chore(deps): bump the prod-dependencies group across 1 directory with 3 updates

[dependabot]

Bumps the prod-dependencies group with 3 updates in the / directory: @astrojs/starlight, astro and starlight-sidebar-topics.

Updates @astrojs/starlight from 0.39.3 to 0.40.0

Release notes

Sourced from @​astrojs/starlight's releases.

@​astrojs/starlight@​0.40.0

Minor Changes

• #3923 edf2e6b Thanks @​Princesseuh! - Adds support for Astro 6.4 and the new Sätteri Markdown processor.

  It is now possible to opt into using Astro's 6.4 Sätteri Markdown processor by installing the @astrojs/markdown-satteri package and configuring it in your astro.config.mjs file:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { satteri } from '@​astrojs/markdown-satteri';
  export default defineConfig({
  markdown: {
  processor: satteri(),
  },
  });

  ⚠️ BREAKING CHANGE: The minimum supported version of Astro is now v6.4.5.

  Please update Starlight and Astro together:

  npx @astrojs/upgrade

  Community Starlight plugins and Astro integrations may also need to be manually updated to work with Sätteri. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

Patch Changes

• #3923 edf2e6b Thanks @​Princesseuh! - Updates Expressive Code to version 0.43.1.

Changelog

Sourced from @​astrojs/starlight's changelog.

0.40.0

Minor Changes

• #3923 edf2e6b Thanks @​Princesseuh! - Adds support for Astro 6.4 and the new Sätteri Markdown processor.

  It is now possible to opt into using Astro's 6.4 Sätteri Markdown processor by installing the @astrojs/markdown-satteri package and configuring it in your astro.config.mjs file:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { satteri } from '@​astrojs/markdown-satteri';
  export default defineConfig({
  markdown: {
  processor: satteri(),
  },
  });

  ⚠️ BREAKING CHANGE: The minimum supported version of Astro is now v6.4.5.

  Please update Starlight and Astro together:

  npx @astrojs/upgrade

  Community Starlight plugins and Astro integrations may also need to be manually updated to work with Sätteri. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

Patch Changes

• #3923 edf2e6b Thanks @​Princesseuh! - Updates Expressive Code to version 0.43.1.

Commits

• 79897a3 [ci] release (#3944)
• edf2e6b feat: add support for Astro 6.4 and Sätteri (#3923)
• See full diff in compare view

Updates astro from 6.4.4 to 6.4.8

Release notes

Sourced from astro's releases.

astro@6.4.8

Patch Changes

• #17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

astro@6.4.7

Patch Changes

• #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

astro@6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

astro@6.4.5

... (truncated)

Changelog

Sourced from astro's changelog.

6.4.8

Patch Changes

• #17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

6.4.7

Patch Changes

• #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

... (truncated)

Commits

• 3ec2c10 [ci] release (#17110)
• 27c80ea fix(core): encoded URLs (#17109)
• 910e121 [ci] release (#17036)
• ef771ec fix: improve diagnostics (#17046)
• 0537f5c [ci] format
• 2f4d92a Fix prerendered redirect targets inflating SSR bundle in hybrid mode (#17066)
• 360fa3f docs: fix grammar in container API JSDoc comments (#16984)
• bbe0e54 [ci] format
• 52fc862 Supporting numeric id references (#16672)
• 9de80ae feat(cli): Adds wrangler schema to generated wrangler.jsonc file when running...
• Additional commits viewable in compare view

Updates starlight-sidebar-topics from 0.7.1 to 0.8.0

Release notes

Sourced from starlight-sidebar-topics's releases.

starlight-sidebar-topics@0.8.0

Minor Changes

• #72 0afdff2 Thanks @​HiDeoo! - Adds support for defining HTML attributes on topic links using the attrs topic option.

starlight-sidebar-topics@0.7.2

Patch Changes

• #69 c7a0535 Thanks @​HiDeoo! - Improves the topic lookup error message for pages hidden from the sidebar using the sidebar.hidden frontmatter property.

Changelog

Sourced from starlight-sidebar-topics's changelog.

0.8.0

Minor Changes

• #72 0afdff2 Thanks @​HiDeoo! - Adds support for defining HTML attributes on topic links using the attrs topic option.

0.7.2

Patch Changes

• #69 c7a0535 Thanks @​HiDeoo! - Improves the topic lookup error message for pages hidden from the sidebar using the sidebar.hidden frontmatter property.

Commits

• 677d7a9 ci: release (#73)
• 0afdff2 Add support for topic link attributes (#72)
• 02a746b ci: release (#70)
• c7a0535 Improve topic error message (#69)
• 431316f docs: fix typos (#62)
• 2444665 ci: improve e2e performances (#60)
• 8efd638 chore: update package manager to pnpm 11 (#59)
• See full diff in compare view

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[cloudflare-workers-and-pages]

Deploying helpers4 with    Cloudflare Pages

Latest commit:	5399288
Status:	✅  Deploy successful!
Preview URL:	https://fcf72610.helpers4.pages.dev
Branch Preview URL:	https://dependabot-npm-and-yarn-prod-qh60.helpers4.pages.dev

View logs

[github-actions]

✅ PR Validation Passed

All checks passed!

---

📋 Pipeline Status

	Job	Status
✅	🧾 Conventional Commits	passing
✅	🏗️ Build	passing
✅	📘 TypeCheck	passing

---

_{🤖 Generated by @helpers4 CI • 2026-06-20}