chore(deps): bump the npm group across 1 directory with 3 updates#3089
Conversation
Bugbot is paused — on-demand spend limit reachedBugbot uses usage-based billing for this team and has hit its on-demand spend limit. A team admin can raise the spend limit in the Cursor dashboard, or wait for the next billing cycle to continue. |
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 3 agents | Quality score: 75% | Review time: 281.5s
🟡 Warning (2)
1. Major version bump of astro (v5 → v7) is a breaking change requiring manual verification
File: docs-site/package.json (line 14-16) | Consensus: 1/3 agents
The astro dependency jumps from ^5.14.0 to ^7.0.4, skipping an entire major version. Astro v7 drops support for Astro v6 (and by extension v5) APIs, upgrades to Vite v8, and changes compressHTML defaults. The lock file shows the new @astrojs/compiler-rs and rolldown bundler (replacing Rollup) as transitive deps. This PR only updates package.json and package-lock.json — there is no evidence that astro.config.mjs or any MDX/Astro component files were audited for breaking-change compatibility. The Starlight v0.41 changelog explicitly states: 'Make sure you update Astro and any other official integrations at the same time as updating Starlight.' A silent build failure or runtime regression is possible if the config or components use deprecated v5/v6 APIs.
Suggested fix:
Before merging, run `npm run build` (or the CI `check` script) in `docs-site/` and confirm the output is clean. Review the Astro v6→v7 migration guide (https://docs.astro.build/en/guides/upgrade-to/v7/) for any config or component changes needed in `astro.config.mjs` and `src/`.
Found by: patterns-reviewer
2. Major version bump of astro (v5→v7) may break the site without config migration
File: docs-site/package.json (line 14-16) | Consensus: 1/3 agents
The astro dependency jumps from ^5.14.0 to ^7.0.4, which is a two-major-version leap. Astro v7 is a breaking release (drops Astro v6 support, upgrades to Vite v8, changes compressHTML default to 'jsx', and drops support for older browsers). The astro.config.mjs in the repo has not been updated to account for any of these breaking changes. If the CI check script (astro build && node scripts/check-links.mjs) is not run as part of this PR, the breakage will only be discovered after merge. The lock file resolves astro@7.0.4 and vite@8.1.1, confirming the jump is real.
Suggested fix:
Run `npm run check` (or `astro build`) locally against the new versions before merging. Review the Astro v6→v7 migration guide (https://docs.astro.build/en/guides/upgrade-to/v7/) and update `astro.config.mjs` if any deprecated options are used. Also verify the `@astrojs/starlight` 0.41.x peer-dependency requirement (`astro: ^7.0.2`) is satisfied — it is, but the intermediate v6 peer requirement from the old starlight is now gone.
Found by: logic-reviewer
💡 Suggestion (2)
1. Node engine constraint tightened to >=22.12.0 by transitive deps — CI/CD environment may need updating
File: docs-site/package.json (line 14-16) | Consensus: 1/3 agents
The new astro@7 and its transitive dependencies (@astrojs/compiler-binding, @astrojs/compiler-rs, @astrojs/prism, rolldown, readdirp, chokidar, yargs-parser) all declare engines: { node: '^20.19.0 || >=22.12.0' }. If the CI pipeline or any developer machine runs Node 20 < 20.19.0 or Node 21, builds will fail with an engine mismatch. The previous astro@5 supported Node 18+.
Suggested fix:
Verify that the CI Node version (check `.github/workflows/`) is `>=20.19.0` or `>=22.12.0`. Update the workflow matrix if needed.
Found by: patterns-reviewer
2. @astrojs/starlight jumps 5 minor versions (0.36→0.41) including a breaking change
File: docs-site/package.json (line 13-13) | Consensus: 1/3 agents
Starlight 0.41.0 drops support for Astro v6 and introduces a breaking browser-support change (Chrome/Edge <111, Safari <16.4 no longer supported). While the lock file resolves to 0.41.1 (which fixes a dependency resolution bug introduced in 0.41.0), the intermediate releases (0.37–0.40) also contain minor breaking changes and new required peer dependencies (@astrojs/markdown-satteri). The lock file shows @astrojs/markdown-satteri@0.3.2 is now pulled in as a direct dependency of starlight, which was not present before. This is handled automatically by npm, but any custom Starlight plugin or integration in the project should be verified for compatibility.
Suggested fix:
Check the Starlight changelog from 0.36.x to 0.41.1 for any configuration changes that affect the `astro.config.mjs` starlight integration options used in this project (e.g., `expressiveCode`, `sidebar`, `editLink`). The `astro-expressive-code` package is now at 0.44.0 — verify `styleOverrides` keys are still valid.
Found by: logic-reviewer
🤖 Generated by AI Code Reviewer | Review ID: review-9c6553ed
Documentation ReviewThe following documentation may need updates based on the changes in this PR:
|
31dfdef to
611dd57
Compare
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 3 agents | Quality score: 72% | Review time: 71.9s
🟡 Warning (3)
1. Major version bump of astro (v5→v7) includes breaking changes
File: docs-site/package.json (line 14-16) | Consensus: 1/3 agents
The astro package jumps from ^5.14.0 to ^7.0.4, which is a two-major-version leap. Astro v7 drops support for Astro v6 (and by extension v5), upgrades to Vite v8, changes the default compressHTML value to 'jsx', and raises the minimum Node.js requirement to >=22.12.0. The lock file confirms the new engine constraint ("node": ">=22.12.0"). If the CI/CD environment or any developer machine runs Node 20.x, builds will fail. The astro.config.mjs uses several integration APIs (Starlight, expressive-code) that may have changed behaviour under Astro v7. Verify the Node version in CI and all deployment environments before merging.
Suggested fix:
Pin the Node version in CI to >=22.12.0 (e.g. in `.nvmrc`, `engines` field, or the workflow matrix). Run `npm run build` and `npm run check` in CI against the new versions to confirm no regressions before merging.
Found by: patterns-reviewer
2. Major version bump of astro (v5→v7) is a breaking change requiring config/content validation
File: docs-site/package.json (line 14-16) | Consensus: 1/3 agents
The astro dependency jumps from ^5.14.0 to ^7.0.4, which is a two-major-version leap. Astro v7 drops support for Astro v6 (and by extension v5) APIs, upgrades to Vite v8, and changes the default compressHTML value to 'jsx'. The astro.config.mjs in this repo uses Starlight-specific configuration that may be affected. Additionally, the @astrojs/starlight bump from 0.36.x to 0.41.x includes a breaking change (0.41.0) that drops Astro v6 support and requires Astro v7. While the lockfile resolves consistently, the astro.config.mjs has not been updated to account for any v7 breaking changes (e.g., compressHTML default change, Vite v8 plugin API changes). The PR description and diff show only dependency version bumps with no corresponding config or content changes, which is a risk for a two-major-version jump.
Suggested fix:
Verify the docs site builds successfully after this bump by running `npm run build` in `docs-site/`. Check the Astro v6→v7 migration guide (https://docs.astro.build/en/guides/upgrade-to/v7/) for any required config changes, particularly around `compressHTML`, Vite v8 plugin compatibility, and the new Node.js engine requirement (>=22.12.0 per the lockfile entries).
Found by: logic-reviewer
3. Node.js engine requirement silently raised to >=22.12.0 by transitive dependencies
File: docs-site/package.json (line 14-16) | Consensus: 1/3 agents
The updated lockfile shows that astro@7.0.4, @astrojs/compiler-rs@0.3.0, @astrojs/prism@4.0.2, readdirp@5.0.0, chokidar@5.0.0, and yargs-parser@22.0.0 all require node: '^20.19.0 || >=22.12.0' or node: '>=22.12.0'. The package.json has no engines field, so CI or developer environments running Node 20.x (below 20.19.0) or Node 21.x will silently fail at runtime rather than at install time. The previous astro v5 required Node 18+.
Suggested fix:
Add an `engines` field to `docs-site/package.json` to make the constraint explicit and fail fast: `"engines": { "node": "^20.19.0 || >=22.12.0" }`. Also verify that CI runners and any deployment pipelines use a compatible Node version.
Found by: logic-reviewer
💡 Suggestion (1)
1. Node engine constraint not declared in package.json
File: docs-site/package.json (line 14-16) | Consensus: 1/3 agents
The new astro@7 and its compiler binding require Node ^20.19.0 || >=22.12.0 (visible in the lock file for @astrojs/compiler-binding, @astrojs/prism, etc.), but docs-site/package.json has no engines field. Without it, developers on older Node versions will get cryptic native-binding errors rather than a clear message.
Suggested fix:
Add `"engines": { "node": "^20.19.0 || >=22.12.0" }` to `docs-site/package.json`.
Found by: patterns-reviewer
🤖 Generated by AI Code Reviewer | Review ID: review-61fb7573
611dd57 to
6bf14b5
Compare
Bugbot is paused — on-demand spend limit reachedBugbot uses usage-based billing for this team and has hit its on-demand spend limit. A team admin can raise the spend limit in the Cursor dashboard, or wait for the next billing cycle to continue. |
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 3 agents | Quality score: 81% | Review time: 352.4s
🟡 Warning (1)
1. Major version bump of astro (v5→v7) is a breaking change requiring manual validation
File: docs-site/package.json (line 14-16) | Consensus: 1/3 agents
The astro dependency jumps from ^5.14.0 to ^7.0.4, skipping an entire major version. Astro v7 drops support for Astro v6 (and by extension v5), upgrades to Vite v8, and changes the default compressHTML value. The lock file shows the new compiler requires Node >=22.12.0, while the previous version supported Node >=18. If CI or production runs an older Node version, the build will fail silently or produce unexpected output. The PR description notes this is a breaking change but there is no evidence of CI node version validation or a tested upgrade path.
Suggested fix:
Verify the CI/CD pipeline and any deployment environments use Node >=22.12.0. Check the Astro v7 migration guide (https://docs.astro.build/en/guides/upgrade-to/v7/) for any config changes needed in astro.config.mjs. Consider adding an engines field to package.json: `"engines": { "node": ">=22.12.0" }`.
Found by: patterns-reviewer
💡 Suggestion (1)
1. Node engine constraint in lock file (>=22.12.0) not reflected in package.json
File: docs-site/package-lock.json (line 1-10) | Consensus: 1/3 agents
Multiple packages in the lock file (esbuild, @astrojs/compiler-binding, rolldown, chokidar, readdirp, yargs-parser) require Node ^20.19.0 || >=22.12.0 or >=22.12.0. The root package.json has no engines field, so contributors and CI may unknowingly run on an incompatible Node version and get cryptic errors rather than a clear message.
Suggested fix:
Add to docs-site/package.json: `"engines": { "node": "^20.19.0 || >=22.12.0" }` to match the most restrictive transitive requirement.
Found by: patterns-reviewer
🤖 Generated by AI Code Reviewer | Review ID: review-4e307859
Bumps the npm group with 3 updates in the /docs-site directory: [@astrojs/starlight](https://github.com/withastro/starlight/tree/HEAD/packages/starlight), [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) and [sharp](https://github.com/lovell/sharp). Updates `@astrojs/starlight` from 0.36.3 to 0.41.3 - [Release notes](https://github.com/withastro/starlight/releases) - [Changelog](https://github.com/withastro/starlight/blob/main/packages/starlight/CHANGELOG.md) - [Commits](https://github.com/withastro/starlight/commits/@astrojs/starlight@0.41.3/packages/starlight) Updates `astro` from 5.18.2 to 7.0.6 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@7.0.6/packages/astro) Updates `sharp` from 0.34.5 to 0.35.3 - [Release notes](https://github.com/lovell/sharp/releases) - [Commits](lovell/sharp@v0.34.5...v0.35.3) --- updated-dependencies: - dependency-name: "@astrojs/starlight" dependency-version: 0.41.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: astro dependency-version: 7.0.4 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: sharp dependency-version: 0.35.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com>
6bf14b5 to
05bbe9e
Compare
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 3 agents | Quality score: 66% | Review time: 395.1s
🟡 1 warnings. See inline comments.
🤖 Generated by AI Code Reviewer | Review ID: review-4ce17c7b
| "@astrojs/starlight": "^0.36.0", | ||
| "astro": "^5.14.0", | ||
| "sharp": "^0.34.0" | ||
| "@astrojs/starlight": "^0.41.3", |
There was a problem hiding this comment.
🟡 Astro 7 requires Node >=22.12.0, but docs CI pins Node 20
This bump jumps astro from ^5.14.0 straight to ^7.0.6 (skipping v6 entirely). The resolved astro@7.0.6 package in docs-site/package-lock.json declares "engines": {"node": ">=22.12.0", ...}, and several of its transitive deps (e.g. vite@8.1.3, esbuild@0.28.1, @astrojs/compiler-rs) also require modern Node (>=18/>=20/>=22). However, both .github/workflows/docs-ci.yml and .github/workflows/docs-site.yml (the PR-check and GitHub Pages deploy jobs for this exact docs-site/ directory) still pin node-version: 20 via actions/setup-node. Since there is no .npmrc with engine-strict=true in the repo, npm ci will likely only emit an EBADENGINE warning rather than fail outright, but astro build/astro dev may then fail or misbehave at runtime because they were built against Node >=22.12 APIs. This will silently break the docs CI (npm run check) and the Pages deploy workflow the next time either runs against this lockfile.
Suggested fix:
Bump `node-version` to at least 22.12 (or 22 LTS) in .github/workflows/docs-ci.yml and .github/workflows/docs-site.yml alongside this dependency bump, and verify `npm ci && npm run build` succeeds locally/in CI with that Node version before merging.
Astro now requires Node >=22.12, so bump setup-node to 22 in the docs workflows. The new compiler also rejects literal braces in template text; escape them in EntityStorage.astro. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 3 agents | Quality score: 95% | Review time: 485.0s
✅ No Issues Found
All agents reviewed the code and found no issues. LGTM! 🎉
🤖 Generated by AI Code Reviewer | Review ID: review-fd8652a5
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 3 agents | Quality score: 95% | Review time: 425.2s
✅ No Issues Found
All agents reviewed the code and found no issues. LGTM! 🎉
🤖 Generated by AI Code Reviewer | Review ID: review-ccaf6226
Bumps the npm group with 3 updates in the /docs-site directory: @astrojs/starlight, astro and sharp.
Updates
@astrojs/starlightfrom 0.36.3 to 0.41.3Release notes
Sourced from @astrojs/starlight's releases.
... (truncated)
Changelog
Sourced from @astrojs/starlight's changelog.
... (truncated)
Commits
96cee6e[ci] release (#4032)1686eccfix(MobileMenuToggle): trap keyboard focus inside the mobile menu (#3911)3948048[ci] release (#4016)1a209c5[ci] format58a3520fix(css): prevent TOC overflow with custom --sl-content-width (#4008)bdbfffcFix aside icons when MDX optimization is disabled (#4015)a2266b9Update playwright (#4013)c1a3d6d[ci] release (#3989)72e63dcAdd link icons and dedupe Markdown/component icons (#3967)ac55cfaUpdateastro-expressive-code(#3988)Updates
astrofrom 5.18.2 to 7.0.6Release notes
Sourced from astro's releases.
... (truncated)
Changelog
Sourced from astro's changelog.
... (truncated)
Commits
a86160e[ci] release (#17256)f94280dFix route generator throwing on a dynamic param value of 0 (#17247)6f11739fix(css): use raw module ID for virtual CSS cache lookup in dev mode (#17267)...26c68f6[ci] format2aeaa44FixinferSizefor remote images in thePicturecomponent (#17279)b428648Resolve extensionless imports in island component paths (#17272)14524c0Keep component scripts in place when rendered via Astro.slots.render() (#17260)8c3579bfix: add render() type overload for live collection entries (#16688) (#17274)94dd2aa[ci] format5240e26Validate attribute names on custom HTML elements during SSR (#17251)Updates
sharpfrom 0.34.5 to 0.35.3Release notes
Sourced from sharp's releases.
... (truncated)
Commits
1018449Release v0.35.3ba303a7Prerelease v0.35.3-rc.24f94fc5Upgrade to sharp-libvips v1.3.2c5e7a3fBump devDeps, fix Deno/Windows smoke tests9a8d002Docs: Add changelog entry and note about transferable #45208694db0TypeScript: Return more preciseBuffer\<ArrayBuffer>fromtoBuffer(#4520)e000d0bPrerelease v0.35.3-rc.19554ca9Prerelease v0.35.3-rc.06a29fd5Emit warning about native binaries on Linux Electron540d2eaIncrease default concurrency when use of MALLOC_ARENA_MAX detected