- From: dependabot[bot] via GitHub <noreply@w3.org>
- Date: Thu, 13 Nov 2025 22:57:58 +0000
- To: public-design-tokens-log@w3.org
dependabot[bot] has just submitted a new pull request for https://github.com/design-tokens/community-group:
== build(deps): bump astro from 5.13.8 to 5.15.6 in /www ==
Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) from 5.13.8 to 5.15.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/withastro/astro/releases">astro's releases</a>.</em></p>
<blockquote>
<h2>astro@5.15.6</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14751">#14751</a> <a href="https://github.com/withastro/astro/commit/18c55e15eaef56cbe06626b6bdb43ab250ab6f49"><code>18c55e1</code></a> Thanks <a href="https://github.com/delucis"><code>@delucis</code></a>! - Fixes hydration of client components when running the dev server and using a barrel file that re-exports both Astro and UI framework components.</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14750">#14750</a> <a href="https://github.com/withastro/astro/commit/35122c278f987f9213b8e1094382398a16090aff"><code>35122c2</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@florian-lefebvre</code></a>! - Updates the experimental Fonts API to log a warning if families with a conflicting <code>cssVariable</code> are provided</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14737">#14737</a> <a href="https://github.com/withastro/astro/commit/74c8852c534cc23217a78979e10885429b290e0b"><code>74c8852</code></a> Thanks <a href="https://github.com/Arecsu"><code>@Arecsu</code></a>! - Fixes an error when using <code>transition:persist</code> with components that use declarative Shadow DOM. Astro now avoids re-attaching a shadow root if one already exists, preventing <code>"Unable to re-attach to existing ShadowDOM"</code> navigation errors.</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14750">#14750</a> <a href="https://github.com/withastro/astro/commit/35122c278f987f9213b8e1094382398a16090aff"><code>35122c2</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@florian-lefebvre</code></a>! - Updates the experimental Fonts API to allow for more granular configuration of remote font families</p>
<p>A font family is defined by a combination of properties such as weights and styles (e.g. <code>weights: [500, 600]</code> and <code>styles: ["normal", "bold"]</code>), but you may want to download only certain combinations of these.</p>
<p>For greater control over which font files are downloaded, you can specify the same font (ie. with the same <code>cssVariable</code>, <code>name</code>, and <code>provider</code> properties) multiple times with different combinations. Astro will merge the results and download only the required files. For example, it is possible to download normal <code>500</code> and <code>600</code> while downloading only italic <code>500</code>:</p>
<pre lang="js"><code>// astro.config.mjs
import { defineConfig, fontProviders } from 'astro/config';
<p>export default defineConfig({
experimental: {
fonts: [
{
name: 'Roboto',
cssVariable: '--roboto',
provider: fontProviders.google(),
weights: [500, 600],
styles: ['normal'],
},
{
name: 'Roboto',
cssVariable: '--roboto',
provider: fontProviders.google(),
weights: [500],
styles: ['italic'],
},
],
},
});
</code></pre></p>
</li>
</ul>
<h2>astro@5.15.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14712">#14712</a> <a href="https://github.com/withastro/astro/commit/91780cffa7cf97cc22694d55962710609a5475b0"><code>91780cf</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@florian-lefebvre</code></a>! - Fixes a case where build's <code>process.env</code> would be inlined in the server output</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14713">#14713</a> <a href="https://github.com/withastro/astro/commit/666d5a7ef486aa57f20f87b6cb210619dabd9c4c"><code>666d5a7</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@florian-lefebvre</code></a>! - Improves fallbacks generation when using the experimental Fonts API</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14743">#14743</a> <a href="https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4"><code>dafbb1b</code></a> Thanks <a href="https://github.com/matthewp"><code>@matthewp</code></a>! - Improves <code>X-Forwarded</code> header validation to prevent cache poisoning and header injection attacks. Now properly validates <code>X-Forwarded-Proto</code>, <code>X-Forwarded-Host</code>, and <code>X-Forwarded-Port</code> headers against configured <code>allowedDomains</code> patterns, rejecting malformed or suspicious values. This is especially important when running behind a reverse proxy or load balancer.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md">astro's changelog</a>.</em></p>
<blockquote>
<h2>5.15.6</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14751">#14751</a> <a href="https://github.com/withastro/astro/commit/18c55e15eaef56cbe06626b6bdb43ab250ab6f49"><code>18c55e1</code></a> Thanks <a href="https://github.com/delucis"><code>@delucis</code></a>! - Fixes hydration of client components when running the dev server and using a barrel file that re-exports both Astro and UI framework components.</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14750">#14750</a> <a href="https://github.com/withastro/astro/commit/35122c278f987f9213b8e1094382398a16090aff"><code>35122c2</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@florian-lefebvre</code></a>! - Updates the experimental Fonts API to log a warning if families with a conflicting <code>cssVariable</code> are provided</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14737">#14737</a> <a href="https://github.com/withastro/astro/commit/74c8852c534cc23217a78979e10885429b290e0b"><code>74c8852</code></a> Thanks <a href="https://github.com/Arecsu"><code>@Arecsu</code></a>! - Fixes an error when using <code>transition:persist</code> with components that use declarative Shadow DOM. Astro now avoids re-attaching a shadow root if one already exists, preventing <code>"Unable to re-attach to existing ShadowDOM"</code> navigation errors.</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14750">#14750</a> <a href="https://github.com/withastro/astro/commit/35122c278f987f9213b8e1094382398a16090aff"><code>35122c2</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@florian-lefebvre</code></a>! - Updates the experimental Fonts API to allow for more granular configuration of remote font families</p>
<p>A font family is defined by a combination of properties such as weights and styles (e.g. <code>weights: [500, 600]</code> and <code>styles: ["normal", "bold"]</code>), but you may want to download only certain combinations of these.</p>
<p>For greater control over which font files are downloaded, you can specify the same font (ie. with the same <code>cssVariable</code>, <code>name</code>, and <code>provider</code> properties) multiple times with different combinations. Astro will merge the results and download only the required files. For example, it is possible to download normal <code>500</code> and <code>600</code> while downloading only italic <code>500</code>:</p>
<pre lang="js"><code>// astro.config.mjs
import { defineConfig, fontProviders } from 'astro/config';
<p>export default defineConfig({
experimental: {
fonts: [
{
name: 'Roboto',
cssVariable: '--roboto',
provider: fontProviders.google(),
weights: [500, 600],
styles: ['normal'],
},
{
name: 'Roboto',
cssVariable: '--roboto',
provider: fontProviders.google(),
weights: [500],
styles: ['italic'],
},
],
},
});
</code></pre></p>
</li>
</ul>
<h2>5.15.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14712">#14712</a> <a href="https://github.com/withastro/astro/commit/91780cffa7cf97cc22694d55962710609a5475b0"><code>91780cf</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@florian-lefebvre</code></a>! - Fixes a case where build's <code>process.env</code> would be inlined in the server output</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14713">#14713</a> <a href="https://github.com/withastro/astro/commit/666d5a7ef486aa57f20f87b6cb210619dabd9c4c"><code>666d5a7</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@florian-lefebvre</code></a>! - Improves fallbacks generation when using the experimental Fonts API</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/withastro/astro/commit/190106149908ef6826899459146ef9f0ead602ab"><code>1901061</code></a> [ci] release (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14745">#14745</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91"><code>790d942</code></a> Merge commit from fork</li>
<li><a href="https://github.com/withastro/astro/commit/35122c278f987f9213b8e1094382398a16090aff"><code>35122c2</code></a> feat(fonts): merge families (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14750">#14750</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/72381ef77434aca5f9f83e37b3b75067af7a45d0"><code>72381ef</code></a> chore: upgrade <code>@playwright/test</code> (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14749">#14749</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/18c55e15eaef56cbe06626b6bdb43ab250ab6f49"><code>18c55e1</code></a> Stub out <code>.astro</code> imports in client modules (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14751">#14751</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/5bc37fd5cade62f753aef66efdf40f982379029a"><code>5bc37fd</code></a> fix(deps): update astro dependencies (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14739">#14739</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/74c8852c534cc23217a78979e10885429b290e0b"><code>74c8852</code></a> fix: skip re-attaching shadow roots during view transitions (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14737">#14737</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/ab34340fc7bea4153018bb8b25b5f521cb08566c"><code>ab34340</code></a> [ci] release (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14732">#14732</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/535fa3658edbc3cc81b5f9f981af9935b154ccc0"><code>535fa36</code></a> [ci] format</li>
<li><a href="https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4"><code>dafbb1b</code></a> Prevent cache poisoning in x-forwarded headers (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14743">#14743</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/withastro/astro/commits/astro@5.15.6/packages/astro">compare view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for astro since your current version.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/design-tokens/community-group/network/alerts).
</details>
See https://github.com/design-tokens/community-group/pull/351
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 13 November 2025 22:57:59 UTC