v0.6.0 — Astro 6 security upgrade
Highlights
Security release. Bumps the `astro` peer dependency to `^6.1.10` to resolve two upstream advisories that were never backported to Astro 5:
- 🔐 GHSA-j687-52p2-xcff (CVE-2026-41067, moderate) — XSS in `define:vars` via incomplete `</script>` tag sanitization. Patched in Astro 6.1.6.
- 🔐 GHSA-xr5h-phrj-8vxv (CVE-2026-45028, low) — Server island encrypted parameters vulnerable to cross-component replay. Patched in Astro 6.1.10.
If you ship `@dualmark/astro` on a public site, upgrade.
Breaking changes
- `@dualmark/astro` now requires `astro@^6.1.10`. Astro 5 is no longer a supported peer. The integration uses only stable hooks (`astro:config:setup`, `injectRoute`, `addMiddleware`) and the Content Layer API, so there are no source changes inside `@dualmark/astro` itself, but you'll need to follow Astro's v5 → v6 migration guide for your own site.
- `engines.node` is now `>=22.12.0` across every published `@dualmark/*` package, matching Astro 6's hard Node 22 requirement.
Upgrade
```bash
# 1. Make sure you're on Node 22+
node --version # → v22.x.x

# 2. Upgrade @dualmark/astro and astro together
bun add @dualmark/astro@^0.6.0 astro@^6.1.10
# or: pnpm add / npm install / yarn add equivalents

# 3. Run Astro's official 5 → 6 codemod / migration
# https://docs.astro.build/en/guides/upgrade-to/v6/
```
The other five `@dualmark/*` packages (`core`, `converters`, `cli`, `cloudflare`, `nextjs`) are unchanged and remain at `0.5.2` — no Node bump on their published metadata, no peer-dep changes. If you don't use `@dualmark/astro`, this release is a no-op for you.
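A post-upgrade check for the versions named in these notes, as an added example that is not part of `@dualmark/*` or Astro: it compares a resolved `astro` version against the two fixed-in versions and a Node version against the `>=22.12.0` floor. The function names and the sample versions are constructed for illustration.

```javascript
// Fixed-in versions and the Node floor are taken from the release notes above.
const ADVISORIES = [
  { id: "GHSA-j687-52p2-xcff", cve: "CVE-2026-41067", fixedIn: "6.1.6" },
  { id: "GHSA-xr5h-phrj-8vxv", cve: "CVE-2026-45028", fixedIn: "6.1.10" },
];
const MIN_NODE = "22.12.0";

// Parse "v6.1.10", "6.1.10" or "6.1.10-beta.1" into numeric parts plus a pre-release flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Negative if a < b, 0 if equal, positive if a > b. Parts are compared as numbers,
// so 6.1.10 ranks above 6.1.6. A pre-release sorts below the release with the same
// major.minor.patch; two pre-releases of the same triple are treated as equal.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  return Number(y.pre) - Number(x.pre);
}

// Advisories from the list above that a given resolved astro version still carries.
function openAdvisories(astroVersion) {
  return ADVISORIES.filter((a) => compareVersions(astroVersion, a.fixedIn) < 0);
}

// Combined result for one install; nodeVersion defaults to the running interpreter.
function checkInstall(astroVersion, nodeVersion = process.versions.node) {
  const open = openAdvisories(astroVersion).map((a) => `${a.id} (${a.cve})`);
  const nodeOk = compareVersions(nodeVersion, MIN_NODE) >= 0;
  return { astroVersion, open, nodeOk, ok: open.length === 0 && nodeOk };
}

// Constructed sample versions, not output from a real project.
for (const v of ["5.0.0", "6.1.6", "6.1.10-beta.1", "6.3.1"]) {
  console.log(JSON.stringify(checkInstall(v, "22.12.0")));
}
```

Pass the `version` field from `node_modules/astro/package.json` as `astroVersion`, since the semver range in your own `package.json` does not tell you what the lockfile resolved to.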
Verified end-to-end
The conformance E2E suite (`.github/workflows/conformance.yml`) ran clean against Astro 6 on every push since the upgrade landed:
- ✅ `examples/astro-blog` — boots under `astro dev`, `dualmark verify` passes
- ✅ `examples/astro-cloudflare-full` — boots under `wrangler dev`, full 125/125 conformance
- ✅ All 313 unit/integration tests across `@dualmark/*` pass on Astro 6.3.1 (resolved from `^6.1.10`)
Full changelogs
- @dualmark/astro
- @dualmark/core (unchanged)
- @dualmark/converters (unchanged)
- @dualmark/nextjs (unchanged)
- @dualmark/cloudflare (unchanged)
- @dualmark/cli (unchanged)