Bump the npm_and_yarn group across 1 directory with 23 updates

[dependabot]

Bumps the npm_and_yarn group with 20 updates in the / directory:

Package	From	To
@tinacms/cli	1.6.8	2.1.8
astro	4.16.4	6.1.6
tinacms	2.2.8	3.7.3
rollup	3.29.5	3.30.0
@tinacms/graphql	1.5.4	2.2.4
js-yaml	3.14.1	3.14.2
ajv	8.17.1	8.18.0
axios	1.7.7	1.15.2
brace-expansion	1.1.11	1.1.14
diff	5.2.0	5.2.2
minimatch	9.0.5	9.0.9
minimatch	3.1.2	3.1.5
minimatch	5.1.6	5.1.9
immutable	3.7.6	5.1.5
mdast-util-to-hast	13.2.0	13.2.1
next	14.2.14	15.5.15
next-auth	4.24.10	4.24.14
path-to-regexp	0.1.10	0.1.13
picomatch	2.3.1	2.3.2
qs	6.13.0	6.14.2
svgo	3.3.2	3.3.3
tar	6.2.1	7.5.13

Updates @tinacms/cli from 1.6.8 to 2.1.8

Changelog

Sourced from @​tinacms/cli's changelog.

2.1.8

Patch Changes

• #6450 56d533e Thanks @​18-th! - * Restricted CORS on dev server to localhost by default for GHSA-8pw3-9m7f-q734.
  • Added server.allowedOrigins config option for non-localhost environments.
  • Enabled Vite server.fs.strict with computed allow list for GHSA-m48g-4wr2-j2h6
  • Bind LevelDB TCP server to 127.0.0.1
• Updated dependencies [f23c2a6, d782ca2, 56d533e, 60510bb]:
  • tinacms@3.6.0
  • @​tinacms/schema-tools@​2.7.0
  • @​tinacms/app@​2.3.27
  • @​tinacms/graphql@​2.1.4
  • @​tinacms/search@​1.2.5

2.1.7

Patch Changes

• #6440 c2517c2 Thanks @​18-th! - * Add path traversal protection and tests for GHSA-5hxf-c7j4-279c path traversal vulnerability
  • Add path traversal protection and tests for GHSA-2f24-mg4x-534q path traversal vulnerability
• Updated dependencies [c2517c2, 2738749, dfb4ce8]:
  • @​tinacms/graphql@​2.1.3
  • tinacms@3.5.1
  • @​tinacms/search@​1.2.4
  • @​tinacms/app@​2.3.26

2.1.6

Patch Changes

• #6416 62d0e5b Thanks @​18-th! - Adding tests to confirm that a Security Advisory was fixed

• #6439 bde4e4f Thanks @​kulesy! - Improve error message when content directory is missing a tina/ folder. When using localContentPath, the error now explains that the content directory needs a tina/ folder for generated files and provides the exact mkdir command to fix it, instead of the misleading suggestion to use --rootPath.

• #6419 bd9dabd Thanks @​18-th! - Added tests to confirm that a Security Advisory was fixed

• Updated dependencies [39fa13a, da837f7, f90d47b, 6988450, c806e41, 89aee8a]:

  • @​tinacms/graphql@​2.1.2
  • tinacms@3.5.0
  • @​tinacms/schema-tools@​2.6.0
  • @​tinacms/search@​1.2.3
  • @​tinacms/app@​2.3.25
  • @​tinacms/metrics@​2.0.1

2.1.5

Patch Changes

• #6398 5345122 Thanks @​kulesy! - Preserve key order in tinaSchema config while handling search settings

... (truncated)

Commits

• 661102d Version Packages (#6452)
• 56d533e Restricted CORS and Vite fs access on dev server (#6450)
• 2b04d1d Version Packages (#6445)
• c2517c2 Add path traversal protection (#6440)
• 5d96408 Version Packages (#6401)
• f90d47b Setup opt-in/opt-out, initialize on TinaAdmin (#6438)
• bde4e4f fix(cli): improve error when content dir missing tina/ folder (#6439)
• bd9dabd Added tests to confirm that a security advisory was fixed https://github.com/...
• 62d0e5b Adding tests to confirm that a security advisory was fixed https://github.com...
• ab96550 Version Packages (#6399)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tinacms/cli since your current version.

Updates astro from 4.16.4 to 6.1.6

Release notes

Sourced from astro's releases.

astro@6.1.6

Patch Changes

• #16202 b5c2fba Thanks @​matthewp! - Fixes Actions failing with ActionsWithoutServerOutputError when using output: 'static' with an adapter

• #16303 b06eabf Thanks @​matthewp! - Improves handling of special characters in inline <script> content

• #14924 bb4586a Thanks @​aralroca! - Fixes SCSS and CSS module file changes triggering a full page reload instead of hot-updating styles in place during development

astro@6.1.5

Patch Changes

• #16171 5bcd03c Thanks @​Desel72! - Fixes a build error that occurred when a pre-rendered page used the <Picture> component and another page called render() on content collection entries.

• #16239 7c65c04 Thanks @​dataCenter430! - Fixes sync content inside <Fragment> not streaming to the browser until all async sibling expressions have resolved.

• #16242 686c312 Thanks @​martrapp! - Revives UnoCSS in dev mode when used with the client router.

  This change partly reverts #16089, which in hindsight turned out to be too general. Instead of automatically persisting all style sheets, we now do this only for styles from Vue components.

• #16192 79d86b8 Thanks @​alexanderniebuhr! - Uses today’s date for Cloudflare compatibility_date in astro add cloudflare

  When creating new projects, astro add cloudflare now sets compatibility_date to the current date. Previously, this date was resolved from locally installed packages, which could be unreliable in some package manager environments. Using today’s date is simpler and more reliable across environments, and is supported by workerd.

• #16259 34df955 Thanks @​gameroman! - Removed dlv dependency

astro@6.1.4

Patch Changes

• #16197 21f9fe2 Thanks @​SchahinRohani! - Remove unused re-exports from assets/utils barrel file to fix Vite build warning

• #16059 6d5469e Thanks @​matthewp! - Fixes Expected 'miniflare' to be defined errors and 404 responses in dev mode when using the Cloudflare adapter and the config file changes. Instead of creating a brand new Vite server on config changes, Astro now performs a Vite in-place restart, allowing the Cloudflare adapter to reuse its existing miniflare instance across restarts.

• #16154 7610ba4 Thanks @​Desel72! - Fixes pages with dots in their filenames (e.g. hello.world.astro) returning 404 when accessed with a trailing slash in the dev server. The trailingSlashForPath function now only forces trailingSlash: 'never' for endpoints with file extensions, allowing pages to correctly respect the user's trailingSlash config.

• #16193 23425e2 Thanks @​matthewp! - Fixes trailingSlash: "always" producing redirect HTML instead of the actual response for extensionless endpoints during static builds

astro@6.1.3

Patch Changes

• #16161 b51f297 Thanks @​matthewp! - Fixes a dev rendering issue with the Cloudflare adapter where head metadata could be missing and dev CSS/scripts could be injected in the wrong place

• #16110 de669f0 Thanks @​tmimmanuel! - Fixes skew protection query parameters not being appended to inter-chunk JavaScript imports in client bundles, which could cause version mismatches during rolling deployments on Vercel

• #16162 a0a49e9 Thanks @​rururux! - Fixes an issue where HMR would not trigger when modifying files while using @​astrojs/cloudflare with prerenderEnvironment: 'node' enabled.

• #16142 7454854 Thanks @​rururux! - Fixes HTML content being incorrectly escaped as plain text when rendering a MDX component using the AstroContainer APIs.

• #16116 12602a9 Thanks @​riderx! - Fixes a bug where page-level CSS could leak between unrelated pages when traversing style parents across top-level route boundaries

... (truncated)

Changelog

Sourced from astro's changelog.

4.16.16

Patch Changes

• #12542 65e50eb Thanks @​kadykov! - Fix JPEG image size determination

• #12525 cf0d8b0 Thanks @​ematipico! - Fixes an issue where with i18n enabled, Astro couldn't render the 404.astro component for nonexistent routes.

4.16.15

Patch Changes

• #12498 b140a3f Thanks @​ematipico! - Fixes a regression where Astro was trying to access Request.headers

4.16.14

Patch Changes

• #12480 c3b7e7c Thanks @​matthewp! - Removes the default throw behavior in astro:env

• #12444 28dd3ce Thanks @​ematipico! - Fixes an issue where a server island hydration script might fail case the island ID misses from the DOM.

• #12476 80a9a52 Thanks @​florian-lefebvre! - Fixes a case where the Content Layer glob() loader would not update when renaming or deleting an entry

• #12418 25baa4e Thanks @​oliverlynch! - Fix cached image redownloading if it is the first asset

• #12477 46f6b38 Thanks @​ematipico! - Fixes an issue where the SSR build was emitting the dist/server/entry.mjs file with an incorrect import at the top of the file/

• #12365 a23985b Thanks @​apatel369! - Fixes an issue where Astro.currentLocale was not correctly returning the locale for 404 and 500 pages.

4.16.13

Patch Changes

• #12436 453ec6b Thanks @​martrapp! - Fixes a potential null access in the clientside router

• #12392 0462219 Thanks @​apatel369! - Fixes an issue where scripts were not correctly injected during the build. The issue was triggered when there were injected routes with the same entrypoint and different pattern

4.16.12

Patch Changes

• #12420 acac0af Thanks @​ematipico! - Fixes an issue where the dev server returns a 404 status code when a user middleware returns a valid Response.

4.16.11

Patch Changes

• #12305 f5f7109 Thanks @​florian-lefebvre! - Fixes a case where the error overlay would not escape the message

... (truncated)

Commits

• 1945a93 [ci] release (#16281)
• bb4586a fix: avoid full-reload in scss modules (#14924)
• 5f3085b [ci] format
• b5c2fba Skip actions server-output validation when an adapter is configured (#16202)
• b06eabf Consolidate inline script escaping into shared utility (#16303)
• 92fc030 refactor(core): rename logger internal types (#16271)
• ba18015 [ci] format
• d198e82 test: port 16 routing unit tests to TypeScript (#16266)
• 673a871 [ci] release (#16244)
• fab9c00 chore: upgrade biome (#16246)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for astro since your current version.

Updates tinacms from 2.2.8 to 3.7.3

Release notes

Sourced from tinacms's releases.

tinacms@3.7.3

Patch Changes

• #6548 cd262b3 Thanks @​isaaclombardssw! - Add 'displayOnly' field type for display-only form fields

• #6693 217bfb4 Thanks @​isaaclombardssw! - Fix sidebar file tree: consolidate duplicate roots from multiple useTina() calls, prevent chevron shrinking on long filenames, add bottom padding for last item visibility

• #6678 5feb18d Thanks @​brookjeynes-ssw! - fix: display editorial workflow modal on deleted branches

• #6699 32e145d Thanks @​joshbermanssw! - 💄 Improve UI of Grid Item in Media Manager

• #6682 d998884 Thanks @​kulesy! - Fix React Error #31 when inserting image from Media Library with custom MediaStore

• #6664 c75d871 Thanks @​18-th! - Validate relativePath to reject whitespace and invalid characters

• Updated dependencies [cd262b3, 55dae8e]:

  • @​tinacms/schema-tools@​2.7.2
  • @​tinacms/mdx@​2.1.2
  • @​tinacms/search@​1.2.10

tinacms@3.7.2

Patch Changes

• #6400 3569c95 Thanks @​kulesy! - Improve branch operation error message clarity

• #6633 4315d73 Thanks @​JackDevAU! - refactor: make @​tinacms/schema-tools the single source of truth

• #6617 ff1cd6f Thanks @​18-th! - Improve error messages when a pull request via editorial workflow fails due to missing Git authoring tokens

• #6626 d1ad86e Thanks @​tiagov8! - Fix login screen error message and update modal title

• #6607 e146e92 Thanks @​joshbermanssw! - 🐖 Add Telemetry to new Media Usage dashboard to see how users are interacting with it

• #6602 246ee27 Thanks @​griffenedge! - Reduce the TinaCloud auth modal login image so it appears as a decorative element rather than dominating the modal.

• Updated dependencies [4315d73]:

  • @​tinacms/schema-tools@​2.7.1
  • @​tinacms/mdx@​2.1.1
  • @​tinacms/search@​1.2.9

tinacms@3.7.1

Patch Changes

• #6553 a40f52a Thanks @​thomas-sepanosian! - 🐛 Fix media usage tracking for files with the same filename in different directories

• #6544 a7ebbe1 Thanks @​isaaclombardssw! - Flipping the referenced files checkbox to off by default, and updating the label.

• #6558 519a4c2 Thanks @​joshbermanssw! - 🐖 Adding Telemetry around usage of slash command in rich-text editor

• #6546 6e374e5 Thanks @​joshbermanssw! - 🐛 Fix slash command popup from not being escapable

... (truncated)

Changelog

Sourced from tinacms's changelog.

3.7.3

Patch Changes

• #6548 cd262b3 Thanks @​isaaclombardssw! - Add 'displayOnly' field type for display-only form fields

• #6693 217bfb4 Thanks @​isaaclombardssw! - Fix sidebar file tree: consolidate duplicate roots from multiple useTina() calls, prevent chevron shrinking on long filenames, add bottom padding for last item visibility

• #6678 5feb18d Thanks @​brookjeynes-ssw! - fix: display editorial workflow modal on deleted branches

• #6699 32e145d Thanks @​joshbermanssw! - 💄 Improve UI of Grid Item in Media Manager

• #6682 d998884 Thanks @​kulesy! - Fix React Error #31 when inserting image from Media Library with custom MediaStore

• #6664 c75d871 Thanks @​18-th! - Validate relativePath to reject whitespace and invalid characters

• Updated dependencies [cd262b3, 55dae8e]:

  • @​tinacms/schema-tools@​2.7.2
  • @​tinacms/mdx@​2.1.2
  • @​tinacms/search@​1.2.10

3.7.2

Patch Changes

• #6400 3569c95 Thanks @​kulesy! - Improve branch operation error message clarity

• #6633 4315d73 Thanks @​JackDevAU! - refactor: make @​tinacms/schema-tools the single source of truth

• #6617 ff1cd6f Thanks @​18-th! - Improve error messages when a pull request via editorial workflow fails due to missing Git authoring tokens

• #6626 d1ad86e Thanks @​tiagov8! - Fix login screen error message and update modal title

• #6607 e146e92 Thanks @​joshbermanssw! - 🐖 Add Telemetry to new Media Usage dashboard to see how users are interacting with it

• #6602 246ee27 Thanks @​griffenedge! - Reduce the TinaCloud auth modal login image so it appears as a decorative element rather than dominating the modal.

• Updated dependencies [4315d73]:

  • @​tinacms/schema-tools@​2.7.1
  • @​tinacms/mdx@​2.1.1
  • @​tinacms/search@​1.2.9

3.7.1

Patch Changes

• #6553 a40f52a Thanks @​thomas-sepanosian! - 🐛 Fix media usage tracking for files with the same filename in different directories

• #6544 a7ebbe1 Thanks @​isaaclombardssw! - Flipping the referenced files checkbox to off by default, and updating the label.

... (truncated)

Commits

• b92bf54 Version Packages (#6666)
• 32e145d 💄 Modernise UI of Grid Item in Media Manager (#6699)
• d998884 Fix React Error #31 when inserting image from Media Library with custom Media...
• 217bfb4 Fix sidebar file tree: consolidate roots, chevron shrink, bottom padding (#6693)
• 5feb18d fix: display editorial workflow modal on deleted branches (#6678)
• cd262b3 Add 'displayOnly' field type (#6548)
• c75d871 Validate relativePath to reject whitespace and invalid characters (#6664)
• 9f7da80 Version Packages (#6610)
• d1ad86e Improve login screen error message and update modal title (#6626)
• ff1cd6f Handle editorial workflow git authoring failures (#6617)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for tinacms since your current version.

Updates rollup from 3.29.5 to 3.30.0

Release notes

Sourced from rollup's releases.

v3.30.0

3.30.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6276: Validate bundle stays within output dir (@​lukastaegert)

Changelog

Sourced from rollup's changelog.

3.30.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6276: Validate bundle stays within output dir (@​lukastaegert)

Commits

• d91d5e1 3.30.0
• 9677409 Update release script for backports
• c8cf1f9 Validate bundle stays within output dir (#6276)
• See full diff in compare view

Updates vite from 4.5.5 to 4.5.14

Changelog

Sourced from vite's changelog.

4.5.14 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19967) (7739479), closes #19965 #19967
• chore: run format (99afb60)

4.5.13 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19832) (41f3819), closes #19830 #19832

4.5.12 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19785) (0a3dcf5), closes #19782 #19785

4.5.11 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19763) (26e1764), closes #19761 #19763

4.5.10 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19704) (315695e), closes #19702 #19704

4.5.9 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (0bc52e0), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (8f63cd6), closes #19249

4.5.8 (2025-01-20)

• fix: try parse server.origin URL (#19241) (3680bad), closes #19241

4.5.7 (2025-01-20)

• fix: crypto.getRandomValues is not available in old Node versions (#19237) (f4d3c46), closes #19237

... (truncated)

Commits

• 9bfe2b1 release: v4.5.14
• 7739479 fix: backport #19965, check static serve file inside sirv (#19967)
• 99afb60 chore: run format
• cd60e8b release: v4.5.13
• 41f3819 fix: backport #19830, reject requests with # in request-target (#19832)
• 6104add release: v4.5.12
• 0a3dcf5 fix: backport #19782, fs check with svg and relative paths (#19785)
• 07ddc3e release: v4.5.11
• 26e1764 fix: backport #19761, fs check in transform middleware (#19763)
• 86e7a6b release: v4.5.10
• Additional commits viewable in compare view

Updates @tinacms/graphql from 1.5.4 to 2.2.4

Release notes

Sourced from @​tinacms/graphql's releases.

@​tinacms/graphql@​2.2.4

Patch Changes

• #6548 cd262b3 Thanks @​isaaclombardssw! - Add 'displayOnly' field type for display-only form fields

• #6663 4a8627b Thanks @​18-th! - Fix relativePath validation to reject whitespace and empty strings

• #6664 c75d871 Thanks @​18-th! - Validate relativePath to reject whitespace and invalid characters

• Updated dependencies [cd262b3, 55dae8e]:

  • @​tinacms/schema-tools@​2.7.2
  • @​tinacms/mdx@​2.1.2

@​tinacms/graphql@​2.2.3

Patch Changes

• Updated dependencies [4315d73]:
  • @​tinacms/schema-tools@​2.7.1
  • @​tinacms/mdx@​2.1.1

@​tinacms/graphql@​2.2.2

Patch Changes

• #6552 f124eab Thanks @​wicksipedia! - Fix symlink/junction path traversal bypass (GHSA-g87c-r2jp-293w, GHSA-g9c2-gf25-3x67)

• #6545 71bb5c2 Thanks @​wicksipedia! - Fix path traversal bypass via backslash sequences

  On POSIX systems, path.normalize() treats backslashes as literal characters, not directory separators. This allowed attackers to bypass the existing path traversal checks using paths like x....\package.json — the validation saw no traversal, but downstream path.join()/fs operations could resolve the backslashes as separators.

  Fixes GHSA-v9p7-gf3q-h779

@​tinacms/graphql@​2.2.1

Patch Changes

• Updated dependencies [059f480]:
  • @​tinacms/mdx@​2.1.0
  • @​tinacms/schema-tools@​2.7.0

@​tinacms/graphql@​2.2.0

Minor Changes

• #6478 0712649 Thanks @​Ben0189! - Add levelBatchSize option to DatabaseArgs to allow consumers to override the default Level batch size of 25

Changelog

Sourced from @​tinacms/graphql's changelog.

2.2.4

Patch Changes

• #6548 cd262b3 Thanks @​isaaclombardssw! - Add 'displayOnly' field type for display-only form fields

• #6663 4a8627b Thanks @​18-th! - Fix relativePath validation to reject whitespace and empty strings

• #6664 c75d871 Thanks @​18-th! - Validate relativePath to reject whitespace and invalid characters

• Updated dependencies [cd262b3, 55dae8e]:

  • @​tinacms/schema-tools@​2.7.2
  • @​tinacms/mdx@​2.1.2

2.2.3

Patch Changes

• Updated dependencies [4315d73]:
  • @​tinacms/schema-tools@​2.7.1
  • @​tinacms/mdx@​2.1.1

2.2.2

Patch Changes

• #6552 f124eab Thanks @​wicksipedia! - Fix symlink/junction path traversal bypass (GHSA-g87c-r2jp-293w, GHSA-g9c2-gf25-3x67)

• #6545 71bb5c2 Thanks @​wicksipedia! - Fix path traversal bypass via backslash sequences

  On POSIX systems, path.normalize() treats backslashes as literal characters, not directory separators. This allowed attackers to bypass the existing path traversal checks using paths like x....\package.json — the validation saw no traversal, but downstream path.join()/fs operations could resolve the backslashes as separators.

  Fixes GHSA-v9p7-gf3q-h779

2.2.1

Patch Changes

• Updated dependencies [059f480]:
  • @​tinacms/mdx@​2.1.0
  • @​tinacms/schema-tools@​2.7.0

2.2.0

Minor Changes

• #6478 0712649 Thanks @​Ben0189! - Add levelBatchSize option to DatabaseArgs to allow consumers to override the default Level batch size of 25

2.1.4

... (truncated)

Commits

• b92bf54 Version Packages (#6666)
• cad4d66 Implement test file serialization roundtrip (#6709)
• cd262b3 Add 'displayOnly' field type (#6548)
• c75d871 Validate relativePath to reject whitespace and invalid characters (#6664)