chore(deps-dev): bump astro from 3.5.0 to 6.1.6

[dependabot]

Bumps astro from 3.5.0 to 6.1.6.

Release notes

Sourced from astro's releases.

astro@6.1.6

Patch Changes

• #16202 b5c2fba Thanks @​matthewp! - Fixes Actions failing with ActionsWithoutServerOutputError when using output: 'static' with an adapter

• #16303 b06eabf Thanks @​matthewp! - Improves handling of special characters in inline <script> content

• #14924 bb4586a Thanks @​aralroca! - Fixes SCSS and CSS module file changes triggering a full page reload instead of hot-updating styles in place during development

astro@6.1.5

Patch Changes

• #16171 5bcd03c Thanks @​Desel72! - Fixes a build error that occurred when a pre-rendered page used the <Picture> component and another page called render() on content collection entries.

• #16239 7c65c04 Thanks @​dataCenter430! - Fixes sync content inside <Fragment> not streaming to the browser until all async sibling expressions have resolved.

• #16242 686c312 Thanks @​martrapp! - Revives UnoCSS in dev mode when used with the client router.

  This change partly reverts #16089, which in hindsight turned out to be too general. Instead of automatically persisting all style sheets, we now do this only for styles from Vue components.

• #16192 79d86b8 Thanks @​alexanderniebuhr! - Uses today’s date for Cloudflare compatibility_date in astro add cloudflare

  When creating new projects, astro add cloudflare now sets compatibility_date to the current date. Previously, this date was resolved from locally installed packages, which could be unreliable in some package manager environments. Using today’s date is simpler and more reliable across environments, and is supported by workerd.

• #16259 34df955 Thanks @​gameroman! - Removed dlv dependency

astro@6.1.4

Patch Changes

• #16197 21f9fe2 Thanks @​SchahinRohani! - Remove unused re-exports from assets/utils barrel file to fix Vite build warning

• #16059 6d5469e Thanks @​matthewp! - Fixes Expected 'miniflare' to be defined errors and 404 responses in dev mode when using the Cloudflare adapter and the config file changes. Instead of creating a brand new Vite server on config changes, Astro now performs a Vite in-place restart, allowing the Cloudflare adapter to reuse its existing miniflare instance across restarts.

• #16154 7610ba4 Thanks @​Desel72! - Fixes pages with dots in their filenames (e.g. hello.world.astro) returning 404 when accessed with a trailing slash in the dev server. The trailingSlashForPath function now only forces trailingSlash: 'never' for endpoints with file extensions, allowing pages to correctly respect the user's trailingSlash config.

• #16193 23425e2 Thanks @​matthewp! - Fixes trailingSlash: "always" producing redirect HTML instead of the actual response for extensionless endpoints during static builds

astro@6.1.3

Patch Changes

• #16161 b51f297 Thanks @​matthewp! - Fixes a dev rendering issue with the Cloudflare adapter where head metadata could be missing and dev CSS/scripts could be injected in the wrong place

• #16110 de669f0 Thanks @​tmimmanuel! - Fixes skew protection query parameters not being appended to inter-chunk JavaScript imports in client bundles, which could cause version mismatches during rolling deployments on Vercel

• #16162 a0a49e9 Thanks @​rururux! - Fixes an issue where HMR would not trigger when modifying files while using @​astrojs/cloudflare with prerenderEnvironment: 'node' enabled.

• #16142 7454854 Thanks @​rururux! - Fixes HTML content being incorrectly escaped as plain text when rendering a MDX component using the AstroContainer APIs.

• #16116 12602a9 Thanks @​riderx! - Fixes a bug where page-level CSS could leak between unrelated pages when traversing style parents across top-level route boundaries

... (truncated)

Changelog

Sourced from astro's changelog.

3.6.4

Patch Changes

• #9226 8f8a40e93 Thanks @​outofambit! - Fix i18n fallback routing with routing strategy of always-prefix

• #9179 3f28336d9 Thanks @​lilnasy! - Fixes an issue where the presence of a slot in a page led to an error.

• #9219 067a65f5b Thanks @​natemoo-re! - Fix edge case where <style> updates inside of .astro files would occasionally fail to update without reloading the page.

• #9236 27d3e86e4 Thanks @​ematipico! - The configuration i18n.routingStrategy has been replaced with an object called routing.

  export default defineConfig({
    experimental: {
        i18n: {
  -          routingStrategy: "prefix-always",
  +          routing: {
  +              prefixDefaultLocale: true,
  +          }
        }
    }
  })

  export default defineConfig({
    experimental: {
        i18n: {
  -          routingStrategy: "prefix-other-locales",
  +          routing: {
  +              prefixDefaultLocale: false,
  +          }
        }
    }
  })

3.6.3

Patch Changes

• #9193 0dc99c9a2 Thanks @​florian-lefebvre! - Prevents the Code component from crashing if the lang isn't supported by falling back to plaintext.

3.6.2

Patch Changes

• #9189 d90714fc3 Thanks @​SpencerWhitehead7! - Fixes an issue where links with the same pathname as the current page, but different search params, were not prefetched.

... (truncated)

Commits

• 1945a93 [ci] release (#16281)
• bb4586a fix: avoid full-reload in scss modules (#14924)
• 5f3085b [ci] format
• b5c2fba Skip actions server-output validation when an adapter is configured (#16202)
• b06eabf Consolidate inline script escaping into shared utility (#16303)
• 92fc030 refactor(core): rename logger internal types (#16271)
• ba18015 [ci] format
• d198e82 test: port 16 routing unit tests to TypeScript (#16266)
• 673a871 [ci] release (#16244)
• fab9c00 chore: upgrade biome (#16246)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for astro since your current version.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit e6d05b1. Configure here.}

[cursor]

Vite devDependency incompatible with Astro 6 requirement

Medium Severity

Bumping astro to ^6.1.6 while keeping vite at ^5.4.11 creates a version conflict. Astro 6 requires Vite 7 as a peer dependency. This mismatch can cause type resolution issues (e.g., import type { Plugin } from 'vite' in cloudflare.ts would resolve against Vite 5 types while Astro 6 expects Vite 7 types) and potentially break TypeScript compilation or tests.

 

^{Reviewed by Cursor Bugbot for commit e6d05b1. Configure here.}

[semgrep-code-getsentry]

Risk: Affected versions of vite are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Missing Authentication for Critical Function. This occurs because the Vite Dev Server WebSocket improperly exposes the fetchModule method, allowing unauthenticated remote attackers to bypass filesystem restrictions and read arbitrary files from the host machine

Manual Review Advice: A vulnerability from this advisory is reachable if you enable vite dev server using --host flag and websocket is not disabled

Fix: Upgrade this library to at least version 6.4.2 at sentry-javascript/yarn.lock:30204.

Reference(s): GHSA-p9ff-h696-f583, CVE-2026-39363

🧁 Fixed in commit 9ecdcd5 🧁

[dependabot]

Dependabot couldn't access the repository. Because of this, Dependabot cannot update this pull request.

[JPeer264]

@dependabot rebase

[s1gr1d]

Currently we still support Astro v3 so it still makes sense to keep this version. And as the Cursor comment already states ("Vite devDependency incompatible with Astro 6 requirement"), the types are not compatible and the build fails.

I will close this now. We can update this manually once we decide on the new version ranges to support.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.