chore(astro): Update [DEV] minor & patch dependencies to ^6.4.8

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
astro (source)	^6.0.0 → ^6.4.8

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

withastro/astro (astro)

v6.4.8

Compare Source

Patch Changes

• #​17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

v6.4.7

Compare Source

Patch Changes

• #​17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #​16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #​17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #​16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #​16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #​16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #​17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #​17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #​16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #​16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #​17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

v6.4.6

Compare Source

Patch Changes

• #​16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #​17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #​17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

v6.4.5

Compare Source

Patch Changes

• #​16985 4ecff32 Thanks @​maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

• #​16947 e0703a6 Thanks @​ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

• #​16997 dc45246 Thanks @​matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites

v6.4.4

Compare Source

Patch Changes

• #​16926 1b39ae8 Thanks @​narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

• #​16924 2c0bc94 Thanks @​astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

• #​16958 2c1d50f Thanks @​fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

• #​16855 c610cda Thanks @​astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

• #​16946 606c37b Thanks @​ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

• #​16720 16d49b6 Thanks @​thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

• #​16703 17390a6 Thanks @​henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

• #​16855 c610cda Thanks @​astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

v6.4.3

Compare Source

Patch Changes

• #​16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

• #​16016 0d85e1b Thanks @​felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

• #​16911 79c6c46 Thanks @​astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

• #​16899 239c469 Thanks @​matthewp! - Fixes a false "does not call the middleware() handler" warning when using astro() in a custom src/app.ts and the first request is a redirect route.

• #​16887 493acdb Thanks @​astrobot-houston! - Fixes redirectToDefaultLocale not working after the Advanced Routing refactoring.

• #​16908 ef53ab9 Thanks @​florian-lefebvre! - Improves optimized fallbacks generation when using the Fonts API by using better metrics for bold variants

---

Configuration

📅 Schedule: (in timezone GMT)

• Branch creation
  • "before 7am on the first day of the week"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
swingset	Ready	Preview, Comment	Jun 26, 2026 2:57pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Skipped		Jun 26, 2026 2:57pm

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

<--- Last few GCs --->

[921:0x45eff000]   120099 ms: Scavenge (interleaved) 1480.3 (1498.0) -> 1478.8 (1498.0) MB, pooled: 0 MB, 161.09 / 0.01 ms  (average mu = 0.359, current mu = 0.351) task; 
[921:0x45eff000]   122284 ms: Mark-Compact (reduce) 1484.6 (1500.9) -> 1476.7 (1490.3) MB, pooled: 0 MB, 912.79 / 0.13 ms  (+ 759.0 ms in 60 steps since start of marking, biggest step 19.7 ms, walltime since start of marking 1925 ms) (average mu = 0.374, 
FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
----- Native stack trace -----

 1: 0x73f8c4 node::OOMErrorHandler(char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/24.15.0/bin/node]
 2: 0xc06f90  [/opt/containerbase/tools/node/24.15.0/bin/node]
 3: 0xc0707f  [/opt/containerbase/tools/node/24.15.0/bin/node]
 4: 0xeaa885  [/opt/containerbase/tools/node/24.15.0/bin/node]
 5: 0xeaa8b2  [/opt/containerbase/tools/node/24.15.0/bin/node]
 6: 0xeaabaa  [/opt/containerbase/tools/node/24.15.0/bin/node]
 7: 0xebb8aa  [/opt/containerbase/tools/node/24.15.0/bin/node]
 8: 0xebfc50  [/opt/containerbase/tools/node/24.15.0/bin/node]
 9: 0x1953f71  [/opt/containerbase/tools/node/24.15.0/bin/node]
/usr/local/bin/node: line 18:   921 Aborted                 /opt/containerbase/tools/node/24.15.0/bin/node "$@"

[changeset-bot]

⚠️ No Changeset found

Latest commit: d5ba668

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8858

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8858

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8858

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8858

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@8858

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@8858

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@8858

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8858

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8858

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8858

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8858

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8858

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8858

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8858

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8858

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8858

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8858

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8858

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8858

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8858

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8858

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8858

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8858

commit: d5ba668

[github-actions]

API Changes Report

Generated by Break Check on 2026-06-26T14:59:36.243Z

Summary

Metric	Count
Packages analyzed	19
Packages with changes	0
🔴 Breaking changes	0
🟡 Non-breaking changes	0
🟢 Additions	0

No API Changes Detected

All packages have stable APIs with no detected changes.

---

Report generated by Break Check

_{Last ran on d5ba668.}