build(deps): bump the npm-production group across 1 directory with 3 updates

[dependabot]

Bumps the npm-production group with 2 updates in the / directory: @astrojs/vercel and @astrojs/node.

Updates @astrojs/vercel from 9.0.2 to 9.0.4

Changelog

Sourced from @​astrojs/vercel's changelog.

9.0.4

Patch Changes

• #14863 29fd188 Thanks @​drwpow! - Improves error message when using Node builtins inside Edge middlewares

9.0.3

Patch Changes

• #15116 9fc4562 Thanks @​Raanelom! - Updates Node versions data to account for v24 as the default

Commits

• 44f4e78 [ci] release (#15188)
• 8068bad [ci] format
• 29fd188 Revert fix: Allow node: prefix for Node builtins for Vercel middleware (#14863)
• fc1f331 fix(deps): update astro adapters (#15173)
• e73deb8 [ci] release (#15031)
• 9fc4562 Feature/allow node 24 vercel adapter (#15116)
• 5fdd541 fix(deps): update astro adapters (#15084)
• See full diff in compare view

Updates @astrojs/node from 9.5.1 to 9.5.4

Release notes

Sourced from @​astrojs/node's releases.

@​astrojs/node@​9.5.4

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15572 ef851bf Thanks @​matthewp! - Upgrade astro package support

  astro@5.17.3 includes a fix to prevent Action payloads from exhausting memory. @​astrojs/node now depends on this version of Astro as a minimum requirement.

@​astrojs/node@​9.5.3

Patch Changes

• c13b536 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

Changelog

Sourced from @​astrojs/node's changelog.

9.5.4

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15572 ef851bf Thanks @​matthewp! - Upgrade astro package support

  astro@5.17.3 includes a fix to prevent Action payloads from exhausting memory. @​astrojs/node now depends on this version of Astro as a minimum requirement.

9.5.3

Patch Changes

• c13b536 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

9.5.2

Patch Changes

• #15196 a8317c1 Thanks @​ematipico! - Fixes an issue where some prendered pages weren't correctly rendered when using the Node.js adapter in middleware mode.

• #15169 b803d8b Thanks @​rururux! - fix: fix image 500 error when moving dist directory in standalone Node

Commits

• e0f1a2b [ci] release (#15571)
• ef851bf Update minimum astro version support in @​astrojs/node (#15572)
• f2955fb [ci] release (#15474)
• c13b536 Validate Host header against allowedDomains
• c19b70e fix(deps): update astro adapters (#15243)
• 7fe9e1b fix: update devalue to the latest (#15222)
• 44f4e78 [ci] release (#15188)
• 2fa19c4 fix(core): add defensive validation for mod.page in App.render (#15148)
• 8d74e9e [ci] format
• a8317c1 fix(node): hash URL stripping (#15196)
• Additional commits viewable in compare view

Updates astro from 5.16.6 to 5.18.0

Release notes

Sourced from astro's releases.

astro@5.18.0

Minor Changes

• #15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

astro@5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

astro@5.17.2

Patch Changes

• c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

astro@5.17.1

Patch Changes

• #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

  Removes the getFontBuffer() helper function exported from astro:assets when using the experimental Fonts API

  This experimental feature introduced in v15.6.13 ended up causing significant memory usage during build. This feature has been removed and will be reintroduced after further exploration and testing.

  If you were relying on this function, you can replicate the previous behavior manually:

  • On prerendered routes, read the file using node:fs
  • On server rendered routes, fetch files using URLs from fontData and context.url

astro@5.17.0

Minor Changes

... (truncated)

Changelog

Sourced from astro's changelog.

5.18.0

Minor Changes

• #15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

5.17.2

Patch Changes

• c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

5.17.1

Patch Changes

• #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

  Removes the getFontBuffer() helper function exported from astro:assets when using the experimental Fonts API

  This experimental feature introduced in v15.6.13 ended up causing significant memory usage during build. This feature has been removed and will be reintroduced after further exploration and testing.

  If you were relying on this function, you can replicate the previous behavior manually:

  • On prerendered routes, read the file using node:fs
  • On server rendered routes, fetch files using URLs from fontData and context.url

... (truncated)

Commits

• 011f061 [ci] release (#15597)
• efae11c fix: X-Forwarded-Proto rejected when allowedDomains includes protocol… (#15594)
• 751ccf0 Update actionBodySizeLimit changeset and make minor (#15600)
• b7dd447 make actionBodySizeLimit configurable (#15589)
• e0f1a2b [ci] release (#15571)
• 522f880 Limit action request body size (#15564)
• 436962a chore: Upgrade Vite and esbuild (#15554)
• e01e98b Respect remote image allowlists (#15569)
• f2955fb [ci] release (#15474)
• c13b536 Validate Host header against allowedDomains
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions