chore(docs): upgrade Astro 5.18.1 -> 6.2.1 #1110

Merged
danielmeppiel merged 4 commits into main from chore/upgrade-astro-6.2.1
May 2, 2026

@danielmeppiel
Collaborator

TL;DR

Upgrades the docs site to Astro 6.2.1 (latest stable) and brings the Starlight ecosystem peers along. Verified locally with a clean npm install + npm run build (51 pages, link validator green, no new warnings). The Deploy Docs workflow build job runs on this PR via pull_request: paths: ['docs/**'] and gates the change.

Version bumps (docs/package.json)

| Package | Before | After | Why |
| --- | --- | --- | --- |
| astro | 5.18.1 | 6.2.1 | latest stable Astro 6 |
| @astrojs/starlight | 0.37.6 | 0.38.4 | Starlight 0.38+ requires astro ^6 |
| astro-mermaid | ^1.3.1 | ^2.0.1 | 1.x peers `astro ^4 |
| starlight-links-validator | ^0.19.2 | ^0.24.0 | requires astro >=6 |
| starlight-llms-txt | ^0.7.0 | ^0.8.1 | requires astro ^6 |
| @astrojs/sitemap (override) | 3.7.0 | 3.7.2 | minor bump, keeps the override pin meaningful |

Astro 5 -> 6 risk surface (assessed, none hit this project)

  • Node >=22.12.0: docs.yml uses node-version: '22', which resolves to the latest 22.x on the runner -> satisfies the floor.
  • Vite 7: no custom Vite config in astro.config.mjs.
  • Zod 4: only schema usage is docsSchema() from Starlight; no custom Zod schemas to migrate.
  • Shiki 4: no Shiki APIs used directly (config relies on expressiveCode defaults).
  • Legacy content collections removed: src/content.config.ts already uses the Content Layer API (docsLoader()).
  • astro-mermaid 1.x -> 2.x is a major bump; build succeeded but reviewers may want to spot-check a mermaid-heavy page in the Pages preview.

Validation

$ cd docs && rm -rf node_modules package-lock.json && npm install && npm run build
...
[build] 51 page(s) built in 10.49s
[build] Complete!
All internal links are valid.

CI Deploy Docs / build job runs on this PR (no deploy until a stable release tag fires the workflow). Merge once that job is green.

Daniel Meppiel and others added 3 commits May 2, 2026 18:47
CodeQL py/incomplete-url-substring-sanitization (alerts #88, #89, #90, #91)
flagged four assertions that substring-checked 'gitlab.com' inside CLI
output / exception text. Per .github/instructions/tests.instructions.md
URL/host assertions must compare on a parsed component, not a raw substring.

Adds a small _quoted_hosts() helper at the top of each affected test file
that regex-extracts `Host '<host>'` tokens, normalises each via
urllib.parse.urlparse, and returns a set. Call sites switch from
`assert 'gitlab.com' in output` to `assert _quoted_hosts(output) == {'gitlab.com'}` -- set equality on parsed hostnames, the canonical pattern from
the tests-instructions file.

Behaviour preserved:
- Tests still verify the host name is named in the user-facing error.
- 'not supported' / 'not a supported marketplace source' phrase checks
  unchanged (plain English, not host substrings).
- 'credential' / 'leak' negative assertions unchanged.

Verified:
- Targeted 4 tests: pass.
- Full tests/unit/marketplace/ suite: 905 passed.
- ruff check + ruff format --check: silent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
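
An added illustration of the substring-versus-parsed-host point made in the commit message above (not code from this repository). The `quoted_hosts` helper is modelled on the approach the message describes, and the sample error strings are constructed for the example:

```python
import re
from urllib.parse import urlparse

# Constructed error strings for illustration; not real CLI output.
SAMPLES = {
    "exact": "Host 'gitlab.com' is not a supported marketplace source",
    "suffix": "Host 'gitlab.com.mirror.example' is not a supported marketplace source",
    "prefix": "Host 'notgitlab.com' is not a supported marketplace source",
    "two_hosts": "Host 'gitlab.com' failed; Host 'github.com' is not supported",
    "mixed_case": "Host 'GitLab.com' is not a supported marketplace source",
}


def substring_check(output: str) -> bool:
    """The flagged pattern: a raw substring test for the host name."""
    return "gitlab.com" in output


def quoted_hosts(output: str) -> set[str]:
    """Parse every Host '<host>' token and return the set of hostnames."""
    hosts: set[str] = set()
    for m in re.finditer(r"Host '([^']+)'", output, re.IGNORECASE):
        hostname = urlparse(f"https://{m.group(1)}").hostname  # lowercased
        if hostname:
            hosts.add(hostname)
    return hosts


def parsed_check(output: str) -> bool:
    """The replacement pattern: set equality on parsed hostnames."""
    return quoted_hosts(output) == {"gitlab.com"}


def compare() -> dict[str, tuple[bool, bool]]:
    """Return (substring result, parsed result) for each sample."""
    return {k: (substring_check(v), parsed_check(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sub, parsed) in compare().items():
        print(f"{name:<11} substring={sub!s:<5} parsed={parsed}")
```

The substring test accepts the look-alike and extra-host messages and rejects the mixed-case one; the parsed comparison gets all five right.
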
- astro 5.18.1 -> 6.1.6
- @astrojs/starlight 0.37.6 -> 0.38.4
- astro-mermaid ^1.3.1 -> ^2.0.1
- starlight-links-validator ^0.19.2 -> ^0.24.0
- starlight-llms-txt ^0.7.0 -> ^0.8.1
- @astrojs/sitemap override 3.7.0 -> 3.7.2

Verified: `npm run build` succeeds, 51 pages, link validator passes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 2, 2026 17:41
Contributor

Copilot AI left a comment

Pull request overview

Upgrades the documentation site (Astro/Starlight ecosystem) to versions compatible with Astro 6, and adjusts a few marketplace unit tests to avoid URL/host substring assertions that can trigger CodeQL rules.

Changes:

  • Bump docs site dependencies to Astro 6.2.1 and compatible Starlight-related packages.
  • Update marketplace CLI/client unit tests to assert hostnames via parsed values (rather than substring matches).

| File | Description |
| --- | --- |
| tests/unit/marketplace/test_marketplace_commands.py | Replaces host substring assertions with parsed-host set equality via a helper. |
| tests/unit/marketplace/test_marketplace_client.py | Same parsed-host assertion approach for a MarketplaceFetchError message. |
| docs/package.json | Updates Astro/Starlight and related docs-site dependencies to Astro 6-compatible versions. |
| docs/package-lock.json | Lockfile refresh reflecting the Astro 6 + peer dependency upgrades. |

Copilot's findings

  • Files reviewed: 3/4 changed files
  • Comments generated: 3

Comment thread docs/package.json
Comment on lines +13 to +15
"@astrojs/starlight": "0.38.4",
"astro": "6.2.1",
"astro-mermaid": "^2.0.1",
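
Review bot: "astro-mermaid" is the only one of these three entries declared with a caret range ("^2.0.1"), while "@astrojs/starlight" and "astro" are pinned exactly. The PR description singles out the astro-mermaid 1.x -> 2.x major bump as the change that needs a visual spot-check, and the validation run deleted package-lock.json before installing, so a later fresh resolve can pick up a newer 2.x than the one that was built and reviewed. Consider pinning it exactly like its neighbours, or confirm that CI installs strictly from the committed lockfile.
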
Comment on lines +18 to +33
def _quoted_hosts(text: str) -> set[str]:
"""Extract host tokens from `Host '<host>'` patterns in error text.

Each token is normalised through ``urllib.parse.urlparse`` so callers
compare on parsed hostnames (set equality), not raw substrings -- which
is what CodeQL's ``py/incomplete-url-substring-sanitization`` rule
requires (see ``.github/instructions/tests.instructions.md``).
"""
hosts: set[str] = set()
for m in re.finditer(r"Host '([^']+)'", text, re.IGNORECASE):
parsed = urlparse(f"https://{m.group(1)}")
if parsed.hostname:
hosts.add(parsed.hostname)
return hosts
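
Review bot: in the loop body, urlparse(f"https://{m.group(1)}") followed by parsed.hostname silently normalises whatever sits between the quotes, so a captured token that is not a bare host (one carrying a path, port or userinfo part) still collapses to a plain hostname and the set-equality assertion passes. If these tests are meant to pin the exact host text shown to the user, also check that the captured token, lowercased, equals parsed.hostname and fail when it does not. A docstring line noting that case is folded to lowercase would help as well.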


Comment on lines +16 to +20
def _quoted_hosts(text: str) -> set[str]:
"""Extract host tokens from `Host '<host>'` patterns in error text.

Each token is normalised through ``urllib.parse.urlparse`` so callers
compare on parsed hostnames (set equality), not raw substrings -- which
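
Review bot: this def _quoted_hosts is a second copy of the helper added in the other marketplace test file, docstring included. Two copies of a regex-plus-urlparse helper will drift apart over time; move it into a shared test helper (a conftest.py fixture or a small module under tests/unit/marketplace/) and import it from both files.
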
mermaid 11.14.0 transitively pulls uuid@11.1.1, which is flagged by
dependency-review-action (moderate severity, GHSA-w5hq-g745-h8pq:
v3/v5/v6 missing buffer bounds check). Force the fixed v14 via npm
overrides; mermaid only uses v4 for diagram IDs so this is API-safe.
`npm audit` reports 0 vulnerabilities post-override and the docs
build still produces 51 pages cleanly.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danielmeppiel danielmeppiel merged commit 6940f3a into main May 2, 2026
11 checks passed
@danielmeppiel danielmeppiel deleted the chore/upgrade-astro-6.2.1 branch May 2, 2026 21:15