fix(deps): update astro

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/starlight (source)	^0.36.2 -> ^0.36.3
astro (source)	^5.15.3 -> ^5.16.1

---

Release Notes

withastro/starlight (@​astrojs/starlight)

v0.36.3

Compare Source

Patch Changes

• #​3555 547dc30 Thanks @​Its-Just-Nans! - Improves the error message thrown when using a file in the public/ directory with Starlight’s customCss configuration option

• #​3496 b78fda4 Thanks @​delucis! - Fixes invalid <head> output when configuration is missing:

  • Omits <meta property="og:description" /> if Starlight’s description option is unset
  • Omits <link rel="canonical" /> and <meta property="og:url" /> if Astro’s site option is unset

• #​3511 8727df1 Thanks @​astrobot-houston! - Updates the seti:gitlab icon to match latest version from Seti UI Icons

withastro/astro (astro)

v5.16.1

Compare Source

Patch Changes

• #​14769 b43ee71 Thanks @​adriandlam! - Fixes an unhandled rejection issue when using Astro with Vercel Workflow DevKit

• #​14761 345eb22 Thanks @​ooga! - Updates button attributes types to allow command and commandfor

• #​14866 65e214b Thanks @​GameRoMan! - Fixes Astro.glob to be correctly marked as deprecated

• #​14894 1ad9a5b Thanks @​delucis! - Fixes support for Astro component rendering in Vitest test suites using a “client” environment such as happy-dom or jsdom

• #​14782 abed929 Thanks @​florian-lefebvre! - Improves syncing

v5.16.0

Compare Source

Minor Changes

• #​13880 1a2ed01 Thanks @​azat-io! - Adds experimental SVGO optimization support for SVG assets

  Astro now supports automatic SVG optimization using SVGO during build time. This experimental feature helps reduce SVG file sizes while maintaining visual quality, improving your site's performance.

  To enable SVG optimization with default settings, add the following to your astro.config.mjs:

  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      svgo: true,
    },
  });

  To customize optimization, pass a SVGO configuration object:

  export default defineConfig({
    experimental: {
      svgo: {
        plugins: [
          'preset-default',
          {
            name: 'removeViewBox',
            active: false,
          },
        ],
      },
    },
  });

  For more information on enabling and using this feature in your project, see the experimental SVG optimization docs.

• #​14810 2e845fe Thanks @​ascorbic! - Adds a hint for code agents to use the --yes flag to skip prompts when running astro add

• #​14698 f42ff9b Thanks @​mauriciabad! - Adds the ActionInputSchema utility type to automatically infer the TypeScript type of an action's input based on its Zod schema

  For example, this type can be used to retrieve the input type of a form action:

  import { type ActionInputSchema, defineAction } from 'astro:actions';
  import { z } from 'astro/zod';
  
  const action = defineAction({
    accept: 'form',
    input: z.object({ name: z.string() }),
    handler: ({ name }) => ({ message: `Welcome, ${name}!` }),
  });
  
  type Schema = ActionInputSchema<typeof action>;
  // typeof z.object({ name: z.string() })
  
  type Input = z.input<Schema>;
  // { name: string }

• #​14574 4356485 Thanks @​jacobdalamb! - Adds new CLI shortcuts available when running astro preview:

  • o + enter: open the site in your browser
  • q + enter: quit the preview
  • h + enter: print all available shortcuts

Patch Changes

• #​14813 e1dd377 Thanks @​ematipico! - Removes picocolors as dependency in favor of the fork piccolore.

• #​14609 d774306 Thanks @​florian-lefebvre! - Improves astro info

• #​14796 c29a785 Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

  Updates the default subsets to ["latin"]

  Subsets have been a common source of confusion: they caused a lot of files to be downloaded by default. You now have to manually pick extra subsets.

  Review your Astro config and update subsets if you need, for example if you need greek characters:

  import { defineConfig, fontProviders } from "astro/config"
  
  export default defineConfig({
      experimental: {
          fonts: [{
              name: "Roboto",
              cssVariable: "--font-roboto",
              provider: fontProviders.google(),
  +            subsets: ["latin", "greek"]
          }]
      }
  })

v5.15.9

Compare Source

Patch Changes

• #​14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

• #​14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

• #​14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

  In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    images: {
      remotePatterns: [
        {
          protocol: 'data',
        },
      ],
    },
  });

• #​14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

  Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

• #​14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

• Updated dependencies [9e9c528, 0f75f6b]:

  • @​astrojs/internal-helpers@​0.7.5
  • @​astrojs/markdown-remark@​6.3.9

v5.15.8

Compare Source

Patch Changes

• #​14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

  Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

• #​14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

  Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

v5.15.7

Compare Source

Patch Changes

• #​14765 03fb47c Thanks @​florian-lefebvre! - Fixes a case where process.env wouldn't be properly populated during the build

• #​14690 ae7197d Thanks @​fredriknorlin! - Fixes a bug where Astro's i18n fallback system with fallbackType: 'rewrite' would not generate fallback files for pages whose filename started with a locale key.

v5.15.6

Compare Source

Patch Changes

• #​14751 18c55e1 Thanks @​delucis! - Fixes hydration of client components when running the dev server and using a barrel file that re-exports both Astro and UI framework components.

• #​14750 35122c2 Thanks @​florian-lefebvre! - Updates the experimental Fonts API to log a warning if families with a conflicting cssVariable are provided

• #​14737 74c8852 Thanks @​Arecsu! - Fixes an error when using transition:persist with components that use declarative Shadow DOM. Astro now avoids re-attaching a shadow root if one already exists, preventing "Unable to re-attach to existing ShadowDOM" navigation errors.

• #​14750 35122c2 Thanks @​florian-lefebvre! - Updates the experimental Fonts API to allow for more granular configuration of remote font families

  A font family is defined by a combination of properties such as weights and styles (e.g. weights: [500, 600] and styles: ["normal", "bold"]), but you may want to download only certain combinations of these.

  For greater control over which font files are downloaded, you can specify the same font (ie. with the same cssVariable, name, and provider properties) multiple times with different combinations. Astro will merge the results and download only the required files. For example, it is possible to download normal 500 and 600 while downloading only italic 500:

  // astro.config.mjs
  import { defineConfig, fontProviders } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      fonts: [
        {
          name: 'Roboto',
          cssVariable: '--roboto',
          provider: fontProviders.google(),
          weights: [500, 600],
          styles: ['normal'],
        },
        {
          name: 'Roboto',
          cssVariable: '--roboto',
          provider: fontProviders.google(),
          weights: [500],
          styles: ['italic'],
        },
      ],
    },
  });

v5.15.5

Compare Source

Patch Changes

• #​14712 91780cf Thanks @​florian-lefebvre! - Fixes a case where build's process.env would be inlined in the server output

• #​14713 666d5a7 Thanks @​florian-lefebvre! - Improves fallbacks generation when using the experimental Fonts API

• #​14743 dafbb1b Thanks @​matthewp! - Improves X-Forwarded header validation to prevent cache poisoning and header injection attacks. Now properly validates X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers against configured allowedDomains patterns, rejecting malformed or suspicious values. This is especially important when running behind a reverse proxy or load balancer.

v5.15.4

Compare Source

Patch Changes

• #​14703 970ac0f Thanks @​ArmandPhilippot! - Adds missing documentation for some public utilities exported from astro:i18n.

• #​14715 3d55c5d Thanks @​ascorbic! - Adds support for client hydration in getContainerRenderer()

  The getContainerRenderer() function is exported by Astro framework integrations to simplify the process of rendering framework components when using the experimental Container API inside a Vite or Vitest environment. This update adds the client hydration entrypoint to the returned object, enabling client-side interactivity for components rendered using this function. Previously this required users to manually call container.addClientRenderer() with the appropriate client renderer entrypoint.

  See the container-with-vitest demo for a usage example, and the Container API documentation for more information on using framework components with the experimental Container API.

• #​14711 a4d284d Thanks @​deining! - Fixes typos in documenting our error messages and public APIs.

• #​14701 9be54c7 Thanks @​florian-lefebvre! - Fixes a case where the experimental Fonts API would filter available font files too aggressively, which could prevent the download of woff files when using the google provider

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for openpodcastapi ready!

Name	Link
🔨 Latest commit	2fb34f3
🔍 Latest deploy log	https://app.netlify.com/projects/openpodcastapi/deploys/6927190e76d539000775cf02
😎 Deploy Preview	https://deploy-preview-156--openpodcastapi.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.