🚨 [security] Update @astrojs/mdx 4.3.4 → 5.0.4 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​astrojs/mdx (4.3.4 → 5.0.4) · Repo

Sorry, we couldn't find anything useful about this release.

✳️ js-yaml (4.1.0 → 4.1.1) · Repo · Changelog

Security Advisories 🚨

🚨 js-yaml has prototype pollution in merge (<<)

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Release Notes

4.1.1 (from changelog)

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• 4.1.1 released
• dist rebuild
• lint fix
• fix prototype pollution in merge (<<)
• README.md: HTTP => HTTPS (#678)
• doc: 'empty' style option for !!null
• Fix demo link (#618)

↗️ @​mdx-js/mdx (indirect, 3.1.0 → 3.1.1) · Repo · Changelog

Release Notes

3.1.1

Fix

• 3cad7d7 @mdx-js/mdx: add dependency on acorn
• 0dc4472 @mdx-js/esbuild: fix crash with esbuild loader and jsx option
  by @egnor in #2593
• 84ec66e @mdx-js/esbuild: refactor to improve error conversion in esbuild
  by @egnor in #2595
• 2b3381a @mdx-js/rollup: fix support for query parameters in Vite
  by @markdalgleish in #2629

Types

• 933ab44 @mdx-js/mdx: add attributes to export/import declarations

Docs

• c156a1f Add rehype-mdx-toc to list of plugin
  by @boning-w in #2622
• 913659c Add recma-module-to-function to list of plugins
  by @remcohaszing in #2605
• 67fb1d0 Remove unneeded JSX type casting in docs, tests
• f0d20da Remove local use of JSX
  by @remcohaszing in #2604
• 63f39ce Remove references to twitter
• 35ac59d Refactor some docs regarding recma plugins

Full Changelog: 3.1.0...3.1.1

Does any of this look wrong? Please let us know.

↗️ acorn (indirect, 8.15.0 → 8.16.0) · Repo

Commits

See the full diff on Github. The new version differs by 22 commits:

• Mark version 8.16.0
• Mark acorn-walk 8.3.5
• Properly check for presence of node.attributes in walkers
• Bump test262
• Bump Unicode 17, regenerate script values
• Properly throw an error, not a raw string
• More explicit error when walking a tree and a node type isn't registered.
• Rename eslint config file to suppress warning
• Update to ESLint 9
• Add Unicode v17 support
• Use consistent semicolon-less style in readmes
• Docs: Announce both ESM and CommonJS imports are supported, change all examples to ESM imports
• Clean up identifier char handling in keyword lookahead functions
• Increase accuracy of isAsyncFunction when followed by a backslash
• Fix await using double lookahead edge case
• Mark acorn-loose 8.5.2
• Bump dependency on acorn in acorn-loose
• Add support for sourceType: commonjs option
• Reject return statement in static block, even if allowReturnOutsideFunction is used
• Reject using declarations directly in for loop or switch scopes.
• Improve lookahead test for using syntax
• Mark acorn-loose 8.5.1

↗️ remark-mdx (indirect, 3.1.0 → 3.1.1) · Repo · Changelog

Release Notes

3.1.1

Fix

• 3cad7d7 @mdx-js/mdx: add dependency on acorn
• 0dc4472 @mdx-js/esbuild: fix crash with esbuild loader and jsx option
  by @egnor in #2593
• 84ec66e @mdx-js/esbuild: refactor to improve error conversion in esbuild
  by @egnor in #2595
• 2b3381a @mdx-js/rollup: fix support for query parameters in Vite
  by @markdalgleish in #2629

Types

• 933ab44 @mdx-js/mdx: add attributes to export/import declarations

Docs

• c156a1f Add rehype-mdx-toc to list of plugin
  by @boning-w in #2622
• 913659c Add recma-module-to-function to list of plugins
  by @remcohaszing in #2605
• 67fb1d0 Remove unneeded JSX type casting in docs, tests
• f0d20da Remove local use of JSX
  by @remcohaszing in #2604
• 63f39ce Remove references to twitter
• 35ac59d Refactor some docs regarding recma plugins

Full Changelog: 3.1.0...3.1.1

Does any of this look wrong? Please let us know.

↗️ smol-toml (indirect, 1.4.2 → 1.6.1) · Repo

Security Advisories 🚨

🚨 smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines

Summary

An attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.

The library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.

Proof of concept

require("smol-toml").parse('# comment\n'.repeat(8000) + 'key = "value"')

Impact

Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input. Downstream users are supposed to properly handle errors in such situations.

Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.

As a reminder, it is strongly advised when working with untrusted user input to expect errors to occur and to appropriately catch them.

Patches

Version 1.6.1 uses a different approach for parsing comments, which no longer involves recursion.

Workarounds

Wrap all invocations of parse and stringify in a try/catch block when dealing with untrusted user input.

Release Notes

1.6.1

This release addresses a minor security vulnerability where an attacker-controlled TOML document can exploit an unrestricted recustion and cause a stack overflow error with a document that contains thousands of sucessive commented lines. Security advisory: GHSA-v3rj-xjv7-4jmq

1.6.0

As of this version, smol-toml now supports the newly released TOML 1.1.0 specification!

Highlights

Multiline inline tables

TOML 1.1.0 now allows inline tables to have newlines, as well as trailing commas.

database = {
  driver = "postgresql",
  server = {
    host = "127.0.0.1",
    port = 3307,
  },
}

Omitting seconds in datetime and time

TOML 1.1.0 renders the seconds component of time elements optional.

datetime-tz = 1979-05-27 07:32Z
datetime = 2001-09-21 10:17
time = 13:37

New string escapes

Strings now support 2 additional escape sequences:

• \xHH for code points between 0 and 255
• \e for the escape character (U+001B)

What's Changed

• feat: toml 1.1 support by @cyyynthia in #49

Full Changelog: v1.5.2...v1.6.0

1.5.2

Hot fix for v1.5.1... 🙃

What's Changed

• fix: properly stringify arrays of tables by @cyyynthia

Full Changelog: v1.5.1...v1.5.2

1.5.1

Smol fix that makes newlines actually consistent when stringifying objects to TOML.

What's Changed

• fix: actually consistent newlines by @cyyynthia

Full Changelog: v1.5.0...v1.5.1

1.5.0

This version improves the TOML output of the library when stringifying objects, courtesy of the folks over at Cloudflare.

Most notably, the lib no longer emits unnecessary table headers, and doesn't add an empty line between successive table headers anymore:

[look.at.me]
note = "In earlier versions, there would've been [look] and [look.at] generated as well."
[empty.table]

[another.empty.table]

[look.how.compact]

this = "looks"

What's Changed

• Simplify nested tables by @penalosa in #46

New Contributors

• @penalosa made their first contribution in #46

Full Changelog: v1.4.2...v1.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

• chore: version bump
• chore: upgrade dependencies and actions
• fix: don't use recursion in skipVoid
• chore: version bump
• Merge pull request #49 from squirrelchat/toml-110
• fix: properly test \e escape
• fix: properly run toml-test v2
• docs: toml 1.1.0 in the readme
• chore: upgrade dependencies, actions
• feat: allow omitting seconds in datetime and time values
• feat: support \e unicode escape in strings
• feat: support \xHH unicode escape in strings
• feat: toml 1.1 allows newline and trailing comma in inline tables
• chore: version bump
• fix: properly stringify arrays of tables
• chore: version bump
• fix: actually consistent newlines
• chore: yml -> yaml in readme
• chore: version bump
• chore: deps upgrade
• chore: update action versions
• chore: npm trusted publisher
• feat: simplify nested tables (#46)

↗️ source-map (indirect, 0.7.4 → 0.7.6) · Repo · Changelog

Release Notes

0.7.6

Full Changelog: 0.7.5...0.7.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ style-to-object (indirect, 1.0.9 → 1.0.14) · Repo · Changelog

Release Notes

1.0.14

1.0.14 (2025-11-16)

Build System

• deps: bump inline-style-parser from 0.2.6 to 0.2.7 (#818) (31ca552)

1.0.13

1.0.13 (2025-11-16)

Documentation

• readme: replace badgen.net with shields.io status badges (34d0947)

1.0.12

1.0.12 (2025-10-24)

Build System

• deps: bump inline-style-parser from 0.2.4 to 0.2.6 (#774) (50aa645)

1.0.11

1.0.11 (2025-10-03)

Bug Fixes

• package: fix esm types (#769) (cf23bb7)

1.0.10

1.0.10 (2025-10-02)

Bug Fixes

• remove esm build dir (79df2e8) @nathancahill
• switch to true esm build (8e7b7ed) @nathancahill

Miscellaneous Chores

• export StyleObject interface (45e8343) @xthezealot

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unist-util-visit (indirect, 5.0.0 → 5.1.0) · Repo

Release Notes

5.1.0

Types

• 8607d64 Refactor to use @imports
• efbed8a Add declaration maps
• 639c0e5 Fix type support for readonly arrays
  by @JounQin in #40

Full Changelog: 5.0.0...5.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• 5.1.0
• Update node in actions
• Update actions
• Update dev-dependencies
• Refactor to use `@import`s
• Add declaration maps
• Add `.tsbuildinfo` to `.gitignore`
• Fix type support for readonly arrays
• Update dev-dependencies

↗️ unist-util-visit-parents (indirect, 6.0.1 → 6.0.2) · Repo

Release Notes

6.0.2

• 579ffbc Fix type support for readonly arrays

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• 6.0.2
• Fix type support for readonly arrays
• Add declaration maps
• Update dev-dependencies
• Add `.tsbuildinfo` to `.gitignore`
• Update dev-dependencies

🆕 @​shikijs/primitive (added, 4.0.2)

🆕 piccolore (added, 0.1.3)

🗑️ yaml (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)