chore(deps): update astro ecosystem

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@astrojs/starlight (source)	^0.37.6 → ^0.40.0			dependencies	minor	0.41.1 (+1)
astro-vtbot (source)	^2.1.11 → 2.1.11			devDependencies	pin
sharp (source, changelog)	^0.33.5 → ^0.35.2			dependencies	minor

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

withastro/starlight (@​astrojs/starlight)

v0.40.0

Compare Source

Minor Changes

• #​3923 edf2e6b Thanks @​Princesseuh! - Adds support for Astro 6.4 and the new Sätteri Markdown processor.

  It is now possible to opt into using Astro's 6.4 Sätteri Markdown processor by installing the @astrojs/markdown-satteri package and configuring it in your astro.config.mjs file:

  // astro.config.mjs
  
  import { defineConfig } from 'astro/config';
  import { satteri } from '@​astrojs/markdown-satteri';
  
  export default defineConfig({
    markdown: {
      processor: satteri(),
    },
  });

  ⚠️ BREAKING CHANGE: The minimum supported version of Astro is now v6.4.5.

  Please update Starlight and Astro together:

  npx @​astrojs/upgrade

  Community Starlight plugins and Astro integrations may also need to be manually updated to work with Sätteri. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

Patch Changes

• #​3923 edf2e6b Thanks @​Princesseuh! - Updates Expressive Code to version 0.43.1.

v0.39.3

Compare Source

Patch Changes

• #​3910 dddf405 Thanks @​andreialba! - Improves Romanian UI translations

• #​3924 02f2ce1 Thanks @​BouRock! - Improves Turkish UI translations

• #​3928 11a7ed2 Thanks @​delucis! - Updates Pagefind to v1.5 and adds support for Pagefind’s new diacriticSimilarity and metaWeights advanced ranking options

• #​3927 e944870 Thanks @​HiDeoo! - Refactors internal file path handling for Starlight content collections.

v0.39.2

Compare Source

Patch Changes

• #​3890 2d05e18 Thanks @​tats-u! - Fixes CSS selector for text-autospace styles in Chromium browsers

v0.39.1

Compare Source

Patch Changes

• #​3885 010eed1 Thanks @​ArmandPhilippot! - Fixes the version mentioned in an error message related to autogenerated sidebar groups support.

• #​3887 b3c6990 Thanks @​delucis! - Adds 13 new icons: clock, desktop, mobile-android, window, database, server, code-branch, notes, question, question-circle, analytics, padlock, and solidjs.

v0.39.0

Compare Source

Minor Changes

• #​3618 dcf6d09 Thanks @​HiDeoo! - ⚠️ BREAKING CHANGE: This release changes how autogenerated links work in Starlight’s sidebar configuration.

  If you have sidebar groups using the autogenerate key, you must now wrap that configuration in an items array:

  {
      label: 'My group',
  -   autogenerate: { directory: 'some-dir' },
  +   items: [{ autogenerate: { directory: 'some-dir' } }],
  }

  This change unlocks the possibility to mix autogenerated links and other links in a single group, for example:

  {
    label: 'Mixed group',
    items: [
      'example-page',
      { autogenerate: { directory: 'examples' } },
      { label: 'More examples', link: 'https://example.com' },
    ],
  }

  This release also updates the shape of autogenerated sidebar entries in route data. Autogenerated links and groups in Astro.locals.starlightRoute.sidebar now include an autogenerate object with the configured directory value:

  {
    type: 'link',
    label: 'Example',
    href: '/examples/example/',
    isCurrent: false,
    autogenerate: { directory: 'examples' }
  }

• #​3618 dcf6d09 Thanks @​HiDeoo! - ⚠️ BREAKING CHANGE: This release changes the default collapsed state of autogenerated sidebar subgroups.

  Autogenerated subgroups no longer inherit the collapsed value from their parent group. They are now expanded by default unless explicitly configured with autogenerate.collapsed.

  If your sidebar configuration relies on a collapsed parent group to also collapse its autogenerated subgroups, update your configuration to set autogenerate.collapsed to true:

  {
    label: 'Reference',
    collapsed: true,
    items: [
  -   { autogenerate: { directory: 'reference' } },
  +   { autogenerate: { directory: 'reference', collapsed: true } },
    ],
  }

• #​3845 4d755f5 Thanks @​delucis! - Adds a <link rel="alternate" hreflang="x-default" href="..."> tag pointing to the default locale in multilingual sites. The x-default alternate is used as a signal of which language to fall back to if no other is available. Learn more in Google’s SEO localization docs.

• #​3862 ec70630 Thanks @​itrew! - Makes spacing of items in nested lists more consistent

• #​3872 417a66c Thanks @​tats-u! - Enables the CSS property text-autospace in Chinese and Japanese documents.

  If you would prefer to disable autospacing in Chinese and Japanese pages, you can add the following custom CSS to your site:

  [lang]:where(:lang(zh, ja)) {
    text-autospace: initial;
  }

• #​3797 9764ebd Thanks @​delucis! - Avoids the risk of layout shift when users expand and collapse sidebar groups

  This release can introduce additional padding to the site sidebar on certain devices to reserve space for scrollbars. You may wish to inspect your site sidebar visually when upgrading.

  If you would prefer to keep the previous styling, you can add the following custom CSS to your site:

  .sidebar-pane {
    scrollbar-gutter: auto;
  }

• #​3858 6672c35 Thanks @​delucis! - Updates i18next, used for Starlight’s localization APIs, from v23 to v26

  There should not be any user-facing changes from this update

v0.38.5

Compare Source

Patch Changes

• #​3854 ccf6000, #​3877 47451bc Thanks @​delucis! - Updates internal dependencies

v0.38.4

Compare Source

Patch Changes

• #​3828 342038b Thanks @​MangelMaxime! - Fixes aside styling when used without any content

• #​3853 563e11b Thanks @​delucis! - Fixes a type-checking issue for users on newer versions of TypeScript

v0.38.3

Compare Source

Patch Changes

• #​3799 313611b Thanks @​JosefJezek! - Improves Czech UI translations

• #​3770 6e7bed1 Thanks @​gameroman! - Adds examples to the inline documentation for title in the Starlight configuration object

• #​3801 fedd48b Thanks @​delucis! - Fixes missing draft content warning in dev on pages using the hero layout

v0.38.2

Compare Source

Patch Changes

• #​3759 f24ce99 Thanks @​MilesChou! - Fixes an issue where monolingual sites using a region-specific locale (e.g., zh-TW) as the default would incorrectly display base language translations (e.g., zh Simplified Chinese) instead of the region-specific ones (e.g., zh-TW Traditional Chinese).

• #​3768 a4c6c20 Thanks @​delucis! - Improves performance of sidebar generation for sites with very large sidebars

v0.38.1

Compare Source

Patch Changes

• #​3751 fb955ff Thanks @​pyxelr! - Fixes a regression causing global tableOfContents config to be ignored

v0.38.0

Compare Source

Minor Changes

• #​3644 0d2e7ed Thanks @​HiDeoo! - Adds support for Astro v6, drops support for Astro v5.

Upgrade Astro and dependencies

⚠️ BREAKING CHANGE: Astro v5 is no longer supported. Make sure you update Astro and any other official integrations at the same time as updating Starlight:

npx @​astrojs/upgrade

Community Starlight plugins and Astro integrations may also need to be manually updated to work with Astro v6. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

Update your collections

⚠️ BREAKING CHANGE: Drops support for content collections backwards compatibility.

In Astro 5.x, projects could delay upgrading to the new Content Layer API introduced for content collections because of some existing automatic backwards compatibility that was not previously behind a flag. This meant that it was possible to upgrade from Astro 4 to Astro 5 without updating your content collections, even if you had not enabled the legacy.collections flag. Projects would continue to build, and no errors or warnings would be displayed.

Astro v6.0 now removes this automatic legacy content collections support, along with the legacy.collections flag.

If you experience content collections errors after updating to v6, check your project for any removed legacy features that may need updating to the Content Layer API. See the Starlight v0.30.0 upgrade guide for detailed instructions on upgrading legacy collections to the new Content Layer API.

If you are unable to make any changes to your collections at this time, including Starlight's default docs and i18n collections, you can enable the legacy.collectionsBackwardsCompat flag to upgrade to v6 without updating your collections. This temporary flag preserves some legacy v4 content collections features, and will allow you to keep your collections in their current state until the legacy flag is no longer supported.

• #​3704 375edcc Thanks @​florian-lefebvre! - Fixes autocomplete for components exported from @astrojs/starlight/components/*

  ⚠️ Potentially breaking change: This change moves some files used in Starlight’s component internals out of the components/ directory. Direct use of these files was not and is not officially supported. If you previously imported TableOfContents/starlight-toc.ts, TableOfContents/TableOfContentsList.astro, Icons.ts, or SidebarPersistState.ts, please review your code when updating.

• #​3729 3642625 Thanks @​delucis! - Improves Starlight’s default body font stack to better support languages such as Chinese, Japanese, and Korean on Windows.
  For most users there should be no visible change.

  If you would prefer to keep the previous font stack, you can add the following custom CSS to your site:

  :root {
    --sl-font-system: ui-sans-serif, system-ui, 'Segoe UI', Roboto,
      'Helvetica Neue', Arial, 'Noto Sans', sans-serif, 'Apple Color Emoji',
      'Segoe UI Emoji', 'Segoe UI Symbol', 'Noto Color Emoji';
  }

• #​3598 fff38d5 Thanks @​HiDeoo! - Makes hover styles consistent in Starlight’s navigation bar

  Previously, the social icon links and language/theme switchers in Starlight’s navigation bar, dimmed on hover.
  After this change, they now increase in contrast on hover instead.
  This matches hover behavior elsewhere, for example in the sidebar, table of contents, or search button.

  ⚠️ Potentially breaking change: this is a subtle change to the hover style colors.
  If you want to preserve the previous styling, you can add the following custom CSS to your site:

  starlight-theme-select label,
  starlight-lang-select label {
    color: var(--sl-color-gray-1);
  
    &:hover {
      color: var(--sl-color-white);
    }
  }
  
  .social-icons a:hover {
    color: var(--sl-color-text-accent);
    opacity: 0.66;
  }

v0.37.7

Compare Source

Patch Changes

• #​3726 8a09b60 Thanks @​delucis! - Fixes an issue using components containing scripts inside Starlight’s steps component in versions of Astro >= 5.16.9

lovell/sharp (sharp)

v0.35.2

Compare Source

v0.35.1

Compare Source

• TypeScript: Ensure type definitions are published for both ESM and CJS.
  #​4537

• WebAssembly: Ensure wrapper file is published.
  #​4538

v0.35.0

Compare Source

• Breaking: Drop support for Node.js 18, now requires Node.js >= 20.9.0.

• Breaking: Remove install script from package.json file.
  Compiling from source is now opt-in via the build script.

• Breaking: Lossy AVIF output is now tuned using SSIMULACRA2-based iq quality metrics.

• Breaking: Add limitInputChannels with a default value of 5.

• Breaking: Remove deprecated failOnError constructor property.

• Breaking: Remove deprecated paletteBitDepth from metadata response.

• Breaking: Remove deprecated properties from sharpen operation.

• Breaking: Rename format.jp2k as format.jp2 for API consistency.

• Upgrade to libvips v8.18.3 for upstream bug fixes.

• Remove experimental status from WebAssembly binaries.

• Add prebuilt binaries for FreeBSD (WebAssembly).

• Deprecate Windows 32-bit (win32-ia32) prebuilt binaries.

• Ensure TIFF output bitdepth option is limited to 1, 2 or 4.

• Add AVIF/HEIF tune option for control over quality metrics.
  #​4227

• Add keepGainMap and withGainMap to process HDR JPEG images with embedded gain maps.
  #​4314

• Add toUint8Array for output image as a TypedArray backed by a transferable ArrayBuffer.
  #​4355

• Require prebuilt binaries using static paths to aid code bundling.
  #​4380

• TypeScript: Ensure FormatEnum keys match reality.
  #​4475

• Add margin option to trim operation.
  #​4480
  @​eddienubes

• Ensure HEIF primary item is used as default page/frame.
  #​4487

• Add image Media Type (MIME Type) to metadata response.
  #​4492

• Add withDensity to set output density in EXIF metadata.
  #​4496

• Improve pkg-config path discovery.
  #​4504

• Add WebP exact option for control over transparent pixel colour values.

• Add support for ECMAScript Modules (ESM).
  #​4509
  @​florian-lefebvre

v0.34.5

Compare Source

• Upgrade to libvips v8.17.3 for upstream bug fixes.

• Add experimental support for prebuilt Linux RISC-V 64-bit binaries.

• Support building from source with npm v12+, deprecate --build-from-source flag.
  #​4458

• Add support for BigTIFF output.
  #​4459
  @​throwbi

• Improve error messaging when only warnings issued.
  #​4465

• Simplify ICC processing when retaining input profiles.
  #​4468

v0.34.4

Compare Source

• Upgrade to libvips v8.17.2 for upstream bug fixes.

• Ensure TIFF subifd and OpenSlide level input options are respected (regression in 0.34.3).

• Ensure autoOrient occurs before non-90 angle rotation.
  #​4425

• Ensure autoOrient removes existing metadata after shrink-on-load.
  #​4431

• TypeScript: Ensure KernelEnum includes linear.
  #​4441
  @​BayanBennett

• Ensure unlimited flag is passed upstream when reading TIFF images.
  #​4446

• Support Electron memory cage when reading XMP metadata (regression in 0.34.3).
  #​4451

• Add sharp-libvips rpath for yarn v5 support.
  #​4452
  @​arcanis

v0.34.3

Compare Source

v0.34.2

Compare Source

v0.34.1

Compare Source

v0.34.0

Compare Source

---

Configuration

📅 Schedule: (in timezone America/Havana)

• Branch creation
  • "after 10pm every weekday,before 5am every weekday,every weekend"
• Automerge
  • "before 4am on the first day of the month"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅ Contributor Report

User: @renovate[bot]
Status: Trusted contributor (whitelisted)

This user is on the trusted contributors list and was automatically approved.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​astrojs/​starlight@​0.40.0
	npm/​sharp@​0.35.2

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: docs/website/pnpm-lock.yaml → npm/astro@5.18.1 → npm/sharp@0.35.2 → npm/@emnapi/runtime@1.11.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud