Conversation


@dependabot dependabot bot commented on behalf of github Aug 7, 2025

Bumps astro from 5.12.3 to 5.12.8.

Release notes

Sourced from astro's releases.

astro@5.12.8

Patch Changes

astro@5.12.7

Patch Changes

  • #14169 f4e8889 Thanks @​ascorbic! - Skips trailing slash handling for paths that start with /..

  • #14170 34e6b3a Thanks @​ematipico! - Fixes an issue where static redirects couldn't correctly generate a redirect when the destination is a prerendered route, and the output is set to "server".

  • #14169 f4e8889 Thanks @​ascorbic! - Fixes a bug that prevented images from being displayed in dev when using the Netlify adapter with trailingSlash set to always

  • Updated dependencies [f4e8889]:

    • @​astrojs/internal-helpers@​0.7.0
    • @​astrojs/markdown-remark@​6.3.4

astro@5.12.6

Patch Changes

  • #14153 29e9283 Thanks @​jp-knj! - Fixes a regression introduced by a recent optimisation of how SVG images are emitted during the build.

  • #14156 592f08d Thanks @​TheOtterlord! - Fix the client router not submitting forms if the active URL contained a hash

  • #14160 d2e25c6 Thanks @​ascorbic! - Fixes a bug that meant some remote image URLs could cause invalid filenames to be used for processed images

  • #14167 62bd071 Thanks @​ascorbic! - Fixes a bug that prevented destroyed sessions from being deleted from storage unless the session had been loaded

astro@5.12.5

Patch Changes

  • #14059 19f53eb Thanks @​benosmac! - Fixes a bug in i18n implementation, where Astro didn't emit the correct pages when fallback is enabled, and a locale uses a catch-all route, e.g. src/pages/es/[...catchAll].astro

  • #14155 31822c3 Thanks @​ascorbic! - Fixes a bug that caused an error "serverEntrypointModule[_start] is not a function" in some adapters

astro@5.12.4

Patch Changes

  • #14031 e9206c1 Thanks @​jp-knj! - Optimized the build pipeline for SVG images. Now, Astro doesn't reprocess images that have already been processed.

  • #14132 976879a Thanks @​ematipico! - Fixes a bug where the property Astro.routePattern/context.routePattern wasn't updated when using a rewrite via middleware.

  • #14131 aafc4d7 Thanks @​florian-lefebvre! - Fixes a case where an error occurring in a middleware would show the dev overlay instead of the custom 500.astro page

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) from 5.12.3 to 5.12.8.
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.12.8/packages/astro)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 5.12.8
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Aug 7, 2025
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                  Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added    @astrojs/check@0.9.4     100                    100            78       83           100
Added    tailwindcss@3.4.17       98                     100            86       98           100
Updated  astro@5.12.3 ⏵ 5.12.8    97 (+1)                100            87 (+1)  98 (+1)      100

View full report
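The table above is Socket's view of what this PR adds and updates. As an added example (not Dependabot's or Socket's code), the script below derives the same added/updated/removed list from the two package-lock.json files a bump PR changes, and flags entries that have no integrity hash or that resolve to a registry other than registry.npmjs.org, which is what a reviewer wants to confirm before trusting the "Bumps astro" summary. The two lockfiles are constructed samples shaped after this PR; the transitive versions, the `old-util` and `mirror-only` packages, and all hashes are made up.

```javascript
// Added example (not Dependabot's or Socket's code): diff two npm lockfiles
// (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path)
// and report what a dependency bump really changes. Both lockfiles are
// constructed samples; transitive versions, hashes, "old-util" and
// "mirror-only" are invented.
const LOCK_BEFORE = {
  name: "site", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "site", dependencies: { astro: "^5.12.3" } },
    "node_modules/astro": {
      version: "5.12.3",
      resolved: "https://registry.npmjs.org/astro/-/astro-5.12.3.tgz",
      integrity: "sha512-CONSTRUCTED_A",
    },
    "node_modules/@astrojs/internal-helpers": {
      version: "0.6.1", // made-up prior version
      resolved: "https://registry.npmjs.org/@astrojs/internal-helpers/-/internal-helpers-0.6.1.tgz",
      integrity: "sha512-CONSTRUCTED_B",
    },
    "node_modules/old-util": { // constructed package that the bump drops
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/old-util/-/old-util-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED_C",
    },
  },
};

const LOCK_AFTER = {
  name: "site", lockfileVersion: 3, requires: true,
  packages: {
    "": {
      name: "site",
      dependencies: { astro: "^5.12.8", tailwindcss: "^3.4.17" },
      devDependencies: { "@astrojs/check": "^0.9.4" },
    },
    "node_modules/astro": {
      version: "5.12.8",
      resolved: "https://registry.npmjs.org/astro/-/astro-5.12.8.tgz",
      integrity: "sha512-CONSTRUCTED_D",
    },
    "node_modules/@astrojs/internal-helpers": {
      version: "0.7.1",
      resolved: "https://registry.npmjs.org/@astrojs/internal-helpers/-/internal-helpers-0.7.1.tgz",
      integrity: "sha512-CONSTRUCTED_E",
    },
    "node_modules/@astrojs/check": {
      version: "0.9.4", dev: true,
      resolved: "https://registry.npmjs.org/@astrojs/check/-/check-0.9.4.tgz",
      integrity: "sha512-CONSTRUCTED_F",
    },
    "node_modules/tailwindcss": {
      version: "3.4.17",
      resolved: "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.4.17.tgz",
      integrity: "sha512-CONSTRUCTED_G",
    },
    "node_modules/mirror-only": { // constructed: no integrity, non-default registry
      version: "2.0.0",
      resolved: "https://npm.mirror.example/mirror-only/-/mirror-only-2.0.0.tgz",
    },
  },
};

const DEFAULT_REGISTRY = "https://registry.npmjs.org/";

// Package name from a lockfile install path, handling nested node_modules.
function packageName(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? installPath : installPath.slice(i + marker.length);
}

function diffLockfiles(before, after, registry = DEFAULT_REGISTRY) {
  const a = before.packages ?? {};
  const b = after.packages ?? {};
  const result = { added: [], removed: [], updated: [], warnings: [] };
  for (const p of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (p === "") continue; // root project entry, not a dependency
    const name = packageName(p);
    const x = a[p];
    const y = b[p];
    if (!x) result.added.push({ name, version: y.version });
    else if (!y) result.removed.push({ name, version: x.version });
    else if (x.version !== y.version) result.updated.push({ name, from: x.version, to: y.version });
    if (!y) continue;
    // An entry without an integrity hash cannot be verified at install time;
    // an entry resolved outside the expected registry deserves a look.
    if (!y.integrity) result.warnings.push(`${name}@${y.version}: no integrity hash`);
    if (y.resolved && !y.resolved.startsWith(registry)) {
      result.warnings.push(`${name}@${y.version}: resolved from ${y.resolved}`);
    }
  }
  const byName = (l, r) => (l.name < r.name ? -1 : l.name > r.name ? 1 : 0);
  result.added.sort(byName);
  result.removed.sort(byName);
  result.updated.sort(byName);
  return result;
}

// Stand-alone run: prints the change set for the constructed lockfiles.
const report = diffLockfiles(LOCK_BEFORE, LOCK_AFTER);
console.log(JSON.stringify(report, null, 2));
```

Anything in `added` or `updated` that is not the bumped package or one of its transitive dependencies, and anything in `warnings`, is what to ask about on the PR before merging; a lockfile entry with no `integrity` value gets installed without hash verification.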

@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action  Severity  Alert
Block High
@astrojs/internal-helpers@0.7.1 has Unstable ownership.

Author: matthewp

From: ? → npm/astro@5.12.8 → npm/@astrojs/internal-helpers@0.7.1

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@astrojs/internal-helpers@0.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@vscode/l10n@0.0.18 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/@vscode/l10n@0.0.18

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vscode/l10n@0.0.18. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
request-light@0.7.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/request-light@0.7.0

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/request-light@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
request-light@0.7.0 has Network access.

Module: http

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/request-light@0.7.0

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/request-light@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
request-light@0.7.0 has Network access.

Module: https

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/request-light@0.7.0

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/request-light@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
request-light@0.7.0 has Network access.

Module: net

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/request-light@0.7.0

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/request-light@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
request-light@0.7.0 has Network access.

Module: tls

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/request-light@0.7.0

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/request-light@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
unstorage@1.16.1 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/astro@5.12.8 → npm/unstorage@1.16.1

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unstorage@1.16.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
vscode-jsonrpc@8.2.0 has Network access.

Module: net

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/vscode-jsonrpc@8.2.0

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vscode-jsonrpc@8.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
vscode-languageserver@9.0.1 has Shell access.

Module: child_process

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/vscode-languageserver@9.0.1

ℹ Read more on: This package | This alert | What is shell access?

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vscode-languageserver@9.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@astrojs/language-server@2.15.4 has URL strings.

URLs: https://docs.astro.build/en/guides/typescript/#component-props, https://docs.astro.build/en/reference/api-reference/#getstaticpaths, https://docs.astro.build/en/guides/server-side-rendering/#enabling-ssr-in-your-project, https://docs.astro.build/en/guides/server-side-rendering/#configuring-individual-routes, https://docs.astro.build/en/reference/directives-reference/#classlist, https://docs.astro.build/en/core-concepts/astro-components/#slots, https://docs.astro.build/en/core-concepts/astro-components/#named-slots, https://docs.astro.build/en/reference/directives-reference/#definevars, https://docs.astro.build/en/core-concepts/astro-components/#using-hoisted-scripts, https://docs.astro.build/en/reference/directives-reference/#isinline, https://docs.astro.build/en/guides/view-transitions/#script-behavior, https://docs.astro.build/en/reference/directives-reference/#isglobal, https://docs.astro.build/en/reference/directives-reference/#sethtml, https://docs.astro.build/en/reference/directives-reference/#settext, https://docs.astro.build/en/reference/directives-reference/#israw, https://docs.astro.build/en/guides/view-transitions/#transition-directives, https://docs.astro.build/en/reference/directives-reference/#clientload, https://docs.astro.build/en/reference/directives-reference/#clientidle, https://docs.astro.build/en/reference/directives-reference/#clientvisible, https://docs.astro.build/en/reference/directives-reference/#clientmedia, https://docs.astro.build/en/reference/directives-reference/#clientonly

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/@astrojs/language-server@2.15.4

ℹ Read more on: This package | This alert | What are URL strings?

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@astrojs/language-server@2.15.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@astrojs/language-server@2.15.4 has a Dynamic require.

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/@astrojs/language-server@2.15.4

ℹ Read more on: This package | This alert | What is dynamic require?

Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@astrojs/language-server@2.15.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@emmetio/css-parser@0.4.0 is Unmaintained.

Last Publish: 7/15/2017, 4:05:14 PM

From: ? → npm/@astrojs/check@0.9.4 → npm/@emmetio/css-parser@0.4.0

ℹ Read more on: This package | This alert | What are unmaintained packages?

Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emmetio/css-parser@0.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@emmetio/html-matcher@1.3.0 is Unmaintained.

Last Publish: 5/27/2020, 3:50:49 PM

From: ? → npm/@astrojs/check@0.9.4 → npm/@emmetio/html-matcher@1.3.0

ℹ Read more on: This package | This alert | What are unmaintained packages?

Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emmetio/html-matcher@1.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@emmetio/stream-reader-utils@0.1.0 is Unmaintained.

Last Publish: 3/22/2017, 10:56:28 PM

From: ? → npm/@astrojs/check@0.9.4 → npm/@emmetio/stream-reader-utils@0.1.0

ℹ Read more on: This package | This alert | What are unmaintained packages?

Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emmetio/stream-reader-utils@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@emmetio/stream-reader@2.2.0 is Unmaintained.

Last Publish: 4/25/2017, 9:23:13 PM

From: ? → npm/@astrojs/check@0.9.4 → npm/@emmetio/stream-reader@2.2.0

ℹ Read more on: This package | This alert | What are unmaintained packages?

Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emmetio/stream-reader@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@volar/kit@2.4.22 has Filesystem access.

Module: fs

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/@volar/kit@2.4.22

ℹ Read more on: This package | This alert | What is filesystem access?

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@volar/kit@2.4.22. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@vscode/emmet-helper@2.11.0 has a New author.

New Author: microsoft1es

Previous Author: vscode-bot

From: ? → npm/@astrojs/check@0.9.4 → npm/@vscode/emmet-helper@2.11.0

ℹ Read more on: This package | This alert | What is new author?

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vscode/emmet-helper@2.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@vscode/emmet-helper@2.11.0 has URL strings.

URLs: https://code.visualstudio.com/docs/editor/emmet#_emmet-configuration, https://code.visualstudio.com/docs/editor/emmet#_using-custom-emmet-snippets

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/@vscode/emmet-helper@2.11.0

ℹ Read more on: This package | This alert | What are URL strings?

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vscode/emmet-helper@2.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@vscode/l10n@0.0.18 has Filesystem access.

Module: fs

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/@vscode/l10n@0.0.18

ℹ Read more on: This package | This alert | What is filesystem access?

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vscode/l10n@0.0.18. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
@vscode/l10n@0.0.18 has Filesystem access.

Module: fs/promises

Location: Package overview

From: ? → npm/@astrojs/check@0.9.4 → npm/@vscode/l10n@0.0.18

ℹ Read more on: This package | This alert | What is filesystem access?

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vscode/l10n@0.0.18. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
astro@5.12.8 has URL strings.

URLs: https://docs.netlify.com/configure-builds/manage-dependencies/#node-js-and-javascript, https://docs.github.com/en/actions/guides/building-and-testing-nodejs#specifying-the-nodejs-version, https://vercel.com/docs/runtimes#official-runtimes/node-js/node-js-version, https://docs.astro.build/, http://www.w3.org/2000/svg, https://docs.astro.build/en/guides/actions, https://docs.astro.build/en/guides/endpoints/#server-endpoints-api-routes, https://docs.astro.build/en/reference/cli-reference/#astro-dev, https://registry.npmjs.org, https://docs.astro.build/en/reference/cli-reference/#astro-preview, https://www.typescriptlang.org/tsconfig#allowJs, https://astro.build/telemetry, https://astro.build/issues, 127.0.0.1, https://github.com/rich-harris/devalue, https://astro.build/integrations, https://docs.astro.build/en/guides/deploy/, https://example.com, https://example.com/, https://docs.astro.build/en/core-concepts/routing/#dynamic-routes, https://astro.build/api/v1/dev-overlay/, https://github.com/withastro/astro/issues/new/choose, https://github.com/withastro/roadmap/discussions/new/choose, https://docs.astro.build, https://astro.build/chat

Location: Package overview

From: package.json → npm/astro@5.12.8

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@5.12.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
chokidar@3.6.0 has Filesystem access.

Module: fs

Location: Package overview

From: ? → npm/tailwindcss@3.4.17 → npm/chokidar@3.6.0

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chokidar@3.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
chokidar@3.6.0 has Environment variable access.

Env Vars: CHOKIDAR_USEPOLLING

Location: Package overview

From: ? → npm/tailwindcss@3.4.17 → npm/chokidar@3.6.0

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chokidar@3.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
chokidar@3.6.0 has Environment variable access.

Env Vars: CHOKIDAR_INTERVAL

Location: Package overview

From: ? → npm/tailwindcss@3.4.17 → npm/chokidar@3.6.0

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chokidar@3.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
chokidar@3.6.0 has Filesystem access.

Module: fsevents

Location: Package overview

From: ? → npm/tailwindcss@3.4.17 → npm/chokidar@3.6.0

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chokidar@3.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 32 more rows in the dashboard

View full report

@dependabot dependabot bot (Author) commented on behalf of github Aug 20, 2025

Superseded by #3.

@dependabot dependabot bot closed this Aug 20, 2025
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/astro-5.12.8 branch August 20, 2025 14:18

Labels: dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code)
