Skip to content

chore(deps): bump the production-dependencies group with 12 updates#173

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-4a9790e334
Closed

chore(deps): bump the production-dependencies group with 12 updates#173
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-4a9790e334

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the production-dependencies group with 12 updates:

Package From To
@astrojs/cloudflare 13.7.0 14.0.1
astro 6.4.8 7.0.3
@astrojs/starlight 0.40.0 0.41.1
sharp 0.34.5 0.35.2
three 0.184.0 0.185.0
@babel/parser 7.29.7 8.0.0
@hono/node-server 2.0.5 2.0.6
@sentry/node 10.60.0 10.62.0
@ungap/structured-clone 1.3.1 1.3.2
graphql 16.14.2 17.0.1
hono 4.12.26 4.12.27
posthog-node 4.18.0 5.38.7

Updates @astrojs/cloudflare from 13.7.0 to 14.0.1

Release notes

Sourced from @​astrojs/cloudflare's releases.

@​astrojs/cloudflare@​14.0.1

Patch Changes

  • #17175 7a7d879 Thanks @​astrobot-houston! - Fixes astro dev OOM crashes for @astrojs/cloudflare users on Vite 8 by migrating the frontmatter scan plugin to Rolldown-compatible options.

  • #17187 0db4b57 Thanks @​matthewp! - Fixes React invalid hook warning during cold SSR optimizer reload when using ClientRouter

  • Updated dependencies []:

    • @​astrojs/underscore-redirects@​1.0.3

@​astrojs/cloudflare@​14.0.0

Major Changes

Minor Changes

  • #16335 9a53f77 Thanks @​ascorbic! - Adds an opt-in CDN cache provider for Astro route caching on Cloudflare Workers

    [!WARNING] This provider requires the Cloudflare Workers Cache feature, which is currently in private beta. It is opt-in: nothing changes unless you import cacheCloudflare() and set it as your provider. But without beta access it does not work and should not be used. Cloudflare Workers run in front of the cache, so cached responses are never served, and calling cache.invalidate() throws an error.

    Setup

    Import cacheCloudflare() from @astrojs/cloudflare/cache and set it as your cache provider:

    import { defineConfig } from 'astro/config';
    import cloudflare from '@astrojs/cloudflare';
    import { cacheCloudflare } from '@astrojs/cloudflare/cache';
    export default defineConfig({
    adapter: cloudflare(),
    cache: {
    provider: cacheCloudflare(),
    },
    });

    The adapter automatically enables the Worker caching layer when a Cloudflare cache provider is configured. No manual wrangler.jsonc changes are needed.

    Caching responses

    Use Astro.cache.set() in your pages and API routes to cache responses. The provider sets Cloudflare-CDN-Cache-Control and Cache-Tag headers, which are read by Cloudflare's built-in caching layer. Cache hits bypass Worker execution entirely, meaning your Worker is not invoked for cached responses.

    ---
    Astro.cache.set({ maxAge: 300, tags: ['products'] });
    const data = await fetchProducts();
    ---

... (truncated)

Changelog

Sourced from @​astrojs/cloudflare's changelog.

14.0.1

Patch Changes

  • #17175 7a7d879 Thanks @​astrobot-houston! - Fixes astro dev OOM crashes for @astrojs/cloudflare users on Vite 8 by migrating the frontmatter scan plugin to Rolldown-compatible options.

  • #17187 0db4b57 Thanks @​matthewp! - Fixes React invalid hook warning during cold SSR optimizer reload when using ClientRouter

  • Updated dependencies []:

    • @​astrojs/underscore-redirects@​1.0.3

14.0.0

Major Changes

Minor Changes

  • #16335 9a53f77 Thanks @​ascorbic! - Adds an opt-in CDN cache provider for Astro route caching on Cloudflare Workers

    [!WARNING] This provider requires the Cloudflare Workers Cache feature, which is currently in private beta. It is opt-in: nothing changes unless you import cacheCloudflare() and set it as your provider. But without beta access it does not work and should not be used. Cloudflare Workers run in front of the cache, so cached responses are never served, and calling cache.invalidate() throws an error.

    Setup

    Import cacheCloudflare() from @astrojs/cloudflare/cache and set it as your cache provider:

    import { defineConfig } from 'astro/config';
    import cloudflare from '@astrojs/cloudflare';
    import { cacheCloudflare } from '@astrojs/cloudflare/cache';
    export default defineConfig({
    adapter: cloudflare(),
    cache: {
    provider: cacheCloudflare(),
    },
    });

    The adapter automatically enables the Worker caching layer when a Cloudflare cache provider is configured. No manual wrangler.jsonc changes are needed.

    Caching responses

    Use Astro.cache.set() in your pages and API routes to cache responses. The provider sets Cloudflare-CDN-Cache-Control and Cache-Tag headers, which are read by Cloudflare's built-in caching layer. Cache hits bypass Worker execution entirely, meaning your Worker is not invoked for cached responses.

    ---
    Astro.cache.set({ maxAge: 300, tags: ['products'] });

... (truncated)

Commits

Updates astro from 6.4.8 to 7.0.3

Release notes

Sourced from astro's releases.

astro@7.0.3

Patch Changes

  • #17189 24d2c9e Thanks @​astrobot-houston! - Fixes a bug where an error thrown inside one route's getStaticPaths() would prevent other valid routes from being matched in dev mode

  • #16932 8f4a3db Thanks @​fkatsuhiro! - Fixes HMR for action files during development. Editing files in src/actions/ now takes effect on the next request without requiring a dev server restart.

  • #17087 fb0ab02 Thanks @​jp-knj! - Fixes localized custom error pages in i18n projects so routes like /pt/404 are used for missing localized pages and return the correct status code

astro@7.0.2

Patch Changes

  • Updated dependencies [3b5e994]:
    • @​astrojs/markdown-satteri@​0.3.2

astro@7.0.1

Patch Changes

  • #17151 ccceda3 Thanks @​matthewp! - Fixes astro dev incorrectly starting in background mode for Warp terminal users. Hybrid environments like Warp are no longer treated as AI agents for auto-background detection.

  • #17158 164df87 Thanks @​ematipico! - Fixes astro dev --background --host not listing the network addresses. The background server start output and astro dev status now show every exposed network URL, matching the foreground dev server.

  • #17141 d785b9d Thanks @​astrobot-houston! - Fixes responsive image CSS overriding user styles defined inside CSS @layer blocks. The generated image styles are now wrapped in @layer astro.images, ensuring they have lower cascade priority than user-defined layers.

  • #17150 1a61386 Thanks @​matthewp! - Fixes astro dev --background failing on Windows with "Failed to spawn background dev server process"

astro@7.0.0

Major Changes

  • #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

  • #16965 57ead0d Thanks @​Princesseuh! - Makes 'jsx' the default value for compressHTML

    Astro now strips whitespace from your HTML using JSX rules by default, the same way frameworks like React do. Whitespace and line breaks around elements are removed, but meaningful whitespace within a single line — like a space between two inline elements — is preserved. To keep a space that would otherwise be removed, write it explicitly in your source, for example with {" "}.

    This can change rendered output where whitespace between inline elements was previously meaningful. To keep Astro's earlier behavior, set compressHTML: true for HTML-aware compression, or compressHTML: false to preserve all whitespace.

  • #16610 c63e7e4 Thanks @​matthewp! - Adds background dev server management for AI coding agents.

    When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

    A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

    New flag and subcommands

    • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
    • astro dev stop — Stop a running background dev server.
    • astro dev status — Check if a dev server is running and display its URL, PID, and uptime.
    • astro dev logs — View logs from a background dev server. Use --follow (-f) to stream new output as it's written.

... (truncated)

Changelog

Sourced from astro's changelog.

7.0.3

Patch Changes

  • #17189 24d2c9e Thanks @​astrobot-houston! - Fixes a bug where an error thrown inside one route's getStaticPaths() would prevent other valid routes from being matched in dev mode

  • #16932 8f4a3db Thanks @​fkatsuhiro! - Fixes HMR for action files during development. Editing files in src/actions/ now takes effect on the next request without requiring a dev server restart.

  • #17087 fb0ab02 Thanks @​jp-knj! - Fixes localized custom error pages in i18n projects so routes like /pt/404 are used for missing localized pages and return the correct status code

7.0.2

Patch Changes

  • Updated dependencies [3b5e994]:
    • @​astrojs/markdown-satteri@​0.3.2

7.0.1

Patch Changes

  • #17151 ccceda3 Thanks @​matthewp! - Fixes astro dev incorrectly starting in background mode for Warp terminal users. Hybrid environments like Warp are no longer treated as AI agents for auto-background detection.

  • #17158 164df87 Thanks @​ematipico! - Fixes astro dev --background --host not listing the network addresses. The background server start output and astro dev status now show every exposed network URL, matching the foreground dev server.

  • #17141 d785b9d Thanks @​astrobot-houston! - Fixes responsive image CSS overriding user styles defined inside CSS @layer blocks. The generated image styles are now wrapped in @layer astro.images, ensuring they have lower cascade priority than user-defined layers.

  • #17150 1a61386 Thanks @​matthewp! - Fixes astro dev --background failing on Windows with "Failed to spawn background dev server process"

7.0.0

Major Changes

  • #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

  • #16965 57ead0d Thanks @​Princesseuh! - Makes 'jsx' the default value for compressHTML

    Astro now strips whitespace from your HTML using JSX rules by default, the same way frameworks like React do. Whitespace and line breaks around elements are removed, but meaningful whitespace within a single line — like a space between two inline elements — is preserved. To keep a space that would otherwise be removed, write it explicitly in your source, for example with {" "}.

    This can change rendered output where whitespace between inline elements was previously meaningful. To keep Astro's earlier behavior, set compressHTML: true for HTML-aware compression, or compressHTML: false to preserve all whitespace.

  • #16610 c63e7e4 Thanks @​matthewp! - Adds background dev server management for AI coding agents.

    When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

    A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

    New flag and subcommands

    • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
    • astro dev stop — Stop a running background dev server.

... (truncated)

Commits

Updates @astrojs/starlight from 0.40.0 to 0.41.1

Release notes

Sourced from @​astrojs/starlight's releases.

@​astrojs/starlight@​0.41.1

Patch Changes

@​astrojs/starlight@​0.41.0

Minor Changes

  • #3951 1202dd4 Thanks @​HiDeoo! - Adds support for Astro v7, drops support for Astro v6.

    Upgrade Astro and dependencies

    ⚠️ BREAKING CHANGE: Astro v6 is no longer supported. Make sure you update Astro and any other official integrations at the same time as updating Starlight:

    npx @astrojs/upgrade

    Community Starlight plugins and Astro integrations may also need to be manually updated to work with Astro v7. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

    ⚠️ BREAKING CHANGE: This release drops official support for Chromium-based browsers prior to version 111 (released 07 March 2023) and Safari-based browsers prior to version 16.4 (released 27 March 2023). You can find a list of currently supported browsers and their versions using this browserslist query.

Patch Changes

  • #3953 a935d33 Thanks @​HiDeoo! - Fixes Starlight Markdown processing being potentially applied to files that should not be processed.
Changelog

Sourced from @​astrojs/starlight's changelog.

0.41.1

Patch Changes

0.41.0

Minor Changes

  • #3951 1202dd4 Thanks @​HiDeoo! - Adds support for Astro v7, drops support for Astro v6.

    Upgrade Astro and dependencies

    ⚠️ BREAKING CHANGE: Astro v6 is no longer supported. Make sure you update Astro and any other official integrations at the same time as updating Starlight:

    npx @astrojs/upgrade

    Community Starlight plugins and Astro integrations may also need to be manually updated to work with Astro v7. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

    ⚠️ BREAKING CHANGE: This release drops official support for Chromium-based browsers prior to version 111 (released 07 March 2023) and Safari-based browsers prior to version 16.4 (released 27 March 2023). You can find a list of currently supported browsers and their versions using this browserslist query.

Patch Changes

  • #3953 a935d33 Thanks @​HiDeoo! - Fixes Starlight Markdown processing being potentially applied to files that should not be processed.
Commits

Updates sharp from 0.34.5 to 0.35.2

Release notes

Sourced from sharp's releases.

v0.35.2

v0.35.2-rc.2

  • TypeScript: Add mediaType to metadata response. #4492

  • Improve WebAssembly fallback detection. #4513

  • Improve code bundler support with stub binaries. #4543

  • Verify GIF effort option is an integer. #4544 @​metsw24-max

  • Verify recomb matrix entries are numbers. #4545 @​metsw24-max

  • TypeScript: Replace namespace with named exports for ESM. #4546

... (truncated)

Commits
  • c9622a3 Release v0.35.2
  • cd4568f Upgrade to sharp-libvips v1.3.1
  • 78390cf Tests: Add font file to prevent font discovery flakiness (#4550)
  • 61210b4 Verify convolve kernel values are numbers (#4549)
  • 1cb27dc Prerelease v0.35.2-rc.2
  • c7606c3 Upgrade to sharp-libvips v1.3.1-rc.0
  • 29d1e9e Prerelease v0.35.2-rc.1
  • bbba0a1 Improve code bundler support with stub binaries
  • ab52866 Bound dilate and erode width to avoid mask-size overflow (#4548)
  • 0f594dd Prerelease v0.35.2-rc.0
  • Additional commits viewable in compare view

Updates three from 0.184.0 to 0.185.0

Commits

Updates @babel/parser from 7.29.7 to 8.0.0

Release notes

Sourced from @​babel/parser's releases.

v8.0.0 (2026-06-16)

NOTE: The changelog below is relative to v8.0.0-rc.6. You can find a summary of all the breaking changes shipped in the Babel 8 release line in the migration guide for users and migration guide for plugin developers.

Read the release blog post at http://babeljs.io/blog/2026/06/16/8.0.0!

👓 Spec Compliance

💥 Breaking Change

  • babel-cli, babel-node, babel-plugin-proposal-decorators, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-modules-commonjs, babel-plugin-transform-object-rest-spread, babel-plugin-transform-parameters, babel-plugin-transform-react-constant-elements, babel-plugin-transform-regenerator, babel-preset-env, babel-register
  • babel-plugin-transform-runtime, babel-runtime-corejs3, babel-runtime
  • babel-parser

🐛 Bug Fix

  • babel-generator
  • babel-plugin-transform-modules-systemjs

📝 Documentation

🏠 Internal

🏃‍♀️ Performance

Committers: 6

v8.0.0-rc.6 (2026-05-25)

Re-release all packages with npm provenance attestations

🐛 Bug Fix

... (truncated)

Changelog

Sourced from @​babel/parser's changelog.

v8.0.0 (2026-06-16)

👓 Spec Compliance

💥 Breaking Change

  • babel-cli, babel-node, babel-plugin-proposal-decorators, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-modules-commonjs, babel-plugin-transform-object-rest-spread, babel-plugin-transform-parameters, babel-plugin-transform-react-constant-elements, babel-plugin-transform-regenerator, babel-preset-env, babel-register
  • babel-plugin-transform-runtime, babel-runtime-corejs3, babel-runtime
  • babel-parser

🐛 Bug Fix

  • babel-generator
  • babel-plugin-transform-modules-systemjs

📝 Documentation

🏠 Internal

🏃‍♀️ Performance

v8.0.0-rc.6 (2026-05-25)

🐛 Bug Fix

🏠 Internal

  • babel-core
  • babel-compat-data, babel-register
  • babel-helper-transform-fixture-test-runner, babel-node
  • babel-build-external-helpers, babel-cli, babel-generator, babel-helper-fixtures, babel-helper-plugin-test-runner, babel-helper-transform-fixture-test-runner, babel-node, babel-parser, babel-plugin-transform-modules-systemjs, babel-types

🔬 Output optimization

... (truncated)

Commits

Updates @hono/node-server from 2.0.5 to 2.0.6

Release notes

Sourced from @​hono/node-server's releases.

v2.0.6

What's Changed

Full Changelog: honojs/node-server@v2.0.5...v2.0.6

Commits
  • ff75c61 2.0.6
  • 814720f fix: preserve status and statusText when cloning a Response with live headers...
  • a76209a ci: use npm Staged publishing (#364)
  • 44c365a ci: publish to npm from CI with OIDC trusted publishing and bump np (#361)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​hono/node-server since your current version.


Updates @sentry/node from 10.60.0 to 10.62.0

Release notes

Sourced from @​sentry/node's releases.

10.62.0

Important Changes

  • feat(server-runtimes): Add v7 support for vercelAiIntegration (#21613)

    The vercelAiIntegration now supports v7 of the ai package. Note that v7 is not yet supported on Cloudflare.

Other Changes

  • fix(node): Avoid failing at runtime if tracingChannel is not available (#21783)
  • fix(sveltekit): Avoid capturing preloaded 400 errors on client (#21784)

Work in this release was contributed by @​hyunbinseo. Thank you for your contribution!

  • chore(github): Update tracked packages (#21789)
  • feat(core): Add spanKindToName helper for reverse span-kind lookup (#21780)
  • ref(aws-serverless): Streamline AwsLambda instrumentation (#21758)
  • ref(node): Fix server-utils name for VercelAI integration (#21809)
  • ref(node): Streamline amqplib instrumentation (#21753)
  • ref(node): Streamline Firebase instrumentation (#21748)
  • test: Pin webpack to 5.107.0 (#21781)
  • test(e2e): Add no-browser-session lighthouse e2e test mode (#21787)
  • test(e2e): Add more test modes, pre-init and element timing (#21760)

Bundle size 📦

Path Size
@​sentry/browser 26.83 KB
@​sentry/browser - with treeshaking flags 25.3 KB
@​sentry/browser (incl. Tracing) 44.89 KB
@​sentry/browser (incl. Tracing + Span Streaming) 46.6 KB
@​sentry/browser (incl. Tracing, Profiling) 49.57 KB
@​sentry/browser (incl. Tracing, Replay) 83.22 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags 73.06 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) 87.8 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) 100.17 KB
@​sentry/browser (incl. Feedback) 43.61 KB
@​sentry/browser (incl. sendFeedback) 31.5 KB
@​sentry/browser (incl. FeedbackAsync) 36.52 KB
@​sentry/browser (incl. Metrics) 27.87 KB
@​sentry/browser (incl. Logs) 28.11 KB
@​sentry/browser (incl. Metrics & Logs) 28.78 KB
@​sentry/react 28.59 KB
@​sentry/react (incl. Tracing) 47.15 KB

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.62.0

Important Changes

  • feat(server-runtimes): Add v7 support for vercelAiIntegration (#21613)

    The vercelAiIntegration now supports v7 of the ai package. Note that v7 is not yet supported on Cloudflare.

Other Changes

  • fix(node): Avoid failing at runtime if tracingChannel is not available (#21783)
  • fix(sveltekit): Avoid capturing preloaded 400 errors on client (#21784)

Work in this release was contributed by @​hyunbinseo. Thank you for your contribution!

  • chore(github): Update tracked packages (#21789)
  • feat(core): Add spanKindToName helper for reverse span-kind lookup (#21780)
  • ref(aws-serverless): Streamline AwsLambda instrumentation (#21758)
  • ref(node): Fix server-utils name for VercelAI integration (#21809)
  • ref(node): Streamline amqplib instrumentation (#21753)
  • ref(node): Streamline Firebase instrumentation (#21748)
  • test: Pin webpack to 5.107.0 (#21781)
  • test(e2e): Add no-browser-session lighthouse e2e test mode (#21787)
  • test(e2e): Add more test modes, pre-init and element timing (#21760)

10.61.0

Important Changes

  • feat(core): Enable streamGenAiSpans by default (#21732)

    The SDK now extracts all gen_ai spans out of a transaction and sends them as v2 envelope items by default. This prevents gen_ai spans from being dropped when the transaction payload exceeds size limits. Because they are no longer constrained by transaction size limits, AI message data is also no longer truncated by default. Set enableTruncation: true on the respective AI integration to re-enable truncation. To keep the previous behavior, set streamGenAiSpans: false.

    Self-hosted Sentry users should opt out with streamGenAiSpans: false, since streamed gen_ai spans may not be ingested by their Sentry instance.

Other Changes

  • feat(cloudflare): Add batch, exec, and withSession D1 instrumentation (#21292)
  • feat(cloudflare): Instrument SQL API in sqlite durable objects (#21656)
  • feat(core): Add db.query.summary functionality (#21670)
  • feat(core): Add top-level Sentry.setAttribute(s) APIs (#21705)
  • fix(hono): Name transactions after the matched route handler (#21700)
  • fix(react-router): Bump peerDependencies for react-router 8 (#21762)
  • fix(replays): Record replay Description has been truncated

Bumps the production-dependencies group with 12 updates:

| Package | From | To |
| --- | --- | --- |
| [@astrojs/cloudflare](https://github.com/withastro/astro/tree/HEAD/packages/integrations/cloudflare) | `13.7.0` | `14.0.1` |
| [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) | `6.4.8` | `7.0.3` |
| [@astrojs/starlight](https://github.com/withastro/starlight/tree/HEAD/packages/starlight) | `0.40.0` | `0.41.1` |
| [sharp](https://github.com/lovell/sharp) | `0.34.5` | `0.35.2` |
| [three](https://github.com/mrdoob/three.js) | `0.184.0` | `0.185.0` |
| [@babel/parser](https://github.com/babel/babel/tree/HEAD/packages/babel-parser) | `7.29.7` | `8.0.0` |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.5` | `2.0.6` |
| [@sentry/node](https://github.com/getsentry/sentry-javascript) | `10.60.0` | `10.62.0` |
| [@ungap/structured-clone](https://github.com/ungap/structured-clone) | `1.3.1` | `1.3.2` |
| [graphql](https://github.com/graphql/graphql-js) | `16.14.2` | `17.0.1` |
| [hono](https://github.com/honojs/hono) | `4.12.26` | `4.12.27` |
| [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) | `4.18.0` | `5.38.7` |


Updates `@astrojs/cloudflare` from 13.7.0 to 14.0.1
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/integrations/cloudflare/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/@astrojs/cloudflare@14.0.1/packages/integrations/cloudflare)

Updates `astro` from 6.4.8 to 7.0.3
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@7.0.3/packages/astro)

Updates `@astrojs/starlight` from 0.40.0 to 0.41.1
- [Release notes](https://github.com/withastro/starlight/releases)
- [Changelog](https://github.com/withastro/starlight/blob/main/packages/starlight/CHANGELOG.md)
- [Commits](https://github.com/withastro/starlight/commits/@astrojs/starlight@0.41.1/packages/starlight)

Updates `sharp` from 0.34.5 to 0.35.2
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.34.5...v0.35.2)

Updates `three` from 0.184.0 to 0.185.0
- [Release notes](https://github.com/mrdoob/three.js/releases)
- [Commits](https://github.com/mrdoob/three.js/commits)

Updates `@babel/parser` from 7.29.7 to 8.0.0
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v8.0.0/packages/babel-parser)

Updates `@hono/node-server` from 2.0.5 to 2.0.6
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.5...v2.0.6)

Updates `@sentry/node` from 10.60.0 to 10.62.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.60.0...10.62.0)

Updates `@ungap/structured-clone` from 1.3.1 to 1.3.2
- [Commits](ungap/structured-clone@v1.3.1...v1.3.2)

Updates `graphql` from 16.14.2 to 17.0.1
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.14.2...v17.0.1)

Updates `hono` from 4.12.26 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.26...v4.12.27)

Updates `posthog-node` from 4.18.0 to 5.38.7
- [Release notes](https://github.com/PostHog/posthog-js/releases)
- [Changelog](https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md)
- [Commits](https://github.com/PostHog/posthog-js/commits/posthog-node@5.38.7/packages/node)

---
updated-dependencies:
- dependency-name: "@astrojs/cloudflare"
  dependency-version: 14.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: astro
  dependency-version: 7.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: "@astrojs/starlight"
  dependency-version: 0.41.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: sharp
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: three
  dependency-version: 0.185.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@babel/parser"
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@sentry/node"
  dependency-version: 10.62.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@ungap/structured-clone"
  dependency-version: 1.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: graphql
  dependency-version: 17.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: posthog-node
  dependency-version: 5.38.7
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 29, 2026
@greptile-apps

greptile-apps Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

PR author is in the excluded authors list.

@socket-security

Copy link
Copy Markdown

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @sentry/node-core is 60.0% likely obfuscated

Confidence: 0.60

Location: Package overview

From: pnpm-lock.yamlnpm/@sentry/node@10.62.0npm/@sentry/node-core@10.62.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/node-core@10.62.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm astro is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: apps/catalog/package.jsonnpm/astro@7.0.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@7.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm three is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: apps/landing/package.jsonnpm/three@0.185.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/three@0.185.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@ian-pascoe ian-pascoe closed this Jun 29, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/production-dependencies-4a9790e334 branch June 29, 2026 11:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant