fix(deps): update dependency astro to v6.1.7 #1524

Merged: lacolaco-actions-worker[bot] merged 1 commit into main from renovate/@astrojs-packages on Apr 20, 2026

@renovate renovate Bot commented Apr 20, 2026

This PR contains the following updates:

Package          Change
astro (source)   6.1.6 → 6.1.7

Release Notes

withastro/astro (astro)

v6.1.7

Patch Changes
  • #16027 c62516b Thanks @fkatsuhiro! - Fixes a bug where remote image dimensions were not validated during static builds on Netlify.

  • #16311 94048f2 Thanks @Arecsu! - Fixes --port flag being ignored after a Vite-triggered server restart (e.g. when a .env file changes)

  • #16316 0fcd04c Thanks @ematipico! - Fixes the /_image endpoint accepting an arbitrary f=svg query parameter and serving non-SVG content as image/svg+xml. The endpoint now validates that the source is actually SVG before honoring f=svg, matching the same guard already enforced on the <Image> component path.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Astro v6.1.7 is a patch release containing three bug fixes:

  1. Remote Image Dimension Validation (PR #16027)

    • Fixes a bug where remote image dimensions were not validated during static builds on Netlify
    • Adds proper validation enforcement through verifyOptions functionality
    • This fix only affects projects using Netlify adapter with remote images
  2. Dev Server Port Persistence (PR #16311)

    • Fixes the --port flag being ignored after Vite-triggered server restarts (e.g., when .env file changes)
    • Ensures custom port configuration persists across server restarts during development
    • Development-only improvement, no production impact
  3. Security Fix: SVG Content-Type Validation (PR #16316)

    • Fixes the /_image endpoint accepting arbitrary f=svg query parameter
    • Prevents serving non-SVG content as image/svg+xml, mitigating content-type confusion attacks
    • Validates source is actually SVG before honoring f=svg parameter
    • Aligns endpoint behavior with <Image> component's existing safeguards

Breaking Changes: None
Security Fixes: Yes (PR #16316)

🎯 Impact Scope Investigation

Current Deployment Architecture:

  • Platform: GCP Cloud Run (not Netlify)
  • Output mode: output: 'static' with @astrojs/node adapter
  • Image handling: Custom rehype plugin (rehype-image-cdn) for Cloudflare R2 CDN
  • No usage of Astro's built-in <Image> component or astro:assets

Impact Analysis by Fix:

  1. Netlify Image Validation (PR #16027): ❌ NOT APPLICABLE

    • This project uses GCP Cloud Run, not Netlify adapter
    • No impact on current deployment
  2. Port Flag Fix (PR #16311): ✅ BENEFICIAL

    • Improves local development experience
    • Development-only, no production impact
    • No code changes required
  3. SVG Security Fix (PR #16316): ⚠️ LOW IMPACT

    • The /_image endpoint is part of Astro's image optimization service
    • This project doesn't use Astro's <Image> component (verified via codebase search)
    • Uses custom image CDN solution (Cloudflare R2 with rehype-image-cdn)
    • The endpoint may still be accessible but is not actively used by the application
    • Security improvement with no functional impact on current implementation

Dependency Impact:

  • Only package.json and pnpm-lock.yaml are modified
  • @astrojs/node adapter automatically uses the updated Astro version
  • No peer dependency conflicts identified

Configuration Impact:

  • No changes to astro.config.ts required
  • No environment variable changes needed
  • No breaking API changes

💡 Recommended Actions

  1. Merge immediately - This is a safe patch update with beneficial fixes
  2. No code modifications required - All changes are backward compatible
  3. Testing recommendations:
    • Verify dev server starts correctly with pnpm dev
    • Run build process: pnpm build
    • Optional: Test custom port flag during development (pnpm dev --port 4000, modify .env, verify port persists)
  4. Security consideration: The SVG validation fix is a defense-in-depth improvement even though this project doesn't actively use the /_image endpoint

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
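
The kind of guard the #16316 release note describes (honor f=svg only when the source really is SVG), as an added example; it is not Astro's code and not part of the review comment above. The helper names, the raster format list, the 400 response and the sample inputs are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not Astro's source code.

// True only when the bytes start like an SVG document: optional BOM, XML
// declaration, comments and a simple DOCTYPE, then an <svg> root element.
// Anything unusual (e.g. a DOCTYPE with an internal subset) fails closed.
function looksLikeSvg(bytes) {
  const head = new TextDecoder('utf-8').decode(bytes.subarray(0, 4096));
  let s = head.replace(/^\uFEFF/, '').trimStart();
  const prolog = /^(<\?xml[\s\S]*?\?>|<!--[\s\S]*?-->|<!DOCTYPE[^>\[]*>)/;
  for (let m = prolog.exec(s); m; m = prolog.exec(s)) {
    s = s.slice(m[0].length).trimStart();
  }
  return /^<svg[\s>\/]/.test(s);
}

// Assumed set of raster outputs; a real service has its own list.
const RASTER_FORMATS = new Set(['png', 'jpeg', 'webp', 'avif']);

// Decide the response for a request carrying ?f=<requestedFormat>.
// The Content-Type follows the verified source, never the query string alone.
function resolveOutput(requestedFormat, sourceBytes) {
  const fmt = String(requestedFormat || '').toLowerCase();
  if (fmt === 'svg') {
    if (!looksLikeSvg(sourceBytes)) {
      return { status: 400, reason: 'f=svg requested for a non-SVG source' };
    }
    return { status: 200, contentType: 'image/svg+xml' };
  }
  if (RASTER_FORMATS.has(fmt)) {
    return { status: 200, contentType: `image/${fmt}` };
  }
  return { status: 400, reason: 'unsupported format' };
}

// Constructed sample sources (not taken from any real site).
const enc = new TextEncoder();
const svgSource = enc.encode(
  '<?xml version="1.0"?>\n<!-- logo -->\n<svg xmlns="http://www.w3.org/2000/svg"/>');
const htmlSource = enc.encode('<!DOCTYPE html><html><body>not an image</body></html>');
const pngSource = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

console.log(resolveOutput('svg', svgSource));
console.log(resolveOutput('svg', htmlSource));
console.log(resolveOutput('webp', pngSource));
```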

@lacolaco-actions-worker lacolaco-actions-worker Bot merged commit 7392152 into main Apr 20, 2026
14 checks passed
@github-actions

🚀 Preview deployment ready!

✅ Preview URL: https://pr-1524---web-njpdbbjcea-an.a.run.app
📝 Commit SHA: 2352c96 (view commit)

This comment was automatically generated by the deploy-preview workflow.

@lacolaco-actions-worker lacolaco-actions-worker Bot deleted the renovate/@astrojs-packages branch April 20, 2026 21:33