Skip to content

Bump astro from 6.3.1 to 6.3.3 in the javascript-dependencies group#116

Merged
shenanigansd merged 1 commit into
mainfrom
dependabot/npm_and_yarn/javascript-dependencies-ee2037632b
May 21, 2026
Merged

Bump astro from 6.3.1 to 6.3.3 in the javascript-dependencies group#116
shenanigansd merged 1 commit into
mainfrom
dependabot/npm_and_yarn/javascript-dependencies-ee2037632b

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 21, 2026

Bumps the javascript-dependencies group with 1 update: astro.

Updates astro from 6.3.1 to 6.3.3

Release notes

Sourced from astro's releases.

astro@6.3.3

Patch Changes

  • #16737 bd84f33 Thanks @​matthewp! - Fixes a reflected XSS vulnerability where slot names on hydrated components were not HTML-escaped in SSR output

astro@6.3.2

Patch Changes

  • #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

    The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

  • #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

  • #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

  • #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

  • #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

  • #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

  • #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

  • #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

  • #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &[#38](https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/38);) in <meta> tags when viewed in link previews or raw HTML.

  • Updated dependencies [d365c97, 9256345]:

    • @​astrojs/internal-helpers@​0.9.1
    • @​astrojs/markdown-remark@​7.1.2
Changelog

Sourced from astro's changelog.

6.3.3

Patch Changes

  • #16737 bd84f33 Thanks @​matthewp! - Fixes a reflected XSS vulnerability where slot names on hydrated components were not HTML-escaped in SSR output

6.3.2

Patch Changes

  • #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

    The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

  • #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

  • #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

  • #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

  • #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

  • #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

  • #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

  • #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

  • #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &[#38](https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/38);) in <meta> tags when viewed in link previews or raw HTML.

  • Updated dependencies [d365c97, 9256345]:

    • @​astrojs/internal-helpers@​0.9.1
    • @​astrojs/markdown-remark@​7.1.2
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump astro from 6.3.1 to 6.3.3 in the javascript-dependencies group
43e0a6c 
Bumps the javascript-dependencies group with 1 update: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).


Updates `astro` from 6.3.1 to 6.3.3
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.3.3/packages/astro)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: javascript-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 21, 2026
@dependabot dependabot Bot requested a review from shenanigansd as a code owner May 21, 2026 16:50
@dependabot dependabot Bot added javascript Pull requests that update Javascript code dependencies Pull requests that update a dependency file labels May 21, 2026
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented May 21, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 shenanigansd-dog 43e0a6c Commit Preview URL

Branch Preview URL		 May 21 2026, 04:51 PM

@shenanigansd shenanigansd merged commit cfce6ad into main May 21, 2026
5 checks passed
@shenanigansd shenanigansd deleted the dependabot/npm_and_yarn/javascript-dependencies-ee2037632b branch May 21, 2026 16:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shenanigansd shenanigansd Awaiting requested review from shenanigansd shenanigansd is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@shenanigansd