chore(deps): bump the github-actions group across 1 directory with 4 updates

[dependabot]

Bumps the github-actions group with 4 updates in the / directory: astro, tsx, vercel and vitest.

Updates astro from 6.3.3 to 6.3.8

Release notes

Sourced from astro's releases.

astro@6.3.8

Patch Changes

• #16830 f2bf3cb Thanks @​matthewp! - Fixes 404s for dynamically imported JS chunks when using an adapter with assetQueryParams (e.g. Vercel skew protection)

• #16831 ace96ba Thanks @​astrobot-houston! - Fixes a misleading GetStaticPathsRequired error when a redirect is configured from a dynamic route to a static (or less-dynamic) destination. For example, '/project/[slug]': '/' previously produced a confusing error pointing at index.astro. Astro now detects the parameter mismatch at config validation time and throws a clear InvalidRedirectDestination error naming the missing parameters.

• #16702 b7d1758 Thanks @​matthewp! - Fixes scoped styles from .astro components being dropped when rendered inside MDX content (<Content /> from render(entry)) passed through a named slot using <Fragment slot="X">. The Fragment component now eagerly evaluates its slot contents to ensure propagating components register their styles before head content is flushed.

• #16823 3df6a45 Thanks @​astrobot-houston! - Fixes missing CSS for conditionally rendered Svelte components in production builds

• #16836 3d7adfa Thanks @​LongYC! - Document compressHTML: "jsx" config is only available since Astro v6.2.0

• #16864 334ce13 Thanks @​cheets! - Fixes a false-positive Internal Warning: route cache overwritten logged on every SSR request for dynamic routes

astro@6.3.7

Patch Changes

• #16821 9c76b12 Thanks @​astrobot-houston! - Fixes request body handling in the Node adapter when req.body is a Buffer, Uint8Array, or ArrayBuffer. Previously, binary body data was incorrectly JSON-stringified (producing {"type":"Buffer","data":[...]}) instead of being passed through directly. This affected libraries like serverless-http that set req.body to a Buffer.

• #16785 de96360 Thanks @​astrobot-houston! - Fixes vite.build.minify, vite.build.sourcemap, and vite.build.rollupOptions.output (e.g. compact) being ignored for client-side builds. These top-level Vite build options are now properly forwarded to the client environment, with environment-specific overrides (vite.environments.client.build.*) taking priority when set.

• #16819 b5dd8f1 Thanks @​astrobot-houston! - Fixes custom elements in MDX files bypassing the renderer pipeline. Custom elements (tags containing hyphens like <my-element>) in .mdx files are now routed through registered renderers for SSR, matching the behavior of .astro files. If no renderer claims the element, it falls back to rendering as raw HTML.

• #16808 765896c Thanks @​ematipico! - Fixes dynamic routes returning 400 Bad Request when the URL contains a literal % character, such as paths built with encodeURIComponent('%?.pdf')

• #16804 90d2aca Thanks @​jp-knj! - Fixes a v6 regression where astro:i18n could not be imported from client <script> blocks.

astro@6.3.6

Patch Changes

• #16774 8f77583 Thanks @​astrobot-houston! - Fixes markdown images with empty alt text (![](https://github.com/withastro/astro/tree/HEAD/packages/astro/blob/HEAD/image.jpg)) in content collections dropping the alt attribute entirely. The alt="" attribute is now correctly preserved in the rendered HTML output, which is important for accessibility (indicating decorative images).

• #16776 3d10b5e Thanks @​matthewp! - Fixes HMR serving stale content when components are passed as props via getStaticPaths()

• #16784 7453860 Thanks @​ematipico! - Improved the printing of the build time if it goes over the 60 seconds.

• #16665 3dbbcee Thanks @​Princesseuh! - Fixes remote SVG sources erroring with dangerouslyProcessSVG after the v6.3 SVG-processing gate. The default Sharp service now resolves the output format from the source up-front when it can (URL extension, data: MIME, ESM metadata), and from the actual buffer at request time when it can't, so SVG sources pass through untouched without needing to set image.dangerouslyProcessSVG: true or an explicit format="svg".

  The error message has also been updated to point at format="svg" as the simpler workaround when an SVG source is encountered without dangerouslyProcessSVG enabled.

• #16777 1754b91 Thanks @​matthewp! - Fixes HMR serving stale content for dynamically imported components through barrel files

• #16730 068d924 Thanks @​harshagarwalnyu! - Fixes an issue where the file() content loader did not generate a valid JSON Schema for collections whose JSON or YAML data is a top-level array instead of an object.

astro@6.3.5

Patch Changes

• #16771 07c8805 Thanks @​ematipico! - Fixes position prop on <Image> and <Picture> components breaking Content Security Policy (CSP).

... (truncated)

Changelog

Sourced from astro's changelog.

6.3.8

Patch Changes

• #16830 f2bf3cb Thanks @​matthewp! - Fixes 404s for dynamically imported JS chunks when using an adapter with assetQueryParams (e.g. Vercel skew protection)

• #16831 ace96ba Thanks @​astrobot-houston! - Fixes a misleading GetStaticPathsRequired error when a redirect is configured from a dynamic route to a static (or less-dynamic) destination. For example, '/project/[slug]': '/' previously produced a confusing error pointing at index.astro. Astro now detects the parameter mismatch at config validation time and throws a clear InvalidRedirectDestination error naming the missing parameters.

• #16702 b7d1758 Thanks @​matthewp! - Fixes scoped styles from .astro components being dropped when rendered inside MDX content (<Content /> from render(entry)) passed through a named slot using <Fragment slot="X">. The Fragment component now eagerly evaluates its slot contents to ensure propagating components register their styles before head content is flushed.

• #16823 3df6a45 Thanks @​astrobot-houston! - Fixes missing CSS for conditionally rendered Svelte components in production builds

• #16836 3d7adfa Thanks @​LongYC! - Document compressHTML: "jsx" config is only available since Astro v6.2.0

• #16864 334ce13 Thanks @​cheets! - Fixes a false-positive Internal Warning: route cache overwritten logged on every SSR request for dynamic routes

6.3.7

Patch Changes

• #16821 9c76b12 Thanks @​astrobot-houston! - Fixes request body handling in the Node adapter when req.body is a Buffer, Uint8Array, or ArrayBuffer. Previously, binary body data was incorrectly JSON-stringified (producing {"type":"Buffer","data":[...]}) instead of being passed through directly. This affected libraries like serverless-http that set req.body to a Buffer.

• #16785 de96360 Thanks @​astrobot-houston! - Fixes vite.build.minify, vite.build.sourcemap, and vite.build.rollupOptions.output (e.g. compact) being ignored for client-side builds. These top-level Vite build options are now properly forwarded to the client environment, with environment-specific overrides (vite.environments.client.build.*) taking priority when set.

• #16819 b5dd8f1 Thanks @​astrobot-houston! - Fixes custom elements in MDX files bypassing the renderer pipeline. Custom elements (tags containing hyphens like <my-element>) in .mdx files are now routed through registered renderers for SSR, matching the behavior of .astro files. If no renderer claims the element, it falls back to rendering as raw HTML.

• #16808 765896c Thanks @​ematipico! - Fixes dynamic routes returning 400 Bad Request when the URL contains a literal % character, such as paths built with encodeURIComponent('%?.pdf')

• #16804 90d2aca Thanks @​jp-knj! - Fixes a v6 regression where astro:i18n could not be imported from client <script> blocks.

6.3.6

Patch Changes

• #16774 8f77583 Thanks @​astrobot-houston! - Fixes markdown images with empty alt text (![](https://github.com/withastro/astro/blob/main/packages/astro/image.jpg)) in content collections dropping the alt attribute entirely. The alt="" attribute is now correctly preserved in the rendered HTML output, which is important for accessibility (indicating decorative images).

• #16776 3d10b5e Thanks @​matthewp! - Fixes HMR serving stale content when components are passed as props via getStaticPaths()

• #16784 7453860 Thanks @​ematipico! - Improved the printing of the build time if it goes over the 60 seconds.

• #16665 3dbbcee Thanks @​Princesseuh! - Fixes remote SVG sources erroring with dangerouslyProcessSVG after the v6.3 SVG-processing gate. The default Sharp service now resolves the output format from the source up-front when it can (URL extension, data: MIME, ESM metadata), and from the actual buffer at request time when it can't, so SVG sources pass through untouched without needing to set image.dangerouslyProcessSVG: true or an explicit format="svg".

  The error message has also been updated to point at format="svg" as the simpler workaround when an SVG source is encountered without dangerouslyProcessSVG enabled.

• #16777 1754b91 Thanks @​matthewp! - Fixes HMR serving stale content for dynamically imported components through barrel files

• #16730 068d924 Thanks @​harshagarwalnyu! - Fixes an issue where the file() content loader did not generate a valid JSON Schema for collections whose JSON or YAML data is a top-level array instead of an object.

6.3.5

... (truncated)

Commits

• 1e49163 [ci] release (#16832)
• 2f3bbf1 refactor: move integration tests to unit tests (#16866)
• 4591fb0 [ci] format
• 334ce13 fix(core): include mod in SSR route-cache entry to silence false-positive w...
• 3df6a45 Fix missing CSS for conditionally rendered Svelte components (#16823)
• 221bb4b fix(core): cache resolved actions in base pipeline (#16859)
• 4f5a9a8 chore: remove fixtures and move slot tests to unit (#16773)
• b22af11 fix(docs): update InvalidRedirectDestination error message (#16840)
• e542226 [ci] format
• b7d1758 fix(render): propagate styles through Fragment named slots (#16181) (#16702)
• Additional commits viewable in compare view

Updates tsx from 4.22.1 to 4.22.3

Release notes

Sourced from tsx's releases.

v4.22.3

4.22.3 (2026-05-19)

Bug Fixes

• decode typed loader source (dce02fc)
• preserve entrypoint with TypeScript preload hooks (68f72f3)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.2

4.22.2 (2026-05-18)

Bug Fixes

• preserve CJS JSON require in ESM hooks (35b700b)
• preserve named exports from CommonJS TypeScript (11de737)
• support module.exports require(esm) interop (cf8f199)

---

This release is also available on:

• npm package (@​latest dist-tag)

Commits

• dce02fc fix: decode typed loader source
• 68f72f3 fix: preserve entrypoint with TypeScript preload hooks
• 69455cf test: cover package exports for ambiguous ESM reexports
• 35b700b fix: preserve CJS JSON require in ESM hooks
• ef807db chore: update testing dependencies
• 3917090 test: document compatibility test taxonomy
• de8113f refactor: centralize Node capability facts
• c1f62db test: consolidate tsconfig path edge coverage
• 4e08174 test: consolidate loader hook coverage
• 674bb30 test: consolidate tsImport commonjs mts coverage
• Additional commits viewable in compare view

Updates vercel from 54.1.0 to 54.5.1

Release notes

Sourced from vercel's releases.

vercel@54.5.1

Patch Changes

• 57ea4ba: Reduce duplicate user and team lookups during CLI scope resolution.
• b66bd3e: Fix prebuilt deployments failing with "invalid relative path" when using the --standalone flag in pnpm monorepos by skipping external node_modules symlinks and copying traced files at their logical paths instead.
• 9ad632d: Handle CLI update flows safely for native binary installs.
• Updated dependencies [b66bd3e]
• Updated dependencies [0e04bc5]
• Updated dependencies [eecd10d]
  • @​vercel/build-utils@​13.26.3
  • @​vercel/python@​6.43.3
  • @​vercel/node@​5.8.6
  • @​vercel/backends@​0.8.1
  • @​vercel/elysia@​0.1.82
  • @​vercel/express@​0.1.92
  • @​vercel/fastify@​0.1.85
  • @​vercel/go@​3.8.0
  • @​vercel/h3@​0.1.91
  • @​vercel/hono@​0.2.85
  • @​vercel/hydrogen@​1.3.8
  • @​vercel/koa@​0.1.65
  • @​vercel/nestjs@​0.2.86
  • @​vercel/next@​4.17.4
  • @​vercel/redwood@​2.4.14
  • @​vercel/remix-builder@​5.8.3
  • @​vercel/ruby@​2.4.0
  • @​vercel/rust@​1.3.0
  • @​vercel/static-build@​2.9.32

Changelog

Sourced from vercel's changelog.

54.5.1

Patch Changes

• 57ea4ba: Reduce duplicate user and team lookups during CLI scope resolution.
• b66bd3e: Fix prebuilt deployments failing with "invalid relative path" when using the --standalone flag in pnpm monorepos by skipping external node_modules symlinks and copying traced files at their logical paths instead.
• 9ad632d: Handle CLI update flows safely for native binary installs.
• Updated dependencies [b66bd3e]
• Updated dependencies [0e04bc5]
• Updated dependencies [eecd10d]
  • @​vercel/build-utils@​13.26.3
  • @​vercel/python@​6.43.3
  • @​vercel/node@​5.8.6
  • @​vercel/backends@​0.8.1
  • @​vercel/elysia@​0.1.82
  • @​vercel/express@​0.1.92
  • @​vercel/fastify@​0.1.85
  • @​vercel/go@​3.8.0
  • @​vercel/h3@​0.1.91
  • @​vercel/hono@​0.2.85
  • @​vercel/hydrogen@​1.3.8
  • @​vercel/koa@​0.1.65
  • @​vercel/nestjs@​0.2.86
  • @​vercel/next@​4.17.4
  • @​vercel/redwood@​2.4.14
  • @​vercel/remix-builder@​5.8.3
  • @​vercel/ruby@​2.4.0
  • @​vercel/rust@​1.3.0
  • @​vercel/static-build@​2.9.32

54.5.0

Minor Changes

• 6860c32: Add project manifest to rust builder.
• 2c17a12: Added --open and --view flags to vercel traces get. --open opens the trace in the Vercel Dashboard instead of printing the markdown summary. --view <timeline|tree|gantt> selects the dashboard view and is only valid with --open.

Patch Changes

• 620bcfa: Add --type, --service, and --search filter flags to vercel connect list.
• ff2a980: Add a vercel domains check subcommand for registrar availability and extend vercel domains price to support bulk price lookups for multiple domains.
• Updated dependencies [1318682]
• Updated dependencies [6860c32]
• Updated dependencies [e917989]
• Updated dependencies [baac149]
• Updated dependencies [ecf5033]
• Updated dependencies [73dbbe6]
• Updated dependencies [647c1e8]
• Updated dependencies [b1f766a]

... (truncated)

Commits

• a8488f5 Version Packages (#16434)
• b66bd3e fix(cli): skip external symlinks in standalone prebuilt deploys (PIPE-6621) (...
• 93f6c51 [CLI] adding version and auto update fixes (#16440)
• 9ad632d [CLI] disabling auto update for binary for right now (#16421)
• 57ea4ba Improve deployment scope lookup speed (#16419)
• 09a1436 Version Packages (#16414)
• ff2a980 [cli] add domains check command and bulk price/availability (#16429)
• 2c17a12 [cli] Add --open and --view flags to vc traces get (#16392)
• 620bcfa [vercel] connect list: add --type, --service, --search filter flags (#16411)
• 862bada Version Packages (#16402)
• Additional commits viewable in compare view

Updates vitest from 4.1.6 to 4.1.7

Release notes

Sourced from vitest's releases.

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

Commits

• a09d472 chore: release v4.1.7
• See full diff in compare view

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
openresource-dev	Ready	Preview, Comment	Jun 4, 2026 7:24am