chore(deps): bump the patch-only group with 5 updates

[dependabot]

Bumps the patch-only group with 5 updates:

Package	From	To
@types/node	25.9.1	25.9.3
eslint-plugin-security	4.0.0	4.0.1
prettier	3.8.3	3.8.4
@astrojs/mdx	6.0.2	6.0.3
astro	6.4.4	6.4.6

Updates @types/node from 25.9.1 to 25.9.3

Commits

• See full diff in compare view

Updates eslint-plugin-security from 4.0.0 to 4.0.1

Release notes

Sourced from eslint-plugin-security's releases.

eslint-plugin-security: v4.0.1

4.0.1 (2026-06-12)

Bug Fixes

• treat import.meta.dirname and import.meta.filename as static (#200) (74c97bb)

Changelog

Sourced from eslint-plugin-security's changelog.

4.0.1 (2026-06-12)

Bug Fixes

• treat import.meta.dirname and import.meta.filename as static (#200) (74c97bb)

Commits

• cb8645c chore: release 4.0.1 🚀 (#204)
• 74c97bb fix: treat import.meta.dirname and import.meta.filename as static (#200)
• 0b45f82 chore(deps-dev): bump shell-quote from 1.7.4 to 1.8.4 (#202)
• 954149a chore(deps-dev): bump handlebars from 4.7.7 to 4.7.9 (#198)
• d5012b6 chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2 (#197)
• b53d8b4 chore(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#196)
• 7876750 chore(deps): bump minimatch (#194)
• See full diff in compare view

Updates prettier from 3.8.3 to 3.8.4

Release notes

Sourced from prettier's releases.

3.8.4

• Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (prettier/prettier#17746 by @​byplayer)

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.4

diff

Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#17746 by @​byplayer)

Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.

<!-- Input -->
- a


b


c

d



<!-- Prettier 3.8.3 -->

a

b


c

d



<!-- Prettier 3.8.4 -->


a

b



c

d

Commits

• 1c6ba55 Release 3.8.4
• 4a673dc Fix blank lines between list items and nested sub-lists being removed in Mark...
• 074aaed Replace main branch in changelog link with tags (#19054)
• c22a003 Bump Prettier dependency to 3.8.3
• 07bad1f Clean changelog_unreleased
• See full diff in compare view

Updates @astrojs/mdx from 6.0.2 to 6.0.3

Release notes

Sourced from @​astrojs/mdx's releases.

@​astrojs/mdx@​6.0.3

Patch Changes

• #16969 4a31f90 Thanks @​Princesseuh! - Adds support for Prism syntax highlighting to the Sätteri Markdown and MDX processors. Setting markdown.syntaxHighlight to 'prism' now highlights your code blocks with Prism.

  // astro.config.mjs
  import { satteri } from '@astrojs/markdown-satteri';
  export default defineConfig({
  markdown: {
  processor: satteri(),
  syntaxHighlight: 'prism',
  },
  });

Changelog

Sourced from @​astrojs/mdx's changelog.

6.0.3

Patch Changes

• #16969 4a31f90 Thanks @​Princesseuh! - Adds support for Prism syntax highlighting to the Sätteri Markdown and MDX processors. Setting markdown.syntaxHighlight to 'prism' now highlights your code blocks with Prism.

  // astro.config.mjs
  import { satteri } from '@astrojs/markdown-satteri';
  export default defineConfig({
  markdown: {
  processor: satteri(),
  syntaxHighlight: 'prism',
  },
  });

Commits

• 0b879fb [ci] release (#16972)
• 7e8d371 chore: avoid an unwanted mdx major bump (#16977)
• 4a31f90 feat(satteri): Add support for Prism highlighting (#16969)
• See full diff in compare view

Updates astro from 6.4.4 to 6.4.6

Release notes

Sourced from astro's releases.

astro@6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

astro@6.4.5

Patch Changes

• #16985 4ecff32 Thanks @​maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

• #16947 e0703a6 Thanks @​ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

• #16997 dc45246 Thanks @​matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites

Changelog

Sourced from astro's changelog.

6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

6.4.5

Patch Changes

• #16985 4ecff32 Thanks @​maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

• #16947 e0703a6 Thanks @​ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

• #16997 dc45246 Thanks @​matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites

Commits

• 19ad1b4 [ci] release (#17023)
• f1baeea [ci] format
• ffda27b Validate origin in prerendered error page fetch against allowedDomains (#17033)
• 0408628 [ci] format
• add3df1 Harden addAttribute to reject invalid attribute names (#17026)
• cfeb958 [ci] format
• b10e86e fix : content collections image hmr (#16765)
• 0b879fb [ci] release (#16972)
• dc45246 Revert isNode workerd detection that caused Cloudflare build regression (#16997)
• 132a879 [ci] format
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions