[community-group] Pull Request: build(deps): bump astro from 5.13.8 to 5.14.3 in /www

dependabot[bot] has just submitted a new pull request for https://github.com/design-tokens/community-group:

== build(deps): bump astro from 5.13.8 to 5.14.3 in /www ==
Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) from 5.13.8 to 5.14.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/withastro/astro/releases">astro's releases</a>.</em></p>
<blockquote>
<h2>astro@5.14.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14505">#14505</a> <a href="https://github.com/withastro/astro/commit/28b2a1db4f3f265632f280b0dbc4c5f241c387e2"><code>28b2a1d</code></a> Thanks <a href="https://github.com/matthewp"><code>@​matthewp</code></a>! - Fixes <code>Cannot set property manifest</code> error in test utilities by adding a protected setter for the manifest property</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14235">#14235</a> <a href="https://github.com/withastro/astro/commit/c4d84bb654c9a5064b243e971c3b5b280e2b3791"><code>c4d84bb</code></a> Thanks <a href="https://github.com/toxeeec"><code>@​toxeeec</code></a>! - Fixes a bug where the &quot;tap&quot; prefetch strategy worked only on the first clicked link with view transitions enabled</p>
</li>
</ul>
<h2>astro@5.14.1</h2>
<h3>Patch Changes</h3>
<ul>
<li><a href="https://redirect.github.com/withastro/astro/pull/14440">#14440</a> <a href="https://github.com/withastro/astro/commit/a3e16ab6dd0bef9ab6259f23bfeebed747e27497"><code>a3e16ab</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@​florian-lefebvre</code></a>! - Fixes a case where the URLs generated by the experimental Fonts API would be incorrect in dev</li>
</ul>
<h2>astro@5.14.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/13520">#13520</a> <a href="https://github.com/withastro/astro/commit/a31edb8daad8632bacd1861adf6ac720695f7173"><code>a31edb8</code></a> Thanks <a href="https://github.com/openscript"><code>@​openscript</code></a>! - Adds a new property <code>routePattern</code> available to <code>GetStaticPathsOptions</code></p>
<p>This provides the original, dynamic segment definition in a routing file path (e.g. <code>/[...locale]/[files]/[slug]</code>) from the Astro render context that would not otherwise be available within the scope of <code>getStaticPaths()</code>. This can be useful to calculate the <code>params</code> and <code>props</code> for each page route.</p>
<p>For example, you can now localize your route segments and return an array of static paths by passing <code>routePattern</code> to a custom <code>getLocalizedData()</code> helper function. The <code>params</code> object will be set with explicit values for each route segment (e.g. <code>locale</code>, <code>files</code>, and <code>slug)</code>. Then, these values will be used to generate the routes and can be used in your page template via <code>Astro.params</code>.</p>
<pre lang="astro"><code>// src/pages/[...locale]/[files]/[slug].astro
<p>import { getLocalizedData } from &quot;../../../utils/i18n&quot;; export async function getStaticPaths({ routePattern
}) { const response = await fetch('...'); const data = await response.json(); console.log(routePattern);
// [...locale]/[files]/[slug] // Call your custom helper with <code>routePattern</code> to generate the static
paths return data.flatMap((file) =&gt; getLocalizedData(file, routePattern)); } const { locale, files,
slug } = Astro.params;
</code></pre></p>
<p>For more information about this advanced routing pattern, see Astro's <a href="https://docs.astro.build/en/reference/routing-reference/#routepattern">routing reference</a>.</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/13651">#13651</a> <a href="https://github.com/withastro/astro/commit/dcfbd8c9d5dc798d1bcb9b36531c2eded301050d"><code>dcfbd8c</code></a> Thanks <a href="https://github.com/ADTC"><code>@​ADTC</code></a>! - Adds a new <code>SvgComponent</code> type</p>
<p>You can now more easily enforce type safety for your <code>.svg</code> assets by directly importing <code>SVGComponent</code> from <code>astro/types</code>:</p>
<pre lang="astro"><code>---
// src/components/Logo.astro
import type { SvgComponent } from 'astro/types';
import HomeIcon from './Home.svg';
interface Link {
  url: string;
  text: string;
  icon: SvgComponent;
}
const links: Link[] = [
  {
    url: '/',
</code></pre>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md">astro's changelog</a>.</em></p>
<blockquote>
<h2>5.14.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14505">#14505</a> <a href="https://github.com/withastro/astro/commit/28b2a1db4f3f265632f280b0dbc4c5f241c387e2"><code>28b2a1d</code></a> Thanks <a href="https://github.com/matthewp"><code>@​matthewp</code></a>! - Fixes <code>Cannot set property manifest</code> error in test utilities by adding a protected setter for the manifest property</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14235">#14235</a> <a href="https://github.com/withastro/astro/commit/c4d84bb654c9a5064b243e971c3b5b280e2b3791"><code>c4d84bb</code></a> Thanks <a href="https://github.com/toxeeec"><code>@​toxeeec</code></a>! - Fixes a bug where the &quot;tap&quot; prefetch strategy worked only on the first clicked link with view transitions enabled</p>
</li>
</ul>
<h2>5.14.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14459">#14459</a> <a href="https://github.com/withastro/astro/commit/916f9c2e094f19562cfe722ca0a5fafb0f313c2e"><code>916f9c2</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@​florian-lefebvre</code></a>! - Improves font files URLs in development when using the experimental fonts API by showing the subset if present</p>
</li>
<li>
<p><a href="https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7"><code>b8ca69b</code></a> Thanks <a href="https://github.com/ascorbic"><code>@​ascorbic</code></a>! - Aligns dev image server file base with Vite rules</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14469">#14469</a> <a href="https://github.com/withastro/astro/commit/1c090b00c1f5c3d8e938ac873fc63ab2f1ae37f1"><code>1c090b0</code></a> Thanks <a href="https://github.com/delucis"><code>@​delucis</code></a>! - Updates <code>tinyexec</code> dependency</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/14460">#14460</a> <a href="https://github.com/withastro/astro/commit/008dc75d860eadbb394e86dac68c7f4962e40489"><code>008dc75</code></a> Thanks <a href="https://github.com/florian-lefebvre"><code>@​florian-lefebvre</code></a>! - Fixes a case where <code>astro:config/server</code> values typed as URLs would be serialized as strings</p>
</li>
<li>
<p><a href="https://redirect.github.com/withastro/astro/pull/13730">#13730</a> <a href="https://github.com/withastro/astro/commit/72603676818d1c433ac2751843a8a9b0cc9b48c9"><code>7260367</code></a> Thanks <a href="https://github.com/razonyang"><code>@​razonyang</code></a>! - Fixes a bug in i18n, where Astro caused an infinite loop when a locale that doesn't have an index, and Astro falls back to the index of the default locale.</p>
</li>
<li>
<p><a href="https://github.com/withastro/astro/commit/6ee63bfac4856f21b4d4633021b3d2ee059e553f"><code>6ee63bf</code></a> Thanks <a href="https://github.com/matthewp"><code>@​matthewp</code></a>! - Adds <code>security.allowedDomains</code> configuration to validate <code>X-Forwarded-Host</code> headers in SSR</p>
<p>The <code>X-Forwarded-Host</code> header will now only be trusted if it matches one of the configured allowed host patterns. This prevents <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection">host header injection attacks</a> that can lead to cache poisoning and other security vulnerabilities.</p>
<p>Configure allowed host patterns to enable <code>X-Forwarded-Host</code> support:</p>
<pre lang="js"><code>// astro.config.mjs
export default defineConfig({
  output: 'server',
  adapter: node(),
  security: {
    allowedDomains: [
      { hostname: 'example.com' },
      { hostname: '*.example.com' },
      { hostname: 'cdn.example.com', port: '443' },
    ],
  },
});
</code></pre>
<p>The patterns support wildcards (<code>*</code> and <code>**</code>) for flexible hostname matching and can optionally specify protocol and port.</p>
<h3>Breaking change</h3>
<p>Previously, <code>Astro.url</code> would reflect the value of the <code>X-Forwarded-Host</code> header. While this header is commonly used by reverse proxies like Nginx to communicate the original host, it can be sent by any client, potentially allowing malicious actors to poison caches with incorrect URLs.</p>
<p>If you were relying on <code>X-Forwarded-Host</code> support, add <code>security.allowedDomains</code> to your configuration to restore this functionality securely. When <code>allowedDomains</code> is not configured, <code>X-Forwarded-Host</code> headers are now ignored by default.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/withastro/astro/commit/fe1d35cc950b16a6462102b98b48753d27395e03"><code>fe1d35c</code></a> [ci] release (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14507">#14507</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/7926882013c2f493aeb2fe9b162e515e65e68e81"><code>7926882</code></a> [ci] format</li>
<li><a href="https://github.com/withastro/astro/commit/c4d84bb654c9a5064b243e971c3b5b280e2b3791"><code>c4d84bb</code></a> fix(prefetch): Fix &quot;tap&quot; prefetch strategy when view transitions are enabled ...</li>
<li><a href="https://github.com/withastro/astro/commit/3bb14b7dbbc236f55096631401703a290321031e"><code>3bb14b7</code></a> [ci] release (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14466">#14466</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/7a5aafff7b6d424164bf76d25c231d8860a26e25"><code>7a5aaff</code></a> [ci] format</li>
<li><a href="https://github.com/withastro/astro/commit/28b2a1db4f3f265632f280b0dbc4c5f241c387e2"><code>28b2a1d</code></a> Fix failing x-forwarded-host tests (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14505">#14505</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/ec307b02e3e866fa53ea6715b5f6f05dbb323953"><code>ec307b0</code></a> [ci] format</li>
<li><a href="https://github.com/withastro/astro/commit/6ee63bfac4856f21b4d4633021b3d2ee059e553f"><code>6ee63bf</code></a> Merge commit from fork</li>
<li><a href="https://github.com/withastro/astro/commit/72603676818d1c433ac2751843a8a9b0cc9b48c9"><code>7260367</code></a> fix(i18n): ensure the redirect pathname is non-empty (<a href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/13730">#13730</a>)</li>
<li><a href="https://github.com/withastro/astro/commit/d1b3409c213c35abdf3c25154fc5430ce34398d3"><code>d1b3409</code></a> [ci] format</li>
<li>Additional commits viewable in <a href="https://github.com/withastro/astro/commits/astro@5.14.3/packages/astro">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=astro&package-manager=npm_and_yarn&previous-version=5.13.8&new-version=5.14.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/design-tokens/community-group/network/alerts).

</details>

See https://github.com/design-tokens/community-group/pull/317


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 11 October 2025 00:50:06 UTC