build(deps): bump the npm-patch-updates group with 5 updates

[dependabot]

Bumps the npm-patch-updates group with 5 updates:

Package	From	To
verdaccio	6.7.2	6.7.4
astro-mermaid	2.0.2	2.0.4
astro	6.4.6	6.4.8
sharp	0.35.1	0.35.2
vitest	4.1.8	4.1.9

Updates verdaccio from 6.7.2 to 6.7.4

Release notes

Sourced from verdaccio's releases.

v6.7.4

Patch Changes

• 0205c78: fix: run jwt middleware before middleware plugins

  Register the JWT middleware before middleware plugins are loaded so that req.remote_user (anonymous by default) is available inside a plugin's register_middlewares. The API router keeps its own JWT middleware behind a guard so it is not executed twice.

  Backport of verdaccio/verdaccio#5697

  Closes #5167

v6.7.3

Patch Changes

• f8fdfc2: fix: enforce generated npm token metadata

  Generated npm tokens (POST /-/npm/v1/tokens) stored their readonly and cidr_whitelist restrictions but never enforced them, and deleting a token did not revoke it for the package APIs. A token marked read-only or pinned to a CIDR range could still publish packages and change dist-tags, and a deleted token remained usable.

  Generated tokens now embed a server-issued key (in the JWT claim, or in the encrypted legacy AES payload) and a new enforceGeneratedTokenMetadata middleware looks that key up on each request, rejecting the token when it is missing/revoked, used outside its CIDR whitelist, or used for a write while read-only. Enforcement applies to both AES and JWT API-token modes.

  Note: tokens issued before upgrading carry no key and are not retroactively constrained — regenerate them to apply the restrictions.

• be80623: fix: allow npm token create without readonly/cidr_whitelist

  npm token create in npm >= 11 (and the npm 12 prereleases) rewrote the request body: it no longer sends readonly and only sends cidr_whitelist when --cidr is passed. The POST /-/npm/v1/tokens endpoint required both, so modern npm clients failed with 422 the parameters are not valid.

  The endpoint now defaults readonly to false and cidr_whitelist to [] when they are absent, while still rejecting values of the wrong type.

• 75c85d5: Update verdaccio dependencies to the latest npm dist-tag (@verdaccio/ui-theme tracks next-9):

  • @verdaccio/ui-theme: 9.0.0-next-9.19 → 9.0.0-next-9.20

• d5e5332: chore: update dependencies

  Updates runtime dependencies @verdaccio/ui-theme (9.0.0-next-9.19) and

... (truncated)

Changelog

Sourced from verdaccio's changelog.

6.7.4

Patch Changes

• 0205c78: fix: run jwt middleware before middleware plugins

  Register the JWT middleware before middleware plugins are loaded so that req.remote_user (anonymous by default) is available inside a plugin's register_middlewares. The API router keeps its own JWT middleware behind a guard so it is not executed twice.

  Backport of verdaccio/verdaccio#5697

  Closes #5167

6.7.3

Patch Changes

• f8fdfc2: fix: enforce generated npm token metadata

  Generated npm tokens (POST /-/npm/v1/tokens) stored their readonly and cidr_whitelist restrictions but never enforced them, and deleting a token did not revoke it for the package APIs. A token marked read-only or pinned to a CIDR range could still publish packages and change dist-tags, and a deleted token remained usable.

  Generated tokens now embed a server-issued key (in the JWT claim, or in the encrypted legacy AES payload) and a new enforceGeneratedTokenMetadata middleware looks that key up on each request, rejecting the token when it is missing/revoked, used outside its CIDR whitelist, or used for a write while read-only. Enforcement applies to both AES and JWT API-token modes.

  Note: tokens issued before upgrading carry no key and are not retroactively constrained — regenerate them to apply the restrictions.

• be80623: fix: allow npm token create without readonly/cidr_whitelist

  npm token create in npm >= 11 (and the npm 12 prereleases) rewrote the request body: it no longer sends readonly and only sends cidr_whitelist when --cidr is passed. The POST /-/npm/v1/tokens endpoint required both, so modern npm clients failed with 422 the parameters are not valid.

  The endpoint now defaults readonly to false and cidr_whitelist to [] when they are absent, while still rejecting values of the wrong type.

• 75c85d5: Update verdaccio dependencies to the latest npm dist-tag (@verdaccio/ui-theme tracks next-9):

  • @verdaccio/ui-theme: 9.0.0-next-9.19 → 9.0.0-next-9.20

• d5e5332: chore: update dependencies

... (truncated)

Commits

• 9570db1 chore: release 6.x (#5963)
• 0205c78 fix: run jwt middleware before middleware plugins (#5962)
• 9d924e7 chore: release 6.x (#5950)
• 75c85d5 chore: update verdaccio 6.x dependencies (#5961)
• d5e5332 fix: update core dependencies (#5952)
• be80623 fix: allow npm token create without readonly/cidr_whitelist (#5951)
• f8fdfc2 fix: enforce generated npm token metadata (#5945)
• b491e84 chore: update ci settings
• 3a6c393 chore: update ci settings
• b319f7e fix(deps): update dependency express to v4.22.2 (#5902)
• See full diff in compare view

Updates astro-mermaid from 2.0.2 to 2.0.4

Release notes

Sourced from astro-mermaid's releases.

v2.0.4

2.0.4 (2026-06-17)

Bug Fixes

• route markdown plugins through unified processor on Astro 6.4+ (#66) (4edbfd5), closes #62

v2.0.3

2.0.3 (2026-06-17)

Bug Fixes

• add support for icons property in iconPacks (fixes #18) (#20) (87a84f6)

Commits

• 4edbfd5 fix: route markdown plugins through unified processor on Astro 6.4+ (#66)
• 9b37610 docs: fix C4 container diagram using unsupported Rel_Back_Neighbor (#67)
• 712988b chore(deps): resolve all Dependabot security alerts (#65)
• a4ec613 chore: add issue-workflow skill and brainstorm/code-reviewer subagents (#64)
• 87a84f6 fix: add support for icons property in iconPacks (fixes #18) (#20)
• 6df4298 chore(deps-dev): bump dompurify (#63)
• See full diff in compare view

Updates astro from 6.4.6 to 6.4.8

Release notes

Sourced from astro's releases.

astro@6.4.8

Patch Changes

• #17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

astro@6.4.7

Patch Changes

• #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

Changelog

Sourced from astro's changelog.

6.4.8

Patch Changes

• #17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

6.4.7

Patch Changes

• #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

Commits

• 3ec2c10 [ci] release (#17110)
• 27c80ea fix(core): encoded URLs (#17109)
• 910e121 [ci] release (#17036)
• ef771ec fix: improve diagnostics (#17046)
• 0537f5c [ci] format
• 2f4d92a Fix prerendered redirect targets inflating SSR bundle in hybrid mode (#17066)
• 360fa3f docs: fix grammar in container API JSDoc comments (#16984)
• bbe0e54 [ci] format
• 52fc862 Supporting numeric id references (#16672)
• 9de80ae feat(cli): Adds wrangler schema to generated wrangler.jsonc file when running...
• Additional commits viewable in compare view

Updates sharp from 0.35.1 to 0.35.2

Release notes

Sourced from sharp's releases.

v0.35.2

• TypeScript: Add mediaType to metadata response. #4492

• Improve WebAssembly fallback detection. #4513

• Improve code bundler support with stub binaries. #4543

• Verify GIF effort option is an integer. #4544 @​metsw24-max

• Verify recomb matrix entries are numbers. #4545 @​metsw24-max

• TypeScript: Replace namespace with named exports for ESM. #4546

• Bound dilate and erode width to avoid mask-size overflow. #4548 @​metsw24-max

• Verify convolve kernel values are numbers. #4549 @​metsw24-max

v0.35.2-rc.2

• TypeScript: Add mediaType to metadata response. #4492

• Improve WebAssembly fallback detection. #4513

• Improve code bundler support with stub binaries. #4543

• Verify GIF effort option is an integer. #4544 @​metsw24-max

• Verify recomb matrix entries are numbers. #4545 @​metsw24-max

• TypeScript: Replace namespace with named exports for ESM. #4546

... (truncated)

Commits

• c9622a3 Release v0.35.2
• cd4568f Upgrade to sharp-libvips v1.3.1
• 78390cf Tests: Add font file to prevent font discovery flakiness (#4550)
• 61210b4 Verify convolve kernel values are numbers (#4549)
• 1cb27dc Prerelease v0.35.2-rc.2
• c7606c3 Upgrade to sharp-libvips v1.3.1-rc.0
• 29d1e9e Prerelease v0.35.2-rc.1
• bbba0a1 Improve code bundler support with stub binaries
• ab52866 Bound dilate and erode width to avoid mask-size overflow (#4548)
• 0f594dd Prerelease v0.35.2-rc.0
• Additional commits viewable in compare view

Updates vitest from 4.1.8 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

• Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in vitest-dev/vitest#10546 (a5180)
• browser:
  • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10555 (7fb29)
  • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10497 and vitest-dev/vitest#10556 (fbc62)
• mocker:
  • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in vitest-dev/vitest#10548 (2c955)
• pool:
  • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in vitest-dev/vitest#10543 and vitest-dev/vitest#10564 (934b0)

View changes on GitHub

Commits

• a7a61e7 chore: release v4.1.9 (#10598)
• 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
• 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
• a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions