chore(deps-dev): bump astro from 5.18.0 to 6.2.1 by dependabot[bot] · Pull Request #116 · viv/review-loop

dependabot · 2026-05-03T01:23:57Z

Bumps astro from 5.18.0 to 6.2.1.

Release notes

astro@6.2.1

Patch Changes

#16531 76db01d Thanks @rodrigosdev! - Fixes config validation for omitted integrations fields with newer Zod versions.

#16535 7df0fe4 Thanks @rururux! - Fixed an issue where a warning was displayed when the server property was missing during config validation, even though it is not required.

#16534 5cf6c51 Thanks @matthewp! - Fixes compatibility with Zod 4.4.0 for the server config property and error formatting

astro@6.2.0

Minor Changes
#16187 fe58071 Thanks @gllmt! - Adds a waitUntil option to the RenderOptions so that adapters can forward runtime background-task hooks to Astro.

When provided by an adapter, runtime cache providers receive context.waitUntil in CacheProvider.onRequest(), which allows background cache work such as stale-while-revalidate without blocking the response. The Cloudflare adapter now forwards ExecutionContext.waitUntil to this API.

#16290 a49637a Thanks @ViVaLaDaniel! - Ensures that server.allowedHosts (and vite.preview.allowedHosts) configuration is respected when using astro preview with the @astrojs/cloudflare adapter. This improves security by preventing DNS rebinding attacks when previewing Cloudflare builds locally.
#15725 4108ec1 Thanks @meyer! - Adds support for a new 'jsx' value for the compressHTML option. When set, whitespace is stripped using JSX whitespace rules instead of the default HTML compression strategy.
// astro.config.mjs
import { defineConfig } from 'astro/config';
export default defineConfig({
compressHTML: 'jsx',
});
In JSX, whitespaces never matter, as such, no amount of indentation, or newlines will not affect the rendered output. For instance, the following code:
<div>
  <span>foo</span>
  <span>bar</span>
</div>
will be rendered as foobar, whereas with HTML whitespace rules, a space would be present between the words due to the newline and indentation between the tags.
#16477 28fb3e1 Thanks @ematipico! - Adds experimental support for configurable log handlers.

This experimental feature provides better control over Astro's logging infrastructure by allowing users to replace the default console output with custom logging implementations (e.g., structured JSON). This is particularly useful for users using on-demand rendering and wishing to connect their log aggregation services, such as Kibana, Logstash, CloudWatch, Grafana, or Loki.

By default, Astro provides three built-in log handlers (json, node, and console), but you can also create your own.

JSON logging

... (truncated)

Changelog

Sourced from astro's changelog.

6.2.1

Patch Changes

#16531 76db01d Thanks @rodrigosdev! - Fixes config validation for omitted integrations fields with newer Zod versions.

#16535 7df0fe4 Thanks @rururux! - Fixed an issue where a warning was displayed when the server property was missing during config validation, even though it is not required.

#16534 5cf6c51 Thanks @matthewp! - Fixes compatibility with Zod 4.4.0 for the server config property and error formatting

6.2.0

Minor Changes
#16187 fe58071 Thanks @gllmt! - Adds a waitUntil option to the RenderOptions so that adapters can forward runtime background-task hooks to Astro.

When provided by an adapter, runtime cache providers receive context.waitUntil in CacheProvider.onRequest(), which allows background cache work such as stale-while-revalidate without blocking the response. The Cloudflare adapter now forwards ExecutionContext.waitUntil to this API.

#16290 a49637a Thanks @ViVaLaDaniel! - Ensures that server.allowedHosts (and vite.preview.allowedHosts) configuration is respected when using astro preview with the @astrojs/cloudflare adapter. This improves security by preventing DNS rebinding attacks when previewing Cloudflare builds locally.
#15725 4108ec1 Thanks @meyer! - Adds support for a new 'jsx' value for the compressHTML option. When set, whitespace is stripped using JSX whitespace rules instead of the default HTML compression strategy.
// astro.config.mjs
import { defineConfig } from 'astro/config';
export default defineConfig({
compressHTML: 'jsx',
});
In JSX, whitespaces never matter, as such, no amount of indentation, or newlines will not affect the rendered output. For instance, the following code:
<div>
  <span>foo</span>
  <span>bar</span>
</div>
will be rendered as foobar, whereas with HTML whitespace rules, a space would be present between the words due to the newline and indentation between the tags.
#16477 28fb3e1 Thanks @ematipico! - Adds experimental support for configurable log handlers.

This experimental feature provides better control over Astro's logging infrastructure by allowing users to replace the default console output with custom logging implementations (e.g., structured JSON). This is particularly useful for users using on-demand rendering and wishing to connect their log aggregation services, such as Kibana, Logstash, CloudWatch, Grafana, or Loki.

By default, Astro provides three built-in log handlers (json, node, and console), but you can also create your own.

... (truncated)

Commits

cc02799 [ci] release (#16533)
5cf6c51 fix: Zod 4.4.0 compat for server config and error map (#16534)
7df0fe4 fix(astro): make server property correctly optional in config validation (#...
76db01d fix(config): update validation for omitted integrations fields with newer Z...
3af3543 [ci] release (#16512)
b7916ef docs: improve readability of remotePattern section (#16508)
449b51d fix(test): type html minification properties (#16514)
f832c3b fix: cloudflare allowed hosts test (#16513)
b9a5b58 [ci] format
0f7c3c8 feat: svg optimizer (#16333)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) from 5.18.0 to 6.2.1. - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@6.2.1/packages/astro) --- updated-dependencies: - dependency-name: astro dependency-version: 6.2.1 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-05-03T01:24:15Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
✅ 0 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
✅ 0 package(s) with unknown licenses.
⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

OpenSSF Scorecard

Scorecard details

Package

Version

Score

Details

npm/@astrojs/compiler

4.0.0

Unknown

npm/@astrojs/internal-helpers

0.9.0

Unknown

npm/@astrojs/markdown-remark

7.1.1

Unknown

npm/@astrojs/prism

4.0.1

Unknown

npm/@astrojs/telemetry

3.3.1

Unknown

npm/@clack/core

1.3.0

Unknown

npm/@clack/prompts

1.3.0

Unknown

npm/@shikijs/core

4.0.2

🟢 4.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 9/29 approved changesets -- score normalized to 3
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@shikijs/engine-javascript

4.0.2

🟢 4.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 9/29 approved changesets -- score normalized to 3
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@shikijs/engine-oniguruma

4.0.2

🟢 4.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 9/29 approved changesets -- score normalized to 3
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@shikijs/langs

4.0.2

🟢 4.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 9/29 approved changesets -- score normalized to 3
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@shikijs/primitive

4.0.2

🟢 4.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 9/29 approved changesets -- score normalized to 3
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@shikijs/themes

4.0.2

🟢 4.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 9/29 approved changesets -- score normalized to 3
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@shikijs/types

4.0.2

🟢 4.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 9/29 approved changesets -- score normalized to 3
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@types/debug

4.1.13

🟢 6.5

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/29 approved changesets -- score normalized to 8
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts	🟢 10	no binaries found in the repo
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed

npm/astro

6.2.1

Unknown

npm/common-ancestor-path

2.0.0

🟢 3.4

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 0/11 approved changesets -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Packaging	⚠️ -1	packaging workflow not detected
SAST	⚠️ 0	no SAST tool detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	🟢 10	security policy file detected

npm/cookie-es

1.2.3

Unknown

npm/defu

6.1.7

🟢 4.3

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	⚠️ 1	Found 5/27 approved changesets -- score normalized to 1
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	🟢 10	14 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	⚠️ 0	security policy file not detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/es-module-lexer

2.1.0

⚠️ 2.9

Details

Check	Score	Reason
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Code-Review	⚠️ 0	Found 2/30 approved changesets -- score normalized to 0
Maintained	⚠️ 2	3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 9	binaries present in source code
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/fast-string-truncated-width

3.0.3

Unknown

npm/fast-string-width

3.0.2

Unknown

npm/fast-wrap-ansi

0.2.0

Unknown

npm/h3

1.15.11

Unknown

npm/is-docker

4.0.0

🟢 3.6

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 1	Found 4/30 approved changesets -- score normalized to 1
Security-Policy	🟢 10	security policy file detected
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/lru-cache

11.3.5

🟢 5.8

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 0/25 approved changesets -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
SAST	🟢 10	SAST tool is run on all commits

npm/mdast-util-from-markdown

2.0.3

🟢 4

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 5	4 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 5
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 0	Found 1/30 approved changesets -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/oniguruma-parser

0.12.2

Unknown

npm/oniguruma-to-es

4.3.6

Unknown

npm/p-limit

7.3.0

🟢 4.5

Details

Check	Score	Reason
Code-Review	⚠️ 1	Found 5/30 approved changesets -- score normalized to 1
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Maintained	🟢 9	7 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 9
Binary-Artifacts	🟢 10	no binaries found in the repo
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/p-queue

9.2.0

🟢 4.4

Details

Check	Score	Reason
Maintained	🟢 8	9 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 8
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 1	Found 3/30 approved changesets -- score normalized to 1
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Security-Policy	🟢 10	security policy file detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/p-timeout

7.0.1

🟢 3.8

Details

Check	Score	Reason
Code-Review	🟢 3	Found 11/30 approved changesets -- score normalized to 3
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/picomatch

2.3.2

🟢 6.2

Details

Check	Score	Reason
Code-Review	🟢 3	Found 6/20 approved changesets -- score normalized to 3
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Maintained	🟢 10	20 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 2	SAST tool is not run on all commits -- score normalized to 2

npm/picomatch

4.0.4

🟢 6.2

Details

Check	Score	Reason
Code-Review	🟢 3	Found 6/20 approved changesets -- score normalized to 3
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Maintained	🟢 10	20 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 2	SAST tool is not run on all commits -- score normalized to 2

npm/shiki

4.0.2

🟢 4.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 9/29 approved changesets -- score normalized to 3
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/smol-toml

1.6.1

Unknown

npm/tinyclip

0.1.12

Unknown

npm/tinyexec

1.1.2

Unknown

npm/unstorage

1.17.5

🟢 4.5

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 2	Found 7/30 approved changesets -- score normalized to 2
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Security-Policy	⚠️ 0	security policy file not detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/vite

7.3.2

🟢 6.7

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 7	Found 20/26 approved changesets -- score normalized to 7
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	🟢 5	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 5	binaries present in source code
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	🟢 6	SAST tool is not run on all commits -- score normalized to 6

npm/vitefu

1.1.3

Unknown

npm/yargs-parser

22.0.0

🟢 4

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 8	Found 12/15 approved changesets -- score normalized to 8
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	⚠️ 0	0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

Scanned Files

package-lock.json

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 3, 2026

dependabot Bot mentioned this pull request May 3, 2026

chore(deps-dev): bump astro from 5.18.0 to 6.1.9 #111

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps-dev): bump astro from 5.18.0 to 6.2.1#116

chore(deps-dev): bump astro from 5.18.0 to 6.2.1#116
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/astro-6.2.1

dependabot Bot commented on behalf of github May 3, 2026

JSON logging

Uh oh!

github-actions Bot commented May 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 3, 2026

astro@6.2.1

Patch Changes

astro@6.2.0

Minor Changes

JSON logging

6.2.1

Patch Changes

6.2.0

Minor Changes

Uh oh!

github-actions Bot commented May 3, 2026

Dependency Review

OpenSSF Scorecard

Scanned Files

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants