chore(deps): bump the npm-deps group with 4 updates

[dependabot]

Bumps the npm-deps group with 4 updates: astro, starlight-llms-txt, starlight-theme-nova and @lavamoat/allow-scripts.

Updates astro from 6.3.1 to 6.3.3

Release notes

Sourced from astro's releases.

astro@6.3.3

Patch Changes

• #16737 bd84f33 Thanks @​matthewp! - Fixes a reflected XSS vulnerability where slot names on hydrated components were not HTML-escaped in SSR output

astro@6.3.2

Patch Changes

• #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

  The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

• #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

• #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

• #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

• #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

• #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

• #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

• #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

• #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &[#38](https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/38);) in <meta> tags when viewed in link previews or raw HTML.

• Updated dependencies [d365c97, 9256345]:

  • @​astrojs/internal-helpers@​0.9.1
  • @​astrojs/markdown-remark@​7.1.2

Changelog

Sourced from astro's changelog.

6.3.3

Patch Changes

• #16737 bd84f33 Thanks @​matthewp! - Fixes a reflected XSS vulnerability where slot names on hydrated components were not HTML-escaped in SSR output

6.3.2

Patch Changes

• #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

  The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

• #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

• #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

• #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

• #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

• #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

• #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

• #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

• #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &[#38](https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/38);) in <meta> tags when viewed in link previews or raw HTML.

• Updated dependencies [d365c97, 9256345]:

  • @​astrojs/internal-helpers@​0.9.1
  • @​astrojs/markdown-remark@​7.1.2

Commits

• 5ec95d0 [ci] release (#16736)
• bce5c34 [ci] format
• bd84f33 fix(security): escape slot names in hydration template attributes to prevent ...
• 42e7eec refactor: fix flaky view-transitions e2e test (#16735)
• 33b54c4 [ci] format
• 0f868b0 chore: remove redundant server assertions (#16721)
• e345bcd [ci] release (#16653)
• 04fdbb2 Update pnpm to v11 (#16716)
• 772f13a fix(astro): correctly export build.assetsPrefix from astro:config/server ...
• d1c258a test: isolate fixture cache dirs for shared fixtures (#16689)
• Additional commits viewable in compare view

Updates starlight-llms-txt from 0.8.1 to 0.10.0

Release notes

Sourced from starlight-llms-txt's releases.

starlight-llms-txt@0.10.0

Minor Changes

• #105 aa7f8cf Thanks @​IEvangelist! - Extend the customSelectors option to support per-output control.

  The option is now exposed at the top level of the plugin configuration and accepts either of two shapes:

  • Array (legacy) — selectors apply to llms-small.txt only, matching the existing scope of minify.customSelectors.
  • Object with optional small, full, and all arrays — small applies to llms-small.txt, full applies to llms-full.txt and any customSets outputs, and all applies to both (merged with small and full).

  The deprecated minify.customSelectors option keeps working: selectors listed there are merged additively into the small bucket so existing configurations are unaffected.

  Use the new object shape to strip transient HTML injected by docs-site rendering plugins (for example, hover popovers from expressive-code-twoslash) from every generated output:

  starlightLlmsTxt({
    customSelectors: {
      all: ['.twoslash-popup-container', '.twoslash-error-box'],
    },
  }),

starlight-llms-txt@0.9.0

Minor Changes

• #104 3f6c45b Thanks @​davidfowl! - Preserves the contents of code blocks when collapsing whitespace in llms-small.txt.

  Previously, the minify.whitespace option collapsed every whitespace run — including newlines inside fenced code blocks — into a single space, so multi-line code samples ended up on one line. Now, fenced code blocks keep their original newlines and indentation while whitespace in prose still collapses for token efficiency.

  A new minify.collapseCodeBlocks option controls this behavior. Set it to true to restore the previous flatten-everything output.

Changelog

Sourced from starlight-llms-txt's changelog.

0.10.0

Minor Changes

• #105 aa7f8cf Thanks @​IEvangelist! - Extend the customSelectors option to support per-output control.

  The option is now exposed at the top level of the plugin configuration and accepts either of two shapes:

  • Array (legacy) — selectors apply to llms-small.txt only, matching the existing scope of minify.customSelectors.
  • Object with optional small, full, and all arrays — small applies to llms-small.txt, full applies to llms-full.txt and any customSets outputs, and all applies to both (merged with small and full).

  The deprecated minify.customSelectors option keeps working: selectors listed there are merged additively into the small bucket so existing configurations are unaffected.

  Use the new object shape to strip transient HTML injected by docs-site rendering plugins (for example, hover popovers from expressive-code-twoslash) from every generated output:

  starlightLlmsTxt({
    customSelectors: {
      all: ['.twoslash-popup-container', '.twoslash-error-box'],
    },
  }),

0.9.0

Minor Changes

• #104 3f6c45b Thanks @​davidfowl! - Preserves the contents of code blocks when collapsing whitespace in llms-small.txt.

  Previously, the minify.whitespace option collapsed every whitespace run — including newlines inside fenced code blocks — into a single space, so multi-line code samples ended up on one line. Now, fenced code blocks keep their original newlines and indentation while whitespace in prose still collapses for token efficiency.

  A new minify.collapseCodeBlocks option controls this behavior. Set it to true to restore the previous flatten-everything output.

Commits

• 0a39679 [ci] release (#108)
• aa7f8cf feat: extend customSelectors to support per-output control (#105)
• 209dc4d [ci] release (#107)
• 3f6c45b Preserve fenced code-block newlines when minifying whitespace (#104)
• 272433c fix(deps): update dependency astro to ^6.1.10 (#103)
• 58ae2ec fix(deps): update astro (#100)
• See full diff in compare view

Updates starlight-theme-nova from 0.11.9 to 0.11.10

Commits

• See full diff in compare view

Updates @lavamoat/allow-scripts from 5.0.1 to 5.0.2

Release notes

Sourced from @​lavamoat/allow-scripts's releases.

allow-scripts: v5.0.2

5.0.2 (2026-05-13)

Bug Fixes

• allow-scripts: fix issues with --skip-versions backward-compatibility (#1969) (e68c877)

Changelog

Sourced from @​lavamoat/allow-scripts's changelog.

5.0.2 (2026-05-13)

Bug Fixes

• allow-scripts: fix issues with --skip-versions backward-compatibility (#1969) (e68c877)

Commits

• 1851a85 chore: release main (#1975)
• e68c877 fix(allow-scripts): fix issues with --skip-versions backward-compatibility (#...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions