build(deps): bump the astro-packages group with 3 updates

[dependabot]

Bumps the astro-packages group with 3 updates: @astrojs/mdx, @astrojs/rss and astro.

Updates @astrojs/mdx from 4.3.9 to 4.3.13

Release notes

Sourced from @​astrojs/mdx's releases.

@​astrojs/mdx@​4.3.13

Patch Changes

• Updated dependencies [d8305f8]:
  • @​astrojs/markdown-remark@​6.3.10

@​astrojs/mdx@​4.3.12

Patch Changes

• #14813 e1dd377 Thanks @​ematipico! - Removes picocolors as dependency in favor of the fork piccolore.

@​astrojs/mdx@​4.3.11

Patch Changes

• Updated dependencies []:
  • @​astrojs/markdown-remark@​6.3.9

@​astrojs/mdx@​4.3.10

Patch Changes

• #14715 3d55c5d Thanks @​ascorbic! - Adds support for client hydration in getContainerRenderer()

  The getContainerRenderer() function is exported by Astro framework integrations to simplify the process of rendering framework components when using the experimental Container API inside a Vite or Vitest environment. This update adds the client hydration entrypoint to the returned object, enabling client-side interactivity for components rendered using this function. Previously this required users to manually call container.addClientRenderer() with the appropriate client renderer entrypoint.

  See the container-with-vitest demo for a usage example, and the Container API documentation for more information on using framework components with the experimental Container API.

Changelog

Sourced from @​astrojs/mdx's changelog.

4.3.13

Patch Changes

• Updated dependencies [d8305f8]:
  • @​astrojs/markdown-remark@​6.3.10

4.3.12

Patch Changes

• #14813 e1dd377 Thanks @​ematipico! - Removes picocolors as dependency in favor of the fork piccolore.

4.3.11

Patch Changes

• Updated dependencies []:
  • @​astrojs/markdown-remark@​6.3.9

4.3.10

Patch Changes

• #14715 3d55c5d Thanks @​ascorbic! - Adds support for client hydration in getContainerRenderer()

  The getContainerRenderer() function is exported by Astro framework integrations to simplify the process of rendering framework components when using the experimental Container API inside a Vite or Vitest environment. This update adds the client hydration entrypoint to the returned object, enabling client-side interactivity for components rendered using this function. Previously this required users to manually call container.addClientRenderer() with the appropriate client renderer entrypoint.

  See the container-with-vitest demo for a usage example, and the Container API documentation for more information on using framework components with the experimental Container API.

Commits

• 02c19eb [ci] release (#14959)
• e878679 [ci] release (#14808)
• e1dd377 fix: remove picocolors (#14813)
• 7a07f02 [ci] release (#14788)
• 5bc37fd fix(deps): update astro dependencies (#14739)
• 7a5f280 [ci] release (#14702)
• 3d55c5d feat: return clientEntrypoint from getContainerRenderer (#14715)
• See full diff in compare view

Updates @astrojs/rss from 4.0.13 to 4.0.14

Release notes

Sourced from @​astrojs/rss's releases.

@​astrojs/rss@​4.0.14

Patch Changes

• #14813 e1dd377 Thanks @​ematipico! - Removes picocolors as dependency in favor of the fork piccolore.

Changelog

Sourced from @​astrojs/rss's changelog.

4.0.14

Patch Changes

• #14813 e1dd377 Thanks @​ematipico! - Removes picocolors as dependency in favor of the fork piccolore.

Commits

• e878679 [ci] release (#14808)
• e1dd377 fix: remove picocolors (#14813)
• See full diff in compare view

Updates astro from 5.15.3 to 5.16.6

Release notes

Sourced from astro's releases.

astro@5.16.6

Patch Changes

• #14982 6849e38 Thanks @​Princesseuh! - Fixes images outside the project directory not working when using astro:assets in development mode

• #14987 9dd9fca Thanks @​Princesseuh! - Fixes SVGs not working in dev mode when using the passthrough image service

• #15014 a178422 Thanks @​delucis! - Adds support for extending the type of the props accepted by Astro’s <Image> component, <Picture> component, and getImage() API.

astro@5.16.5

Patch Changes

• #14985 c016f10 Thanks @​florian-lefebvre! - Fixes a case where JSDoc annotations wouldn't show for fonts related APIs in the Astro config

• #14973 ed7cc2f Thanks @​amankumarpandeyin! - Fixes performance regression and OOM errors when building medium-sized blogs with many content entries. Replaced O(n²) object spread pattern with direct mutation in generateLookupMap.

• #14958 70eb542 Thanks @​ascorbic! - Gives a helpful error message if a user sets output: "hybrid" in their Astro config.

  The option was removed in Astro 5, but lots of content online still references it, and LLMs often suggest it. It's not always clear that the replacement is output: "static", rather than output: "server". This change adds a helpful error message to guide humans and robots.

• #14901 ef53716 Thanks @​Darknab! - Updates the glob() loader to log a warning when duplicated IDs are detected

• Updated dependencies [d8305f8]:

  • @​astrojs/markdown-remark@​6.3.10

astro@5.16.4

Patch Changes

• #14940 2cf79c2 Thanks @​ematipico! - Fixes a bug where Astro didn't properly combine CSP resources from the csp configuration with those added using the runtime API (Astro.csp.insertDirective()) to form grammatically correct CSP headers

  Now Astro correctly deduplicate CSP resources. For example, if you have a global resource in the configuration file, and then you add a a new one using the runtime APIs.

astro@5.16.3

Patch Changes

• #14889 4bceeb0 Thanks @​florian-lefebvre! - Fixes actions types when using specific TypeScript configurations

• #14929 e0f277d Thanks @​matthewp! - Fixes authentication bypass via double URL encoding in middleware

  Prevents attackers from bypassing path-based authentication checks using multi-level URL encoding (e.g., /%2561dmin instead of /%61dmin). Pathnames are now validated after decoding to ensure no additional encoding remains.

astro@5.16.2

Patch Changes

• #14876 b43dc7f Thanks @​florian-lefebvre! - Fixes a vite warning log during builds when using npm

• #14884 10273e0 Thanks @​florian-lefebvre! - Fixes a case where setting the status of a page to 404 in ssr would show an empty page (or 404.astro page if provided) instead of using the current page

astro@5.16.1

... (truncated)

Changelog

Sourced from astro's changelog.

5.16.6

Patch Changes

• #14982 6849e38 Thanks @​Princesseuh! - Fixes images outside the project directory not working when using astro:assets in development mode

• #14987 9dd9fca Thanks @​Princesseuh! - Fixes SVGs not working in dev mode when using the passthrough image service

• #15014 a178422 Thanks @​delucis! - Adds support for extending the type of the props accepted by Astro’s <Image> component, <Picture> component, and getImage() API.

5.16.5

Patch Changes

• #14985 c016f10 Thanks @​florian-lefebvre! - Fixes a case where JSDoc annotations wouldn't show for fonts related APIs in the Astro config

• #14973 ed7cc2f Thanks @​amankumarpandeyin! - Fixes performance regression and OOM errors when building medium-sized blogs with many content entries. Replaced O(n²) object spread pattern with direct mutation in generateLookupMap.

• #14958 70eb542 Thanks @​ascorbic! - Gives a helpful error message if a user sets output: "hybrid" in their Astro config.

  The option was removed in Astro 5, but lots of content online still references it, and LLMs often suggest it. It's not always clear that the replacement is output: "static", rather than output: "server". This change adds a helpful error message to guide humans and robots.

• #14901 ef53716 Thanks @​Darknab! - Updates the glob() loader to log a warning when duplicated IDs are detected

• Updated dependencies [d8305f8]:

  • @​astrojs/markdown-remark@​6.3.10

5.16.4

Patch Changes

• #14940 2cf79c2 Thanks @​ematipico! - Fixes a bug where Astro didn't properly combine CSP resources from the csp configuration with those added using the runtime API (Astro.csp.insertDirective()) to form grammatically correct CSP headers

  Now Astro correctly deduplicate CSP resources. For example, if you have a global resource in the configuration file, and then you add a a new one using the runtime APIs.

5.16.3

Patch Changes

• #14889 4bceeb0 Thanks @​florian-lefebvre! - Fixes actions types when using specific TypeScript configurations

• #14929 e0f277d Thanks @​matthewp! - Fixes authentication bypass via double URL encoding in middleware

  Prevents attackers from bypassing path-based authentication checks using multi-level URL encoding (e.g., /%2561dmin instead of /%61dmin). Pathnames are now validated after decoding to ensure no additional encoding remains.

5.16.2

Patch Changes

... (truncated)

Commits

• 0343993 [ci] release (#14997)
• a178422 Support extending the image API props type (#15014)
• 8cdaa00 [ci] format
• 9dd9fca fix(assets): Fixes missing format option for svgs in the passthrough service ...
• 6849e38 fix(assets): support images outside of the project in dev (#14982)
• 02c19eb [ci] release (#14959)
• ed7cc2f fix: prevent O(n²) memory allocation in content lookup map generation (#14973)
• c016f10 fix(fonts): jsdocs (#14985)
• ef53716 fix(content): warn on duplicate Markdown content entry IDs (#14901)
• 70eb542 feat: print a more helpful error message for output: hybrid (#14958)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions