chore(deps): bump the npm_and_yarn group across 2 directories with 3 updates #15

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-cb46c9b6e0

dependabot Bot commented on behalf of github Jun 20, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: astro.
Bumps the npm_and_yarn group with 2 updates in the /cli directory: esbuild and @mariozechner/pi-coding-agent.

Updates astro from 6.4.5 to 6.4.6

Release notes

Sourced from astro's releases.

astro@6.4.6

Patch Changes

  • #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

  • #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

  • #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

Updates esbuild from 0.27.7 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Updates @mariozechner/pi-coding-agent from 0.65.2 to 0.73.1

Release notes

Sourced from @​mariozechner/pi-coding-agent's releases.

v0.73.1

New Features

  • Self-update support for the npm scope migration: pi update --self now supports the upcoming package rename from @mariozechner/pi-coding-agent to @earendil-works/pi-coding-agent. After the new package is published, existing global installs can update through the normal self-update flow; pi will uninstall the old global package and install the package name returned by the version check endpoint.
  • Interactive OAuth login selection: OAuth providers can now present multiple login choices in /login, enabling provider-specific interactive authentication flows. See Providers.
  • JSONC-style models.json parsing: models.json now allows comments and trailing commas, making custom provider and model configuration easier to maintain. See Providers and Custom Providers.

Added

  • Added interactive login selection support so OAuth providers can present multiple login choices (#4190 by @​mitsuhiko).

Changed

  • Changed pi update --self to honor the active package name returned by the Pi version check endpoint, defaulting to the current package when omitted and uninstalling the old global package before installing a renamed package.
  • Changed extension loading to use upstream jiti 2.7 instead of the @mariozechner/jiti fork (#4244 by @​pi0).
  • Changed models.json parsing to allow comments and trailing commas (#4162 by @​julien-c).

Fixed

  • Fixed pi -p treating prompts that start with YAML frontmatter as extension flags instead of user messages (#4163).
  • Fixed pending tool results not updating in the live TUI after toggling thinking block visibility while the tool is running (#4167).
  • Fixed /copy reporting success on Linux without writing the clipboard on Wayland-only compositors (Hyprland, Niri, ...) by skipping the X11-only native addon on Linux and routing through wl-copy/xclip/xsel instead (#4177).
  • Fixed HTML session exports to strip skill wrapper XML from rendered user messages (#4234 by @​aliou).
  • Fixed OpenAI-compatible chat completion streams that interleave content and tool-call deltas in the same choice.
  • Fixed OpenAI Codex OAuth refresh failures writing directly to stderr while the TUI is active (#4141).
  • Fixed OpenAI Codex Responses requests to send a non-empty system prompt (#4184).
  • Fixed Kimi For Coding model resolution for the Kimi K2 P6 alias (#4218).
  • Fixed Kitty inline image redraws to stay within TUI-owned terminal regions and avoid writing below the active viewport.
  • Fixed Kitty inline image rendering by letting the terminal allocate image ids and bounding parsed image ids to valid values.
  • Fixed inline image capability detection to disable inline images in cmux terminals.

v0.73.0

New Features

Breaking Changes

  • Switched the built-in xiaomi provider from Token Plan AMS to Xiaomi's API billing endpoint, and renamed its /login display from "Xiaomi MiMo Token Plan" to "Xiaomi MiMo". XIAOMI_API_KEY now refers to the API billing key from platform.xiaomimimo.com. Users on Token Plan should switch to the appropriate xiaomi-token-plan-* provider and set the corresponding env var (#4112 by @​Phoen1xCode).

Added

  • Added three Xiaomi MiMo Token Plan regional providers visible in /login: xiaomi-token-plan-cn (XIAOMI_TOKEN_PLAN_CN_API_KEY), xiaomi-token-plan-ams (XIAOMI_TOKEN_PLAN_AMS_API_KEY), xiaomi-token-plan-sgp (XIAOMI_TOKEN_PLAN_SGP_API_KEY). Each defaults to mimo-v2.5-pro (#4112 by @​Phoen1xCode).

Changed

... (truncated)

Changelog

Sourced from @​mariozechner/pi-coding-agent's changelog.

[0.73.1] - 2026-05-07

New Features

  • Self-update support for the npm scope migration: pi update --self now supports the upcoming package rename from @mariozechner/pi-coding-agent to @earendil-works/pi-coding-agent. After the new package is published, existing global installs can update through the normal self-update flow; pi will uninstall the old global package and install the package name returned by the version check endpoint.
  • Interactive OAuth login selection: OAuth providers can now present multiple login choices in /login, enabling provider-specific interactive authentication flows. See Providers.
  • JSONC-style models.json parsing: models.json now allows comments and trailing commas, making custom provider and model configuration easier to maintain. See Providers and Custom Providers.

Added

  • Added interactive login selection support so OAuth providers can present multiple login choices (#4190 by @​mitsuhiko).

Changed

  • Changed pi update --self to honor the active package name returned by the Pi version check endpoint, defaulting to the current package when omitted and uninstalling the old global package before installing a renamed package.
  • Changed extension loading to use upstream jiti 2.7 instead of the @mariozechner/jiti fork (#4244 by @​pi0).
  • Changed models.json parsing to allow comments and trailing commas (#4162 by @​julien-c).

Fixed

  • Fixed pi -p treating prompts that start with YAML frontmatter as extension flags instead of user messages (#4163).
  • Fixed pending tool results not updating in the live TUI after toggling thinking block visibility while the tool is running (#4167).
  • Fixed /copy reporting success on Linux without writing the clipboard on Wayland-only compositors (Hyprland, Niri, ...) by skipping the X11-only native addon on Linux and routing through wl-copy/xclip/xsel instead (#4177).
  • Fixed HTML session exports to strip skill wrapper XML from rendered user messages (#4234 by @​aliou).
  • Fixed OpenAI-compatible chat completion streams that interleave content and tool-call deltas in the same choice.
  • Fixed OpenAI Codex OAuth refresh failures writing directly to stderr while the TUI is active (#4141).
  • Fixed OpenAI Codex Responses requests to send a non-empty system prompt (#4184).
  • Fixed Kimi For Coding model resolution for the Kimi K2 P6 alias (#4218).
  • Fixed Kitty inline image redraws to stay within TUI-owned terminal regions and avoid writing below the active viewport.
  • Fixed Kitty inline image rendering by letting the terminal allocate image ids and bounding parsed image ids to valid values.
  • Fixed inline image capability detection to disable inline images in cmux terminals.

[0.73.0] - 2026-05-04

New Features

Breaking Changes

  • Switched the built-in xiaomi provider from Token Plan AMS to Xiaomi's API billing endpoint, and renamed its /login display from "Xiaomi MiMo Token Plan" to "Xiaomi MiMo". XIAOMI_API_KEY now refers to the API billing key from platform.xiaomimimo.com. Users on Token Plan should switch to the appropriate xiaomi-token-plan-* provider and set the corresponding env var (#4112 by @​Phoen1xCode).

Added

  • Added three Xiaomi MiMo Token Plan regional providers visible in /login: xiaomi-token-plan-cn (XIAOMI_TOKEN_PLAN_CN_API_KEY), xiaomi-token-plan-ams (XIAOMI_TOKEN_PLAN_AMS_API_KEY), xiaomi-token-plan-sgp (XIAOMI_TOKEN_PLAN_SGP_API_KEY). Each defaults to mimo-v2.5-pro (#4112 by @​Phoen1xCode).

Changed

... (truncated)

Commits
  • 781152f Release v0.73.1
  • 7fa924b docs: audit unreleased changelog entries
  • 5e1e4c3 feat(coding-agent): support renamed self-update package
  • 50993d7 chore(coding-agent): switch back from fork to upstream jiti 2.7 (#4244)
  • 8861966 fix(coding-agent): strip skill wrapper XML from HTML export user messages (#4...
  • 060c10b fix(coding-agent): skip X11-only native addon for /copy on Linux
  • 755da30 fix(coding-agent): keep pending tool renders after thinking toggle
  • b5755fd feat(oauth): support interactive login selection (#4190)
  • bb25a39 feat(coding-agent): allow comments and trailing commas in models.json (#4162)
  • bac2df3 fix(coding-agent): handle frontmatter prompts in print mode
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



…updates

Bumps the npm_and_yarn group with 1 update in the / directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).
Bumps the npm_and_yarn group with 2 updates in the /cli directory: [esbuild](https://github.com/evanw/esbuild) and [@mariozechner/pi-coding-agent](https://github.com/badlogic/pi-mono/tree/HEAD/packages/coding-agent).


Updates `astro` from 6.4.5 to 6.4.6
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.4.6/packages/astro)

Updates `esbuild` from 0.27.7 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.7...v0.28.1)

Updates `@mariozechner/pi-coding-agent` from 0.65.2 to 0.73.1
- [Release notes](https://github.com/badlogic/pi-mono/releases)
- [Changelog](https://github.com/earendil-works/pi/blob/main/packages/coding-agent/CHANGELOG.md)
- [Commits](https://github.com/badlogic/pi-mono/commits/v0.73.1/packages/coding-agent)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.4.6
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@mariozechner/pi-coding-agent"
  dependency-version: 0.73.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and javascript labels Jun 20, 2026
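
Added example (not part of this pull request, Dependabot's text, or esbuild's source): the esbuild v0.28.1 note above attributes the Windows traversal to Go's path.Clean() handling only `/`. This Go sketch shows that behaviour on constructed request paths next to a stricter variant that refuses `\`; all function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrBackslash marks request paths refused for containing '\'.
var ErrBackslash = errors.New("request path contains a backslash")

// CleanUnixOnly (hypothetical name) normalises with path.Clean alone.
// path.Clean splits on '/' only, so `..\..` stays one opaque element.
func CleanUnixOnly(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// EscapesRoot reports whether p climbs above its root when BOTH '/' and
// '\' are separators, which is how Windows file APIs read the string.
func EscapesRoot(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	depth := 0
	for _, seg := range strings.FieldsFunc(p, isSep) {
		switch seg {
		case ".":
		case "..":
			if depth--; depth < 0 {
				return true
			}
		default:
			depth++
		}
	}
	return false
}

// CleanStrict (hypothetical name) follows the rule stated in the release
// note: a request path containing '\' is not allowed at all.
func CleanStrict(reqPath string) (string, error) {
	if strings.ContainsRune(reqPath, '\\') {
		return "", ErrBackslash
	}
	return path.Clean("/" + reqPath), nil
}

func main() {
	// Constructed request paths, not taken from the advisory.
	for _, p := range []string{"/assets/app.js", "/../../outside.txt", `/..\..\outside.txt`} {
		loose := CleanUnixOnly(p)
		strict, err := CleanStrict(p)
		fmt.Printf("%-22q loose=%-22q escapes=%-5v strict=%q err=%v\n",
			p, loose, EscapesRoot(loose), strict, err)
	}
}
```

The forward-slash form is neutralised by path.Clean, while the backslash form passes through unchanged and still resolves above the root once `\` is read as a separator.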
vercel Bot commented Jun 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| grclanker | Ready | Preview, Comment | Jun 20, 2026 7:20am |

cloudflare-workers-and-pages Bot commented Jun 20, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ❌ Deployment failed (View logs) | grclanker | d871df7 | Jun 20 2026, 07:20 AM |
