chore(deps): patch 13 of 15 Dependabot alerts

[NicolaasGrobler]

Summary

Closes 13 of 15 open Dependabot alerts. Two transitive alerts (glib 0.18.5, rand 0.7.3) are deferred — they're pinned by tauri 2.11.1 and need an upstream Tauri bump to GTK 0.20 bindings.

Fixes

#	Severity	Package	Change
15	high	quinn-proto	Cargo.lock 0.11.13 → 0.11.14
13	medium	astro	website astro ^5 → ^6 (6.3.2)
14	low	astro	(same bump)
6	medium	vite	vitest ^2.1.9 → ^3.2.4 dedupes nested vite to 6.4.2
1	medium	esbuild	(same bump) dedupes esbuild to 0.25.12
2, 3, 4, 5, 7, 8, 9, 10	medium	dompurify	npm overrides forces monaco's nested dompurify to ^3.4.3

Won't fix in this PR

• ~14 shortcuts advertised in DataGrip keymap preset are not wired #11 glib 0.18.5 unsoundness — pinned via tauri 2.11.1 → gtk 0.18.2 → glib 0.18. Needs Tauri upstream to bump GTK bindings to 0.20.
• Ctrl+Shift+F double-bound (global search vs Monaco format-document) #12 rand 0.7.3 unsoundness — pulled in via tauri-utils 2.9.1 → kuchikiki → selectors → phf_codegen 0.8 → phf_generator 0.8 → rand 0.7. Build-time codegen only; triggered only with a custom logger using rand::rng() (non-exploitable in practice).

Code change beyond lockfiles

Astro 6 changed prerender chunk layout, breaking the relative-path readFileSync in website/src/lib/changelog.ts. Switched to a Vite ?raw import — bundled at build time, no runtime filesystem lookup, strictly more robust.

Test plan

• npx tsc --noEmit clean
• npm test — all 82 vitest tests pass on vitest 3
• cargo check clean
• cd website && npx astro build clean (22 pages built including /changelog)
• CI green

Summary by CodeRabbit

• Chores
  • Updated Vitest to v3.2.4 for development
  • Updated Astro to v6.0.0 and Astro MDX integration to v5.0.0

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
queryden	Ready	Preview, Comment	May 15, 2026 4:26am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fcb0bf26-3faa-4c97-857c-f572b3a3187e

📥 Commits

Reviewing files that changed from the base of the PR and between 6fd1da2 and a39289e.

⛔ Files ignored due to path filters (3)

• package-lock.json is excluded by !**/package-lock.json
• src-tauri/Cargo.lock is excluded by !**/*.lock
• website/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)

• package.json
• website/package.json
• website/src/lib/changelog.ts

---

📝 Walkthrough

Walkthrough

This PR upgrades Astro and related dependencies in the website package, refactors changelog loading to use Astro's raw import instead of Node filesystem APIs, and bumps vitest to version 3 in the root package dependencies.

Changes

Tooling and Dependency Updates

Layer / File(s)	Summary
Website dependencies upgrade website/package.json	Astro bumped from ^5.0.0 to ^6.0.0 and @astrojs/mdx bumped from ^4.3.14 to ^5.0.0 to support the new changelog loading approach.
Changelog loading via Astro raw import website/src/lib/changelog.ts	Changelog now imports CHANGELOG.md directly using Astro's ?raw query parameter as CHANGELOG_RAW instead of reading from disk with Node fs/url/path, eliminating filesystem I/O at runtime.
Vitest development dependency upgrade package.json	vitest upgraded from ^2.1.9 to ^3.2.4 in root package devDependencies.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

A rabbit hops through the dependencies with glee,
Astro raw imports flow swift and free,
vitest climbs higher, version three's here,
Changelog loads faster, without a filesystem tear, 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main objective of the PR: addressing 13 out of 15 Dependabot security alerts through dependency version updates.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/dependabot-security-fixes

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}