fix(deps): update @astrojs packages

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/rss (source)	4.0.15 → 4.0.17
@astrojs/sitemap (source)	3.7.0 → 3.7.1
astro (source)	5.16.15 → 5.18.1

---

Release Notes

withastro/astro (@​astrojs/rss)

v4.0.17

Compare Source

Patch Changes

• #​15830 8d3f3aa Thanks @​Princesseuh! - Pin fast-xml-parser to 5.4.1 in order to fix an upstream bug

v4.0.16

Compare Source

Patch Changes

• #​15187 bbb5811 Thanks @​matthewp! - Update to Astro 6 beta

• #​14956 0ff51df Thanks @​matthewp! - Updates usage of zod to own dependency rather than relying on astro/zod

• #​15561 413b0f7 Thanks @​renovate! - Updates fast-xml-parser to v5.3.6

• #​15283 daf41c6 Thanks @​eldair! - Updates validation to use Zod v4

• #​15373 14252b2 Thanks @​renovate! - Updates zod to v4

withastro/astro (@​astrojs/sitemap)

v3.7.1

Compare Source

Patch Changes

• #​15187 bbb5811 Thanks @​matthewp! - Update to Astro 6 beta

• #​14956 0ff51df Thanks @​matthewp! - Updates usage of zod to own dependency rather than relying on astro/zod

• #​15036 f125a73 Thanks @​florian-lefebvre! - Updates how routes are retrieved to avoid relying on a deprecated API

• #​15373 14252b2 Thanks @​renovate! - Updates zod to v4

withastro/astro (astro)

v5.18.1

Compare Source

Patch Changes

• Updated dependencies [c2cd371]:
  • @​astrojs/internal-helpers@​0.7.6
  • @​astrojs/markdown-remark@​6.3.11

v5.18.0

Compare Source

Minor Changes

• #​15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #​15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

v5.17.3

Compare Source

Patch Changes

• #​15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #​15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

v5.17.2

Compare Source

Patch Changes

• c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

v5.17.1

Compare Source

Patch Changes

• #​15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

  Removes the getFontBuffer() helper function exported from astro:assets when using the experimental Fonts API

  This experimental feature introduced in v15.6.13 ended up causing significant memory usage during build. This feature has been removed and will be reintroduced after further exploration and testing.

  If you were relying on this function, you can replicate the previous behavior manually:

  • On prerendered routes, read the file using node:fs
  • On server rendered routes, fetch files using URLs from fontData and context.url

v5.17.0

Compare Source

Minor Changes

• #​14932 b19d816 Thanks @​patrickarlt! - Adds support for returning a Promise from the parser() option of the file() loader

  This enables you to run asynchronous code such as fetching remote data or using async parsers when loading files with the Content Layer API.

  For example:

  import { defineCollection } from 'astro:content';
  import { file } from 'astro/loaders';
  
  const blog = defineCollection({
    loader: file('src/data/blog.json', {
      parser: async (text) => {
        const data = JSON.parse(text);
  
        // Perform async operations like fetching additional data
        const enrichedData = await fetch(`https://api.example.com/enrich`, {
          method: 'POST',
          body: JSON.stringify(data),
        }).then((res) => res.json());
  
        return enrichedData;
      },
    }),
  });
  
  export const collections = { blog };

  See the parser() reference documentation for more information.

• #​15171 f220726 Thanks @​mark-ignacio! - Adds a new, optional kernel configuration option to select a resize algorithm in the Sharp image service

  By default, Sharp resizes images with the lanczos3 kernel. This new config option allows you to set the default resizing algorithm to any resizing option supported by Sharp (e.g. linear, mks2021).

  Kernel selection can produce quite noticeable differences depending on various characteristics of the source image - especially drawn art - so changing the kernel gives you more control over the appearance of images on your site:

  export default defineConfig({
    image: {
      service: {
        entrypoint: 'astro/assets/services/sharp',
        config: {
          kernel: "mks2021"
        }
    }
  })

  This selection will apply to all images on your site, and is not yet configurable on a per-image basis. For more information, see Sharps documentation on resizing images.

• #​15063 08e0fd7 Thanks @​jmortlock! - Adds a new partitioned option when setting a cookie to allow creating partitioned cookies.

  Partitioned cookies can only be read within the context of the top-level site on which they were set. This allows cross-site tracking to be blocked, while still enabling legitimate uses of third-party cookies.

  You can create a partitioned cookie by passing partitioned: true when setting a cookie. Note that partitioned cookies must also be set with secure: true:

  Astro.cookies.set('my-cookie', 'value', {
    partitioned: true,
    secure: true,
  });

  For more information, see the AstroCookieSetOptions API reference.

• #​15022 f1fce0e Thanks @​ascorbic! - Adds a new retainBody option to the glob() loader to allow reducing the size of the data store.

  Currently, the glob() loader stores the raw body of each content file in the entry, in addition to the rendered HTML.

  The retainBody option defaults to true, but you can set it to false to prevent the raw body of content files from being stored in the data store. This significantly reduces the deployed size of the data store and helps avoid hitting size limits for sites with very large collections.

  The rendered body will still be available in the entry.rendered.html property for markdown files, and the entry.filePath property will still point to the original file.

  import { defineCollection } from 'astro:content';
  import { glob } from 'astro/loaders';
  
  const blog = defineCollection({
    loader: glob({
      pattern: '**/*.md',
      base: './src/content/blog',
      retainBody: false,
    }),
  });

  When retainBody is false, entry.body will be undefined instead of containing the raw file contents.

• #​15153 928529f Thanks @​jcayzac! - Adds a new background property to the <Image /> component.

  This optional property lets you pass a background color to flatten the image with. By default, Sharp uses a black background when flattening an image that is being converted to a format that does not support transparency (e.g. jpeg). Providing a value for background on an <Image /> component, or passing it to the getImage() helper, will flatten images using that color instead.

  This is especially useful when the requested output format doesn't support an alpha channel (e.g. jpeg) and can't support transparent backgrounds.

  ---
  import { Image } from 'astro:assets';
  ---
  
  <Image
    src="/transparent.png"
    alt="A JPEG with a white background!"
    format="jpeg"
    background="#ffffff"
  />

  See more about this new property in the image reference docs

• #​15015 54f6006 Thanks @​tony! - Adds optional placement config option for the dev toolbar.

  You can now configure the default toolbar position ('bottom-left', 'bottom-center', or 'bottom-right') via devToolbar.placement in your Astro config. This option is helpful for sites with UI elements (chat widgets, cookie banners) that are consistently obscured by the toolbar in the dev environment.

  You can set a project default that is consistent across environments (e.g. dev machines, browser instances, team members):

  // astro.config.mjs
  export default defineConfig({
    devToolbar: {
      placement: 'bottom-left',
    },
  });

  User preferences from the toolbar UI (stored in localStorage) still take priority, so this setting can be overridden in individual situations as necessary.

v5.16.16

Compare Source

Patch Changes

• #​15281 a1b80c6 Thanks @​matthewp! - Ensures server island requests carry an encrypted component export identifier so they do not accidentally resolve to the wrong component.

• #​15304 02ee3c7 Thanks @​cameronapak! - Fix: Remove await from getActionResult example

• #​15324 ab41c3e Thanks @​Princesseuh! - Fixes an issue where certain unauthorized links could be rendered as clickable in the error overlay

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

astro: 5.16.15 → 5.18.1 (3 minor versions)

Security Fixes:

• 5.17.2-5.17.3: Critical security improvements for SSR deployments
  • Improved Host header handling for deployments behind proxies
  • Added default body size limit (1MB) for server actions to prevent memory exhaustion from oversized requests
  • Fixed image handling to respect allowlists when inferring remote image sizes and reject remote redirects
• 5.16.16: Server island security enhancement - encrypted component export identifiers to prevent resolving to wrong components

New Features:

• 5.18.0: New security.actionBodySizeLimit config option (defaults to 1MB)
• 5.18.0: New partitioned cookie option support
• 5.17.0: Content Layer API improvements - parser() now supports Promises, new retainBody option for glob() loader
• 5.17.0: Sharp image service enhancements - new kernel config option, new background property for <Image /> component
• 5.17.0: Dev toolbar placement configuration option

Breaking Changes:

• 5.17.1: Removed experimental getFontBuffer() helper from astro:assets (experimental Fonts API only - unlikely to affect most users)

Bug Fixes & Improvements:

• 5.18.0: Fixed X-Forwarded-Proto validation with allowedDomains
• 5.16.16: Documentation fix for getActionResult example

@astrojs/rss: 4.0.15 → 4.0.17 (2 patch versions)

• 4.0.17: Pinned fast-xml-parser to 5.4.1 to fix upstream bug
• 4.0.16: Updated to Astro 6 beta compatibility, migrated from astro/zod to own zod dependency, updated to Zod v4

@astrojs/sitemap: 3.7.0 → 3.7.1 (1 patch version)

• 3.7.1: Updated to Astro 6 beta compatibility, migrated from astro/zod to own zod dependency, updated to Zod v4
• 3.7.1: Fixed deprecated API usage for route retrieval

🎯 Impact Scope Investigation

Package Usage Analysis:

1. astro - Core framework

   • Used throughout the entire project
   • No usage of affected experimental features (getFontBuffer, server islands with custom export identifiers)
   • No explicit image allowlist configuration detected in astro.config.ts
   • No Astro Actions usage detected (security.actionBodySizeLimit not applicable)
   • Output mode: static with node adapter (security improvements still beneficial)

2. @astrojs/rss - RSS feed generation

   • Used in 12 RSS endpoint files (src/pages/.xml.ts, src/pages/tags/.xml.ts, src/pages/categories/*.xml.ts)
   • Standard RSS feed usage pattern detected - no special configurations
   • Example: src/pages/index.xml.ts:1
   • The fast-xml-parser pin addresses upstream issues transparently

3. @astrojs/sitemap - Sitemap generation

   • Configured in astro.config.ts:20 as integration: sitemap()
   • Standard sitemap integration usage with no custom configuration
   • Zod v4 migration handled internally

Content Layer API Usage:

• Uses glob() loader in src/content.config.ts:6-9 and :15-17
• Current usage does not specify retainBody option (defaults to true - existing behavior maintained)
• No parser() function with async operations detected

Dependency Chain Impact:

• All three packages updated zod internally (Astro 5.x still uses zod v3 in the project's devDependencies)
• esbuild version bump from 0.25.12 to 0.27.4 in astro (internal optimization)
• sitemap package updated from 8.0.2 to 9.0.1 (internal dependency of @astrojs/sitemap)
• No user-facing breaking changes in dependency updates

Security Improvements Benefit:
Even though this is a static site build, the security improvements provide defense-in-depth:

• Host header handling improvements protect against potential SSRF in OG image generation endpoint (src/pages/og/[slug].png.ts:5 - prerender: false)
• Image security enhancements protect the build process from malicious remote images

💡 Recommended Actions

Immediate Actions:

1. ✅ Merge this PR - All changes are backward compatible
2. ✅ No code modifications required - The codebase uses these packages in standard ways that are fully compatible with the updates

Post-Merge Verification:

1. Run full build to confirm no regressions: pnpm build
2. Test RSS feeds: verify XML output at /index.xml, /index.en.xml
3. Test sitemap generation: verify /sitemap-index.xml and /sitemap-0.xml
4. Verify OG image generation works correctly (dynamic route)

Optional Future Enhancements:

• Consider using the new retainBody: false option in content.config.ts to reduce build size if the raw markdown body is not needed
• Review if the new Sharp kernel option could improve image quality for your specific use case

🔗 Reference Links

Release Notes:

• astro 5.18.1 Release
• astro 5.18.0 Release
• astro 5.17.3 Release
• astro 5.17.2 Release
• astro 5.17.1 Release
• astro 5.17.0 Release
• astro 5.16.16 Release

CHANGELOG:

• @astrojs/rss CHANGELOG
• @astrojs/sitemap CHANGELOG
• astro CHANGELOG

Pull Requests:

• Security: Add body size limit for actions (#15564)
• Security: Respect image allowlists (#15569)
• Security: Server island encryption (#15281)

Generated by koki-develop/claude-renovate-review

[github-actions]

🚀 Preview deployment ready!

✅ Preview URL: https://pr-1330---web-njpdbbjcea-an.a.run.app
📝 Commit SHA: 147af1b (view commit)

This comment was automatically generated by the deploy-preview workflow.