chore(website): bump astro to 5.18.1

[fhennig]

Summary

• Bumps astro from 5.17.2 to 5.18.1 (latest 5.x)
• Changelog: https://github.com/withastro/astro/releases/tag/astro%405.18.0
• Notable fix: fix: X-Forwarded-Proto rejected when allowedDomains includes protocol… withastro/astro#15594 — HTTPS wasn't correctly recognized

🤖 Generated with Claude Code

---

I had this Problem (Claude's words):

The problem

Logging in via GitHub OAuth on staging fails with "Cross-site POST form submissions are
forbidden". Auth.js generates this error when it detects a CSRF/origin mismatch.

Root cause

Auth.js doesn't know it's running behind nginx and being served over HTTPS. It thinks its own URL
is http://staging.genspectrum.org, which causes two issues:

1. It sets cookies without the __Host-/__Secure- prefixes (insecure cookies)
2. When the browser submits the sign-in form with callbackUrl=https://..., Auth.js sees a
   protocol mismatch and rejects it as cross-site

What we tried

AUTH_TRUST_HOST=true — the Auth.js-recommended fix for reverse proxy setups. It picks up
X-Forwarded-Host correctly (callback URL changes from http://localhost to
http://staging.genspectrum.org) but ignores X-Forwarded-Proto, so the scheme stays http://
regardless.

...

Turns out, it is actually an Astro bug. This release fixes it.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
dashboards	Ready	Preview, Comment	Apr 27, 2026 11:58am