chore(deps): bump the npm_and_yarn group across 5 directories with 6 updates #1

Open
dependabot[bot] wants to merge 1 commit into dev from dependabot/npm_and_yarn/packages/web/npm_and_yarn-740811821b

dependabot bot commented on behalf of github Apr 3, 2026

Bumps the npm_and_yarn group with 2 updates in the /packages/web directory: @astrojs/cloudflare and astro.
Bumps the npm_and_yarn group with 1 update in the /packages/ui directory: dompurify.
Bumps the npm_and_yarn group with 1 update in the /packages/opencode directory: minimatch.
Bumps the npm_and_yarn group with 1 update in the /packages/desktop-electron directory: electron.
Bumps the npm_and_yarn group with 1 update in the /packages/console/app directory: wrangler.

Updates @astrojs/cloudflare from 12.6.3 to 12.6.6

Changelog

Sourced from @​astrojs/cloudflare's changelog.

12.6.6

Patch Changes

  • 9ecf359 Thanks @​alexanderniebuhr! - Improves the image proxy endpoint when using the default compile option to adhere to user configuration regarding the allowed remote domains

  • Updated dependencies []:

    • @​astrojs/underscore-redirects@​1.0.0

12.6.5

Patch Changes

  • #14259 02366e9 Thanks @​ascorbic! - Removes warning when using the adapter with a static build.

    The Cloudflare adapter now has several uses outside of on-demand rendered pages, so this warning is misleading. Similar warnings have already been removed from other adapters.

  • #14234 15b55f3 Thanks @​yanthomasdev! - Fixes an issue that could cause duplicate exports when configuring workerEntrypoint.namedExports

  • #14240 77b18fb Thanks @​delucis! - Increases the minimum supported version of Astro to 5.7.0

  • Updated dependencies []:

    • @​astrojs/underscore-redirects@​1.0.0

12.6.4

Patch Changes

  • Updated dependencies [4d16de7]:
    • @​astrojs/internal-helpers@​0.7.2
    • @​astrojs/underscore-redirects@​1.0.0

Updates astro from 5.7.13 to 5.18.1

Release notes

Sourced from astro's releases.

astro@5.18.1

Patch Changes

  • Updated dependencies [c2cd371]:
    • @​astrojs/internal-helpers@​0.7.6
    • @​astrojs/markdown-remark@​6.3.11

Changelog

Sourced from astro's changelog.

5.18.1

Patch Changes

  • Updated dependencies [c2cd371]:
    • @​astrojs/internal-helpers@​0.7.6
    • @​astrojs/markdown-remark@​6.3.11

5.18.0

Minor Changes

  • #15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

    This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

    If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

    // astro.config.mjs
    export default defineConfig({
      security: {
        actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
      },
    });

Patch Changes

  • #15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

5.17.3

Patch Changes

  • #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

  • #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

5.17.2

Patch Changes

  • c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

5.17.1

Patch Changes

... (truncated)

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.


Updates dompurify from 3.3.1 to 3.3.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.2

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
  • Bumped and removed several dependencies, thanks @​Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @​Rotzbua

Updates minimatch from 10.0.3 to 10.2.3

Changelog

Sourced from minimatch's changelog.

change log

10.2

  • Add braceExpandMax option

10.1

  • Add magicalBraces option for escape
  • Fix makeRe when partial: true is set.
  • Fix makeRe when pattern ends in a final ** path part.

10.0

  • Require node 20 or 22 and higher

9.0

  • No default export, only named exports.

8.0

  • Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
  • Bump required Node.js version

7.4

  • Add escape() method
  • Add unescape() method
  • Add Minimatch.hasMagic() method

7.3

  • Add support for posix character classes in a unicode-aware way.

7.2

  • Add windowsNoMagicRoot option

7.1

  • Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Updates electron from 40.4.1 to 40.8.4

Release notes

Sourced from electron's releases.

electron v40.8.4

Release Notes for v40.8.4

Fixes

  • Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50467 (Also in 38, 39, 41)
  • Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50401 (Also in 39, 41, 42)
  • Fixed improper focus tracking in BaseWindow on MacOS. #50337 (Also in 39, 41, 42)
  • Fixed logic bug that rendered certain window types un-resizable on MAS builds. #50355 (Also in 41, 42)
  • Fixed utilityProcess exit event reporting incorrect exit codes on Windows when the exit code has the high bit. #50387 (Also in 41, 42)
  • Fixed window freeze when failing to enter/exit fullscreen on macOS. #50344 (Also in 39, 41, 42)

Other Changes

  • Added support for using a proxy during yarn install. #50352 (Also in 39, 41, 42)
  • Backported fix for 485935305. #50441
  • Backported fix for 489381399. #50449
  • Backported fixes for 484751092, 487117772. #50460

electron v40.8.3

Release Notes for v40.8.3

Fixes

  • Added additional ASAR support to additional fs copy methods. #50287 (Also in 39, 41, 42)
  • Fixed an issue where some DevTools functionality didn't work as expected. #50275 (Also in 41, 42)
  • Fixed user resizing of transparent windows on win32 platform. #50301 (Also in 39, 41, 42)

electron v40.8.2

Release Notes for v40.8.2

Other Changes

  • Backported fix for b/491421267. #50229
  • Fixed an issue where running app icons were not correctly retrieved on macOS Tahoe. #50188

electron v40.8.1

Release Notes for v40.8.1

Fixes

  • Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50158 (Also in 38, 39, 41)
  • Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50216 (Also in 39, 41)
  • Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50138 (Also in 39, 41)
  • Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50162 (Also in 38, 39, 41)
  • Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50104 (Also in 39, 41)
  • Fixed an issue where calling setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #50084 (Also in 39, 41)
  • Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #50131 (Also in 38, 39, 41)
  • Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #50149 (Also in 38, 39, 41)
  • Fixed an issue where traffic light buttons would flash at position (0,0) when restoring a window with a custom trafficLightPosition from minimization on macOS. #50207 (Also in 39, 41)
  • Fixed bug where opening a message box immediately upon closing a child window may cause the parent window to freeze on Windows. #50189 (Also in 39, 41)

... (truncated)

Commits
  • 2871c1d fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
  • 0d3f57f chore: cherry-pick 074d472db745 from chromium (#50449)
  • 6247116 chore: cherry-pick 3 changes from chromium (#50460)
  • 5a1bda2 chore: cherry-pick 50b057660b4d from chromium (#50441)
  • cca4a73 fix: don't re-parse URL unnecessarily when handling dialogs (#50401)
  • a8dfe36 fix: correct utility process exit code on Windows (#50387)
  • a495539 ci: output build cache hit rate as GHA annotation (#50368)
  • bd193de fix: correctly track BaseWindow::IsActive() on MacOS (#50337)
  • ef66db3 chore: Respect HTTP(S) proxy env variable for Yarn (#50352)
  • 00827a2 fix: always call the original impl in swizzled mousedown impls (#50355)
  • Additional commits viewable in compare view

Updates wrangler from 4.50.0 to 4.59.1

Commits
  • 37a8607 Version Packages (#11890)
  • 99b1f32 fix: execute git commands in pages deploy safely (#11889)
  • e98c95a Version Packages (#11836)
  • ad65efa Add --check flag to wrangler types (#11852)
  • beb96af feat(unenv-preset): add support for native node:sqlite module (#11841)
  • b0e54b2 [wrangler] Add AI agent detection to analytics events (#11820)
  • 2203af4 Add Node.js 24 and 25 compatibility to the test suites for Miniflare, Wrangle...
  • b6148ed chore(deps): bump the workerd-and-workers-types group with 2 updates (#11872)
  • 0eb973d Do not warn user when using a redirected config that came from a config with ...
  • 0f8d69d containers: users can set multiple tiers for constraints (#11755)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

…updates

Bumps the npm_and_yarn group with 2 updates in the /packages/web directory: [@astrojs/cloudflare](https://github.com/withastro/astro/tree/HEAD/packages/integrations/cloudflare) and [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).
Bumps the npm_and_yarn group with 1 update in the /packages/ui directory: [dompurify](https://github.com/cure53/DOMPurify).
Bumps the npm_and_yarn group with 1 update in the /packages/opencode directory: [minimatch](https://github.com/isaacs/minimatch).
Bumps the npm_and_yarn group with 1 update in the /packages/desktop-electron directory: [electron](https://github.com/electron/electron).
Bumps the npm_and_yarn group with 1 update in the /packages/console/app directory: [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler).


Updates `@astrojs/cloudflare` from 12.6.3 to 12.6.6
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/integrations/cloudflare/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/@astrojs/cloudflare@12.6.6/packages/integrations/cloudflare)

Updates `astro` from 5.7.13 to 5.18.1
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/astro@5.18.1/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.18.1/packages/astro)

Updates `dompurify` from 3.3.1 to 3.3.2
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.1...3.3.2)

Updates `minimatch` from 10.0.3 to 10.2.3
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v10.0.3...v10.2.3)

Updates `electron` from 40.4.1 to 40.8.4
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v40.4.1...v40.8.4)

Updates `wrangler` from 4.50.0 to 4.59.1
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.59.1/packages/wrangler)

---
updated-dependencies:
- dependency-name: "@astrojs/cloudflare"
  dependency-version: 12.6.6
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: astro
  dependency-version: 5.18.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.3.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 10.2.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: electron
  dependency-version: 40.8.4
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: wrangler
  dependency-version: 4.59.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 3, 2026

roomote-v0 bot commented Apr 3, 2026

Reviewed the dependency bumps across 5 packages. The version changes themselves look reasonable (all patch/minor within semver range), but two issues need attention before merging:

  • bun.lock is not updated -- Dependabot does not support bun lockfiles, so bun install needs to be run and the regenerated lockfile committed
  • astro jumps from 5.7.13 to 5.18.1 (11 minor versions) while @astrojs/markdown-remark remains pinned at 6.3.1; verify the build works and consider bumping co-dependencies

Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.

Comment thread packages/web/package.json
"@types/luxon": "catalog:",
"ai": "catalog:",
"astro": "5.7.13",
"astro": "5.18.1",

The bun.lock file is not updated in this PR. Dependabot doesn't natively support bun lockfiles, so the lockfile still references the old package versions (e.g., @astrojs/cloudflare@12.6.3, astro@5.7.13). After merging, bun install will need to be run and the regenerated lockfile committed separately -- otherwise CI or local builds that rely on the lockfile will still resolve the old versions.

Fix it with Roo Code or mention @roomote and request a fix.
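
The stale-lockfile condition described in the review comment above can be checked mechanically before merging. This is an added example, not code from the PR or the repository; it assumes bun.lock is JSON with trailing commas whose `packages` map holds arrays beginning with `name@version`, and both inputs are constructed samples using the versions named in this PR.

```javascript
// Added example: list packages whose exact package.json pin differs from bun.lock.
// Assumed layout: bun.lock is JSON with trailing commas and a "packages" map
// whose values are arrays beginning with "name@version".

// Constructed inputs, modelled on the versions named in this PR.
const samplePackageJson = `{
  "dependencies": {
    "@astrojs/cloudflare": "12.6.6",
    "@astrojs/markdown-remark": "6.3.1",
    "@types/luxon": "catalog:",
    "astro": "5.18.1"
  }
}`;
const sampleBunLock = `{
  "lockfileVersion": 1,
  "packages": {
    "@astrojs/cloudflare": ["@astrojs/cloudflare@12.6.3", "", {}, "sha512-constructed"],
    "@astrojs/markdown-remark": ["@astrojs/markdown-remark@6.3.1", "", {}, "sha512-constructed"],
    "astro": ["astro@5.7.13", "", {}, "sha512-constructed"],
  }
}`;

// Remove trailing commas before a closing brace/bracket so JSON.parse accepts
// the text. Adequate for lockfile text; not a general JSONC parser.
function parseLoose(text) {
  return JSON.parse(text.replace(/,(\s*[}\]])/g, "$1"));
}

// Build name -> resolved version from top-level lockfile entries.
function lockedVersions(lock) {
  const resolved = new Map();
  for (const [key, entry] of Object.entries(lock.packages ?? {})) {
    const spec = Array.isArray(entry) ? String(entry[0]) : "";
    const at = spec.lastIndexOf("@"); // last "@" splits name from version, scoped or not
    if (at > 0 && spec.slice(0, at) === key) resolved.set(key, spec.slice(at + 1));
  }
  return resolved;
}

// Return every exactly pinned dependency that the lockfile resolves differently
// or does not resolve at all. Non-exact specs ("catalog:", ranges) are skipped.
function findDrift(manifestText, lockText) {
  const manifest = parseLoose(manifestText);
  const locked = lockedVersions(parseLoose(lockText));
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const drift = [];
  for (const [name, wanted] of Object.entries(deps)) {
    if (!/^\d+\.\d+\.\d+([-+].*)?$/.test(wanted)) continue;
    const got = locked.get(name) ?? null;
    if (got !== wanted) drift.push({ name, wanted, locked: got });
  }
  return drift;
}

console.log(findDrift(samplePackageJson, sampleBunLock));
```

A non-empty result in CI means the installed tree still resolves the pre-bump versions, so the fixes listed in the changelogs above are not yet in effect.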

Comment thread packages/web/package.json
Comment on lines 16 to +23
"@astrojs/markdown-remark": "6.3.1",
"@astrojs/solid-js": "5.1.0",
"@astrojs/starlight": "0.34.3",
"@fontsource/ibm-plex-mono": "5.2.5",
"@shikijs/transformers": "3.20.0",
"@types/luxon": "catalog:",
"ai": "catalog:",
"astro": "5.7.13",
"astro": "5.18.1",
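
Review bot: the exact pin "astro": "5.18.1" on the last line of this hunk crosses 5.17.3, which per the changelog quoted in this PR adds a default body size limit for server actions, and 5.18.0, which exposes that limit as security.actionBodySizeLimit with a 1 MB default. If any Astro Action in packages/web accepts file uploads or large JSON payloads, set security.actionBodySizeLimit in astro.config.mjs as part of this change, since the 1 MB default is enforced when the option is unset. The neighbouring pins "@astrojs/starlight": "0.34.3" and "@astrojs/solid-js": "5.1.0" are left untouched by the hunk, so confirm they still build against Astro 5.18.1 before merging.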

This is a large minor version jump (5.7 to 5.18, spanning 11 minor releases). The @astrojs/markdown-remark dependency in this same file is still pinned at 6.3.1, while astro@5.18.1 internally depends on @astrojs/markdown-remark@6.3.11. This version mismatch could cause subtle build or rendering issues if the two packages expect aligned behavior. Worth verifying the build still works and considering whether @astrojs/markdown-remark should be bumped as well.

Fix it with Roo Code or mention @roomote and request a fix.
