Bump the npm-dependencies group with 3 updates

[dependabot]

Bumps the npm-dependencies group with 3 updates: astro, typescript-eslint and wrangler.

Updates astro from 6.4.6 to 6.4.8

Release notes

Sourced from astro's releases.

astro@6.4.8

Patch Changes

• #17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

astro@6.4.7

Patch Changes

• #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

Changelog

Sourced from astro's changelog.

6.4.8

Patch Changes

• #17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

6.4.7

Patch Changes

• #17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

Commits

• 3ec2c10 [ci] release (#17110)
• 27c80ea fix(core): encoded URLs (#17109)
• 910e121 [ci] release (#17036)
• ef771ec fix: improve diagnostics (#17046)
• 0537f5c [ci] format
• 2f4d92a Fix prerendered redirect targets inflating SSR bundle in hybrid mode (#17066)
• 360fa3f docs: fix grammar in container API JSDoc comments (#16984)
• bbe0e54 [ci] format
• 52fc862 Supporting numeric id references (#16672)
• 9de80ae feat(cli): Adds wrangler schema to generated wrangler.jsonc file when running...
• Additional commits viewable in compare view

Updates typescript-eslint from 8.61.0 to 8.61.1

Release notes

Sourced from typescript-eslint's releases.

v8.61.1

8.61.1 (2026-06-15)

🩹 Fixes

• eslint-plugin: [consistent-indexed-object-style] do not remove comments when fixing (#12396, #10577)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive for template literal expressions (#12281)
• eslint-plugin: [no-unnecessary-type-assertion] wrap object literal in parens when removing TSTypeAssertion in arrow body (#12394, #12393)
• eslint-plugin: [no-unnecessary-boolean-literal-compare] fix precedence bug in autofix (#12413)
• eslint-plugin: [no-unnecessary-template-expression] respect ECMAScript line terminators (#12388)

❤️ Thank You

• Anas @​anasm266
• Deftera @​Deftera186
• Kirk Waiblinger @​kirkwaiblinger
• lumir
• Sarath Francis @​sarathfrancis90

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.61.1 (2026-06-15)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• aaad718 chore(release): publish 8.61.1
• See full diff in compare view

Updates wrangler from 4.100.0 to 4.102.0

Release notes

Sourced from wrangler's releases.

wrangler@4.102.0

Minor Changes

• #14340 f6e49dd Thanks @​emily-shen! - Add cf-wrangler build delegate support

  The experimental cf-wrangler delegate binary now accepts build and emits the Build Output API directory through Wrangler's new-config build path. This lets parent tools invoke Wrangler's build-output implementation with cf-wrangler build instead of shelling out through the public Wrangler CLI.

• #14324 36777db Thanks @​jamesopstad! - Add experimental --experimental-cf-build-output flag to wrangler build

  When used alongside --experimental-new-config, wrangler build now emits a self-contained Build Output API directory under .cloudflare/output/v0/ instead of delegating to wrangler deploy --dry-run.

Patch Changes

• #14347 673b09e Thanks @​jamesopstad! - Update undici from 7.24.8 to 7.28.0

• #14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

  GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

• #14314 5c3bb11 Thanks @​harryzcy! - Bump esbuild to 0.28.1

  This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

• #14331 296ad65 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260616.1	1.20260617.1

• #14275 594544d Thanks @​alsuren! - Resolve auto-provisioned D1 bindings via the API in remote subcommands

  Remote D1 subcommands (d1 execute --remote, d1 export --remote, d1 info, d1 insights, d1 delete, d1 migrations apply --remote, d1 migrations list --remote, d1 time-travel) previously failed with:

  Found a database with name or binding DB but it is missing a database_id, which is needed for operations on remote resources.

  when the [[d1_databases]] config entry only had binding and database_name (the shape wrangler deploy writes for automatically-provisioned bindings). They now resolve the real database UUID via GET /accounts/:accountId/d1/database/:name?fields=uuid and proceed as if database_id had been set in config.

  If the config entry only has a binding (no database_name, no database_id), the lookup uses the same name wrangler deploy would create via auto provisioning (<worker name>-<binding-lowercased-with-dashes>).

  Non-404 API failures (auth, rate-limit, server errors) now propagate verbatim instead of being masked as "database not found".

• #14315 a79b899 Thanks @​matingathani! - Respect find_additional_modules = false when no_bundle is set

  When using no_bundle = true, wrangler was always scanning for and attaching additional modules even if find_additional_modules was explicitly set to false in the config. Additional modules are now only collected when find_additional_modules is not false, consistent with the bundled code path.

• #14269 5dfb788 Thanks @​mattjohnsonpint! - Support dev.plugin on typed services bindings

  Wrangler only honored dev.plugin on unsafe.bindings entries, so users authoring a service binding via services[] could not wire it to a local Miniflare plugin during wrangler dev — they had to fall back to unsafe.bindings and accept a "directly supported by wrangler" warning. Typed services bindings now accept the same dev: { plugin, options? } shape, route the binding through Miniflare's external-plugin pathway in wrangler dev, and strip the field at deploy time. Validation rejects malformed dev shapes.

... (truncated)

Commits

• dd7e101 Version Packages (#14327)
• 5dfb788 Support dev.plugin on typed services bindings (#14269)
• 296ad65 Bump the workerd-and-workers-types group across 1 directory with 2 updates (#...
• f6e49dd add build command to cf-wrangler (#14340)
• 36777db Wrangler support for experimental Build Output API (#14324)
• a79b899 [wrangler] fix: respect find_additional_modules when no_bundle is set (#14315)
• 5c3bb11 Bump esbuild to 0.28.1 (#14314)
• ca61558 [wrangler] Mention temporary preview accounts in whoami when unauthenticated ...
• 594544d D1 subcommands resolve auto-provisioned bindings via API (#14275)
• 89a753e Version Packages (#14274)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	proofline-website	da11055	Commit Preview URL Branch Preview URL	Jun 18 2026, 05:28 PM