build(deps): Bump the patch-minor group across 1 directory with 10 updates

[dependabot]

Bumps the patch-minor group with 10 updates in the / directory:

Package	From	To
@astrojs/check	0.9.8	0.9.9
@astrojs/db	0.20.1	0.21.1
@astrojs/markdown-remark	7.1.0	7.1.1
@astrojs/react	5.0.3	5.0.4
cssnano	7.1.5	7.1.8
nanoid	5.1.9	5.1.11
@axe-core/playwright	4.11.2	4.11.3
@biomejs/biome	2.4.12	2.4.14
html-validate	10.13.1	10.15.0
knip	6.5.0	6.11.0

Updates @astrojs/check from 0.9.8 to 0.9.9

Release notes

Sourced from @​astrojs/check's releases.

@​astrojs/check@​0.9.9

Patch Changes

• #16471 f56bb3f Thanks @​delucis! - Adds support for TypeScript v6 to peer dependencies range

• Updated dependencies [8c62159]:

  • @​astrojs/language-server@​2.16.7

Changelog

Sourced from @​astrojs/check's changelog.

0.9.9

Patch Changes

• #16471 f56bb3f Thanks @​delucis! - Adds support for TypeScript v6 to peer dependencies range

• Updated dependencies [8c62159]:

  • @​astrojs/language-server@​2.16.7

Commits

• c1f2e4f [ci] release (#16467)
• f56bb3f Widen typescript peer dependency range to allow v6 (#16471)
• 184700c fix(deps): update language tools (#16230)
• 88fcc98 fix integrations links across docs (#16098)
• b9e96da fix(deps): update dependency vitest to v4 (#15372)
• See full diff in compare view

Updates @astrojs/db from 0.20.1 to 0.21.1

Release notes

Sourced from @​astrojs/db's releases.

@​astrojs/db@​0.21.1

Patch Changes

• #16534 5cf6c51 Thanks @​matthewp! - Fixes compatibility with Zod 4.4.0 for the server config property and error formatting

@​astrojs/db@​0.21.0

Minor Changes

• #16289 5d580c0 Thanks @​maxmalkin! - Adds a new getDbError() helper exported from astro:db. It walks the error .cause chain and returns the underlying LibsqlError, or undefined if the error did not originate from libSQL. This is needed because drizzle-orm 0.44+ wraps query errors in a DrizzleQueryError whose .cause is the real LibsqlError.

  Upgrading

  Code that reads .code or .message after catching a database error should migrate from isDbError() to getDbError():

  // Before
  import { isDbError } from 'astro:db';
  try {
    await db.insert(MyTable).values({ ... });
  } catch (e) {
    if (isDbError(e)) {
      console.error(e.code, e.message);
    }
  }
  // After
  import { getDbError } from 'astro:db';
  try {
  await db.insert(MyTable).values({ ... });
  } catch (e) {
  const dbError = getDbError(e);
  if (dbError) {
  console.error(dbError.code, dbError.message);
  }
  }

  isDbError() is still exported and still returns true for wrapped errors, but its return type is now boolean instead of the err is LibsqlError type predicate. Code that relied on the narrowing to access .code or .message directly will now produce a TypeScript error pointing you to getDbError().

Patch Changes

• #16289 5d580c0 Thanks @​maxmalkin! - Fixes a SQL injection vulnerability by updating drizzle-orm to ^0.45.2, patching GHSA-gpj5-g38j-94v9 (CVE-2026-39356).

Changelog

Sourced from @​astrojs/db's changelog.

0.21.1

Patch Changes

• #16534 5cf6c51 Thanks @​matthewp! - Fixes compatibility with Zod 4.4.0 for the server config property and error formatting

0.21.0

Minor Changes

• #16289 5d580c0 Thanks @​maxmalkin! - Adds a new getDbError() helper exported from astro:db. It walks the error .cause chain and returns the underlying LibsqlError, or undefined if the error did not originate from libSQL. This is needed because drizzle-orm 0.44+ wraps query errors in a DrizzleQueryError whose .cause is the real LibsqlError.

  Upgrading

  Code that reads .code or .message after catching a database error should migrate from isDbError() to getDbError():

  // Before
  import { isDbError } from 'astro:db';
  try {
    await db.insert(MyTable).values({ ... });
  } catch (e) {
    if (isDbError(e)) {
      console.error(e.code, e.message);
    }
  }
  // After
  import { getDbError } from 'astro:db';
  try {
  await db.insert(MyTable).values({ ... });
  } catch (e) {
  const dbError = getDbError(e);
  if (dbError) {
  console.error(dbError.code, dbError.message);
  }
  }

  isDbError() is still exported and still returns true for wrapped errors, but its return type is now boolean instead of the err is LibsqlError type predicate. Code that relied on the narrowing to access .code or .message directly will now produce a TypeScript error pointing you to getDbError().

Patch Changes

• #16289 5d580c0 Thanks @​maxmalkin! - Fixes a SQL injection vulnerability by updating drizzle-orm to ^0.45.2, patching GHSA-gpj5-g38j-94v9 (CVE-2026-39356).

Commits

• cc02799 [ci] release (#16533)
• 5cf6c51 fix: Zod 4.4.0 compat for server config and error map (#16534)
• 8884edf refactor(db): use correct virtual types for tests (#16499)
• c1f2e4f [ci] release (#16467)
• 5c543c5 refactor(astro): add internal entry points for test (#16473)
• 5d580c0 fix: bump drizzle-orm version for CVE-2026-39356 (#16289)
• 99464ed Bump vite, picomatch, and unstorage to latest patch versions (#16448)
• f7566b8 refactor: unify test setup (#16445)
• f31a80d refactor(db): migrate tests to typescript (#16403)
• 88fcc98 fix integrations links across docs (#16098)
• See full diff in compare view

Updates @astrojs/markdown-remark from 7.1.0 to 7.1.1

Release notes

Sourced from @​astrojs/markdown-remark's releases.

@​astrojs/markdown-remark@​7.1.1

Patch Changes

• #16419 f3485c3 Thanks @​matthewp! - Hardens nested object and package metadata lookups to ignore prototype keys in content handling and project scaffolding

• Updated dependencies [99464ed, f3485c3]:

  • @​astrojs/internal-helpers@​0.9.0

Changelog

Sourced from @​astrojs/markdown-remark's changelog.

7.1.1

Patch Changes

• #16419 f3485c3 Thanks @​matthewp! - Hardens nested object and package metadata lookups to ignore prototype keys in content handling and project scaffolding

• Updated dependencies [99464ed, f3485c3]:

  • @​astrojs/internal-helpers@​0.9.0

Commits

• 21ca872 [ci] release (#16399)
• f3485c3 Harden nested object path lookups (#16419)
• f7566b8 refactor: unify test setup (#16445)
• 28a7de8 refactor(remark): migrate tests to typescript (#16392)
• 4198232 test(shiki): move integration tests to unit tests (#16121)
• See full diff in compare view

Updates @astrojs/react from 5.0.3 to 5.0.4

Release notes

Sourced from @​astrojs/react's releases.

@​astrojs/react@​5.0.4

Patch Changes

• Updated dependencies [99464ed, f3485c3]:
  • @​astrojs/internal-helpers@​0.9.0

Changelog

Sourced from @​astrojs/react's changelog.

5.0.4

Patch Changes

• Updated dependencies [99464ed, f3485c3]:
  • @​astrojs/internal-helpers@​0.9.0

Commits

• 21ca872 [ci] release (#16399)
• 99464ed Bump vite, picomatch, and unstorage to latest patch versions (#16448)
• f7566b8 refactor: unify test setup (#16445)
• ba2dbf1 refactor(astro): correct Fixture type signatures in test-utils (#16380)
• 5ed467f refactor: migrate react tests to typescript (#16318)
• See full diff in compare view

Updates cssnano from 7.1.5 to 7.1.8

Release notes

Sourced from cssnano's releases.

v7.1.8

What's Changed

• fix(postcss-minify-selectors): reject :is() fold for :nth-child(... of S) to preserve cascade by @​dkryaklin in cssnano/cssnano#1785
• Update postcss and @​colordx/core by @​ludofischer in cssnano/cssnano#1786

Full Changelog: https://github.com/cssnano/cssnano/compare/[email protected]@7.1.8

v.7.1.7

This release is idnetical to the previous one, but is being published to ensure that the latest versions of postcss-normalize-repeat-style and postcss-normalize-positions are uploaded to the npm registry.

v7.1.6

New feature

• feat(postcss-minify-selectors): fold selector lists into :is() (#1703) by @​dkryaklin in cssnano/cssnano#1775

Bug fixes

• fix: update colordx and autoprefixer
• fix: update postcss peer dependency by @​ludofischer in cssnano/cssnano#1779 Solves possible security issue

Full Changelog: https://github.com/cssnano/cssnano/compare/[email protected]@7.1.6

Commits

• ed403db Publish cssnano 7.1.8
• 7e56dba fix: update postcss
• d1780fd fix: update @​colordx-core
• 0005443 chore: add changeset
• bedd609 fix(postcss-minify-selectors): reject :is() fold for :nth-child(... of S) to ...
• aed9ec0 docs: update website for release
• 6afa2c9 chore: create new versions to fix missing dependencies
• 80e57b9 Publish cssnano 7.1.6
• 322ad33 fix: update postcss peer dependency
• 587f28d chore: pin codecov action
• Additional commits viewable in compare view

Updates nanoid from 5.1.9 to 5.1.11

Release notes

Sourced from nanoid's releases.

5.1.11

• Fixed breaking Nano ID by requesting big ID.

5.1.10

• Fixed breaking nanoid by requesting big ID (by @​alanzabihi).

Changelog

Sourced from nanoid's changelog.

5.1.11

• Fixed breaking Nano ID by requesting big ID.

5.1.10

• Fixed breaking Nano ID by requesting big ID (by @​alanzabihi).

Commits

• 5423cf5 Release 5.1.11 version
• 2183894 Backport 3.3.12 changelog
• 7087969 Limit ID even more
• 013517b Temporary add pnpm-workspace.yaml to npm ignore
• 5db09ee Release 5.1.10 version
• be7901a Fix random pool break
• 974f73b Structure tests with describe() instead of prefix
• fe3e7ec Update dependencies
• 043a7c1 Move to pnpm 11
• See full diff in compare view

Updates @axe-core/playwright from 4.11.2 to 4.11.3

Changelog

Sourced from @​axe-core/playwright's changelog.

Change Log

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

Commits

• See full diff in compare view

Updates @biomejs/biome from 2.4.12 to 2.4.14

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.14

2.4.14

Patch Changes

• #9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

• #10157 eefc5ab Thanks @​dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

• #10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

  A function annotated : object returning an object literal:

  function f(): object {
    return { retry: true };
  }

• #10116 53269eb Thanks @​jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

• #10092 33d8543 Thanks @​Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

  Given the following organizeImports options:

  {
    "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
  }

  The following code...

  // Comment
  import "package";
  import "./file.js";

  ...was organized as:

  +
    // Comment
    import "package";
  +
    import "./file.js";

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.14

Patch Changes

• #9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

• #10157 eefc5ab Thanks @​dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

• #10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

  A function annotated : object returning an object literal:

  function f(): object {
    return { retry: true };
  }

• #10116 53269eb Thanks @​jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

• #10092 33d8543 Thanks @​Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

  Given the following organizeImports options:

  {
    "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
  }

  The following code...

  // Comment
  import "package";
  import "./file.js";

  ...was organized as:

  +
    // Comment
    import "package";
  +
    import "./file.js";

  A blank line was added even though the group ':NODE:' doesn't match any imports here. :BLANK_LINE: between never-matched groups and matched groups are now ignored.

... (truncated)

Commits

• 46393e0 ci: release (#10100)
• ae659dd feat(lint/js): add noExcessiveNestedCallbacks (#10188)
• d62b331 feat(lint/js): add useMathMinMax (#9926)
• 7acf1e0 feat(lint/js): add noReactStringRefs (#9922)
• 491b171 feat(lint/js): add useTestHooksOnTop (#9393)
• 4a664c1 fix(noShadow): make sure it doesn't shadow types (#10083)
• e316150 ci: release (#9991)
• 11ddc05 feat(lint): add useReactNativePlatformComponents rule and options (#10033)
• 1603f78 feat(js_analyze): implement noJsxLeakedDollar (#9911)
• c5eb92b feat(linter): add nursery rule noUnnecessaryTemplateExpression (#9969)
• Additional commits viewable in compare view

Updates html-validate from 10.13.1 to 10.15.0

Release notes

Sourced from html-validate's releases.

v10.15.0

10.15.0 (2026-05-04)

Features

• cli: add --performance to help debug performance issues (1451915)

Performance Improvements

• optimize loading global attributes onto element metadata (11228b8)

v10.14.0

10.14.0 (2026-05-02)

Features

• html5: add support for more global attributes (db89087)

Bug Fixes

• parser: improve handling of implicit tag closures (9070a61)

Performance Improvements

• improve performance by caching child elements (cc938fb)

Changelog

Sourced from html-validate's changelog.

10.15.0 (2026-05-04)

Features

• cli: add --performance to help debug performance issues (1451915)

Performance Improvements

• optimize loading global attributes onto element metadata (11228b8)

10.14.0 (2026-05-02)

Features

• html5: add support for more global attributes (db89087)

Bug Fixes

• parser: improve handling of implicit tag closures (9070a61)

Performance Improvements

• improve performance by caching child elements (cc938fb)

Commits

• 99ffc38 chore(release): 10.15.0
• b5d4bba Merge branch 'docs/discord-link' into 'master'
• 2ec6cb7 docs: add link to discord
• 9a6a846 Merge branch 'perf/global-attr-loading' into 'master'
• 11228b8 perf: optimize loading global attributes onto element metadata
• 00e9585 Merge branch 'feature/performance' into 'master'
• 1451915 feat(cli): add --performance to help debug performance issues
• bc3002b chore(deps): lock file maintenance
• 317d3fa Merge branch 'refactor/condition-union' into 'master'
• 8d0d516 refactor: rename current selector implementation ComplexSelector
• Additional commits viewable in compare view

Updates knip from 6.5.0 to 6.11.0

Release notes

Sourced from knip's releases.

Release 6.11.0

• Ignore & remove uninteresting lines in snapshots (767ebaf9b20d02f271d2a083404b60cba63119d7)
• Flag stale @internal tags in production mode (resolve #1658) (dd1caeda80784d6070b028c781a3502b33e9765a)
• Add compiler-extensions in tsc-files mode (resolve #1708) (ea867ad4bb9195f556ff58dae010d0d77c57bb25)

Release 6.10.0

• Ecosystem patches → snapshots (1803f9f94d42ebe88730465c002098de54c6650a)
• Fix unlisted pkg when only @​types/pkg listed (resolve #1707) (62082b69b382ea56d86e718da623ccadb9281a14)
• Don't report imports matching engines.X as unlisted (23582e0f4da7a98cfe50c065b63d38a75870911e)
• Treat imports in .d.ts files as type-only (84caac58d99f39fde56c664f42bad2c000d8943e)
• Treat tsconfig compilerOptions.types as type-only (ce18854b0a008f1060e30c660eee820eba1568e5)
• Resolve hoisted deps from monorepo root in single-package mode (resolve #1711) (23b756fb0becacaa19fbd71a0d9a0264f8647e88)

Release 6.9.0

• Expose types for JSON reporter (961b734f398b451bc26708f8d3bfa72a71983dcc)

Release 6.8.0

• feat: add WXT plugin (#1703) (9167557755a0aef81947aaedfa4745805ffaa571) - thanks @​sebastianbreguel!
• Add support for pnpm@11 new commands (#1706) (c937697a68caaf1ac224627537993b32d37cc91b) - thanks @​PatrykWalach!
• Fix case of spread export → other exports used (resolve #1705) (0f94d2d2b024d268df2395677a0ca0f6fd95503d)
• Add more pnpm commands + tests (f2819b3474b6d6ff7c24197be54072d2291d15b6)
• Bump oxc-parser (5c21d278814436c4c084d0ee609360eddaedd676)

Release 6.7.0

• Fix markdown reporter column width (resolve #1700) (4713108de98bcfe76eb606036b9f968abe3e89a0)
• Handle Vitest agent and minimal reporters (#1701) (a71ead11b99aaa67f31eed7b35628907b2dddd06) - thanks @​dskwrite!
• Add e2e tests w/ tsgo defs + lib consumption (98113e61d913e47631748b58c25d1042c8dd387e)
• Fix pkg name inconsistencies (544c3e68d72dd754b20f8e0b0bf8ed107c05d677)
• Add export {} to maintain module shape (27d8a0230c10f2827ba1e1a8b2c65020554f61f8)
• Strip leading UTF-8 BOM before parsing package.json (47e4029c39ff95043cd495681e4c7558970b0ed9)
• Skip workspace with invalid JSON manifest (bfb48670966387a3cd26005b9fb9d8769b2a1213)
• Preserve out-of-bound writes to stdout/err (95faad8d6219ba456a3700df697273eb154c1dd9)
• Consistent prefix in logError/logWarning (2c6d8a049d1c20d9427425b4abae3b76ac7a5720)
• Don't exit on config file load error (0914bd3832b1851e4d34137577c0d08efaf8aef6)
• Fix tsgo resolution in e2e tests (a68950131e33214ef2a4f13d11fab1a78c16bad6)

Release 6.6.3

• Use venz chart svg directly from CDN (ba7e9073d1770e4a21ec18435bcb61f394db0d1c)
• Bump that plugin counter (abae75bbd3030e006fe67d3f63641a31a65e671c)
• Fix plugin title (f2b8fcfc94bb78fb70dfe2be3f48ef8f254066f7)
• Work Table util class: fix bugs, tighten API, water-fill widths (2eb4045e0f34c2638875504b9b64e881e9a74db5)
• Questionable.. (970a0dbdfc7b59df2fd0a3064a4bd6be4e5a59bc)
• Fmt (14538ec1fe94cdf3c45798515160609f3ffbec9d)
• Ensure output is flushed on exit (#1699) (9533365115d4704e9b057b7ba8d5f43fd553d1a1) - thanks @​joshkel!
• Use currentColor to support light/dark themes (7ea055aa68b86ccc6cb302a3092c2da9e56cdde6)
• Tighten type-chain alignment + gate via ignoreExportsUsedInFile (resolve #1698) (0910b33fc6c07867a751af2e26989a61c8a6c548)
• Eating our own dog food ↻ (d5aa1f6b007a2dfef1a8326000dc1802510d64ab)

Release 6.6.2

• Don't track typeof value refs at top of exported type alias (resolve #1697) (1a9904832878f5e8e4b633bdb08fb327baa17ed6)

... (truncated)

Commits

• c9b80b1 Release [email protected]
• ea867ad Add compiler-extensions in tsc-files mode (resolve #1708)
• dd1caed Flag stale @internal tags in production mode (resolve #1658)
• d604ff3 Release [email protected]
• 23b756f Resolve hoisted deps from monorepo root in single-package mode (resolve #1711)
• ce18854 Treat tsconfig compilerOptions.types as type-only
• 84caac5 Treat imports in .d.ts files as type-only
• 23582e0 Don't report imports matching engines.X as unlisted
• 62082b6 Fix unlisted pkg when only @​types/pkg listed (resolve #1707)
• 9ffd437 Release [email protected]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[netlify]

❌ Deploy Preview for ky-fyi failed.

Name	Link
🔨 Latest commit	669709b
🔍 Latest deploy log	https://app.netlify.com/projects/ky-fyi/deploys/69fb6eb53df3120008fbeb84

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.