Skip to content

fix(deps): update dependency astro to v5.14.3 [security] #3595

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency astro to v5.14.3 [security] #3595

wants to merge 1 commit into from
+295 −389

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 7, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
astro (source) 5.11.0 -> 5.14.3 age confidence

GitHub Vulnerability Alerts

CVE-2025-54793

Summary

There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks.

This affects Astro >=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.

Background

Astro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the trailingSlash configuration option. It follows the following rules:

  • If trailingSlash is set to "never", https://example.com/page/ will redirect to https://example.com/page
  • If trailingSlash is set to "always", https://example.com/page will redirect to https://example.com/page/

It also collapses multiple trailing slashes, according to the following rules:

  • If trailingSlash is set to "always" or "ignore" (the default), https://example.com/page// will redirect to https://example.com/page/
  • If trailingSlash is set to "never", https://example.com/page// will redirect to https://example.com/page

It does this by returning a 301 redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from https://example.com/page to https://example.com/page/, it sending a 301 response with the header Location: /page/. The browser resolves this URL relative to the original page URL and redirects to https://example.com/page/

Details

The vulnerability occurs if the target path starts with //. A request for https://example.com//page will send the header Location: //page/. The browser interprets this as a protocol-relative URL, so instead of redirecting to https://example.com//page/, it will attempt to redirect to https://page/. This is unlikely to resolve, but by crafting a URL in the form https://example.com//target.domain/subpath, it will send the header Location: //target.domain/subpath/, which the browser translates as a redirect to https://target.domain/subpath/. The subpath part is required because otherwise Astro will interpret /target.domain as a file download, which skips trailing slash handling.

This leads to an Open Redirect vulnerability.

The URL needed to trigger the vulnerability varies according to the trailingSlash setting.

  • If trailingSlash is set to "never", a URL in the form https://example.com//target.domain/subpath/
  • If trailingSlash is set to "always", a URL in the form https://example.com//target.domain/subpath
  • For any config value, a URL in the form https://example.com//target.domain/subpath//

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Mitigation

You can test if your site is affected by visiting https://yoursite.com//docs.astro.build/en//. If you are redirected to the Astro docs then your site is affected and must be updated.

Upgrade your site to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a Location header value that starts with //.

CVE-2025-55303

Summary

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png.

Proof of Concept

  1. Create a new minimal Astro project ([email protected]).

  2. Configure it to use the Node adapter (@astrojs/[email protected] — newer versions are not impacted):

    // astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
	adapter: node({ mode: 'standalone' }),
});

  3. Build the site by running astro build.

  4. Run the server, e.g. with astro preview.

  5. Append /_image?href=//placehold.co/600x400 to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400

  6. The site will serve the image from the unauthorized placehold.co origin.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.

CVE-2025-61925

Summary

When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property as there is no validation that the value is safe.

Details

Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.

It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such as malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.

This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.

As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.

Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.

PoC

  • Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
  • nvm use
  • yarn run build
  • node ./dist/server/entry.mjs
  • curl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'
  • Observe that the response reflects the malicious X-Forwarded-Host header

For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.

Impact

This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.

Release Notes

withastro/astro (astro)

v5.14.3

Compare Source

Patch Changes

  • #​14505 28b2a1d Thanks @​matthewp! - Fixes Cannot set property manifest error in test utilities by adding a protected setter for the manifest property

  • #​14235 c4d84bb Thanks @​toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabled

v5.14.1

Compare Source

Patch Changes

v5.14.0

Compare Source

Minor Changes

  • #​13520 a31edb8 Thanks @​openscript! - Adds a new property routePattern available to GetStaticPathsOptions

    This provides the original, dynamic segment definition in a routing file path (e.g. /[...locale]/[files]/[slug]) from the Astro render context that would not otherwise be available within the scope of getStaticPaths(). This can be useful to calculate the params and props for each page route.

    For example, you can now localize your route segments and return an array of static paths by passing routePattern to a custom getLocalizedData() helper function. The params object will be set with explicit values for each route segment (e.g. locale, files, and slug). Then, these values will be used to generate the routes and can be used in your page template via Astro.params.

v5.13.11

Compare Source

Patch Changes

  • #​14409 250a595 Thanks @​louisescher! - Fixes an issue where astro info would log errors to console in certain cases.

  • #​14398 a7df80d Thanks @​idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance

  • #​13747 120866f Thanks @​jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter

    The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.

  • #​14428 32a8acb Thanks @​drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer

  • #​14411 a601186 Thanks @​GameRoMan! - Fixes relative links to docs that could not be opened in the editor.

v5.13.10

Compare Source

Patch Changes

v5.13.9

Compare Source

Patch Changes

v5.13.8

Compare Source

Patch Changes

  • #​14300 bd4a70b Thanks @​louisescher! - Adds Vite version & integration versions to output of astro info

  • #​14341 f75fd99 Thanks @​delucis! - Fixes support for declarative Shadow DOM when using the <ClientRouter> component

  • #​14350 f59581f Thanks @​ascorbic! - Improves error reporting for content collections by adding logging for configuration errors that had previously been silently ignored. Also adds a new error that is thrown if a live collection is used in content.config.ts rather than live.config.ts.

  • #​14343 13f7d36 Thanks @​florian-lefebvre! - Fixes a regression in non node runtimes

v5.13.7

Compare Source

Patch Changes

v5.13.6

Compare Source

Patch Changes

v5.13.5

Compare Source

Patch Changes

  • #​14286 09c5db3 Thanks @​ematipico! - BREAKING CHANGES only to the experimental CSP feature

    The following runtime APIs of the Astro global have been renamed:

    • Astro.insertDirective to Astro.csp.insertDirective
    • Astro.insertStyleResource to Astro.csp.insertStyleResource
    • Astro.insertStyleHash to Astro.csp.insertStyleHash
    • Astro.insertScriptResource to Astro.csp.insertScriptResource
    • Astro.insertScriptHash to Astro.csp.insertScriptHash

    The following runtime APIs of the APIContext have been renamed:

    • ctx.insertDirective to ctx.csp.insertDirective
    • ctx.insertStyleResource to ctx.csp.insertStyleResource
    • ctx.insertStyleHash to ctx.csp.insertStyleHash
    • ctx.insertScriptResource to ctx.csp.insertScriptResource
    • ctx.insertScriptHash to ctx.csp.insertScriptHash

  • #​14283 3224637 Thanks @​ematipico! - Fixes an issue where CSP headers were incorrectly injected in the development server.

  • #​14275 3e2f20d Thanks @​florian-lefebvre! - Adds support for experimental CSP when using experimental fonts

    Experimental fonts now integrate well with experimental CSP by injecting hashes for the styles it generates, as well as font-src directives.

    No action is required to benefit from it.

  • #​14280 4b9fb73 Thanks @​ascorbic! - Fixes a bug that caused cookies to not be correctly set when using middleware sequences

  • #​14276 77281c4 Thanks @​ArmandPhilippot! - Adds a missing export for resolveSrc, a documented image services utility.

v5.13.4

Compare Source

Patch Changes

  • #​14260 86a1e40 Thanks @​jp-knj! - Fixes Astro.url.pathname to respect trailingSlash: 'never' configuration when using a base path. Previously, the root path with a base would incorrectly return /base/ instead of /base when trailingSlash was set to 'never'.

  • #​14248 e81c4bd Thanks @​julesyoungberg! - Fixes a bug where actions named 'apply' do not work due to being a function prototype method.

v5.13.3

Compare Source

Patch Changes

  • #​14239 d7d93e1 Thanks @​wtchnm! - Fixes a bug where the types for the live content collections were not being generated correctly in dev mode

  • #​14221 eadc9dd Thanks @​delucis! - Fixes JSON schema support for content collections using the file() loader

  • #​14229 1a9107a Thanks @​jonmichaeldarby! - Ensures Astro.currentLocale returns the correct locale during SSG for pages that use a locale param (such as [locale].astro or [locale]/index.astro, which produce [locale].html)

v5.13.2

Compare Source

Patch Changes

v5.13.1

Compare Source

Patch Changes

  • #​14409 250a595 Thanks @​louisescher! - Fixes an issue where astro info would log errors to console in certain cases.

  • #​14398 a7df80d Thanks @​idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance

  • #​13747 120866f Thanks @​jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter

    The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.

  • #​14428 32a8acb Thanks @​drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer

  • #​14411 a601186 Thanks @​GameRoMan! - Fixes relative links to docs that could not be opened in the editor.

v5.13.0

Compare Source

Minor Changes

  • #​14173 39911b8 Thanks @​florian-lefebvre! - Adds an experimental flag staticImportMetaEnv to disable the replacement of import.meta.env values with process.env calls and their coercion of environment variable values. This supersedes the rawEnvValues experimental flag, which is now removed.

    Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via astro:env into the expected type. This is the recommended way to use environment variables in Astro, as it allows you to easily see and manage whether your variables are public or secret, available on the client or only on the server at build time, and the data type of your values.

    However, you can still access environment variables through process.env and import.meta.env directly when needed. This was the only way to use environment variables in Astro before astro:env was added in Astro 5.0, and Astro's default handling of import.meta.env includes some logic that was only needed for earlier versions of Astro.

    The experimental.staticImportMetaEnv flag updates the behavior of import.meta.env to align with Vite's handling of environment variables and for better ease of use with Astro's current implementations and features. This will become the default behavior in Astro 6.0, and this early preview is introduced as an experimental feature.

    Currently, non-public import.meta.env environment variables are replaced by a reference to process.env. Additionally, Astro may also convert the value type of your environment variables used through import.meta.env, which can prevent access to some values such as the strings "true" (which is converted to a boolean value), and "1" (which is converted to a number).

    The experimental.staticImportMetaEnv flag simplifies Astro's default behavior, making it easier to understand and use. Astro will no longer replace any import.meta.env environment variables with a process.env call, nor will it coerce values.

    To enable this feature, add the experimental flag in your Astro config and remove rawEnvValues if it was enabled:

    // astro.config.mjs
import { defineConfig } from "astro/config";

export default defineConfig({
+  experimental: {
+    staticImportMetaEnv: true
-    rawEnvValues: false
+  }
});
Updating your project

If you were relying on Astro's default coercion, you may need to update your project code to apply it manually:

// src/components/MyComponent.astro
- const enabled: boolean = import.meta.env.ENABLED;
+ const enabled: boolean = import.meta.env.ENABLED === "true";

If you were relying on the transformation into process.env calls, you may need to update your project code to apply it manually:

// src/components/MyComponent.astro
- const enabled: boolean = import.meta.env.DB_PASSWORD;
+ const enabled: boolean = process.env.DB_PASSWORD;

You may also need to update types:

// src/env.d.ts
interface ImportMetaEnv {
  readonly PUBLIC_POKEAPI: string;
-  readonly DB_PASSWORD: string;
-  readonly ENABLED: boolean;
+  readonly ENABLED: string;
}

interface ImportMeta {
  readonly env: ImportMetaEnv;
}

+ namespace NodeJS {
+  interface ProcessEnv {
+    DB_PASSWORD: string;
+  }
+ }

See the experimental static import.meta.env documentation for more information about this feature. You can learn more about using environment variables in Astro, including astro:env, in the environment variables documentation.

  • #​14122 41ed3ac Thanks @​ascorbic! - Adds experimental support for automatic Chrome DevTools workspace folders

    This feature allows you to edit files directly in the browser and have those changes reflected in your local file system via a connected workspace folder. This allows you to apply edits such as CSS tweaks without leaving your browser tab!

    With this feature enabled, the Astro dev server will automatically configure a Chrome DevTools workspace for your project. Your project will then appear as a workspace source, ready to connect. Then, changes that you make in the "Sources" panel are automatically saved to your project source code.

    To enable this feature, add the experimental flag chromeDevtoolsWorkspace to your Astro config:

    // astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  experimental: {
    chromeDevtoolsWorkspace: true,
  },
});

    See the experimental Chrome DevTools workspace feature documentation for more information.

v5.12.9

Compare Source

Patch Changes

  • #​14020 9518975 Thanks @​jp-knj and @​asieradzk! - Prevent double-prefixed redirect paths when using fallback and redirectToDefaultLocale together

    Fixes an issue where i18n fallback routes would generate double-prefixed paths (e.g., /es/es/test/item1/) when fallback and redirectToDefaultLocale configurations were used together. The fix adds proper checks to prevent double prefixing in route generation.

  • #​14199 3e4cb8e Thanks @​ascorbic! - Fixes a bug that prevented HMR from working with inline styles

v5.12.8

Compare Source

Patch Changes

v5.12.7

Compare Source

Patch Changes

v5.12.6

Compare Source

Patch Changes

v5.12.5

Compare Source

Patch Changes

  • #​14059 19f53eb Thanks @​benosmac! - Fixes a bug in i18n implementation, where Astro didn't emit the correct pages when fallback is enabled, and a locale uses a catch-all route, e.g. src/pages/es/[...catchAll].astro

  • #​14155 31822c3 Thanks @​ascorbic! - Fixes a bug that caused an error "serverEntrypointModule[_start] is not a function" in some adapters

v5.12.4

Compare Source

Patch Changes

v5.12.3

Compare Source

Patch Changes

  • #​14119 14807a4 Thanks @​ascorbic! - Fixes a bug that caused builds to fail if a client directive was mistakenly added to an Astro component

  • #​14001 4b03d9c Thanks @​dnek! - Fixes an issue where getImage() assigned the resized base URL to the srcset URL of ImageTransform, which matched the width, height, and format of the original image.

v5.12.2

Compare Source

Patch Changes

v5.12.1

Compare Source

Patch Changes

v5.12.0

Compare Source

Minor Changes

  • #​13971 fe35ee2 Thanks @​adamhl8! - Adds an experimental flag rawEnvValues to disable coercion of import.meta.env values (e.g. converting strings to other data types) that are populated from process.env

    Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via astro:env into the expected type.

    However, Astro also converts your environment variables used through import.meta.env in some cases, and this can prevent access to some values such as the strings "true" (which is converted to a boolean value), and "1" (which is converted to a number).

    The experimental.rawEnvValues flag disables coercion of import.meta.env values that are populated from process.env, allowing you to use the raw value.

    To enable this feature, add the experimental flag in your Astro config:

    import { defineConfig } from "astro/config"

export default defineConfig({
+  experimental: {
+    rawEnvValues: true,
+  }
})

    If you were relying on this coercion, you may need to update your project code to apply it manually:

    - const enabled: boolean = import.meta.env.ENABLED
+ const enabled: boolean = import.meta.env.ENABLED === "true"

    See the experimental raw environment variables reference docs for more information.

  • #​13941 6bd5f75 Thanks @​aditsachde! - Adds support for TOML files to Astro's built-in glob() and file() content loaders.

    In Astro 5.2, Astro added support for using TOML frontmatter in Markdown files instead of YAML. However, if you wanted to use TOML files as local content collection entries themselves, you needed to write your own loader.

    Astro 5.12 now directly supports loading data from TOML files in content collections in both the glob() and the file() loaders.

    If you had added your own TOML content parser for the file() loader, you can now remove it as this functionality is now included:

    // src/content.config.ts
import { defineCollection } from "astro:content";
import { file } from "astro/loaders";
- import { parse as parseToml } from "toml";
const dogs = defineCollection({
-  loader: file("src/data/dogs.toml", { parser: (text) => parseToml(text) }),
+ loader: file("src/data/dogs.toml")
  schema: /* ... */
})

    Note that TOML does not support top-level arrays. Instead, the file() loader considers each top-level table to be an independent entry. The table header is populated in the id field of the entry object.

    See Astro's content collections guide for more information on using the built-in content loaders.

Patch Changes

v5.11.2

Compare Source

Patch Changes

v5.11.1

Compare Source

Patch Changes

  • #​14045 3276b79 Thanks @​ghubo! - Fixes a problem where importing animated .avif files returns a NoImageMetadata error.

  • #​14041 0c4d5f8 Thanks @​dixslyf! - Fixes a <ClientRouter /> bug where the fallback view transition animations when exiting a page
    ran too early for browsers that do not support the View Transition API.
    This bug prevented event.viewTransition?.skipTransition() from skipping the page exit animation
    when used in an astro:before-swap event hook.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency label Aug 7, 2025
@netlify Netlify
Copy link

netlify bot commented Aug 7, 2025
edited
Loading

Deploy Preview for brilliant-pasca-3e80ec ready!

Name Link
🔨 Latest commit 490f428
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/68e9aa5c7559720008a5f984
😎 Deploy Preview https://deploy-preview-3595--brilliant-pasca-3e80ec.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@github-actions github-actions bot added the pkg: documentation Changes in the documentation package. label Aug 7, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 7, 2025
edited
Loading

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 45.57
  • Iterations/s: 15.20
  • Failed Requests: 0.00% (0 of 2741)
📜 Logs 

> [email protected] run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 989 kB 16 kB/s
     data_sent......................: 2.1 MB 35 kB/s
     http_req_blocked...............: avg=6.72µs   min=1.8µs    med=5.02µs   max=744.96µs p(90)=6.02µs   p(95)=6.57µs  
     http_req_connecting............: avg=717ns    min=0s       med=0s       max=678.32µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=87.15ms  min=7.26ms   med=71.34ms  max=536.86ms p(90)=145.84ms p(95)=174.23ms
       { expected_response:true }...: avg=87.15ms  min=7.26ms   med=71.34ms  max=536.86ms p(90)=145.84ms p(95)=174.23ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2741
     http_req_receiving.............: avg=85.46µs  min=25.29µs  med=75.06µs  max=1.74ms   p(90)=109.03µs p(95)=139.43µs
     http_req_sending...............: avg=34.65µs  min=10.45µs  med=26.71µs  max=1.99ms   p(90)=39.38µs  p(95)=54.38µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=87.03ms  min=7.13ms   med=71.24ms  max=536.77ms p(90)=145.71ms p(95)=174.06ms
     http_reqs......................: 2741   45.568659/s
     iteration_duration.............: avg=262.97ms min=167.93ms med=248.51ms max=1.07s    p(90)=325.5ms  p(95)=354.35ms
     iterations.....................: 914    15.195095/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4

@renovate renovate bot force-pushed the renovate-npm-astro-vulnerability branch 2 times, most recently from 2600748 to 7a64610 Compare August 13, 2025 16:50
@renovate renovate bot force-pushed the renovate-npm-astro-vulnerability branch from 7a64610 to f59c82c Compare August 19, 2025 16:16
@renovate renovate bot changed the title fix(deps): update dependency astro to v5.12.8 [security] fix(deps): update dependency astro to v5.13.2 [security] Aug 19, 2025
@renovate renovate bot force-pushed the renovate-npm-astro-vulnerability branch from f59c82c to 89d359b Compare August 31, 2025 14:35
@renovate renovate bot force-pushed the renovate-npm-astro-vulnerability branch from 89d359b to ed21e5e Compare September 25, 2025 14:52
@renovate renovate bot force-pushed the renovate-npm-astro-vulnerability branch from ed21e5e to 490f428 Compare October 11, 2025 00:52
@renovate renovate bot changed the title fix(deps): update dependency astro to v5.13.2 [security] fix(deps): update dependency astro to v5.14.3 [security] Oct 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency pkg: documentation Changes in the documentation package.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants