fix(deps): update @astrojs packages #1591

Merged
lacolaco-actions-worker[bot] merged 1 commit into main from renovate/@astrojs-packages
Apr 27, 2026

@renovate renovate Bot commented Apr 27, 2026

This PR contains the following updates:

Package                   Change
@astrojs/node (source)    10.0.5 → 10.0.6
@astrojs/react (source)   5.0.3 → 5.0.4
astro (source)            6.1.8 → 6.1.9

Release Notes

withastro/astro (@astrojs/node)

v10.0.6

Compare Source

Patch Changes

withastro/astro (@astrojs/react)

v5.0.4

Compare Source

Patch Changes

withastro/astro (astro)

v6.1.9

Compare Source

Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions Bot commented Apr 27, 2026

🚀 Preview deployment ready!

✅ Preview URL: https://pr-1591---web-njpdbbjcea-an.a.run.app
📝 Commit SHA: 6ac22bf (view commit)

This comment was automatically generated by the deploy-preview workflow.

@renovate renovate Bot force-pushed the renovate/@astrojs-packages branch from 69eb03e to 6ac22bf Compare April 27, 2026 23:26
@renovate renovate Bot temporarily deployed to development April 27, 2026 23:26 Inactive
@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This PR updates three Astro packages with patch-level security and stability fixes:

1. astro: 6.1.8 → 6.1.9

Security Hardening (4 PRs merged):

  • #16422: Hardens astro-island export resolution to prevent malformed component metadata exploitation. Validates dot-separated component-export paths and rejects unsafe property names before module traversal
  • #16420: Eliminates unsafe HTML insertion in error overlay (replaced insertAdjacentHTML with DOM node creation) and prevents format-string interpolation in server logging
  • #16419: Implements prototype pollution protection by blocking __proto__, constructor, and prototype keys in action handlers, user preferences (dlv.ts), and MDX frontmatter processing

Dependency Updates:

  • #16448: Updates vite (^7.3.1→^7.3.2), picomatch (^4.0.3→^4.0.4), unstorage (^1.17.4→^1.17.5) to latest patch versions addressing multiple security advisories
  • Transitive updates: defu (6.1.4→6.1.7), h3 (1.15.11), cookie-es (1.2.3), lru-cache (11.3.5)

Bug Fix:

  • #16022: Fixes i18n domain routing 404 errors when trailingSlash: "never". The computePathnameFromDomain() function now respects trailingSlash configuration instead of always preserving the original URL's trailing slash

2. @astrojs/react: 5.0.3 → 5.0.4

  • Dependencies only: Updates @astrojs/internal-helpers (0.8.0→0.9.0) to receive the prototype pollution protection fixes

3. @astrojs/node: 10.0.5 → 10.0.6

  • Dependencies only: Updates @astrojs/internal-helpers (0.8.0→0.9.0) to receive the prototype pollution protection fixes

Breaking Changes: None
New Features: None
API Changes: None

🎯 Impact Scope Investigation

Package Usage Analysis:

  1. astro: Core framework

    • Used in: astro.config.ts, all .astro files (13 files), build pipeline
    • Impact: Internal security hardening only—no API changes affecting user code
  2. @astrojs/react: React integration

    • Configured in: astro.config.ts:20 (integrations: [sitemap(), react()])
    • Used for: Interactive components with client:idle directives (ArticleSummarizer.tsx, LikeButton.tsx, TTSControls.tsx in PostDetailPage.astro:82, 122, 137)
    • Impact: No changes to React integration API
  3. @astrojs/node: SSR adapter

    • Configured in: astro.config.ts:58-60 (adapter: node({ mode: 'standalone' }))
    • Output mode: static (astro.config.ts:57)
    • Impact: No adapter API changes; dependency updates only

i18n Configuration Check:

  • Current config: i18n: { defaultLocale: 'ja', locales: ['ja', 'en'] } (astro.config.ts:39-42)
  • trailingSlash: NOT explicitly configured (defaults to "ignore")
  • Impact of #16022 fix: No impact—this codebase doesn't use trailingSlash: "never" nor i18n domains

Security Hardening Relevance:

  • Prototype pollution fixes protect internal object traversal (action handlers, user preferences, MDX frontmatter)
  • Error overlay hardening applies to dev environment only
  • astro-island export validation protects component hydration—this codebase uses client:idle on 3 React components (ArticleSummarizer, LikeButton, TTSControls)

Dependency Chain Impact:

  • vite, picomatch, unstorage updates are transitive—no direct API usage detected in codebase
  • All updates maintain backward compatibility

💡 Recommended Actions

Immediate Action: Merge without manual migration

This is a patch-level security release with:

  • Zero breaking changes
  • Zero API modifications
  • Internal-only security hardening
  • Backward-compatible dependency updates

Pre-merge Validation:

# Run full test suite
pnpm test

# Verify build succeeds
pnpm build

# Check linting/formatting
pnpm lint
pnpm format:check

Post-merge Verification (via CI):

  • Verify dev server starts without errors (pnpm dev)
  • Confirm React component hydration works (ArticleSummarizer, LikeButton with client:idle)
  • Check i18n routing for both locales (ja/en)
  • Validate production build deploys successfully

No Code Changes Required: All security fixes are internal framework improvements with no user-facing API changes.

🔗 Reference Links

Generated by koki-develop/claude-renovate-review


🚫 Permission Denied Tool Executions

The following tool executions that Claude Code attempted were blocked due to insufficient permissions.
Consider adding them to allowed_tools if needed.

Run #25024997465 - 1 tool denied

Tool Input
WebSearch {"query":"astro 6.1.9 security patch vite picomatch unstorage 2026"}

Generated by koki-develop/claude-denied-tools
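
The review above describes two related hardenings: rejecting unsafe property names in dot-separated export paths, and blocking `__proto__`, `constructor` and `prototype` keys during object traversal. The sketch below shows that kind of guard as an added example; it is not Astro's code and not part of this PR, and the names `parsePath`, `safeGet`, `safeSet` and `demo` are hypothetical.

```javascript
// Added illustration, not Astro's implementation. All names are hypothetical.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Split a dot-separated path and reject empty or unsafe segments before any traversal.
function parsePath(path) {
  if (typeof path !== "string" || path === "") throw new TypeError("path must be a non-empty string");
  const segments = path.split(".");
  for (const seg of segments) {
    if (seg === "" || UNSAFE_KEYS.has(seg)) {
      throw new Error(`unsafe path segment: ${JSON.stringify(seg)}`);
    }
  }
  return segments;
}

// dlv-style read that follows own properties only, so inherited members are never reached.
function safeGet(obj, path, fallback) {
  let cur = obj;
  for (const seg of parsePath(path)) {
    if (cur === null || (typeof cur !== "object" && typeof cur !== "function")) return fallback;
    if (!hasOwn(cur, seg)) return fallback;
    cur = cur[seg];
  }
  return cur;
}

// Write counterpart: intermediate containers are created without a prototype.
function safeSet(obj, path, value) {
  const segments = parsePath(path);
  let cur = obj;
  for (const seg of segments.slice(0, -1)) {
    if (!hasOwn(cur, seg) || cur[seg] === null || typeof cur[seg] !== "object") {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Constructed sample: a module-like namespace and a pollution attempt through a path.
function demo() {
  const mod = { default: { Button: function Button() {} }, theme: { color: "blue" } };
  const results = { ok: safeGet(mod, "default.Button") === mod.default.Button };
  try { safeSet({}, "__proto__.polluted", true); results.blocked = false; } catch { results.blocked = true; }
  results.clean = ({}).polluted === undefined;
  return results;
}
```

Validating the whole path before touching the target matters: a check performed segment by segment during traversal can leave a partially written object behind when it fails midway.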

@lacolaco-actions-worker lacolaco-actions-worker Bot merged commit 20cd2d2 into main Apr 27, 2026
15 checks passed
@lacolaco-actions-worker lacolaco-actions-worker Bot deleted the renovate/@astrojs-packages branch April 27, 2026 23:29