⬆️ deps: Update dependencies (non-major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@tailwindcss/vite (source)	4.2.4 → 4.3.0			dependencies	minor
astro (source)	6.1.8 → 6.3.1			pnpm-workspace.overrides	minor
astro (source)	6.1.8 → 6.3.1			dependencies	minor
mermaid	11.14.0 → 11.15.0			dependencies	minor
oxlint (source)	1.61.0 → 1.64.0			devDependencies	minor
react (source)	19.2.5 → 19.2.6			devDependencies	patch
react-dom (source)	19.2.5 → 19.2.6			devDependencies	patch
tailwindcss (source)	4.2.4 → 4.3.0			dependencies	minor
vite (source)	0.1.18 → 0.1.21			pnpm.catalog.default	patch
vite-plus (source)	0.1.18 → 0.1.21			pnpm.catalog.default	patch
vitest (source)	0.1.18 → 0.1.21			pnpm.catalog.default	patch
wrangler (source)	4.84.1 → 4.90.1			devDependencies	minor
zrr1999/zendev	v0.0.5 → v0.0.6			action	patch

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

tailwindlabs/tailwindcss (@​tailwindcss/vite)

v4.3.0

Compare Source

Added

• Add @container-size utility (#​18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#​19981, #​20019)
• Add scrollbar-gutter-* utilities (#​20018)
• Add zoom-* utilities (#​20020)
• Add tab-* utilities (#​20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#​19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#​19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#​19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#​19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#​19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#​19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#​19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#​19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#​19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#​19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#​19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#​19918)
• Allow multiple @utility definitions with the same name but different value types (#​19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#​19707)
• Ensure start and end legacy utilities without values do not generate CSS (#​20003)
• Ensure --value(…) is required in functional @utility definitions (#​20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#​20011)

withastro/astro (astro)

v6.3.1

Compare Source

Patch Changes

• #​16646 15fbc41 Thanks @​matthewp! - Fixes local images returning 404 on non-prerendered pages when using the generic image endpoint

v6.3.0

Compare Source

Minor Changes

• #​16366 d69f858 Thanks @​matthewp! - Adds a new experimental.advancedRouting option that lets you take full control of Astro's request handling pipeline by creating a src/app.ts file in your project.

  Today, Astro handles every incoming request through a fixed internal pipeline: trailing slash normalization, redirects, actions, middleware, page rendering, i18n, and so on. That pipeline works great for most sites, but as projects grow you often want to run your own logic between those steps — an auth check before rendering, a rate limiter before actions, custom logging around the whole stack. Advanced routing gives you that control.

  When enabled, Astro looks for a src/app.ts file in your project. If it finds one, that file becomes the entrypoint for all server-rendered requests. You compose the pipeline yourself using the handlers Astro provides, and you can slot your own logic anywhere in the chain.

Enabling advanced routing

// astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  experimental: {
    advancedRouting: true,
  },
});

Two ways to build your pipeline

Astro ships two entrypoints for advanced routing: astro/fetch and astro/hono.

astro/fetch is a low-level, framework-free API built on the Web Fetch standard. You create a FetchState from the incoming request, then call handler functions in sequence. Each handler takes the state, does its work, and returns a Response (or undefined to pass through). This is the core primitive that everything else is built on:

// src/app.ts
import {
  FetchState,
  trailingSlash,
  redirects,
  actions,
  middleware,
  pages,
  i18n,
} from 'astro/fetch';

export default {
  async fetch(request: Request) {
    const state = new FetchState(request);

    // Early exits — these return a Response only when they apply.
    const slash = trailingSlash(state);
    if (slash) return slash;

    const redirect = redirects(state);
    if (redirect) return redirect;

    const action = await actions(state);
    if (action) return action;

    // Middleware wraps page rendering; i18n post-processes the response.
    const response = await middleware(state, () => pages(state));
    return i18n(state, response);
  },
};

astro/hono wraps the same handlers as Hono middleware, so you can mix Astro's pipeline with Hono's ecosystem of middleware (logger, CORS, JWT, rate limiting, etc.) using the app.use() pattern you already know:

// src/app.ts
import { Hono } from 'hono';
import { getCookie } from 'hono/cookie';
import { logger } from 'hono/logger';
import { actions, middleware, pages, i18n } from 'astro/hono';

const app = new Hono();

app.use(logger());

// Auth gate — only runs for /dashboard routes.
app.use('/dashboard/*', async (c, next) => {
  const session = getCookie(c, 'session');
  if (!session) return c.redirect('/login');
  return next();
});

app.use(actions());
app.use(middleware());
app.use(pages());
app.use(i18n());

export default app;

Both approaches give you the same power — pick whichever fits your project. If you don't need a framework, astro/fetch keeps things minimal. If you want a rich middleware ecosystem, astro/hono gets you there with one import.

For more information on enabling and using this feature in your project, see the experimental advanced routing docs. To give feedback, or to keep up with its development, see the advanced routing RFC for more information and discussion.

• #​16366 d69f858 Thanks @​matthewp! - Adds a consume() instance method to AstroCookies. This method marks the cookies as consumed and returns the Set-Cookie header values. After consumption, any subsequent set() calls will log a warning, since the headers have already been sent.

  Previously this was only available as a static method AstroCookies.consume(cookies). The static method is now deprecated but kept for backward compatibility with existing adapters.

• #​16412 ba2d2e3 Thanks @​0xbejaxer! - Add retry and error event handling for astro-island hydration import failures to reduce unrecoverable hydration errors on transient network failures.

• #​16582 885cd31 Thanks @​Princesseuh! - Adds a new image.dangerouslyProcessSVG flag to optionally enable processing SVG inputs. For security reasons, Astro will no longer rasterizes SVG image sources by default in its default image service and endpoint.

  Set image.dangerouslyProcessSVG: true to opt back into processing SVG inputs.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    // ...
    image: {
      dangerouslyProcessSVG: true,
    },
  });

  Note that this is a breaking change for users who were previously relying on Astro's default image service to rasterize SVG inputs, but it is a necessary change to improve security and prevent potential vulnerabilities.

• #​16519 1b1c218 Thanks @​louisescher! - Adds support for redirecting URLs in remote image optimization.

  Previously, when a remote image URL meant to be optimized by Astro led to a redirect, Astro would fail silently and ignore the redirect. Now, Astro tracks up to 10 redirects for these images. If any of the redirects are not covered by a pattern in image.remotePatterns or a domain in image.domains, Astro will fail with a helpful error message.

  In the following example, the first image would be loaded successfully, while the second would lead to Astro throwing an error:

  export default defineConfig({
    image: {
      domains: ['example.com', 'cdn.example.com'],
    },
  });

  {
    /* Redirects to https://cdn.example.com/assets/image.png: */
  }
  <Image
    src="https://example.com/assets/image.png"
    width="1920"
    height="1080"
    alt="An example image."
  />;
  
  {
    /* Redirects to https://malicious.com/image.png: */
  }
  <Image
    src="https://example.com/bad-image.png"
    width="1920"
    height="1080"
    alt="An example image."
  />;

  In cases where all redirects to HTTPS hosts should be trusted, the following configuration for image.remotePatterns can be used:

  export default defineConfig({
    image: {
      remotePatterns: [
        {
          protocol: 'https',
        },
      ],
    },
  });

Patch Changes

• #​16592 9c6efc5 Thanks @​matthewp! - Escapes interpolated values in the dev server redirect HTML template, consistent with how the 404 template already handles them

• #​16585 78f305e Thanks @​web-dev0521! - Fixes z.array(z.boolean()) in form actions incorrectly coercing the string "false" to true. Boolean array elements now use the same 'true'/'false' string comparison as single z.boolean() fields, so submitting ["false", "true", "false"] correctly parses as [false, true, false].

• #​16567 12a03f2 Thanks @​matthewp! - Fixes deleted content collection entries persisting in getCollection() results during dev

• #​16595 ce9b25c Thanks @​web-dev0521! - Fixes pushDirective in the CSP runtime duplicating the new directive once per existing non-matching directive. Calling insertDirective() (or otherwise pushing a directive whose name is not yet in the list) now appends it exactly once, and a directive that merges with a later existing entry no longer leaves an unmerged copy behind.

• #​16600 94e4b7c Thanks @​web-dev0521! - Fixes Astro.preferredLocale returning the wrong value when i18n.locales mixes object-form entries ({ path, codes }) with string entries that normalize to the same locale. The first matching code in the configured locales order is now selected, matching the documented behavior.

• #​16591 cce20f7 Thanks @​matthewp! - Uses a consistent generic error message in the image endpoint across all adapters

• #​16629 f54be80 Thanks @​g-taki! - Fixes a bug where SSR responses in astro dev could crash with TypeError: this.logger.flush is not a function.

• #​16589 3740b24 Thanks @​ArmandPhilippot! - Fixes an outdated code snippet in the documentation for session storage configuration.

• Updated dependencies [354e231]:

  • @​astrojs/telemetry@​3.3.2

v6.2.2

Compare Source

Patch Changes

• #​16292 00f48ee Thanks @​p-linnane! - Fixes head metadata propagation in dev for adapters that load modules in the prerender Vite environment, such as @astrojs/cloudflare. The astro:head-metadata plugin previously only tracked the ssr environment, so maybeRenderHead() could fire inside an unrelated component's <template> element, trapping subsequent hoisted <style> blocks.

• #​16451 778865f Thanks @​maximslo! - Fixes build crash when processing animated AVIF images. Sharp now gracefully passes through unsupported image formats instead of crashing during the build.

• #​16548 7214d3e Thanks @​senutpal! - Fixes scoped styles applying to the wrong element when vite.css.transformer is set to 'lightningcss' and a selector uses a nested & inside :where(...), such as Tailwind v4's space-x-*, space-y-*, and divide-* utilities.

• #​16566 9ac96b4 Thanks @​web-dev0521! - Fixes data-astro-prefetch="tap" not triggering when clicking nested elements (e.g. <span>, <img>, <svg>) inside an anchor tag.

• #​15994 1e70d18 Thanks @​ossaidqadri! - Fix <style> compilation failure when importing Astro components via tsconfig path aliases

• #​16144 1cd6650 Thanks @​fkatsuhiro! - Fixed a regression where .html was unexpectedly stripped from dynamic route parameters on non-page routes (.ts endpoints and redirects). This caused endpoints like /some/[...id].ts returning id: 'file.html' on getStaticPaths to not serve that file because the generated route (/some/file.html) would get matched as id: file that is not part of the list returned by getStaticPaths.

• #​16415 559c0fd Thanks @​0xbejaxer! - Fix CSS traversal boundaries so pages with export const partial = true still contribute styles when imported as components by other pages.

• #​16516 17f1867 Thanks @​fkatsuhiro! - Fixes an issue where the index route would return a 404 error when using a custom base path combined with trailingSlash: 'never'. This ensures that the home page and internal rewrites are correctly matched under these configurations.

• #​16515 280ec88 Thanks @​jp-knj! - Fixes an issue where i18n.fallback pages with fallbackType: 'rewrite' were emitted with empty bodies during astro build.

• #​16565 7959798 Thanks @​enjoyandlove! - Fixes session persistence when session.delete() is the first mutation in a request (no prior get, set, has, or keys). The session was marked dirty in memory, but persistence skipped the save because #data stayed undefined, so the backing store could still return the deleted key on the next request.

• #​16527 86fd80d Thanks @​enjoyandlove! - Prevents script deduplication state from being consumed while rendering inert <template> contexts.

• #​16540 e59c637 Thanks @​ascorbic! - Skips session storage reads when no session cookie is present. Previously, calling session.get() on a request without a session cookie would initialize the storage driver and make a read that was guaranteed to miss. On network-backed drivers this added latency and resource usage to every anonymous request.

• #​16517 6ab0b3c Thanks @​adamchal! - Removes inline CSS for prerendered routes from the SSR manifest. The static HTML on disk already inlines those styles, and the SSR worker never renders prerendered routes, so the data was dead weight. Builds with many prerendered routes and build.inlineStylesheets: "always" (or "auto" with small stylesheets) will see a smaller SSR entry chunk, which reduces cold-start parse time on platforms like Cloudflare Workers.

• #​16509 d3d3557 Thanks @​cyphercodes! - Fix conditional named slot callbacks receiving arguments from Astro.slots.render().

• #​16236 c6b068e Thanks @​fkatsuhiro! - Fixes the position prop on <Image /> and <Picture /> components to correctly apply object-position styles

• #​16018 d14f47c Thanks @​felmonon! - Fix defineLiveCollection() so LiveLoader data types declared as interfaces are accepted.

v6.2.1

Compare Source

Patch Changes

• #​16531 76db01d Thanks @​rodrigosdev! - Fixes config validation for omitted integrations fields with newer Zod versions.

• #​16535 7df0fe4 Thanks @​rururux! - Fixed an issue where a warning was displayed when the server property was missing during config validation, even though it is not required.

• #​16534 5cf6c51 Thanks @​matthewp! - Fixes compatibility with Zod 4.4.0 for the server config property and error formatting

v6.2.0

Compare Source

Minor Changes

• #​16187 fe58071 Thanks @​gllmt! - Adds a waitUntil option to the RenderOptions so that adapters can forward runtime background-task hooks to Astro.

  When provided by an adapter, runtime cache providers receive context.waitUntil in
  CacheProvider.onRequest(), which allows background cache work such as stale-while-revalidate
  without blocking the response. The Cloudflare adapter now forwards
  ExecutionContext.waitUntil to this API.

• #​16290 a49637a Thanks @​ViVaLaDaniel! - Ensures that server.allowedHosts (and vite.preview.allowedHosts) configuration is respected when using astro preview with the @astrojs/cloudflare adapter. This improves security by preventing DNS rebinding attacks when previewing Cloudflare builds locally.

• #​15725 4108ec1 Thanks @​meyer! - Adds support for a new 'jsx' value for the compressHTML option. When set, whitespace is stripped using JSX whitespace rules instead of the default HTML compression strategy.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    compressHTML: 'jsx',
  });

  In JSX, whitespaces never matter, as such, no amount of indentation, or newlines will not affect the rendered output. For instance, the following code:

  <div>
    <span>foo</span>
    <span>bar</span>
  </div>

  will be rendered as foobar, whereas with HTML whitespace rules, a space would be present between the words due to the newline and indentation between the tags.

• #​16477 28fb3e1 Thanks @​ematipico! - Adds experimental support for configurable log handlers.

  This experimental feature provides better control over Astro's logging infrastructure by allowing users to replace the default console output with custom logging implementations (e.g., structured JSON). This is particularly useful for users using on-demand rendering and wishing to connect their log aggregation services, such as Kibana, Logstash, CloudWatch, Grafana, or Loki.

  By default, Astro provides three built-in log handlers (json, node, and console), but you can also create your own.

JSON logging

JSON logging can be enabled via the CLI for the build, dev, and sync commands using the experimentalJson flag:

// astro.config.mjs
import { defineConfig, logHandlers } from 'astro/config';

export default defineConfig({
  experimental: {
    logger: logHandlers.json({
      pretty: true,
      level: 'warn',
    }),
  },
});

Custom logger

You can also create your own custom logger by implementing the correct interface:

// astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  experimental: {
    logger: {
      entrypoint: '@​org/custom-logger',
    },
  },
});

// @​org/custom-logger.js
import type { AstroLoggerDestination, AstroLoggerMessage } from 'astro';
import { matchesLevel } from 'astor/logger';

function customLogger(level = 'info'): AstroLoggerDestination {
  return {
    write(message: AstroLoggerMessage) {
      if (matchesLevel(message.level, level)) {
        // write message somewhere
      }
    },
  };
}

export default customLogger;

For more information on enabling and using this feature in your project, see the Experimental Logger docs.

For a complete overview and to give feedback on this experimental API, see the Custom logger RFC.

• #​16333 0f7c3c8 Thanks @​florian-lefebvre! - Adds an experimental flag svgOptimizer that enables automatic optimization of your SVG components using the provided optimizer. This supersedes the svgo experimental flag, which is now removed.

  When enabled, your imported SVG files used as components will be optimized for smaller file sizes and better performance while maintaining visual quality. This can significantly reduce the size of your SVG assets by removing unnecessary metadata, comments, and redundant code.

  Astro ships with a SVGO based optimizer, but any can be used.

  To enable this feature, add the experimental flag in your Astro config and remove svgo if it was enabled:

  // astro.config.mjs
  -import { defineConfig } from "astro/config";
  +import { defineConfig, svgoOptimizer } from "astro/config";
  
  export default defineConfig({
  +  experimental: {
  +    svgOptimizer: svgoOptimizer()
  -    svgo: true
  +  }
  });

  For more information on enabling and using this feature in your project, see the experimental SVG optimization docs.

• #​16302 f6f8e80 Thanks @​florian-lefebvre! - Adds a new experimental_getFontFileURL() method to resolve font file URLs when using the Fonts API

  The fontData object exported from astro:assets was introduced to provide low-level access to font family data for advanced usage. One of the goals of this API was to be able to resolve buffers using URLs. However, it turned out to be impractical, especially during prerendering.

  Astro now exports a new experimental_getFontFileURL() helper function from astro:assets to resolve font file URLs from fontData. For example, when using satori to generate Open Graph images:

  // src/pages/og.png.ts
  
  import type { APIRoute } from "astro";
  -import { fontData } from "astro:assets";
  +import { fontData, experimental_getFontFileURL } from "astro:assets";
  -import { outDir } from "astro:config/server";
  -import { readFile } from "node:fs/promises";
  import satori from "satori";
  import { html } from "satori-html";
  import sharp from "sharp";
  
  export const GET: APIRoute = async (context) => {
    const fontPath = fontData["--font-roboto"][0]?.src[0]?.url;
  
    if (fontPath === undefined) {
      throw new Error("Cannot find the font path.");
    }
  
  -  const data = import.meta.env.DEV
  -    ? await fetch(new URL(fontPath, context.url.origin)).then(async (res) => res.arrayBuffer())
  -    : await readFile(new URL(`.${fontPath}`, outDir));
  +  const url = experimental_getFontFileURL(fontPath, context.url);
  +  const data = await fetch(url).then((res) => res.arrayBuffer());
  
    const svg = await satori(
      html`<div style="color: black;">hello, world</div>`,
      {
        width: 600,
        height: 400,
        fonts: [
          {
            name: "Roboto",
            data,
            weight: 400,
            style: "normal",
          },
        ],
      },
    );
  
    const pngBuffer = await sharp(Buffer.from(svg))
      .resize(600, 400)
      .png()
      .toBuffer();
  
    return new Response(new Uint8Array(pngBuffer), {
      headers: {
        "Content-Type": "image/png",
      },
    });
  };

  See the Fonts API documentation for more information.

Patch Changes

• #​15980 8812382 Thanks @​seroperson! - Prevents script deduplication inside <template> elements

v6.1.10

Compare Source

Patch Changes

• #​16479 1058428 Thanks @​matthewp! - Fixes a spurious [WARN] [content] Content config not loaded warning during astro dev for projects that don't use content collections

• #​16457 3d82220 Thanks @​matthewp! - Hardens server island encryption to prevent encrypted data from one island component being replayed against a different one

• #​16481 152700e Thanks @​matthewp! - Fixes a spurious 404 request for a dev toolbar sourcemap during astro dev caused by the browser mis-resolving a relative sourceMappingURL from the /@​id/ URL prefix

• #​16480 1bcb43b Thanks @​matthewp! - Fixes an unnecessary full page reload on first navigation during dev

v6.1.9

Compare Source

Patch Changes

• #​16448 99464ed Thanks @​matthewp! - Updates vite, picomatch, and unstorage to latest patch versions

• #​16422 a3951d7 Thanks @​matthewp! - Hardens astro-island export resolution and hydration error handling for malformed component metadata

• #​16420 e21de1d Thanks @​matthewp! - Hardens Astro's error overlay and server logging paths to avoid unsafe HTML insertion and format-string interpolation

• #​16419 f3485c3 Thanks @​matthewp! - Hardens nested object and package metadata lookups to ignore prototype keys in content handling and project scaffolding

• #​16022 a002540 Thanks @​mathieumaf! - Fixes an issue where i18n domains would return 404 when trailingSlash is set to never.

• Updated dependencies [99464ed, f3485c3]:

  • @​astrojs/internal-helpers@​0.9.0
  • @​astrojs/markdown-remark@​7.1.1

mermaid-js/mermaid (mermaid)

v11.15.0

Compare Source

Minor Changes

• #​7174 0aca217 Thanks @​milesspencer35! - feat(sequence): Add support for decimal start and increment values in the autonumber directive

• #​7512 8e17492 Thanks @​aruncveli! - feat(flowchart): add datastore shape

  In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with A@{ shape: datastore, label: "Datastore" }.

• #​6440 9ad8dde Thanks @​yordis, @​lgazo! - feat: add Event Modeling diagram

• #​7707 27db774 Thanks @​txmxthy! - feat(architecture): expose four fcose layout knobs for architecture-beta diagrams (nodeSeparation, idealEdgeLengthMultiplier, edgeElasticity, numIter) so authors can tune layout density and spread overlapping siblings without changing diagram source

• #​7604 bf9502f Thanks @​M-a-c! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting

  If you have namespaces in class diagrams that use .s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set class.hierarchicalNamespaces=false in your mermaid config:

  config:
    class:
      hierarchicalNamespaces: false

• #​7272 88cdd3d Thanks @​xinbenlv! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors

Patch Changes

• #​7737 e9b0f34 Thanks @​ashishjain0512! - fix: prevent unbalanced CSS styles in classDefs

• #​7737 37ff937 Thanks @​ashishjain0512! - fix: create CSS styles using the CSSOM

  This removes some invalid CSS and normalizes some CSS formatting.

• #​7508 bfe60cc Thanks @​biiab! - fix(stateDiagram): end note now only closes a note when used on a new line

• #​7737 faafb5d Thanks @​ashishjain0512! - fix(gantt): add iteration limit for excludes field

• #​7737 65f8be2 Thanks @​ashishjain0512! - fix: disallow some CSS at-rules in custom CSS

• #​7726 1502f32 Thanks @​aloisklink! - fix(wardley): fix unnecessary sanitization of text

• #​7578 1f98db8 Thanks @​Gaston202! - fix(class): self-referential class multiplicity labels no longer rendered multiple times

  Fixes #​7560. Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.

• #​7592 2343e38 Thanks @​knsv-bot! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams

• #​7589 7fb9509 Thanks @​NYCU-Chung! - fix(block): prevent column widths from shrinking when mixing different column spans

• #​7632 3f9e0f1 Thanks @​ekiauhce! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams

• #​7642 7a8fb85 Thanks @​tractorjuice! - fix(wardley): allow hyphens in unquoted component names

  Multi-word names containing hyphens — e.g. real-time processing, end-user, on-call engineer — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. A->B (no-space arrow) still tokenises correctly.

• #​7523 5144ed4 Thanks @​darshanr0107! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using :n syntax.

• #​7262 13d9bfa Thanks @​darshanr0107! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax

• #​7684 e14bb88 Thanks @​aloisklink! - fix: loosen uuid dependency range to allow v14

  Mermaid does not use any of the vulnerable code in CVE-2026-41907,
  but this allows users to silence any npm audit alerts on it.

• #​7633 9217c0d Thanks @​Felix-Garci! - fix(block): add support for all arrow types in block diagrams

• #​7587 5e7eb62 Thanks @​MaddyGuthridge! - chore: drop lodash-es in favour of es-toolkit

• #​7693 afaf306 Thanks @​dull-bird! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels.

  Previously the lexer only matched ASCII [A-Za-z]+ for text tokens, even though the grammar referenced UNICODE_TEXT. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a [^\x00-\x7F]+ lexer rule to emit UNICODE_TEXT and included it in the alphaNumToken grammar rule.

  Fixes #​7120.

• #​7737 4755553 Thanks @​ashishjain0512! - fix: improve D3 types for mermaidAPI funcs

• #​7737 6476973 Thanks @​ashishjain0512! - fix: handle & when namespacing CSS rules

• #​7520 8c1a0c1 Thanks @​RodrigojndSantos! - fix(stateDiagram): comments starting with one % are no longer treated as comments

  Switch to using two %% if you want to write a comment.

• Updated dependencies [7a8fb85, 675a64c]:

  • @​mermaid-js/parser@​1.1.1

oxc-project/oxc (oxlint)

v1.64.0

Compare Source

🚀 Features

• fbb8f22 linter: Support ignores in overrides (#​22148) (camc314)

🐛 Bug Fixes

• 25b7017 linter: Undocument override ignores option (#​22213) (camc314)

v1.63.0

Compare Source

📚 Documentation

• cacbc4a linter: Fix jest settings docs. (#​22127) (connorshea)

v1.62.0

Compare Source

🚀 Features

• 348f46c linter: Add respectEslintDisableDirectives option (#​21384) (Christian Vuerings)

🐛 Bug Fixes

• 8c425db lin

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	zrr-website-root	35f1ba8	Commit Preview URL Branch Preview URL	Jun 12 2026, 01:18 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	zrr-website-slides	35f1ba8	Commit Preview URL Branch Preview URL	Jun 12 2026, 01:17 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	zrr-website-blog	35f1ba8	Commit Preview URL Branch Preview URL	Jun 12 2026, 01:19 PM

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[zrr1999]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Merge conflicts resolved in commit 50accad:

• .github/workflows/ci-pr-checks.yml: kept the Renovate bot if condition and updated zendev to v0.0.7 (from main)
• pnpm-lock.yaml: accepted main's lockfile, incorporating the astro monorepo v6, pnpm v11, and astro-pagefind v2 changes