@dependabot dependabot bot commented on behalf of github Jan 14, 2026

Bumps the npm_and_yarn group with 4 updates in the / directory: astro, glob, mdast-util-to-hast and vite.

Updates astro from 4.16.18 to 5.16.9

Release notes

Sourced from astro's releases.

astro@5.16.9

Patch Changes

  • #15174 37ab65a Thanks @florian-lefebvre! - Adds Google Icons to built-in font providers

    To start using it, access it on fontProviders:

    import { defineConfig, fontProviders } from 'astro/config';
    export default defineConfig({
      experimental: {
        fonts: [
          {
            name: 'Material Symbols Outlined',
            provider: fontProviders.googleicons(),
            cssVariable: '--font-material',
          },
        ],
      },
    });

  • #15150 a77c4f4 Thanks @matthewp! - Fixes hydration for framework components inside MDX when using Astro.slots.render()

    Previously, when multiple framework components with client:* directives were passed as named slots to an Astro component in MDX, only the first slot would hydrate correctly. Subsequent slots would render their HTML but fail to include the necessary hydration scripts.

  • #15130 9b726c4 Thanks @florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

    Changes how font providers are implemented with updates to the FontProvider type

    This is an implementation detail that changes how font providers are created. This process allows Astro to take more control rather than relying directly on unifont types. All of Astro's built-in font providers have been updated to reflect this new type, and can be configured as before. However, using third-party unifont providers that rely on unifont types will require an update to your project code.

    Previously, an Astro FontProvider was made of a config and a runtime part. It relied directly on unifont types, which allowed a simple configuration for third-party unifont providers, but also coupled Astro's implementation to unifont, which was limiting.

    Astro's font provider implementation is now only made of a config part with dedicated hooks. This allows for the separation of config and runtime, but requires you to create a font provider object in order to use custom font providers (e.g. third-party unifont providers, or private font registries).

    What should I do?

    If you were using a 3rd-party unifont font provider, you will now need to write an Astro FontProvider using it under the hood. For example:

    // astro.config.ts
    import { defineConfig } from "astro/config";
    import { acmeProvider, type AcmeOptions } from '@acme/unifont-provider'
    +import type { FontProvider } from "astro";
    +import type { InitializedProvider } from 'unifont';
    +function acme(config?: AcmeOptions): FontProvider {
    
    const provider = acmeProvider(config);

... (truncated)

Changelog

Sourced from astro's changelog.

5.16.9

Patch Changes

  • #15174 37ab65a Thanks @florian-lefebvre! - Adds Google Icons to built-in font providers

    To start using it, access it on fontProviders:

    import { defineConfig, fontProviders } from 'astro/config';
    export default defineConfig({
      experimental: {
        fonts: [
          {
            name: 'Material Symbols Outlined',
            provider: fontProviders.googleicons(),
            cssVariable: '--font-material',
          },
        ],
      },
    });

  • #15150 a77c4f4 Thanks @matthewp! - Fixes hydration for framework components inside MDX when using Astro.slots.render()

    Previously, when multiple framework components with client:* directives were passed as named slots to an Astro component in MDX, only the first slot would hydrate correctly. Subsequent slots would render their HTML but fail to include the necessary hydration scripts.

  • #15130 9b726c4 Thanks @florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

    Changes how font providers are implemented with updates to the FontProvider type

    This is an implementation detail that changes how font providers are created. This process allows Astro to take more control rather than relying directly on unifont types. All of Astro's built-in font providers have been updated to reflect this new type, and can be configured as before. However, using third-party unifont providers that rely on unifont types will require an update to your project code.

    Previously, an Astro FontProvider was made of a config and a runtime part. It relied directly on unifont types, which allowed a simple configuration for third-party unifont providers, but also coupled Astro's implementation to unifont, which was limiting.

    Astro's font provider implementation is now only made of a config part with dedicated hooks. This allows for the separation of config and runtime, but requires you to create a font provider object in order to use custom font providers (e.g. third-party unifont providers, or private font registries).

    What should I do?

    If you were using a 3rd-party unifont font provider, you will now need to write an Astro FontProvider using it under the hood. For example:

    // astro.config.ts
    import { defineConfig } from "astro/config";
    import { acmeProvider, type AcmeOptions } from '@acme/unifont-provider'
    +import type { FontProvider } from "astro";
    +import type { InitializedProvider } from 'unifont';
    +function acme(config?: AcmeOptions): FontProvider {

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.


Updates devalue from 5.1.1 to 5.6.1

Release notes

Sourced from devalue's releases.

v5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

  • 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

  • ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

  • 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

  • b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

  • 0623a47: fix: disallow array method access when parsing
  • 0623a47: fix: disallow __proto__ properties on objects

v5.3.1

Patch Changes

  • ae904c5: fix: correctly differentiate between +0 and -0

v5.3.0

Minor Changes

  • 2896e7b: feat: support Temporal

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

  • 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

  • ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

  • 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

  • b617c7c: perf: shrink uneval output with null-proto objects

5.3.2

Patch Changes

  • 0623a47: fix: disallow array method access when parsing
  • 0623a47: fix: disallow __proto__ properties on objects

5.3.1

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.


Updates glob from 10.4.5 to 10.5.0

Commits

Updates js-yaml from 3.14.1 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.
  • Added replacer option (similar to option in JSON.stringify), #339.
  • Custom Tag can now handle all tags or multiple tags with the same prefix, #385.

Fixed

... (truncated)

Commits

Updates mdast-util-to-hast from 13.2.0 to 13.2.1

Release notes

Sourced from mdast-util-to-hast's releases.

13.2.1

Fix

  • ab3a795 Fix support for spaces in class names

Types

  • efb5312 Refactor to use @imports
  • a5bc210 Add declaration maps

Full Changelog: syntax-tree/mdast-util-to-hast@13.2.0...13.2.1

Commits

Updates vite from 5.4.19 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

5.4.20 (2025-09-08)

Commits


…ates

Bumps the npm_and_yarn group with 4 updates in the / directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro), [glob](https://github.com/isaacs/node-glob), [mdast-util-to-hast](https://github.com/syntax-tree/mdast-util-to-hast) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).


Updates `astro` from 4.16.18 to 5.16.9
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.16.9/packages/astro)

Updates `devalue` from 5.1.1 to 5.6.1
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.1.1...v5.6.1)

Updates `glob` from 10.4.5 to 10.5.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v10.5.0)

Updates `js-yaml` from 3.14.1 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...4.1.1)

Updates `mdast-util-to-hast` from 13.2.0 to 13.2.1
- [Release notes](https://github.com/syntax-tree/mdast-util-to-hast/releases)
- [Commits](syntax-tree/mdast-util-to-hast@13.2.0...13.2.1)

Updates `vite` from 5.4.19 to 5.4.21
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.4.21/packages/vite)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 5.16.9
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.6.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mdast-util-to-hast
  dependency-version: 13.2.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 5.4.21
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies and javascript labels Jan 14, 2026

@github-actions

Dependency Review

The following issues were found:

  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
  • ⚠️ 3 packages with OpenSSF Scorecard issues.

View full job summary
