Bump the npm_and_yarn group across 1 directory with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: astro and mdast-util-to-hast.

Updates astro from 5.10.0 to 5.16.12

Release notes

Sourced from astro's releases.

astro@5.16.12

Patch Changes

• #15175 47ae148 Thanks @​florian-lefebvre! - Allows experimental Font providers to specify family options

  Previously, an Astro FontProvider could only accept options at the provider level when called. That could result in weird data structures for family-specific options.

  Astro FontProviders can now declare family-specific options, by specifying a generic:

  // font-provider.ts
  import type { FontProvider } from "astro";
  import { retrieveFonts, type Fonts } from "./utils.js",
  interface Config {
  token: string;
  }
  +interface FamilyOptions {
  
  minimal?: boolean;
  +}
  
  -export function registryFontProvider(config: Config): FontProvider {
  +export function registryFontProvider(config: Config): FontProvider<FamilyOptions> {
  let data: Fonts = {}
  return {
  name: "registry",
  config,
  init: async () => {
  data = await retrieveFonts(token);
  },
  listFonts: () => {
  return Object.keys(data);
  },
  
  resolveFont: ({ familyName, ...rest }) => {
  
  
  // options is typed as FamilyOptions
  resolveFont: ({ familyName, options, ...rest }) => {
  const fonts = data[familyName];
  if (fonts) {
  return { fonts };
  }
  return undefined;
  },
  };
  }

Once the font provider is registered in the Astro config, types are automatically inferred:

... (truncated)

Changelog

Sourced from astro's changelog.

5.16.12

Patch Changes

• #15175 47ae148 Thanks @​florian-lefebvre! - Allows experimental Font providers to specify family options

  Previously, an Astro FontProvider could only accept options at the provider level when called. That could result in weird data structures for family-specific options.

  Astro FontProviders can now declare family-specific options, by specifying a generic:

  // font-provider.ts
  import type { FontProvider } from "astro";
  import { retrieveFonts, type Fonts } from "./utils.js",
  interface Config {
  token: string;
  }
  +interface FamilyOptions {
  
  minimal?: boolean;
  +}
  
  -export function registryFontProvider(config: Config): FontProvider {
  +export function registryFontProvider(config: Config): FontProvider<FamilyOptions> {
  let data: Fonts = {}
  return {
  name: "registry",
  config,
  init: async () => {
  data = await retrieveFonts(token);
  },
  listFonts: () => {
  return Object.keys(data);
  },
  
  resolveFont: ({ familyName, ...rest }) => {
  
  
  // options is typed as FamilyOptions
  resolveFont: ({ familyName, options, ...rest }) => {
  const fonts = data[familyName];
  if (fonts) {
  return { fonts };
  }
  return undefined;
  },
  };
  }

Once the font provider is registered in the Astro config, types are automatically inferred:

... (truncated)

Commits

• dc5bcd9 [ci] release (#15228)
• 47ae148 feat(fonts)!: family options (#15175)
• c0595b3 feat(fonts)!: fontData instead of getFontData() (#15200)
• 096c331 fix: typo in comment (#15232)
• 2a6315a React / MDX nested regression (#15253)
• 731f52d fix: prevent font copying when stopping dev server with q+enter (#15178)
• 8d84b30 bug: Support remote url for css in content collection (#15254)
• 3da6272 Fix greedy regex in error message markdown rendering (#15230)
• c390fb7 refactor(fonts): use runtime as entrypoint (#15181)
• 1a3f302 refactor(fonts): do not mutate provider name (#15190)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.

Updates devalue from 5.1.1 to 5.6.2

Release notes

Sourced from devalue's releases.

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

• 0623a47: fix: disallow array method access when parsing
• 0623a47: fix: disallow __proto__ properties on objects

v5.3.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

5.3.2

... (truncated)

Commits

• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• 5e07a67 Version Packages (#129)
• aa09604 Bump js-yaml from 3.14.1 to 3.14.2 (#125)
• 2161d44 fix: add hasOwn check before calling reviver (#128)
• 83de81d Version Packages (#127)
• a3d09d4 Add value and root properties in DevalueError instances (#126)
• f4b37f3 Version Packages (#124)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates h3 from 1.15.3 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

v1.15.4

compare changes

🩹 Fixes

• getRequestHost: Return first host from x-forwarded-host (#1175)

💅 Refactors

• useSession: Backport SessionManager interface to fix types (#1058)

🏡 Chore

• docs: Fix typos (#1108)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)
• Izoukhai (@​izoukhai)

Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

• Update deps (e2462ec)
• Update ci (c934599)
• Add test:types script (0a4a115)
• Update ci (b4dce71)
• Update publish tag to 1.x (589625c)
• Fix ts issue (c9ebf80)
• Update deps (d18c074)
• Fix more ts/lint issues (bd92b74)

🤖 CI

• Fix publish tag (401c9b8)

❤️ Contributors

• Pooya Parsa (@​pi0)

v1.15.4

compare changes

🩹 Fixes

• serveStatic: Omit decoded id from statusMessage (#1044)
• getRequestHost: Return first host from x-forwarded-host (#1175)

💅 Refactors

• useSession: Backport SessionManager interface to fix types (#1058)

📦 Build

• Update repository field (d94b09a)

🏡 Chore

• release: V1.15.3 (3d0f4d5)
• docs: Fix typos (#1108)
• Apply automated updates (774956a)
• Update deps (18d0bb7)

... (truncated)

Commits

• 24231b9 chore(release): v1.15.5
• bd92b74 chore: fix more ts/lint issues
• d18c074 chore: update deps
• c9ebf80 chore: fix ts issue
• 618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
• 401c9b8 ci: fix publish tag
• 589625c chore: update publish tag to 1.x
• b4dce71 chore: update ci
• 0a4a115 chore: add test:types script
• c934599 chore: update ci
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates mdast-util-to-hast from 13.2.0 to 13.2.1

Release notes

Sourced from mdast-util-to-hast's releases.

13.2.1

Fix

• ab3a795 Fix support for spaces in class names

Types

• efb5312 Refactor to use @imports
• a5bc210 Add declaration maps

Full Changelog: syntax-tree/mdast-util-to-hast@13.2.0...13.2.1

Commits

• 174795b 13.2.1
• 3d05b3a Update Node in Actions
• ab3a795 Fix support for spaces in class names
• efb5312 Refactor to use @imports
• a5bc210 Add declaration maps
• b54955d Add .tsbuildinfo to .gitignore
• See full diff in compare view

Updates vite from 6.3.5 to 6.4.1

Release notes

Sourced from vite's releases.

create-vite@6.4.1

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

create-vite@6.4.0

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.0-beta.8 (2026-01-15)

⚠ BREAKING CHANGES

• remove import.meta.hot.accept resolution fallback (#21382)

Features

• update rolldown to 1.0.0-beta.60 (#21408) (c33aa7c)

Bug Fixes

• deps: update all non-major dependencies (#21389) (30f48df)
• deps: update esbuild peerDependency version (#21398) (4266c97)
• hmr: trigger prune event when last import is removed (#20781) (#21093) (7576735)
• module-runner: use process.getBuiltinModule instead of import('node:module') (#21402) (6633bcb)
• support .env file mounts (FIFOs) (#21365) (6e6f82a)

Code Refactoring

• remove import.meta.hot.accept resolution fallback (#21382) (71d0797)

8.0.0-beta.7 (2026-01-08)

Features

• update rolldown to 1.0.0-beta.59 (#21374) (0037943)

Bug Fixes

• css: stylus Evaluator support (#21376) (cf9ace1)

8.0.0-beta.6 (2026-01-07)

Features

• add ignoreOutdatedRequests option to optimizeDeps (#21364) (b2e75aa)
• add ios to default esbuild targets (#21342) (daae6e9)
• update rolldown to 1.0.0-beta.58 (#21354) (ba40cef)

Bug Fixes

• deps: update all non-major dependencies (#21321) (9bc7c2e)
• import-analysis: avoid cjs interop for built browser external module (#21333) (dc5a2fb)

Miscellaneous Chores

• replace caniuse link for ES2024 (#21355) (2ba4e99)

8.0.0-beta.5 (2025-12-25)

Features

• update rolldown to 1.0.0-beta.57 (#21335) (d5412ef)

... (truncated)

Commits

• 0a0c50a refactor: simplify pluginFilter implementation (#19828)
• 59d0b35 perf(css): avoid constructing renderedModules (#19775)
• 175a839 fix: reject requests with # in request-target (#19830)
• e2e11b1 fix(module-runner): allow already resolved id as entry (#19768)
• 7200dee fix: correct the behavior when multiple transform filter options are specifie...
• b125172 fix(css): remove empty chunk imports correctly when chunk file name contained...
• 8fe3538 test: tweak generateCodeFrame test (#19812)
• 36935b5 fix(types): remove the keepProcessEnv from the DefaultEnvironmentOptions ...
• a0e1a04 docs(vite): fix description of transformIndexHtml hook (#19799)
• 71227be fix: unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	astro@​5.10.0 ⏵ 5.16.12		+26	+1

View full report