Skip to content

Bump astro from 5.14.1 to 5.14.4 in /site in the npm_and_yarn group across 1 directory#1

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/site/npm_and_yarn-8554045f87
Closed

Bump astro from 5.14.1 to 5.14.4 in /site in the npm_and_yarn group across 1 directory#1
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/site/npm_and_yarn-8554045f87

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Oct 11, 2025

Bumps the npm_and_yarn group with 1 update in the /site directory: astro.

Updates astro from 5.14.1 to 5.14.4

Release notes

Sourced from astro's releases.

astro@5.14.4

Patch Changes

astro@5.14.3

Patch Changes

  • #14505 28b2a1d Thanks @​matthewp! - Fixes Cannot set property manifest error in test utilities by adding a protected setter for the manifest property

  • #14235 c4d84bb Thanks @​toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabled

Changelog

Sourced from astro's changelog.

5.14.4

Patch Changes

5.14.3

Patch Changes

  • #14505 28b2a1d Thanks @​matthewp! - Fixes Cannot set property manifest error in test utilities by adding a protected setter for the manifest property

  • #14235 c4d84bb Thanks @​toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabled

5.14.2

Patch Changes

  • #14459 916f9c2 Thanks @​florian-lefebvre! - Improves font files URLs in development when using the experimental fonts API by showing the subset if present

  • b8ca69b Thanks @​ascorbic! - Aligns dev image server file base with Vite rules

  • #14469 1c090b0 Thanks @​delucis! - Updates tinyexec dependency

  • #14460 008dc75 Thanks @​florian-lefebvre! - Fixes a case where astro:config/server values typed as URLs would be serialized as strings

  • #13730 7260367 Thanks @​razonyang! - Fixes a bug in i18n, where Astro caused an infinite loop when a locale that doesn't have an index, and Astro falls back to the index of the default locale.

  • 6ee63bf Thanks @​matthewp! - Adds security.allowedDomains configuration to validate X-Forwarded-Host headers in SSR

    The X-Forwarded-Host header will now only be trusted if it matches one of the configured allowed host patterns. This prevents host header injection attacks that can lead to cache poisoning and other security vulnerabilities.

    Configure allowed host patterns to enable X-Forwarded-Host support:

    // astro.config.mjs
export default defineConfig({
  output: 'server',
  adapter: node(),
  security: {
    allowedDomains: [
      { hostname: 'example.com' },
      { hostname: '*.example.com' },
      { hostname: 'cdn.example.com', port: '443' },
    ],
  },
});

    The patterns support wildcards (* and **) for flexible hostname matching and can optionally specify protocol and port.

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump astro in /site in the npm_and_yarn group across 1 directory
0fc80b2 
Bumps the npm_and_yarn group with 1 update in the /site directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).


Updates `astro` from 5.14.1 to 5.14.4
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.14.4/packages/astro)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 5.14.4
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Mar 4, 2026

Superseded by #3.

@dependabot dependabot Bot closed this Mar 4, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/site/npm_and_yarn-8554045f87 branch March 4, 2026 02:54
ebursztein added a commit that referenced this pull request Apr 20, 2026
@ebursztein
fix(app): unblock update-dialog runtime worker + 0600 session logs
ce26c06 
Two independent but colocated bugs in crates/capsem-app/src/main.rs.

1. blocking_show() in async context.
   check_for_update_with_prompt is an async fn spawned on the tauri/
   tokio runtime, and it called tauri_plugin_dialog's .blocking_show()
   at line 108. The user can leave the dialog sitting for seconds or
   minutes, so a runtime worker was held for human time -- same
   anti-pattern as std::process::Command in async (tray fix, bug #1).

   spawn_blocking is NOT the fix here: its bounded pool is for short
   blocking I/O, not human-time waits. The idiomatic path is the
   plugin's callback-based .show(|accepted| ...) bridged to the async
   call site via tokio::sync::oneshot. Same shape, zero threads held.

2. World-readable session logs.
   ~/.capsem/logs/<ts>.jsonl was opened via std::fs::File::create,
   which respects the process umask (typically 0644) and makes the
   file readable by every local user. The log stream includes tracing
   spans with VM ids, filesystem paths, provider API metadata, and
   tool-call arguments. Factored an open_log_file(path) that uses
   OpenOptions::mode(0o600) under cfg(unix) with a plain fallback,
   matching pty_log.rs, the gateway auth token, per-VM sockets, and
   capsem-core's key helpers (dev-rust-patterns lesson 14).

TDD: 2 new tests in capsem-app
  - open_log_file_creates_file_and_returns_writable_handle
  - open_log_file_restricts_permissions_to_0600 (cfg(unix))
Stated up front: the dialog bug is not unit-testable without a live
Tauri app harness, so the fix ships on visual diff + green existing
suite + clippy -D warnings. All 14 capsem-app tests pass.

Clippy: cleared a pre-existing needless_borrows_for_generic_args on
the deep-link window.eval call in the same file to keep the gate
green per the no-pre-existing-dismissal rule.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants