chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: vitest and astro.
Bumps the npm_and_yarn group with 1 update in the /apps/docs directory: astro.

Updates vitest from 3.2.6 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in vitest-dev/vitest#10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in vitest-dev/vitest#10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in vitest-dev/vitest#10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in vitest-dev/vitest#10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in vitest-dev/vitest#8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in vitest-dev/vitest#10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in vitest-dev/vitest#10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in vitest-dev/vitest#10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

... (truncated)

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
• 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
• e399846 chore: release v4.1.5
• 7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
• 9787ded fix: respect diff config options in soft assertions (#8696)
• 325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
• Additional commits viewable in compare view

Updates astro from 5.18.2 to 6.4.2

Release notes

Sourced from astro's releases.

astro@6.4.2

Patch Changes

• #16889 b94bcfd Thanks @​Princesseuh! - Fixes a plugins is not iterable crash when using a pre-6.0 @astrojs/mdx alongside integrations (e.g. Starlight) that set markdown.remarkPlugins, markdown.rehypePlugins, or markdown.remarkRehype.

• #16878 b9f6bb9 Thanks @​fkatsuhiro! - Fixes an issue where on-demand (SSR) dynamic routes would return 404 when a prerendered dynamic route with the same URL pattern was sorted first alphabetically. In production builds with @astrojs/node adapter, if [a_prebuild].astro (prerender=true) came before [b_ssr].astro alphabetically, requests to URLs not in the prerendered route's static paths would 404 instead of falling through to the SSR route. The fix adds fallthrough logic so that when a prerendered dynamic route matches but can't serve the request, Astro tries subsequent matching routes.

astro@6.4.0

Minor Changes

• #16468 4cff3a1 Thanks @​matthewp! - Adds a new preserveBuildServerDir adapter feature

  Adapters can now set preserveBuildServerDir: true in their adapter features to keep the dist/server/ directory structure for static builds, mirroring the existing preserveBuildClientDir option. This is useful for adapters that require a consistent dist/client/ and dist/server/ layout regardless of build output type.

  setAdapter({
    name: 'my-adapter',
    adapterFeatures: {
      buildOutput,
      preserveBuildClientDir: true,
      preserveBuildServerDir: true,
    },
  });

• #16848 f732f3c Thanks @​Princesseuh! - Adds a new markdown.processor configuration option, allowing you to choose an alternative Markdown processor.

  Websites with many Markdown/MDX files tend to be slow to build because the unified ecosystem (e.g., remark, rehype) is slow to process. This feature introduces the ability to replace this part of the build pipeline with another processor.

  The default processor is unified(). This means that existing configurations remain unchanged and your remark/rehype plugins continue to work.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { unified } from '@astrojs/markdown-remark';
  import remarkToc from 'remark-toc';
  export default defineConfig({
  markdown: {
  processor: unified({
  remarkPlugins: [remarkToc],
  }),
  },
  });

  In addition to this new configuration option, Astro provides a new alternative processor based on Rust: Sätteri. You can choose to use it now by installing @astrojs/markdown-satteri, importing the satteri() processor, and adapting your existing configuration:

  // astro.config.mjs

... (truncated)

Changelog

Sourced from astro's changelog.

6.4.2

Patch Changes

• #16889 b94bcfd Thanks @​Princesseuh! - Fixes a plugins is not iterable crash when using a pre-6.0 @astrojs/mdx alongside integrations (e.g. Starlight) that set markdown.remarkPlugins, markdown.rehypePlugins, or markdown.remarkRehype.

• #16878 b9f6bb9 Thanks @​fkatsuhiro! - Fixes an issue where on-demand (SSR) dynamic routes would return 404 when a prerendered dynamic route with the same URL pattern was sorted first alphabetically. In production builds with @astrojs/node adapter, if [a_prebuild].astro (prerender=true) came before [b_ssr].astro alphabetically, requests to URLs not in the prerendered route's static paths would 404 instead of falling through to the SSR route. The fix adds fallthrough logic so that when a prerendered dynamic route matches but can't serve the request, Astro tries subsequent matching routes.

6.4.1

Patch Changes

• #16883 eeb064c Thanks @​Princesseuh! - Restores the astro/jsx/rehype.js entry point so that older versions of @astrojs/mdx continue to work when used with Astro 6.x. This entry point will be removed in Astro 7.0.

6.4.0

Minor Changes

• #16468 4cff3a1 Thanks @​matthewp! - Adds a new preserveBuildServerDir adapter feature

  Adapters can now set preserveBuildServerDir: true in their adapter features to keep the dist/server/ directory structure for static builds, mirroring the existing preserveBuildClientDir option. This is useful for adapters that require a consistent dist/client/ and dist/server/ layout regardless of build output type.

  setAdapter({
    name: 'my-adapter',
    adapterFeatures: {
      buildOutput,
      preserveBuildClientDir: true,
      preserveBuildServerDir: true,
    },
  });

• #16848 f732f3c Thanks @​Princesseuh! - Adds a new markdown.processor configuration option, allowing you to choose an alternative Markdown processor.

  Websites with many Markdown/MDX files tend to be slow to build because the unified ecosystem (e.g., remark, rehype) is slow to process. This feature introduces the ability to replace this part of the build pipeline with another processor.

  The default processor is unified(). This means that existing configurations remain unchanged and your remark/rehype plugins continue to work.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { unified } from '@astrojs/markdown-remark';
  import remarkToc from 'remark-toc';
  export default defineConfig({
  markdown: {
  processor: unified({
  remarkPlugins: [remarkToc],
  }),

... (truncated)

Commits

• b82137b [ci] release (#16885)
• c8625e2 [ci] format
• b94bcfd fix(config): Keep legacy plugins data on the config (#16889)
• b9f6bb9 Fix SSR dynamic routes blocked by prerendered dynamic routes (#16878)
• 3b75dc6 [ci] release (#16884)
• eeb064c fix(mdx): Restore MDX rehype plugin entrypoint (#16883)
• c7157e6 [ci] release (#16870)
• f387eba [ci] format
• e0e26db Resolve X-Forwarded-* headers inside FetchState (#16811)
• 8153f8d [ci] format
• Additional commits viewable in compare view

Updates astro from 5.18.2 to 6.4.2

Release notes

Sourced from astro's releases.

astro@6.4.2

Patch Changes

• #16889 b94bcfd Thanks @​Princesseuh! - Fixes a plugins is not iterable crash when using a pre-6.0 @astrojs/mdx alongside integrations (e.g. Starlight) that set markdown.remarkPlugins, markdown.rehypePlugins, or markdown.remarkRehype.

• #16878 b9f6bb9 Thanks @​fkatsuhiro! - Fixes an issue where on-demand (SSR) dynamic routes would return 404 when a prerendered dynamic route with the same URL pattern was sorted first alphabetically. In production builds with @astrojs/node adapter, if [a_prebuild].astro (prerender=true) came before [b_ssr].astro alphabetically, requests to URLs not in the prerendered route's static paths would 404 instead of falling through to the SSR route. The fix adds fallthrough logic so that when a prerendered dynamic route matches but can't serve the request, Astro tries subsequent matching routes.

astro@6.4.0

Minor Changes

• #16468 4cff3a1 Thanks @​matthewp! - Adds a new preserveBuildServerDir adapter feature

  Adapters can now set preserveBuildServerDir: true in their adapter features to keep the dist/server/ directory structure for static builds, mirroring the existing preserveBuildClientDir option. This is useful for adapters that require a consistent dist/client/ and dist/server/ layout regardless of build output type.

  setAdapter({
    name: 'my-adapter',
    adapterFeatures: {
      buildOutput,
      preserveBuildClientDir: true,
      preserveBuildServerDir: true,
    },
  });

• #16848 f732f3c Thanks @​Princesseuh! - Adds a new markdown.processor configuration option, allowing you to choose an alternative Markdown processor.

  Websites with many Markdown/MDX files tend to be slow to build because the unified ecosystem (e.g., remark, rehype) is slow to process. This feature introduces the ability to replace this part of the build pipeline with another processor.

  The default processor is unified(). This means that existing configurations remain unchanged and your remark/rehype plugins continue to work.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { unified } from '@astrojs/markdown-remark';
  import remarkToc from 'remark-toc';
  export default defineConfig({
  markdown: {
  processor: unified({
  remarkPlugins: [remarkToc],
  }),
  },
  });

  In addition to this new configuration option, Astro provides a new alternative processor based on Rust: Sätteri. You can choose to use it now by installing @astrojs/markdown-satteri, importing the satteri() processor, and adapting your existing configuration:

  // astro.config.mjs

... (truncated)

Changelog

Sourced from astro's changelog.

6.4.2

Patch Changes

• #16889 b94bcfd Thanks @​Princesseuh! - Fixes a plugins is not iterable crash when using a pre-6.0 @astrojs/mdx alongside integrations (e.g. Starlight) that set markdown.remarkPlugins, markdown.rehypePlugins, or markdown.remarkRehype.

• #16878 b9f6bb9 Thanks @​fkatsuhiro! - Fixes an issue where on-demand (SSR) dynamic routes would return 404 when a prerendered dynamic route with the same URL pattern was sorted first alphabetically. In production builds with @astrojs/node adapter, if [a_prebuild].astro (prerender=true) came before [b_ssr].astro alphabetically, requests to URLs not in the prerendered route's static paths would 404 instead of falling through to the SSR route. The fix adds fallthrough logic so that when a prerendered dynamic route matches but can't serve the request, Astro tries subsequent matching routes.

6.4.1

Patch Changes

• #16883 eeb064c Thanks @​Princesseuh! - Restores the astro/jsx/rehype.js entry point so that older versions of @astrojs/mdx continue to work when used with Astro 6.x. This entry point will be removed in Astro 7.0.

6.4.0

Minor Changes

• #16468 4cff3a1 Thanks @​matthewp! - Adds a new preserveBuildServerDir adapter feature

  Adapters can now set preserveBuildServerDir: true in their adapter features to keep the dist/server/ directory structure for static builds, mirroring the existing preserveBuildClientDir option. This is useful for adapters that require a consistent dist/client/ and dist/server/ layout regardless of build output type.

  setAdapter({
    name: 'my-adapter',
    adapterFeatures: {
      buildOutput,
      preserveBuildClientDir: true,
      preserveBuildServerDir: true,
    },
  });

• #16848 f732f3c Thanks @​Princesseuh! - Adds a new markdown.processor configuration option, allowing you to choose an alternative Markdown processor.

  Websites with many Markdown/MDX files tend to be slow to build because the unified ecosystem (e.g., remark, rehype) is slow to process. This feature introduces the ability to replace this part of the build pipeline with another processor.

  The default processor is unified(). This means that existing configurations remain unchanged and your remark/rehype plugins continue to work.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { unified } from '@astrojs/markdown-remark';
  import remarkToc from 'remark-toc';
  export default defineConfig({
  markdown: {
  processor: unified({
  remarkPlugins: [remarkToc],
  }),

... (truncated)

Commits

• b82137b [ci] release (#16885)
• c8625e2 [ci] format
• b94bcfd fix(config): Keep legacy plugins data on the config (#16889)
• b9f6bb9 Fix SSR dynamic routes blocked by prerendered dynamic routes (#16878)
• 3b75dc6 [ci] release (#16884)
• eeb064c fix(mdx): Restore MDX rehype plugin entrypoint (#16883)
• c7157e6 [ci] release (#16870)
• f387eba [ci] format
• e0e26db Resolve X-Forwarded-* headers inside FetchState (#16811)
• 8153f8d [ci] format
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[beeeku]

Audit note (scheduled routine): this PR has been red for 12 days and the underlying upgrade is already tracked, so nothing here is mergeable as a drive-by.

• astro 5.7.0 → 6.4.2 is the exact bump docs: Astro 6 upgrade tracker (apps/docs) — blocked on Starlight #115 was filed to block — @astrojs/starlight@0.33.2 peer-deps astro: ^5.1.5, so no Starlight release supports Astro 6 yet. CI has been failing for the same reason since 2026-04-21.
• vitest ^3 → ^4.1.8 is a separate untracked major. Workspace currently pins ^3.0.0; vitest 4 ships a breaking config + browser-runtime overhaul. Worth its own deliberate bump, not a Dependabot drive-by alongside Astro.

Recommendation (matches the close-out plan documented in #115):

• Reply @dependabot ignore this major version on this PR to close both bumps without losing the security-bump cadence within the current major lines.
• Open a discrete tracking ticket for the vitest 3 → 4 migration so dependabot doesn't keep re-proposing it; the Astro side already has docs: Astro 6 upgrade tracker (apps/docs) — blocked on Starlight #115.

Happy to file the vitest tracking issue if you want — say the word.

---

Generated by Claude Code

[beeeku]

Filed the vitest 3 → 4 tracking issue as #120 so the major bump doesn't keep getting re-proposed alongside Astro. Both blockers (#115 Astro 6, #120 Vitest 4) are now captured.

Next step to close this PR out cleanly per the documented plan:

·@·d·ependabot i·gnore t·his major version

That tells Dependabot to stop re-proposing the Astro 6 and Vitest 4 majors on this group while #115 and #120 stay open as the real tracking surfaces. Security and minor bumps within astro@5.x / vitest@3.x will keep flowing.

---

Generated by Claude Code

[beeeku]

Closing per the plan documented in #120 (Vitest 4) and #115 (Astro 6). Both upgrades are tracked in dedicated migration issues; neither can ride along as a drive-by bump. Resume bumping within v3 / v5 in the meantime.

·@·d·ependabot i·gnore t·his major version

---

Generated by Claude Code

[beeeku]

Closing per the migration trackers — both upgrades are blocked on upstream work and can't ride along with a Dependabot drive-by:

• vitest 3 → 4 → tracked in chore(deps): Vitest 4 upgrade tracker — workspace-wide migration from v3 #120 (workspace-wide migration; needs defineWorkspace rewrite + coverage-defaults audit + per-package test refresh).
• astro 5 → 6 → tracked in docs: Astro 6 upgrade tracker (apps/docs) — blocked on Starlight #115 (gated on @astrojs/starlight shipping v6 support + @astrojs/tailwind → Vite Tailwind v4 plugin migration).

Issuing the ignore-major commands #120 / #115 recommend so Dependabot keeps bumping within the current major:

@dependabot ignore vitest major version
@dependabot ignore astro major version

---

Generated by Claude Code — scheduled audit routine

---

Generated by Claude Code

[beeeku]

Closing per the migration trackers — both bumps in this group are real majors that need their own plan, not a drive-by:

• vitest 3 → 4 — tracked in chore(deps): Vitest 4 upgrade tracker — workspace-wide migration from v3 #120 (workspace-wide migration, defineWorkspace gone, Node 18 dropped, 33+ packages touched).
• astro 5 → 6 — tracked in docs: Astro 6 upgrade tracker (apps/docs) — blocked on Starlight #115 (blocked upstream on @astrojs/starlight shipping v6 support).

Both tracker issues explicitly say to ignore the major bump here until they're actionable. Stopping the v4/v6 majors so the group can resume bumping within v3/v5.

@dependabot ignore vitest major version
@dependabot ignore astro major version

---

Generated by Claude Code