Bump astro from 4.4.0 to 4.8.6

[dependabot]

Bumps astro from 4.4.0 to 4.8.6.

Release notes

Sourced from astro's releases.

astro@4.8.6

Patch Changes

• #11084 9637014 Thanks @​bluwy! - Fixes regression when handling hoisted scripts from content collections

astro@4.8.5

Patch Changes

• #11065 1f988ed Thanks @​ematipico! - Fixes a bug in the Astro rewrite logic, where rewriting the index with parameters - next("/?foo=bar") - didn't work as expected.

• #10924 3a0c02a Thanks @​Its-Just-Nans! - Handle image-size errors by displaying a clearer message

• #11058 749a7ac Thanks @​matthewp! - Fix streaming in Node.js fast path

• #11052 a05ca38 Thanks @​florian-lefebvre! - Fixes a case where rewriting would conflict with the actions internal middleware

• #11062 16f12e4 Thanks @​ematipico! - Fixes a bug where astro build didn't create custom 404.html and 500.html when a certain combination of i18n options was applied

• #10965 a8f0372 Thanks @​Elias-Chairi! - Update generator.ts to allow %23 (#) in dynamic urls

• #11069 240a70a Thanks @​ematipico! - Improves debug logging for on-demand pages

astro@4.8.4

Patch Changes

• #11026 8dfb1a2 Thanks @​bluwy! - Skips rendering script tags if it's inlined and empty when experimental.directRenderScript is enabled

• #11043 d0d1710 Thanks @​bholmesdev! - Fixes minor type issues in actions component example

• #10999 5f353e3 Thanks @​bluwy! - The prefetch feature is updated to better support different browsers and different cache headers setup, including:

  1. All prefetch strategies will now always try to use <link rel="prefetch"> if supported, or will fall back to fetch().
  2. The prefetch() programmatic API's with option is deprecated in favour of an automatic approach that will also try to use <link rel="prefetch> if supported, or will fall back to fetch().

  This change shouldn't affect most sites and should instead make prefetching more effective.

• #11041 6cc3fb9 Thanks @​bholmesdev! - Fixes 500 errors when sending empty params or returning an empty response from an action.

• #11028 771d1f7 Thanks @​bholmesdev! - Throw on missing server output when using Astro Actions.

• #11029 bd34452 Thanks @​bholmesdev! - Actions: include validation error in thrown error message for debugging.

• #11046 086694a Thanks @​HiDeoo! - Fixes getViteConfig() type definition to allow passing an inline Astro configuration as second argument

• #11026 8dfb1a2 Thanks @​bluwy! - Fixes CSS handling if imported in a script tag in an Astro file when experimental.directRenderScript is enabled

• #11020 2e2d6b7 Thanks @​xsynaptic! - Add type declarations for import.meta.env.ASSETS_PREFIX when defined as an object for handling different file types.

• #11030 18e7f33 Thanks @​bholmesdev! - Actions: Fix missing message for custom Action errors.

... (truncated)

Changelog

Sourced from astro's changelog.

4.8.6

Patch Changes

• #11084 9637014 Thanks @​bluwy! - Fixes regression when handling hoisted scripts from content collections

4.8.5

Patch Changes

• #11065 1f988ed Thanks @​ematipico! - Fixes a bug in the Astro rewrite logic, where rewriting the index with parameters - next("/?foo=bar") - didn't work as expected.

• #10924 3a0c02a Thanks @​Its-Just-Nans! - Handle image-size errors by displaying a clearer message

• #11058 749a7ac Thanks @​matthewp! - Fix streaming in Node.js fast path

• #11052 a05ca38 Thanks @​florian-lefebvre! - Fixes a case where rewriting would conflict with the actions internal middleware

• #11062 16f12e4 Thanks @​ematipico! - Fixes a bug where astro build didn't create custom 404.html and 500.html when a certain combination of i18n options was applied

• #10965 a8f0372 Thanks @​Elias-Chairi! - Update generator.ts to allow %23 (#) in dynamic urls

• #11069 240a70a Thanks @​ematipico! - Improves debug logging for on-demand pages

4.8.4

Patch Changes

• #11026 8dfb1a2 Thanks @​bluwy! - Skips rendering script tags if it's inlined and empty when experimental.directRenderScript is enabled

• #11043 d0d1710 Thanks @​bholmesdev! - Fixes minor type issues in actions component example

• #10999 5f353e3 Thanks @​bluwy! - The prefetch feature is updated to better support different browsers and different cache headers setup, including:

  1. All prefetch strategies will now always try to use <link rel="prefetch"> if supported, or will fall back to fetch().
  2. The prefetch() programmatic API's with option is deprecated in favour of an automatic approach that will also try to use <link rel="prefetch> if supported, or will fall back to fetch().

  This change shouldn't affect most sites and should instead make prefetching more effective.

• #11041 6cc3fb9 Thanks @​bholmesdev! - Fixes 500 errors when sending empty params or returning an empty response from an action.

• #11028 771d1f7 Thanks @​bholmesdev! - Throw on missing server output when using Astro Actions.

• #11029 bd34452 Thanks @​bholmesdev! - Actions: include validation error in thrown error message for debugging.

• #11046 086694a Thanks @​HiDeoo! - Fixes getViteConfig() type definition to allow passing an inline Astro configuration as second argument

• #11026 8dfb1a2 Thanks @​bluwy! - Fixes CSS handling if imported in a script tag in an Astro file when experimental.directRenderScript is enabled

• #11020 2e2d6b7 Thanks @​xsynaptic! - Add type declarations for import.meta.env.ASSETS_PREFIX when defined as an object for handling different file types.

... (truncated)

Commits

• 8a80221 [ci] release (#11085)
• 9637014 Fix hoisted scripts propagation (#11084)
• 4d32a80 [ci] release (#11053)
• fac5923 [ci] format
• 749a7ac Fix streaming in Node.js fast path (#11058)
• 3830e5d [ci] format
• 240a70a fix: improve logging for on-demand pages (#11069)
• 1f988ed fix(rewrite): match index with params (#11065)
• 87f36d4 [ci] format
• 16f12e4 fix(i18n): allow to create 404.html and 500.html (#11062)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/astro@4.8.6	Transitive: environment, eval, filesystem, network, shell, unsafe	+360	47.3 MB

🚮 Removed packages: npm/astro@4.4.0

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/sharp@0.33.4	Install script: install Source: node install/check	orphan: npm/sharp@0.33.4

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/sharp@0.33.4