🚨 [security] Update @astrojs/mdx 4.3.4 → 4.3.14 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​astrojs/mdx (4.3.4 → 4.3.14) · Repo

Sorry, we couldn't find anything useful about this release.

✳️ js-yaml (4.1.0 → 4.1.1) · Repo · Changelog

Security Advisories 🚨

🚨 js-yaml has prototype pollution in merge (<<)

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Release Notes

4.1.1 (from changelog)

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• 4.1.1 released
• dist rebuild
• lint fix
• fix prototype pollution in merge (<<)
• README.md: HTTP => HTTPS (#678)
• doc: 'empty' style option for !!null
• Fix demo link (#618)

↗️ @​mdx-js/mdx (indirect, 3.1.0 → 3.1.1) · Repo · Changelog

Release Notes

3.1.1

Fix

• 3cad7d7 @mdx-js/mdx: add dependency on acorn
• 0dc4472 @mdx-js/esbuild: fix crash with esbuild loader and jsx option
  by @egnor in #2593
• 84ec66e @mdx-js/esbuild: refactor to improve error conversion in esbuild
  by @egnor in #2595
• 2b3381a @mdx-js/rollup: fix support for query parameters in Vite
  by @markdalgleish in #2629

Types

• 933ab44 @mdx-js/mdx: add attributes to export/import declarations

Docs

• c156a1f Add rehype-mdx-toc to list of plugin
  by @boning-w in #2622
• 913659c Add recma-module-to-function to list of plugins
  by @remcohaszing in #2605
• 67fb1d0 Remove unneeded JSX type casting in docs, tests
• f0d20da Remove local use of JSX
  by @remcohaszing in #2604
• 63f39ce Remove references to twitter
• 35ac59d Refactor some docs regarding recma plugins

Full Changelog: 3.1.0...3.1.1

Does any of this look wrong? Please let us know.

↗️ import-meta-resolve (indirect, 4.1.0 → 4.2.0) · Repo

Release Notes

4.2.0

Types

• 4598fbe Add declaration maps

Fix

• 2514cb5 Fix default conditions for moduleResolve
  by @JounQin in #32

resolve/pull/32

Full Changelog: 4.1.0...4.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

• 4.2.0
• Update Node in Actions
• Update actions
• Refactor `tsconfig.json`
• Add declaration maps
• Refactor `package.json`
• Remove copyright year
• Refactor to use `@import`s
• Refactor `.prettierignore`
• Add `ignore-scripts` to `.npmrc`
• Add `.tsbuildinfo` to `.gitignore`
• Update dev-dependencies
• Fix default `conditions` for `moduleResolve`
• Fix dates

↗️ remark-mdx (indirect, 3.1.0 → 3.1.1) · Repo · Changelog

Release Notes

3.1.1

Fix

• 3cad7d7 @mdx-js/mdx: add dependency on acorn
• 0dc4472 @mdx-js/esbuild: fix crash with esbuild loader and jsx option
  by @egnor in #2593
• 84ec66e @mdx-js/esbuild: refactor to improve error conversion in esbuild
  by @egnor in #2595
• 2b3381a @mdx-js/rollup: fix support for query parameters in Vite
  by @markdalgleish in #2629

Types

• 933ab44 @mdx-js/mdx: add attributes to export/import declarations

Docs

• c156a1f Add rehype-mdx-toc to list of plugin
  by @boning-w in #2622
• 913659c Add recma-module-to-function to list of plugins
  by @remcohaszing in #2605
• 67fb1d0 Remove unneeded JSX type casting in docs, tests
• f0d20da Remove local use of JSX
  by @remcohaszing in #2604
• 63f39ce Remove references to twitter
• 35ac59d Refactor some docs regarding recma plugins

Full Changelog: 3.1.0...3.1.1

Does any of this look wrong? Please let us know.

↗️ shiki (indirect, 3.12.0 → 3.23.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ smol-toml (indirect, 1.4.2 → 1.6.0) · Repo

Release Notes

1.6.0

As of this version, smol-toml now supports the newly released TOML 1.1.0 specification!

Highlights

Multiline inline tables

TOML 1.1.0 now allows inline tables to have newlines, as well as trailing commas.

database = {
  driver = "postgresql",
  server = {
    host = "127.0.0.1",
    port = 3307,
  },
}

Omitting seconds in datetime and time

TOML 1.1.0 renders the seconds component of time elements optional.

datetime-tz = 1979-05-27 07:32Z
datetime = 2001-09-21 10:17
time = 13:37

New string escapes

Strings now support 2 additional escape sequences:

• \xHH for code points between 0 and 255
• \e for the escape character (U+001B)

What's Changed

• feat: toml 1.1 support by @cyyynthia in #49

Full Changelog: v1.5.2...v1.6.0

1.5.2

Hot fix for v1.5.1... 🙃

What's Changed

• fix: properly stringify arrays of tables by @cyyynthia

Full Changelog: v1.5.1...v1.5.2

1.5.1

Smol fix that makes newlines actually consistent when stringifying objects to TOML.

What's Changed

• fix: actually consistent newlines by @cyyynthia

Full Changelog: v1.5.0...v1.5.1

1.5.0

This version improves the TOML output of the library when stringifying objects, courtesy of the folks over at Cloudflare.

Most notably, the lib no longer emits unnecessary table headers, and doesn't add an empty line between successive table headers anymore:

[look.at.me]
note = "In earlier versions, there would've been [look] and [look.at] generated as well."
[empty.table]

[another.empty.table]

[look.how.compact]

this = "looks"

What's Changed

• Simplify nested tables by @penalosa in #46

New Contributors

• @penalosa made their first contribution in #46

Full Changelog: v1.4.2...v1.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

• chore: version bump
• Merge pull request #49 from squirrelchat/toml-110
• fix: properly test \e escape
• fix: properly run toml-test v2
• docs: toml 1.1.0 in the readme
• chore: upgrade dependencies, actions
• feat: allow omitting seconds in datetime and time values
• feat: support \e unicode escape in strings
• feat: support \xHH unicode escape in strings
• feat: toml 1.1 allows newline and trailing comma in inline tables
• chore: version bump
• fix: properly stringify arrays of tables
• chore: version bump
• fix: actually consistent newlines
• chore: yml -> yaml in readme
• chore: version bump
• chore: deps upgrade
• chore: update action versions
• chore: npm trusted publisher
• feat: simplify nested tables (#46)

↗️ source-map (indirect, 0.7.4 → 0.7.6) · Repo · Changelog

Release Notes

0.7.6

Full Changelog: 0.7.5...0.7.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ style-to-object (indirect, 1.0.9 → 1.0.14) · Repo · Changelog

Release Notes

1.0.14

1.0.14 (2025-11-16)

Build System

• deps: bump inline-style-parser from 0.2.6 to 0.2.7 (#818) (31ca552)

1.0.13

1.0.13 (2025-11-16)

Documentation

• readme: replace badgen.net with shields.io status badges (34d0947)

1.0.12

1.0.12 (2025-10-24)

Build System

• deps: bump inline-style-parser from 0.2.4 to 0.2.6 (#774) (50aa645)

1.0.11

1.0.11 (2025-10-03)

Bug Fixes

• package: fix esm types (#769) (cf23bb7)

1.0.10

1.0.10 (2025-10-02)

Bug Fixes

• remove esm build dir (79df2e8) @nathancahill
• switch to true esm build (8e7b7ed) @nathancahill

Miscellaneous Chores

• export StyleObject interface (45e8343) @xthezealot

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unist-util-visit-parents (indirect, 6.0.1 → 6.0.2) · Repo

Release Notes

6.0.2

• 579ffbc Fix type support for readonly arrays

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• 6.0.2
• Fix type support for readonly arrays
• Add declaration maps
• Update dev-dependencies
• Add `.tsbuildinfo` to `.gitignore`
• Update dev-dependencies

🆕 piccolore (added, 0.1.3)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)