🚨 [security] Update astro 5.13.4 → 5.17.1 (minor) by depfu[bot] · Pull Request #542 · jbolda/jacobbolda.com

depfu · 2026-02-05T11:25:58Z

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ astro (5.13.4 → 5.17.1) · Repo · Changelog

Security Advisories 🚨

🚨 Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765

🚨 Astro vulnerable to reflected XSS via the server islands feature

🚨 Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values

🚨 Astro Development Server has Arbitrary Local File Read

🚨 Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint

🚨 Astro development server error page is vulnerable to reflected Cross-site Scripting

🚨 Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass

🚨 Astro's bypass of image proxy domain validation leads to SSRF and potential XSS

🚨 Astro's `X-Forwarded-Host` is reflected without validation

Release Notes

Too many releases to show here. View the full release notes.

✳️ js-yaml (4.1.0 → 4.1.1) · Repo · Changelog

Security Advisories 🚨

🚨 js-yaml has prototype pollution in merge (<<)

Release Notes

4.1.1 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @astrojs/compiler (indirect, 2.12.2 → 2.13.0) · Repo · Changelog

Release Notes

2.13.0 (from changelog)

Does any of this look wrong? Please let us know.

↗️ @babel/helper-validator-identifier (indirect, 7.27.1 → 7.28.5) · Repo · Changelog

Release Notes

7.28.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/parser (indirect, 7.27.5 → 7.29.0) · Repo · Changelog

Release Notes

7.29.0

7.28.5

7.28.4

7.28.3

7.28.0

7.27.7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/types (indirect, 7.27.6 → 7.29.0) · Repo · Changelog

Release Notes

7.29.0

7.28.5

7.28.4

7.28.2

7.28.1

7.28.0

7.27.7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @emnapi/runtime (indirect, 1.4.3 → 1.8.1) · Repo

Release Notes

1.8.1

1.8.0

1.7.1

1.7.0

1.6.0

1.5.0

1.4.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-darwin-arm64 (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-darwin-x64 (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-libvips-darwin-arm64 (indirect, 1.0.4 → 1.2.4) · Repo

Release Notes

1.2.4

1.2.3

1.2.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-libvips-darwin-x64 (indirect, 1.0.4 → 1.2.4) · Repo

Release Notes

1.2.4

1.2.3

1.2.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-libvips-linux-arm (indirect, 1.0.5 → 1.2.4) · Repo

Release Notes

1.2.4

1.2.3

1.2.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-libvips-linux-arm64 (indirect, 1.0.4 → 1.2.4) · Repo

Release Notes

1.2.4

1.2.3

1.2.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-libvips-linux-s390x (indirect, 1.0.4 → 1.2.4) · Repo

Release Notes

1.2.4

1.2.3

1.2.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-libvips-linux-x64 (indirect, 1.0.4 → 1.2.4) · Repo

Release Notes

1.2.4

1.2.3

1.2.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-libvips-linuxmusl-arm64 (indirect, 1.0.4 → 1.2.4) · Repo

Release Notes

1.2.4

1.2.3

1.2.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-libvips-linuxmusl-x64 (indirect, 1.0.4 → 1.2.4) · Repo

Release Notes

1.2.4

1.2.3

1.2.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-linux-arm (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-linux-arm64 (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-linux-s390x (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-linux-x64 (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-linuxmusl-arm64 (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-linuxmusl-x64 (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-wasm32 (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-win32-ia32 (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @img/sharp-win32-x64 (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @jridgewell/sourcemap-codec (indirect, 1.5.0 → 1.5.5) · Repo · Changelog

↗️ @rollup/pluginutils (indirect, 5.2.0 → 5.3.0) · Repo · Changelog

Release Notes

5.3.0 (from changelog)

Does any of this look wrong? Please let us know.

↗️ ci-info (indirect, 4.2.0 → 4.4.0) · Repo · Changelog

Release Notes

4.4.0

4.3.1

4.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cookie (indirect, 1.0.2 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1

1.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ debug (indirect, 4.4.1 → 4.4.3) · Repo · Changelog

Security Advisories 🚨

🚨 [email protected] contains malware after npm account takeover

Release Notes

4.4.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ detect-libc (indirect, 2.0.4 → 2.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ devalue (indirect, 5.3.2 → 5.6.2) · Repo · Changelog

Security Advisories 🚨

🚨 Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse

🚨 devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse

Release Notes

5.6.2

5.6.1

5.6.0

5.5.0

5.4.2

5.4.1

5.4.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ diff (indirect, 5.2.0 → 8.0.3) · Repo

Security Advisories 🚨

🚨 jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch

🚨 jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eventemitter3 (indirect, 5.0.1 → 5.0.4) · Repo

Release Notes

5.0.4

5.0.3

5.0.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ h3 (indirect, 1.15.3 → 1.15.5) · Repo · Changelog

Security Advisories 🚨

🚨 h3 v1 has Request Smuggling (TE.TE) issue

Release Notes

1.15.5

1.15.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ http-cache-semantics (indirect, 4.1.1 → 4.2.0) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ import-meta-resolve (indirect, 4.1.0 → 4.2.0) · Repo

Release Notes

4.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ magic-string (indirect, 0.30.17 → 0.30.21) · Repo · Changelog

Release Notes

0.30.21

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ magicast (indirect, 0.3.5 → 0.5.2) · Repo · Changelog

Release Notes

0.5.1

0.5.0

0.4.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ofetch (indirect, 1.4.1 → 1.5.1) · Repo · Changelog

Release Notes

1.5.1

1.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ p-queue (indirect, 8.1.0 → 8.1.1) · Repo

Release Notes

8.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ semver (indirect, 7.7.2 → 7.7.3) · Repo · Changelog

Release Notes

7.7.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sharp (indirect, 0.33.5 → 0.34.5) · Repo

Release Notes

0.34.5

0.34.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ shiki (indirect, 3.12.0 → 3.22.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ smol-toml (indirect, 1.4.2 → 1.6.0) · Repo

Release Notes

1.6.0

1.5.2

1.5.1

1.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tinyexec (indirect, 0.3.2 → 1.0.2) · Repo

Release Notes

1.0.2

1.0.1

1.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tinyglobby (indirect, 0.2.14 → 0.2.15) · Repo · Changelog

Release Notes

0.2.15

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ufo (indirect, 1.6.1 → 1.6.3) · Repo · Changelog

Release Notes

1.6.3

1.6.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unist-util-visit-parents (indirect, 6.0.1 → 6.0.2) · Repo

Release Notes

6.0.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ vite (indirect, 6.3.5 → 6.4.1) · Repo · Changelog

Security Advisories 🚨

🚨 vite allows server.fs.deny bypass via backslash on Windows

🚨 Vite's `server.fs` settings were not applied to HTML files

🚨 Vite middleware may serve files starting with the same name with the public directory

Release Notes

6.4.1

6.3.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zod (indirect, 3.25.67 → 3.25.76) · Repo · Changelog

Release Notes

3.25.76

3.25.75

3.25.74

3.25.73

3.25.72

3.25.71

3.25.70

3.25.69

3.25.68

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zod-to-json-schema (indirect, 3.24.5 → 3.25.1) · Repo · Changelog

🆕 @img/colour (added, 1.0.0)

🆕 @img/sharp-libvips-linux-riscv64 (added, 1.2.4)

🆕 @img/sharp-linux-ppc64 (added, 0.34.5)

🆕 @img/sharp-linux-riscv64 (added, 0.34.5)

🆕 chokidar (added, 5.0.0)

🆕 fontkitten (added, 1.0.2)

🆕 piccolore (added, 0.1.3)

🆕 readdirp (added, 5.0.0)

🆕 vitefu (added, 1.1.1)

🗑️ @swc/helpers (removed)

🗑️ @types/fontkit (removed)

🗑️ base64-js (removed)

🗑️ blob-to-buffer (removed)

🗑️ brotli (removed)

🗑️ clone (removed)

🗑️ cross-fetch (removed)

🗑️ dfa (removed)

🗑️ fast-deep-equal (removed)

🗑️ fontkit (removed)

🗑️ pako (removed)

🗑️ restructure (removed)

🗑️ unicode-properties (removed)

🗑️ unicode-trie (removed)

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

depfu · 2026-03-04T19:00:39Z

Closed in favor of #547.

Update astro to version 5.17.1

a29312b

depfu bot added the depfu label Feb 5, 2026

depfu bot temporarily deployed to beta February 5, 2026 11:26 Inactive

depfu bot mentioned this pull request Feb 5, 2026

🚨 [security] Update astro 5.13.4 → 5.16.6 (minor) #533

Closed

depfu bot closed this Mar 4, 2026

depfu bot deleted the depfu/update/npm/astro-5.17.1 branch March 4, 2026 19:00

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

🚨 [security] Update astro 5.13.4 → 5.17.1 (minor)#542

🚨 [security] Update astro 5.13.4 → 5.17.1 (minor)#542
depfu[bot] wants to merge 1 commit intoproductionfrom
depfu/update/npm/astro-5.17.1

depfu bot commented Feb 5, 2026

Uh oh!

depfu bot commented Mar 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

depfu bot commented Feb 5, 2026

What changed?

✳️ astro (5.13.4 → 5.17.1) · Repo · Changelog

✳️ js-yaml (4.1.0 → 4.1.1) · Repo · Changelog

4.1.1 (from changelog)

↗️ @​astrojs/compiler (indirect, 2.12.2 → 2.13.0) · Repo · Changelog

2.13.0 (from changelog)

↗️ @​babel/helper-validator-identifier (indirect, 7.27.1 → 7.28.5) · Repo · Changelog

↗️ @​babel/parser (indirect, 7.27.5 → 7.29.0) · Repo · Changelog

↗️ @​babel/types (indirect, 7.27.6 → 7.29.0) · Repo · Changelog

↗️ @​emnapi/runtime (indirect, 1.4.3 → 1.8.1) · Repo

↗️ @​img/sharp-darwin-arm64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​img/sharp-darwin-x64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​img/sharp-libvips-darwin-arm64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @​img/sharp-libvips-darwin-x64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @​img/sharp-libvips-linux-arm (indirect, 1.0.5 → 1.2.4) · Repo

↗️ @​img/sharp-libvips-linux-arm64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @​img/sharp-libvips-linux-s390x (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @​img/sharp-libvips-linux-x64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @​img/sharp-libvips-linuxmusl-arm64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @​img/sharp-libvips-linuxmusl-x64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @​img/sharp-linux-arm (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​img/sharp-linux-arm64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​img/sharp-linux-s390x (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​img/sharp-linux-x64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​img/sharp-linuxmusl-arm64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​img/sharp-linuxmusl-x64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​img/sharp-wasm32 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​img/sharp-win32-ia32 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​img/sharp-win32-x64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @​jridgewell/sourcemap-codec (indirect, 1.5.0 → 1.5.5) · Repo · Changelog

↗️ @​rollup/pluginutils (indirect, 5.2.0 → 5.3.0) · Repo · Changelog

5.3.0 (from changelog)

↗️ ci-info (indirect, 4.2.0 → 4.4.0) · Repo · Changelog

↗️ cookie (indirect, 1.0.2 → 1.1.1) · Repo · Changelog

↗️ debug (indirect, 4.4.1 → 4.4.3) · Repo · Changelog

↗️ detect-libc (indirect, 2.0.4 → 2.1.2) · Repo · Changelog

↗️ devalue (indirect, 5.3.2 → 5.6.2) · Repo · Changelog

↗️ diff (indirect, 5.2.0 → 8.0.3) · Repo

↗️ eventemitter3 (indirect, 5.0.1 → 5.0.4) · Repo

↗️ h3 (indirect, 1.15.3 → 1.15.5) · Repo · Changelog

↗️ @astrojs/compiler (indirect, 2.12.2 → 2.13.0) · Repo · Changelog

↗️ @babel/helper-validator-identifier (indirect, 7.27.1 → 7.28.5) · Repo · Changelog

↗️ @babel/parser (indirect, 7.27.5 → 7.29.0) · Repo · Changelog

↗️ @babel/types (indirect, 7.27.6 → 7.29.0) · Repo · Changelog

↗️ @emnapi/runtime (indirect, 1.4.3 → 1.8.1) · Repo

↗️ @img/sharp-darwin-arm64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @img/sharp-darwin-x64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @img/sharp-libvips-darwin-arm64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @img/sharp-libvips-darwin-x64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @img/sharp-libvips-linux-arm (indirect, 1.0.5 → 1.2.4) · Repo

↗️ @img/sharp-libvips-linux-arm64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @img/sharp-libvips-linux-s390x (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @img/sharp-libvips-linux-x64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @img/sharp-libvips-linuxmusl-arm64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @img/sharp-libvips-linuxmusl-x64 (indirect, 1.0.4 → 1.2.4) · Repo

↗️ @img/sharp-linux-arm (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @img/sharp-linux-arm64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @img/sharp-linux-s390x (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @img/sharp-linux-x64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @img/sharp-linuxmusl-arm64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @img/sharp-linuxmusl-x64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @img/sharp-wasm32 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @img/sharp-win32-ia32 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @img/sharp-win32-x64 (indirect, 0.33.5 → 0.34.5) · Repo

↗️ @jridgewell/sourcemap-codec (indirect, 1.5.0 → 1.5.5) · Repo · Changelog

↗️ @rollup/pluginutils (indirect, 5.2.0 → 5.3.0) · Repo · Changelog