chore(deps): bump the npm_and_yarn group across 5 directories with 7 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /packages/console/app directory: wrangler.
Bumps the npm_and_yarn group with 1 update in the /packages/desktop-electron directory: electron.
Bumps the npm_and_yarn group with 2 updates in the /packages/opencode directory: @modelcontextprotocol/sdk and minimatch.
Bumps the npm_and_yarn group with 1 update in the /packages/ui directory: dompurify.
Bumps the npm_and_yarn group with 2 updates in the /packages/web directory: @astrojs/cloudflare and astro.

Updates wrangler from 4.50.0 to 4.59.1

Commits

• 37a8607 Version Packages (#11890)
• 99b1f32 fix: execute git commands in pages deploy safely (#11889)
• e98c95a Version Packages (#11836)
• ad65efa Add --check flag to wrangler types (#11852)
• beb96af feat(unenv-preset): add support for native node:sqlite module (#11841)
• b0e54b2 [wrangler] Add AI agent detection to analytics events (#11820)
• 2203af4 Add Node.js 24 and 25 compatibility to the test suites for Miniflare, Wrangle...
• b6148ed chore(deps): bump the workerd-and-workers-types group with 2 updates (#11872)
• 0eb973d Do not warn user when using a redirected config that came from a config with ...
• 0f8d69d containers: users can set multiple tiers for constraints (#11755)
• Additional commits viewable in compare view

Updates electron from 40.4.1 to 40.8.3

Release notes

Sourced from electron's releases.

electron v40.8.3

Release Notes for v40.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #50287 (Also in 39, 41, 42)
• Fixed an issue where some DevTools functionality didn't work as expected. #50275 (Also in 41, 42)
• Fixed user resizing of transparent windows on win32 platform. #50301 (Also in 39, 41, 42)

electron v40.8.2

Release Notes for v40.8.2

Other Changes

• Backported fix for b/491421267. #50229
• Fixed an issue where running app icons were not correctly retrieved on macOS Tahoe. #50188

electron v40.8.1

Release Notes for v40.8.1

Fixes

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50158 (Also in 38, 39, 41)
• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50216 (Also in 39, 41)
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50138 (Also in 39, 41)
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50162 (Also in 38, 39, 41)
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50104 (Also in 39, 41)
• Fixed an issue where calling setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #50084 (Also in 39, 41)
• Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #50131 (Also in 38, 39, 41)
• Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #50149 (Also in 38, 39, 41)
• Fixed an issue where traffic light buttons would flash at position (0,0) when restoring a window with a custom trafficLightPosition from minimization on macOS. #50207 (Also in 39, 41)
• Fixed bug where opening a message box immediately upon closing a child window may cause the parent window to freeze on Windows. #50189 (Also in 39, 41)
• Reverted AltGr key fix that caused menu bar to no longer show on Windows. #50110 (Also in 39, 41)

Other Changes

• Backported fix for chromium:485622239. #50168

electron v40.8.0

Release Notes for v40.8.0

Features

• Added a reason property to the Notification 'closed' event on Windows to allow developers to know the reason the Notification was dismissed. #50030 (Also in 41)

Fixes

• Fixed shutdown crash on windows when hidden titlebar is enabled. #50053 (Also in 39, 41)

Other Changes

• Updated Chromium to 144.0.7559.236. #50060

... (truncated)

Commits

• e094b39 fix: user resizable transparent windows on win32 (#50301)
• 339d44c fix: add ASAR support to additional copy methods (#50287)
• ee2d3db test: fix esm issue in node-spec-runner (#50294)
• 139e238 build: remove redundant bits of ncrypto node patch (#50280)
• a1550f5 fix: prefer browser runtime over node in DevTools HostRuntime detection (#50275)
• 3dd04c2 ci: update actions/cache to 5.0.3 (#50236)
• d32b8a6 chore: cherry-pick 7911bee5d90e from skia (#50229)
• 425fe98 chore: cherry-pick d5b0cb2acffe from v8 (#50231)
• 6b4b7df chore: backport running mac app icons from chromium (crrev.com/c/7239386) (#5...
• cc81658 ci: add timeout to test step (#50211)
• Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.25.2 to 1.26.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @​pcarleton in modelcontextprotocol/typescript-sdk#1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @​samuv in modelcontextprotocol/typescript-sdk#1382
• Fix #1430: Client Credentials providers scopes support (backported) by @​NSeydoux in modelcontextprotocol/typescript-sdk#1442
• chore: bump version to 1.26.0 by @​pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

• @​samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382
• @​NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

• [v1.x backport] Use correct schema for client sampling validation when tools are present by @​olaservo in modelcontextprotocol/typescript-sdk#1407
• fix: prevent Hono from overriding global Response object (v1.x) by @​mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

Commits

• fe9c07b chore: bump version to 1.26.0 (#1479)
• 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
• a05be17 Merge commit from fork
• 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
• aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
• 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
• 6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
• 12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
• See full diff in compare view

Updates minimatch from 10.0.3 to 10.2.3

Changelog

Sourced from minimatch's changelog.

change log

10.2

• Add braceExpandMax option

10.1

• Add magicalBraces option for escape
• Fix makeRe when partial: true is set.
• Fix makeRe when pattern ends in a final ** path part.

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

• ea94840 10.2.3
• 0873fba update deps
• cecaad1 more extglob coalescing for performance
• 11d0df6 limit nested extglob recursion, flatten extglobs
• c3448c4 update assertValidPattern param type to unknown from any
• 0bf499a limit recursion for **, improve perf considerably
• 9f15c58 update deps
• f42b239 10.2.2
• fa2133b update deps
• b9d0153 ci: update action workflows
• Additional commits viewable in compare view

Updates dompurify from 3.3.1 to 3.3.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

Commits

• 5e56114 Getting 3.x branch ready for 3.3.2 release (#1208)
• e8c95f4 fix: Fixed the broken package-lock.json
• 9636037 Update package-lock.json
• 5cad4ce Getting 3.x branch ready for 3.3.2 releas (#1205)
• See full diff in compare view

Updates @astrojs/cloudflare from 12.6.3 to 12.6.6

Changelog

Sourced from @​astrojs/cloudflare's changelog.

12.6.6

Patch Changes

• 9ecf359 Thanks @​alexanderniebuhr! - Improves the image proxy endpoint when using the default compile option to adhere to user configuration regarding the allowed remote domains

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.0

12.6.5

Patch Changes

• #14259 02366e9 Thanks @​ascorbic! - Removes warning when using the adapter with a static build.

  The Cloudflare adapter now has several uses outside of on-demand rendered pages, so this warning is misleading. Similar warnings have already been removed from other adapters.

• #14234 15b55f3 Thanks @​yanthomasdev! - Fixes an issue that could cause duplicate exports when configuring workerEntrypoint.namedExports

• #14240 77b18fb Thanks @​delucis! - Increases the minimum supported version of Astro to 5.7.0

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.0

12.6.4

Patch Changes

• Updated dependencies [4d16de7]:
  • @​astrojs/internal-helpers@​0.7.2
  • @​astrojs/underscore-redirects@​1.0.0

Commits

• 24b04c1 [ci] release (#14267)
• fbec0e0 [ci] format
• 9ecf359 Merge commit from fork
• 4823c42 feat(netlify): dev context (#14269)
• d471be5 [ci] release (#14242)
• 02366e9 fix: don't warnign when using in static build (#14259)
• 15b55f3 Filter duplicate exports from Cloudflare adapter's namedExports (#14234)
• 77b18fb Update Astro peer dependency in adapters with auto-enabled sessions (#14240)
• 9288133 [ci] release (#14232)
• See full diff in compare view

Updates astro from 5.7.13 to 5.18.1

Release notes

Sourced from astro's releases.

astro@5.18.1

Patch Changes

• Updated dependencies [c2cd371]:
  • @​astrojs/internal-helpers@​0.7.6
  • @​astrojs/markdown-remark@​6.3.11

Changelog

Sourced from astro's changelog.

5.18.1

Patch Changes

• Updated dependencies [c2cd371]:
  • @​astrojs/internal-helpers@​0.7.6
  • @​astrojs/markdown-remark@​6.3.11

5.18.0

Minor Changes

• #15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

5.17.2

Patch Changes

• c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

5.17.1

Patch Changes

• #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

... (truncated)

Commits

• 434d9cc [ci] release (#15829)
• c2cd371 fix(helpers): Backport remote patterns segments fix (#15828)
• 011f061 [ci] release (#15597)
• efae11c fix: X-Forwarded-Proto rejected when allowedDomains includes protocol… (#15594)
• 751ccf0 Update actionBodySizeLimit changeset and make minor (#15600)
• b7dd447 make actionBodySizeLimit configurable (#15589)
• e0f1a2b [ci] release (#15571)
• 522f880 Limit action request body size (#15564)
• 436962a chore: Upgrade Vite and esbuild (#15554)
• e01e98b Respect remote image allowlists (#15569)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.