects would continue to build, and no errors or warnings would be displayed.

  Astro v6.0 now removes this automatic legacy content collections support, along with the legacy.collections flag.

  If you experience content collections errors after updating to v6, check your project for any removed legacy features that may need updating to the Content Layer API. See the Starlight v0.30.0 upgrade guide for detailed instructions on upgrading legacy collections to the new Content Layer API.

  If you are unable to make any changes to your collections at this time, including Starlight's default docs and i18n collections, you can enable the legacy.collectionsBackwardsCompat flag to upgrade to v6 without updating your collections. This temporary flag preserves some legacy v4 content collections features, and will allow you to keep your collections in their current state until the legacy flag is no longer supported.

• #3704 375edcc Thanks @​florian-lefebvre! - Fixes autocomplete for components exported from @astrojs/starlight/components/*

... (truncated)

Changelog

Sourced from @​astrojs/starlight's changelog.

0.38.3

Patch Changes

• #3799 313611b Thanks @​JosefJezek! - Improves Czech UI translations

• #3770 6e7bed1 Thanks @​gameroman! - Adds examples to the inline documentation for title in the Starlight configuration object

• #3801 fedd48b Thanks @​delucis! - Fixes missing draft content warning in dev on pages using the hero layout

0.38.2

Patch Changes

• #3759 f24ce99 Thanks @​MilesChou! - Fixes an issue where monolingual sites using a region-specific locale (e.g., zh-TW) as the default would incorrectly display base language translations (e.g., zh Simplified Chinese) instead of the region-specific ones (e.g., zh-TW Traditional Chinese).

• #3768 a4c6c20 Thanks @​delucis! - Improves performance of sidebar generation for sites with very large sidebars

0.38.1

Patch Changes

• #3751 fb955ff Thanks @​pyxelr! - Fixes a regression causing global tableOfContents config to be ignored

0.38.0

Minor Changes

• #3644 0d2e7ed Thanks @​HiDeoo! - Adds support for Astro v6, drops support for Astro v5.

  Upgrade Astro and dependencies

  ⚠️ BREAKING CHANGE: Astro v5 is no longer supported. Make sure you update Astro and any other official integrations at the same time as updating Starlight:

  npx @astrojs/upgrade

  Community Starlight plugins and Astro integrations may also need to be manually updated to work with Astro v6. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

  Update your collections

  ⚠️ BREAKING CHANGE: Drops support for content collections backwards compatibility.

  In Astro 5.x, projects could delay upgrading to the new Content Layer API introduced for content collections because of some existing automatic backwards compatibility that was not previously behind a flag. This meant that it was possible to upgrade from Astro 4 to Astro 5 without updating your content collections, even if you had not enabled the legacy.collections flag. Projects would continue to build, and no errors or warnings would be displayed.

  Astro v6.0 now removes this automatic legacy content collections support, along with the legacy.collections flag.

  If you experience content collections errors after updating to v6, check your project for any removed legacy features that may need updating to the Content Layer API. See the Starlight v0.30.0 upgrade guide for detailed instructions on upgrading legacy collections to the new Content Layer API.

... (truncated)

Commits

• 7a59b9a [ci] release (#3773)
• 313611b Update Czech translations for consistency (#3799)
• fedd48b Include draft content notice on pages with hero component (#3801)
• d940845 [ci] format
• 6e7bed1 docs: update jsdoc for UserConfigSchema.title with example (#3770)
• d871021 [ci] release (#3766)
• a4c6c20 Improve performance of sidebar generation logic (#3768)
• f24ce99 fix: use region-specific translations for default locale (#3759)
• 1a87ed4 Update to Vitest 4.1 (#3757)
• ac64c72 [ci] release (#3752)
• Additional commits viewable in compare view

Updates astro-mermaid from 1.3.1 to 1.4.0

Release notes

Sourced from astro-mermaid's releases.

v1.4.0

What's Changed

• chore: bump version to 1.4.0 (#44)
• Chore: support Astro 6.x and above in peerDependencies (#42)
• feat: add enableLog option to control client-side logging (#38)
• Update README.md
• Update demo dependency to 1.3.1

Full Changelog: joesaby/astro-mermaid@v1.3.1...v1.4.0

Commits

• ebe84bc chore: bump version to 1.4.0 (#44)
• 1623261 Chore: support Astro 6.x and above in peerDependencies (#42)
• 50bb768 feat: add enableLog option to control client-side logging (#38)
• d3b1b07 Update README.md
• 88e6ea9 Update demo dependency to 1.3.1
• See full diff in compare view

Updates starlight-llms-txt from 0.7.0 to 0.8.1

Release notes

Sourced from starlight-llms-txt's releases.

starlight-llms-txt@0.8.1

Patch Changes

• 29e5efb Thanks @​mvanhorn! - Strips HTML comments from llms.txt files. <!-- ... --> style comments in .md files are no longer emitted in the generated files.

starlight-llms-txt@0.8.0

Minor Changes

• #80 dea7b22 Thanks @​nonoakij! - Adds support for Astro v6 and Starlight v0.38, drops support for lower versions.

Changelog

Sourced from starlight-llms-txt's changelog.

0.8.1

Patch Changes

• 29e5efb Thanks @​mvanhorn! - Strips HTML comments from llms.txt files. <!-- ... --> style comments in .md files are no longer emitted in the generated files.

0.8.0

Minor Changes

• #80 dea7b22 Thanks @​nonoakij! - Adds support for Astro v6 and Starlight v0.38, drops support for lower versions.

Commits

• 5b7d9e0 [ci] release (#98)
• 29e5efb fix: strip HTML comments from llms.txt output (#97)
• a66510e fix(deps): update astro (#95)
• 6409751 fix(deps): update astro (#92)
• 897ff05 fix(deps): update dependency astro to ^6.0.4 (#89)
• c0eb642 fix(deps): update dependency @​astrojs/starlight to ^0.38.1 (#88)
• 9b81974 fix(deps): update dependency astro to ^6.0.3 (#86)
• b70667a fix(deps): update dependency astro to ^6.0.2 (#82)
• 9aee078 [ci] release (#81)
• dea7b22 feat: add Astro v6 support (#80)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

APM Review Panel Verdict

Disposition: REQUEST_CHANGES

PR: chore(deps): bump astro, @astrojs/starlight, astro-mermaid and starlight-llms-txt in /docs
Author: dependabot[bot] | Scope: docs/package.json + docs/package-lock.json only
Key version changes: astro 5.18.1 -> 6.1.8 (MAJOR), @astrojs/starlight 0.37.6 -> 0.38.3, astro-mermaid ^1.3.1 -> ^1.4.0, starlight-llms-txt ^0.7.0 -> ^0.8.1

---

Per-persona findings

Python Architect: No Python source changes. No APM CLI code, no module structure, no design patterns affected. This PR is entirely within the Node.js docs toolchain (docs/). Not in scope for architectural review. No concerns.

CLI Logging Expert: No changes to CommandLogger, _rich_* helpers, DiagnosticCollector, STATUS_SYMBOLS, or any CLI output path. This PR does not touch APM's output layer. No concerns.

DevX UX Expert: The docs site (Astro + Starlight) is the user-facing documentation funnel -- the primary conversion surface for new contributors and enterprise evaluators. The astro 5 -> 6 jump is a major semver boundary. Astro v6 introduced breaking changes (config API, adapter contracts, server output mode). The Deploy Docs CI workflow is currently failing (conclusion: failure, run 24753879971). Until the docs build passes, the docs site cannot be deployed, which degrades the first-run user experience and the community landing page. The starlight-llms-txt ^0.8.1 bump is a small positive -- it likely improves LLM agent discoverability via the generated LLMs.txt artifact. However, no docs benefit justifies merging a broken build. The astro-mermaid update (^1.4.0) also needs validation since APM's how-it-works.md relies on mermaid diagrams for the system mental model.

Supply Chain Security Expert: Scope is correctly limited to the docs Node.js project. The apm.lock.yaml, uv.lock, and all Python APM supply chain surfaces are completely unaffected. Dependabot is a trusted update source and the package-lock.json churn (-986 / +502 lines) is expected for an astro major version upgrade (new transitive deps, dropped deps, version range resolutions). No path traversal, no credential surface, no token scoping change. Threat model rating: low for the APM tool itself; the docs site carries no secrets or privileged access. The one procedural note: lockfile churn of this magnitude should be validated by a passing build before merge -- which is currently blocked. No security blocker beyond the failed CI.

Auth Expert: No authentication code changes. AuthResolver, token management, credential resolution flows, and remote host auth are entirely unaffected. No concerns.

OSS Growth Hacker: Keeping docs tooling current is a hygiene signal for community trust -- stale dependencies read as an abandoned project. The starlight-llms-txt ^0.8.1 update is directly aligned with APM's AI-native positioning: a better-generated LLMs.txt means AI coding agents (Copilot, Cursor, Claude) are more likely to surface APM correctly. However, all of this growth value is zero if the docs build is broken and the site fails to deploy. The priority is: fix the build, then capture the growth upside. Side-channel to CEO: the starlight-llms-txt improvements may be worth a mention in release notes once it lands cleanly, as an AI-discoverability signal to the community.

---

CEO arbitration

This is a routine dependabot docs-tooling update that hits a real blocker: the astro 5 -> 6 major version upgrade is breaking the Deploy Docs CI workflow. There is no strategic disagreement among the panel -- all specialists agree the scope is narrow (docs only, no APM Python surface), the intent is correct (stay current on tooling), but the merge must wait for the build to pass. The Node.js 20 deprecation warning surfaced in the annotations is a separate but adjacent concern (actions/checkout@v4, actions/setup-node@v4 will need Node.js 24 variants by June 2026) that maintainers should track but is not a blocker for this PR. The strategic call: hold at REQUEST_CHANGES until CI is green. If the astro v6 migration requires config changes beyond a lockfile bump, dependabot may need manual assist from a maintainer.

---

Required actions before merge

1. Fix the docs build: The Deploy Docs workflow is failing (run 24753879971). Astro v6 likely requires config updates (e.g., astro.config.mjs, adapter contracts, or deprecated API usage). Check the Astro v6 migration guide at (docs.astro.build/redacted) and apply any required changes to docs/astro.config.mjs or related config files.
2. Verify mermaid diagrams render: After fixing the build, confirm that astro-mermaid ^1.4.0 still renders the mermaid diagrams in docs/src/content/docs/introduction/how-it-works.md correctly (the system mental model diagram is a key UX artifact).

Optional follow-ups

• Track the Node.js 20 deprecation warning: actions/checkout@v4 and actions/setup-node@v4 will need Node.js 24-compatible versions before September 2026. This can be a separate chore PR.
• Consider noting the starlight-llms-txt improvement in CHANGELOG.md under [Unreleased] once merged, as an AI-discoverability enhancement.

Generated by PR Review Panel for issue #825 · ● 797.3K · ◷