build(site): bump astro 5→6 to clear Dependabot advisories #15

Merged
tachyon-beep merged 1 commit into main from chore/site-astro-6-security on Jun 20, 2026

build(site): bump astro 5→6 to clear Dependabot advisories#15
tachyon-beep merged 1 commit into
mainfrom
chore/site-astro-6-security

Conversation

@tachyon-beep

Collaborator

The legis site's astro 5.18.2 carries 5 GHSA advisories (the 5 of the 6 Dependabot alerts on this repo that aren't the esbuild low):

| Advisory | Issue | Severity |
|---|---|---|
| GHSA-j687-52p2-xcff | XSS in define:vars (incomplete </script> sanitization) | high |
| GHSA-jrpj-wcv7-9fh9 | XSS via unescaped attribute names in spread props | high |
| GHSA-8hv8-536x-4wqp | reflected XSS via unescaped slot name | moderate |
| GHSA-xr5h-phrj-8vxv | server-island encrypted-param replay | moderate |
| GHSA-2pvr-wf23-7pc7 | host-header SSRF in prerendered error-page fetch | low |

5.18.2 is the latest 5.x (no patched 5.x line), so the fix is astro 6.4.8 (breaking major).

Changes

  • astro ^5.5.0 → ^6.4.8
  • @astrojs/react ^4.2.0 → ^5.0.7 (astro-6-compatible integration)
  • deploy-site.yml node 20 → 22 (astro 6 requires node ≥22.12)

Verification (node 22)

  • npm install clean; astro build succeeds — static, 1 page, dist/index.html renders (45 KB, correct <title>/meta).
  • 5 astro advisories cleared. One esbuild low remains (GHSA-g7r4-m6w7-qqqr — dev-server arbitrary file read, Windows only): not exploitable for a Linux-built static deploy, and its only fix is a forced breaking change astro controls, so left intentionally (dismiss as "not affected" on GitHub if desired).

Site-only — no effect on the legis Python package. (Companion change applied to lacuna's identical site: foundryside-dev/lacuna@262f36a.)

🤖 Generated with Claude Code

The legis site's astro 5.18.2 carried 5 GHSA advisories (XSS in define:vars /
spread props / slot names, server-island param replay, host-header SSRF). 5.18.2
is the latest 5.x with no patched line, so the fix is astro 6.4.8 (breaking
major). Bumped:
  - astro ^5.5.0 -> ^6.4.8
  - @astrojs/react ^4.2.0 -> ^5.0.7
  - deploy-site.yml node 20 -> 22 (astro 6 requires node >=22.12)

Verified under node 22: npm install clean, `astro build` succeeds (static, 1
page, dist/index.html renders). The 5 astro advisories are cleared; one esbuild
low remains (GHSA-g7r4, dev-server file read on WINDOWS only) — not exploitable
for a Linux-built static deploy, fix is a forced breaking change astro controls,
so left intentionally. Site-only change; no effect on the legis package.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@tachyon-beep tachyon-beep merged commit d5ca50f into main Jun 20, 2026
2 checks passed
@tachyon-beep tachyon-beep deleted the chore/site-astro-6-security branch June 20, 2026 09:18