chore(deps): bump astro, @astrojs/cloudflare and @astrojs/mdx

[dependabot]

Bumps astro, @astrojs/cloudflare and @astrojs/mdx. These dependencies needed to be updated together.
Updates astro from 5.17.1 to 6.4.8

Release notes

Sourced from astro's releases.

astro@6.4.8

Patch Changes

• #17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

astro@6.4.7

Patch Changes

• #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

astro@6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

astro@6.4.5

... (truncated)

Changelog

Sourced from astro's changelog.

6.4.8

Patch Changes

• #17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

6.4.7

Patch Changes

• #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

... (truncated)

Commits

• 3ec2c10 [ci] release (#17110)
• 27c80ea fix(core): encoded URLs (#17109)
• 910e121 [ci] release (#17036)
• ef771ec fix: improve diagnostics (#17046)
• 0537f5c [ci] format
• 2f4d92a Fix prerendered redirect targets inflating SSR bundle in hybrid mode (#17066)
• 360fa3f docs: fix grammar in container API JSDoc comments (#16984)
• bbe0e54 [ci] format
• 52fc862 Supporting numeric id references (#16672)
• 9de80ae feat(cli): Adds wrangler schema to generated wrangler.jsonc file when running...
• Additional commits viewable in compare view

Updates @astrojs/cloudflare from 12.6.12 to 13.7.0

Release notes

Sourced from @​astrojs/cloudflare's releases.

@​astrojs/cloudflare@​13.7.0

Minor Changes

• #16571 d4b0cd1 Thanks @​MA2153! - Sets immutable cache headers for static assets

  Static assets under _astro can be cached to improve performance. The adapter now automatically injects a Cache-Control header at build time when possible.

Patch Changes

• #16968 7a5c001 Thanks @​astrobot-houston! - Fixes a build crash when using experimental.advancedRouting with a custom fetchFile that statically imports cf from @astrojs/cloudflare/fetch. The circular dependency between @astrojs/cloudflare/fetch and astro/app/entrypoint caused createApp or createGetEnv to be undefined at module evaluation time. Initialization is now deferred to the first cf() call, breaking the cycle.

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

@​astrojs/cloudflare@​13.6.1

Patch Changes

• #16914 4bdd240 Thanks @​matthewp! - Fixes astro/fetch and astro/hono being discovered at runtime during dev instead of pre-bundled

• #16693 9e6edc2 Thanks @​ArmandPhilippot! - Fixes a link in the documentation specifying where to open an issue for the adapter.

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

@​astrojs/cloudflare@​13.6.0

13.6.0

Minor Changes

• #16729 01aa164 Thanks @​matthewp! - Adds @astrojs/cloudflare/fetch and @astrojs/cloudflare/hono exports for composing Cloudflare-specific setup with Astro's advanced routing handlers.

  @astrojs/cloudflare/fetch

  For use with astro/fetch in a custom fetch handler:

  import { astro, FetchState } from 'astro/fetch';
  import { cf } from '@astrojs/cloudflare/fetch';
  export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
  const state = new FetchState(request);
  const asset = await cf(state, env, ctx);
  if (asset) return asset;
  return astro(state);
  },
  };

  @astrojs/cloudflare/hono

... (truncated)

Changelog

Sourced from @​astrojs/cloudflare's changelog.

13.7.0

Minor Changes

• #16571 d4b0cd1 Thanks @​MA2153! - Sets immutable cache headers for static assets

  Static assets under _astro can be cached to improve performance. The adapter now automatically injects a Cache-Control header at build time when possible.

Patch Changes

• #16968 7a5c001 Thanks @​astrobot-houston! - Fixes a build crash when using experimental.advancedRouting with a custom fetchFile that statically imports cf from @astrojs/cloudflare/fetch. The circular dependency between @astrojs/cloudflare/fetch and astro/app/entrypoint caused createApp or createGetEnv to be undefined at module evaluation time. Initialization is now deferred to the first cf() call, breaking the cycle.

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

13.6.1

Patch Changes

• #16914 4bdd240 Thanks @​matthewp! - Fixes astro/fetch and astro/hono being discovered at runtime during dev instead of pre-bundled

• #16693 9e6edc2 Thanks @​ArmandPhilippot! - Fixes a link in the documentation specifying where to open an issue for the adapter.

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

13.6.0

Minor Changes

• #16729 01aa164 Thanks @​matthewp! - Adds @astrojs/cloudflare/fetch and @astrojs/cloudflare/hono exports for composing Cloudflare-specific setup with Astro's advanced routing handlers.

  @astrojs/cloudflare/fetch

  For use with astro/fetch in a custom fetch handler:

  import { astro, FetchState } from 'astro/fetch';
  import { cf } from '@astrojs/cloudflare/fetch';
  export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
  const state = new FetchState(request);
  const asset = await cf(state, env, ctx);
  if (asset) return asset;
  return astro(state);
  },
  };

... (truncated)

Commits

• 0b879fb [ci] release (#16972)
• ca26d0e [ci] format
• d4b0cd1 fix(cloudflare): inject headers for caching the assets folder (#16571)
• 7a5c001 fix(cloudflare): defer createApp/setGetEnv in fetch.ts to avoid circular impo...
• 75ae5df [ci] release (#16912)
• 272ca61 chore(deps): update pnpm to v11.5.0 (#16903)
• 4bdd240 Pre-bundle astro/fetch and astro/hono in Cloudflare optimizeDeps (#16914)
• 17a0fbd chore(deps): update devalue (#16900)
• 9e6edc2 fix(docs): replace last occurrences of withastro/adapters (#16693)
• da10b9e chore(deps): resolve peer dependency issues (#16894)
• Additional commits viewable in compare view

Updates @astrojs/mdx from 4.3.8 to 6.0.3

Release notes

Sourced from @​astrojs/mdx's releases.

@​astrojs/mdx@​6.0.3

Patch Changes

• #16969 4a31f90 Thanks @​Princesseuh! - Adds support for Prism syntax highlighting to the Sätteri Markdown and MDX processors. Setting markdown.syntaxHighlight to 'prism' now highlights your code blocks with Prism.

  // astro.config.mjs
  import { satteri } from '@astrojs/markdown-satteri';
  export default defineConfig({
  markdown: {
  processor: satteri(),
  syntaxHighlight: 'prism',
  },
  });

@​astrojs/mdx@​6.0.0-alpha.1

Patch Changes

• #16969 4a31f90 Thanks @​Princesseuh! - Adds support for Prism syntax highlighting to the Sätteri Markdown and MDX processors. Setting markdown.syntaxHighlight to 'prism' now highlights your code blocks with Prism.

  // astro.config.mjs
  import { satteri } from '@astrojs/markdown-satteri';
  export default defineConfig({
  markdown: {
  processor: satteri(),
  syntaxHighlight: 'prism',
  },
  });

• Updated dependencies [4a31f90]:

  • @​astrojs/markdown-satteri@​0.3.0-alpha.0

@​astrojs/mdx@​6.0.2

Patch Changes

• #16955 9a93d68 Thanks @​Princesseuh! - Updates Sätteri processor to v0.8.0. See its changelog for details on bugs fixed and features added.

• Updated dependencies [9a93d68]:

  • @​astrojs/markdown-satteri@​0.2.2

@​astrojs/mdx@​6.0.0

6.0.0

Major Changes

... (truncated)

Changelog

Sourced from @​astrojs/mdx's changelog.

6.0.3

Patch Changes

• #16969 4a31f90 Thanks @​Princesseuh! - Adds support for Prism syntax highlighting to the Sätteri Markdown and MDX processors. Setting markdown.syntaxHighlight to 'prism' now highlights your code blocks with Prism.

  // astro.config.mjs
  import { satteri } from '@astrojs/markdown-satteri';
  export default defineConfig({
  markdown: {
  processor: satteri(),
  syntaxHighlight: 'prism',
  },
  });

6.0.2

Patch Changes

• #16955 9a93d68 Thanks @​Princesseuh! - Updates Sätteri processor to v0.8.0. See its changelog for details on bugs fixed and features added.

• Updated dependencies [9a93d68]:

  • @​astrojs/markdown-satteri@​0.2.2

6.0.1

Patch Changes

• Updated dependencies [eeb064c]:
  • @​astrojs/markdown-satteri@​0.2.1

6.0.0

Major Changes

• #16848 f732f3c Thanks @​Princesseuh! - Adds a new markdown.processor configuration option, allowing you to choose an alternative Markdown processor.

  Websites with many Markdown/MDX files tend to be slow to build because the unified ecosystem (e.g., remark, rehype) is slow to process. This feature introduces the ability to replace this part of the build pipeline with another processor.

  The default processor is unified(). This means that existing configurations remain unchanged and your remark/rehype plugins continue to work.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { unified } from '@astrojs/markdown-remark';
  import remarkToc from 'remark-toc';

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	rustlings	e1817d0	Jun 20 2026, 05:07 AM