chore(deps): bump the minor-patch group across 1 directory with 3 updates

[dependabot]

Bumps the minor-patch group with 3 updates in the / directory: @astrojs/starlight, astro and otpauth.

Updates @astrojs/starlight from 0.38.3 to 0.38.4

Release notes

Sourced from @​astrojs/starlight's releases.

@​astrojs/starlight@​0.38.4

Patch Changes

• #3828 342038b Thanks @​MangelMaxime! - Fixes aside styling when used without any content

• #3853 563e11b Thanks @​delucis! - Fixes a type-checking issue for users on newer versions of TypeScript

Changelog

Sourced from @​astrojs/starlight's changelog.

0.38.4

Patch Changes

• #3828 342038b Thanks @​MangelMaxime! - Fixes aside styling when used without any content

• #3853 563e11b Thanks @​delucis! - Fixes a type-checking issue for users on newer versions of TypeScript

Commits

• d986558 [ci] release (#3844)
• 563e11b Ignore type error in i18n util with newer TypeScript versions (#3853)
• 04fcec0 [ci] format
• 342038b fix: empty aside alignment (#3828)
• See full diff in compare view

Updates astro from 6.1.8 to 6.1.10

Release notes

Sourced from astro's releases.

[email protected]

Patch Changes

• #16479 1058428 Thanks @​matthewp! - Fixes a spurious [WARN] [content] Content config not loaded warning during astro dev for projects that don't use content collections

• #16457 3d82220 Thanks @​matthewp! - Hardens server island encryption to prevent encrypted data from one island component being replayed against a different one

• #16481 152700e Thanks @​matthewp! - Fixes a spurious 404 request for a dev toolbar sourcemap during astro dev caused by the browser mis-resolving a relative sourceMappingURL from the /@id/ URL prefix

• #16480 1bcb43b Thanks @​matthewp! - Fixes an unnecessary full page reload on first navigation during dev

[email protected]

Patch Changes

• #16448 99464ed Thanks @​matthewp! - Updates vite, picomatch, and unstorage to latest patch versions

• #16422 a3951d7 Thanks @​matthewp! - Hardens astro-island export resolution and hydration error handling for malformed component metadata

• #16420 e21de1d Thanks @​matthewp! - Hardens Astro's error overlay and server logging paths to avoid unsafe HTML insertion and format-string interpolation

• #16419 f3485c3 Thanks @​matthewp! - Hardens nested object and package metadata lookups to ignore prototype keys in content handling and project scaffolding

• #16022 a002540 Thanks @​mathieumaf! - Fixes an issue where i18n domains would return 404 when trailingSlash is set to never.

• Updated dependencies [99464ed, f3485c3]:

  • @​astrojs/internal-helpers@​0.9.0
  • @​astrojs/markdown-remark@​7.1.1

Changelog

Sourced from astro's changelog.

6.1.10

Patch Changes

• #16479 1058428 Thanks @​matthewp! - Fixes a spurious [WARN] [content] Content config not loaded warning during astro dev for projects that don't use content collections

• #16457 3d82220 Thanks @​matthewp! - Hardens server island encryption to prevent encrypted data from one island component being replayed against a different one

• #16481 152700e Thanks @​matthewp! - Fixes a spurious 404 request for a dev toolbar sourcemap during astro dev caused by the browser mis-resolving a relative sourceMappingURL from the /@id/ URL prefix

• #16480 1bcb43b Thanks @​matthewp! - Fixes an unnecessary full page reload on first navigation during dev

6.1.9

Patch Changes

• #16448 99464ed Thanks @​matthewp! - Updates vite, picomatch, and unstorage to latest patch versions

• #16422 a3951d7 Thanks @​matthewp! - Hardens astro-island export resolution and hydration error handling for malformed component metadata

• #16420 e21de1d Thanks @​matthewp! - Hardens Astro's error overlay and server logging paths to avoid unsafe HTML insertion and format-string interpolation

• #16419 f3485c3 Thanks @​matthewp! - Hardens nested object and package metadata lookups to ignore prototype keys in content handling and project scaffolding

• #16022 a002540 Thanks @​mathieumaf! - Fixes an issue where i18n domains would return 404 when trailingSlash is set to never.

• Updated dependencies [99464ed, f3485c3]:

  • @​astrojs/internal-helpers@​0.9.0
  • @​astrojs/markdown-remark@​7.1.1

Commits

• c1f2e4f [ci] release (#16467)
• 345fb9e chore: fix flaky dev toolbar render time test (#16500)
• 5120ecd [ci] format
• 3d82220 Add AEAD context binding to server island encryption (#16457)
• 1bcb43b Prebundle dev toolbar entrypoint in client environment (#16480)
• 93101cc [ci] format
• 152700e fix: strip sourceMappingURL from dev toolbar entrypoint during dep optimizati...
• bc83041 refactor(astro): migrate test utils to typescript (#16492)
• 5c543c5 refactor(astro): add internal entry points for test (#16473)
• 1058428 Suppress content config warning for projects without content collections (#16...
• Additional commits viewable in compare view

Updates otpauth from 9.5.0 to 9.5.1

Release notes

Sourced from otpauth's releases.

v9.5.1

What's Changed

• Bump rollup from 4.57.1 to 4.59.0 by @​dependabot[bot] in hectorm/otpauth#674
• Bump minimatch by @​dependabot[bot] in hectorm/otpauth#673
• Bump the github-actions-all group with 3 updates by @​dependabot[bot] in hectorm/otpauth#675
• Bump the npm-development-minor-patch group across 1 directory with 7 updates by @​dependabot[bot] in hectorm/otpauth#677
• Bump the github-actions-all group with 3 updates by @​dependabot[bot] in hectorm/otpauth#679
• Bump @​rollup/plugin-terser from 0.4.4 to 1.0.0 by @​dependabot[bot] in hectorm/otpauth#680
• Bump eslint from 9.39.2 to 10.0.3 by @​dependabot[bot] in hectorm/otpauth#678
• Bump @​eslint/js from 9.39.2 to 10.0.1 by @​dependabot[bot] in hectorm/otpauth#670
• Bump the npm-development-minor-patch group across 1 directory with 8 updates by @​dependabot[bot] in hectorm/otpauth#686
• Bump the github-actions-all group with 5 updates by @​dependabot[bot] in hectorm/otpauth#685
• Bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in hectorm/otpauth#684
• Bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in hectorm/otpauth#682
• Bump the github-actions-all group with 4 updates by @​dependabot[bot] in hectorm/otpauth#692
• Bump @​noble/hashes from 2.0.1 to 2.2.0 in the npm-production-minor-patch group by @​dependabot[bot] in hectorm/otpauth#688
• Bump the npm-development-minor-patch group across 1 directory with 8 updates by @​dependabot[bot] in hectorm/otpauth#690

Full Changelog: hectorm/otpauth@v9.5.0...v9.5.1

Commits

• 4903d3d 9.5.1
• b5c6df7 Add 7 day cooldown for new dependency versions
• 01f7caf Update dependencies
• adff202 Bump the npm-development-minor-patch group across 1 directory with 8 updates ...
• 0e4fa84 Bump @​noble/hashes in the npm-production-minor-patch group (#688)
• b7f24c9 Bump the github-actions-all group with 4 updates (#692)
• 80b053d Bump flatted from 3.3.3 to 3.4.2 (#682)
• 4d0f0cc Bump picomatch from 4.0.3 to 4.0.4 (#684)
• 2f0e384 Bump the github-actions-all group with 5 updates (#685)
• 7097f14 Bump the npm-development-minor-patch group across 1 directory with 8 updates ...
• Additional commits viewable in compare view

Summary by CodeRabbit

• Chores
  • Updated project dependencies to latest patch versions for improved stability and compatibility.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates three dependencies in package.json: @astrojs/starlight to 0.38.4, astro to 6.1.10, and otpauth to ^9.5.1.

Changes

Cohort / File(s)	Summary
Dependency Version Updates package.json	Bumped @astrojs/starlight from 0.38.3 to 0.38.4, astro from 6.1.8 to 6.1.10, and otpauth from ^9.5.0 to ^9.5.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: a dependency bump of three packages across the project's package.json file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 13: package-lock.json is out of sync with the package.json updates for
`@astrojs/starlight`, astro, and otpauth (bun.lock was updated but
package-lock.json still pins older versions); regenerate or remove
package-lock.json so npm users get the updated versions: either run npm install
(or npm ci after deleting node_modules) to regenerate package-lock.json
reflecting the new `@astrojs/starlight/astro/otpauth` versions, or remove
package-lock.json if the project intends to rely only on bun.lock, and commit
the resulting change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c44ac932-f09b-4f7c-b602-e601596641b6

📥 Commits

Reviewing files that changed from the base of the PR and between 612eb64 and 51fd1f4.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• package.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Confirm updated versions in package.json"
rg -n '"@astrojs/starlight":|"astro":|"otpauth":' package.json

echo
echo "2) Confirm lockfile contains resolved updates (if present)"
fd -HI 'bun.lock|bun.lockb|package-lock.json|pnpm-lock.yaml|yarn.lock' . | while read -r f; do
  echo "--- $f ---"
  rg -n '@astrojs/starlight|astro@|otpauth' "$f" || true
done

echo
echo "3) Reconfirm OTPAuth usage points for focused smoke tests"
rg -n 'from "otpauth"|new Secret|new TOTP|toString\(' src/lib/generate-totp.ts

Repository: tinyauthapp/docs

Length of output: 3960

---

Regenerate package-lock.json before merge—it is out of sync with package.json updates.

The patch bumps to @astrojs/starlight, astro, and otpauth are reasonable. However, bun.lock has been updated with the new versions while package-lock.json remains stale:

• package-lock.json still shows @astrojs/[email protected] and [email protected] (old versions)
• bun.lock correctly reflects all three updates

If npm or other tools could be used to install dependencies, this mismatch will cause old versions to be installed despite the updated package.json. Regenerate package-lock.json (or remove it if only bun.lock should exist) to keep lockfiles in sync.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 13, package-lock.json is out of sync with the
package.json updates for `@astrojs/starlight`, astro, and otpauth (bun.lock was
updated but package-lock.json still pins older versions); regenerate or remove
package-lock.json so npm users get the updated versions: either run npm install
(or npm ci after deleting node_modules) to regenerate package-lock.json
reflecting the new `@astrojs/starlight/astro/otpauth` versions, or remove
package-lock.json if the project intends to rely only on bun.lock, and commit
the resulting change.