Skip to content

build(deps): bump the patch-updates group across 1 directory with 9 updates#4

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot-npm_and_yarn-patch-updates-7907fc803b
Open

build(deps): bump the patch-updates group across 1 directory with 9 updates#4
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot-npm_and_yarn-patch-updates-7907fc803b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the patch-updates group with 9 updates in the / directory:

Package From To
@astrojs/check 0.9.6 0.9.9
@astrojs/rss 4.0.14 4.0.19
@astrojs/svelte 7.2.3 7.2.5
@fontsource/roboto 5.2.9 5.2.10
@iconify-json/material-symbols 1.2.50 1.2.81
@tailwindcss/typography 0.5.19 0.5.20
sanitize-html 2.17.0 2.17.5
@types/sanitize-html 2.16.0 2.16.1
@astrojs/ts-plugin 1.10.6 1.10.9

Updates @astrojs/check from 0.9.6 to 0.9.9

Changelog

Sourced from @​astrojs/check's changelog.

0.9.9

Patch Changes

0.9.8

Patch Changes

0.9.7

Patch Changes

0.9.7-beta.1

Patch Changes

0.9.6-beta.1

Patch Changes

0.9.6-alpha.0

Patch Changes

  • Updated dependencies [df6d2d7]:
    • @​astrojs/language-server@​2.16.1-alpha.0
Commits

Updates @astrojs/rss from 4.0.14 to 4.0.19

Release notes

Sourced from @​astrojs/rss's releases.

@​astrojs/rss@​4.0.19

Patch Changes

  • #17209 fbcfa03 Thanks @​matthewp! - Hardens RSS feed generation by escaping the source and enclosure item fields. These fields are now serialized as structured XML values, ensuring that special characters in values like source.title and enclosure.type are always treated as text rather than markup, consistent with how other feed fields are handled.
Changelog

Sourced from @​astrojs/rss's changelog.

4.0.19

Patch Changes

  • #17209 fbcfa03 Thanks @​matthewp! - Hardens RSS feed generation by escaping the source and enclosure item fields. These fields are now serialized as structured XML values, ensuring that special characters in values like source.title and enclosure.type are always treated as text rather than markup, consistent with how other feed fields are handled.

4.0.18

Patch Changes

4.0.17

Patch Changes

4.0.16

Patch Changes

4.0.15-beta.4

Patch Changes

4.0.15-beta.3

Patch Changes

4.0.15-beta.2

Patch Changes

... (truncated)

Commits

Updates @astrojs/svelte from 7.2.3 to 7.2.5

Changelog

Sourced from @​astrojs/svelte's changelog.

7.2.5

Patch Changes

7.2.4

Patch Changes

  • #15004 16f3994 Thanks @​antonyfaris! - Fixes an issue where Svelte components used in Astro files would incorrectly report type errors when using client:* directives.
Commits

Updates @fontsource/roboto from 5.2.9 to 5.2.10

Commits

Updates @iconify-json/material-symbols from 1.2.50 to 1.2.81

Commits

Updates @tailwindcss/typography from 0.5.19 to 0.5.20

Release notes

Sourced from @​tailwindcss/typography's releases.

v0.5.20

Fixed

  • Support installing with stable versions of Tailwind CSS v4 (#424)
Changelog

Sourced from @​tailwindcss/typography's changelog.

[0.5.20] - 2026-06-08

Fixed

  • Support installing with stable versions of Tailwind CSS v4 (#424)
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/typography since your current version.


Updates sanitize-html from 2.17.0 to 2.17.5

Changelog

Sourced from sanitize-html's changelog.

2.17.5 (2026-06-10)

Security

  • Added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to crattack for reporting the vulnerability.
  • Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to Dipanshu singh for pointing out the issue and contributing the fix.

2.17.4

Changes

  • sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.

Security

  • Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

2.17.3 (2026-04-15)

Security

  • Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit option tags. There was no vulnerability when not explicitly allowing option tags.

2.17.2 (2026-03-19)

Changes

  • Upgrade htmlparser2 from 8.x to 10.1.0. This improves security by correctly decoding zero-padded numeric character references (e.g., &[#0000001](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/0000001)) that previously bypassed javascript: URL detection. Also fixes double-encoding of entities inside raw text elements like textarea and option.

2.17.1 (2026-02-18)

Fixes

  • Fix unclosed tags (e.g., <hello) returning empty string in escape and recursiveEscape modes. Fixes #706. Thanks to Byeong Hyeon for the fix.
Commits

Updates @types/sanitize-html from 2.16.0 to 2.16.1

Commits

Updates @astrojs/ts-plugin from 1.10.6 to 1.10.9

Changelog

Sourced from @​astrojs/ts-plugin's changelog.

1.10.9

Patch Changes

1.10.8

Patch Changes

1.10.7

Patch Changes

Commits

Updates @types/sanitize-html from 2.16.0 to 2.16.1

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 29, 2026
…pdates

Bumps the patch-updates group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@astrojs/check](https://github.com/withastro/astro/tree/HEAD/packages/language-tools/astro-check) | `0.9.6` | `0.9.9` |
| [@astrojs/rss](https://github.com/withastro/astro/tree/HEAD/packages/astro-rss) | `4.0.14` | `4.0.19` |
| [@astrojs/svelte](https://github.com/withastro/astro/tree/HEAD/packages/integrations/svelte) | `7.2.3` | `7.2.5` |
| [@fontsource/roboto](https://github.com/fontsource/font-files/tree/HEAD/fonts/google/roboto) | `5.2.9` | `5.2.10` |
| [@iconify-json/material-symbols](https://github.com/iconify/icon-sets) | `1.2.50` | `1.2.81` |
| [@tailwindcss/typography](https://github.com/tailwindlabs/tailwindcss-typography) | `0.5.19` | `0.5.20` |
| [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) | `2.17.0` | `2.17.5` |
| [@types/sanitize-html](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/sanitize-html) | `2.16.0` | `2.16.1` |
| [@astrojs/ts-plugin](https://github.com/withastro/astro/tree/HEAD/packages/language-tools/ts-plugin) | `1.10.6` | `1.10.9` |



Updates `@astrojs/check` from 0.9.6 to 0.9.9
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/language-tools/astro-check/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/@astrojs/check@0.9.9/packages/language-tools/astro-check)

Updates `@astrojs/rss` from 4.0.14 to 4.0.19
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro-rss/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/@astrojs/rss@4.0.19/packages/astro-rss)

Updates `@astrojs/svelte` from 7.2.3 to 7.2.5
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/integrations/svelte/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/@astrojs/svelte@7.2.5/packages/integrations/svelte)

Updates `@fontsource/roboto` from 5.2.9 to 5.2.10
- [Changelog](https://github.com/fontsource/font-files/blob/main/CHANGELOG.md)
- [Commits](https://github.com/fontsource/font-files/commits/HEAD/fonts/google/roboto)

Updates `@iconify-json/material-symbols` from 1.2.50 to 1.2.81
- [Commits](https://github.com/iconify/icon-sets/commits)

Updates `@tailwindcss/typography` from 0.5.19 to 0.5.20
- [Release notes](https://github.com/tailwindlabs/tailwindcss-typography/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss-typography/blob/main/CHANGELOG.md)
- [Commits](tailwindlabs/tailwindcss-typography@v0.5.19...v0.5.20)

Updates `sanitize-html` from 2.17.0 to 2.17.5
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/sanitize-html@2.17.5/packages/sanitize-html)

Updates `@types/sanitize-html` from 2.16.0 to 2.16.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/sanitize-html)

Updates `@astrojs/ts-plugin` from 1.10.6 to 1.10.9
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/language-tools/ts-plugin/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/@astrojs/ts-plugin@1.10.9/packages/language-tools/ts-plugin)

Updates `@types/sanitize-html` from 2.16.0 to 2.16.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/sanitize-html)

---
updated-dependencies:
- dependency-name: "@astrojs/check"
  dependency-version: 0.9.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: "@astrojs/rss"
  dependency-version: 4.0.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: "@astrojs/svelte"
  dependency-version: 7.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: "@astrojs/ts-plugin"
  dependency-version: 1.10.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: "@fontsource/roboto"
  dependency-version: 5.2.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: "@iconify-json/material-symbols"
  dependency-version: 1.2.81
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: "@tailwindcss/typography"
  dependency-version: 0.5.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: "@types/sanitize-html"
  dependency-version: 2.16.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: "@types/sanitize-html"
  dependency-version: 2.16.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: sanitize-html
  dependency-version: 2.17.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title build(deps): bump the patch-updates group with 9 updates build(deps): bump the patch-updates group across 1 directory with 9 updates Jun 30, 2026
@dependabot dependabot Bot force-pushed the dependabot-npm_and_yarn-patch-updates-7907fc803b branch from 6db3a5f to 729fdcf Compare June 30, 2026 16:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants