chore(deps): bump the github-actions group with 2 updates

[dependabot]

Bumps the github-actions group with 2 updates: astro and vercel.

Updates astro from 6.2.1 to 6.2.2

Release notes

Sourced from astro's releases.

astro@6.2.2

Patch Changes

• #16292 00f48ee Thanks @​p-linnane! - Fixes head metadata propagation in dev for adapters that load modules in the prerender Vite environment, such as @astrojs/cloudflare. The astro:head-metadata plugin previously only tracked the ssr environment, so maybeRenderHead() could fire inside an unrelated component's \<template> element, trapping subsequent hoisted <style> blocks.

• #16451 778865f Thanks @​maximslo! - Fixes build crash when processing animated AVIF images. Sharp now gracefully passes through unsupported image formats instead of crashing during the build.

• #16548 7214d3e Thanks @​senutpal! - Fixes scoped styles applying to the wrong element when vite.css.transformer is set to 'lightningcss' and a selector uses a nested & inside :where(...), such as Tailwind v4's space-x-*, space-y-*, and divide-* utilities.

• #16566 9ac96b4 Thanks @​web-dev0521! - Fixes data-astro-prefetch="tap" not triggering when clicking nested elements (e.g. <span>, <img>, <svg>) inside an anchor tag.

• #15994 1e70d18 Thanks @​ossaidqadri! - Fix <style> compilation failure when importing Astro components via tsconfig path aliases

• #16144 1cd6650 Thanks @​fkatsuhiro! - Fixed a regression where .html was unexpectedly stripped from dynamic route parameters on non-page routes (.ts endpoints and redirects). This caused endpoints like /some/[...id].ts returning id: 'file.html' on getStaticPaths to not serve that file because the generated route (/some/file.html) would get matched as id: file that is not part of the list returned by getStaticPaths.

• #16415 559c0fd Thanks @​0xbejaxer! - Fix CSS traversal boundaries so pages with export const partial = true still contribute styles when imported as components by other pages.

• #16516 17f1867 Thanks @​fkatsuhiro! - Fixes an issue where the index route would return a 404 error when using a custom base path combined with trailingSlash: 'never'. This ensures that the home page and internal rewrites are correctly matched under these configurations.

• #16515 280ec88 Thanks @​jp-knj! - Fixes an issue where i18n.fallback pages with fallbackType: 'rewrite' were emitted with empty bodies during astro build.

• #16565 7959798 Thanks @​enjoyandlove! - Fixes session persistence when session.delete() is the first mutation in a request (no prior get, set, has, or keys). The session was marked dirty in memory, but persistence skipped the save because #data stayed undefined, so the backing store could still return the deleted key on the next request.

• #16527 86fd80d Thanks @​enjoyandlove! - Prevents script deduplication state from being consumed while rendering inert \<template> contexts.

• #16540 e59c637 Thanks @​ascorbic! - Skips session storage reads when no session cookie is present. Previously, calling session.get() on a request without a session cookie would initialize the storage driver and make a read that was guaranteed to miss. On network-backed drivers this added latency and resource usage to every anonymous request.

• #16517 6ab0b3c Thanks @​adamchal! - Removes inline CSS for prerendered routes from the SSR manifest. The static HTML on disk already inlines those styles, and the SSR worker never renders prerendered routes, so the data was dead weight. Builds with many prerendered routes and build.inlineStylesheets: "always" (or "auto" with small stylesheets) will see a smaller SSR entry chunk, which reduces cold-start parse time on platforms like Cloudflare Workers.

• #16509 d3d3557 Thanks @​cyphercodes! - Fix conditional named slot callbacks receiving arguments from Astro.slots.render().

• #16236 c6b068e Thanks @​fkatsuhiro! - Fixes the position prop on <Image /> and <Picture /> components to correctly apply object-position styles

• #16018 d14f47c Thanks @​felmonon! - Fix defineLiveCollection() so LiveLoader data types declared as interfaces are accepted.

Changelog

Sourced from astro's changelog.

6.2.2

Patch Changes

• #16292 00f48ee Thanks @​p-linnane! - Fixes head metadata propagation in dev for adapters that load modules in the prerender Vite environment, such as @astrojs/cloudflare. The astro:head-metadata plugin previously only tracked the ssr environment, so maybeRenderHead() could fire inside an unrelated component's \<template> element, trapping subsequent hoisted <style> blocks.

• #16451 778865f Thanks @​maximslo! - Fixes build crash when processing animated AVIF images. Sharp now gracefully passes through unsupported image formats instead of crashing during the build.

• #16548 7214d3e Thanks @​senutpal! - Fixes scoped styles applying to the wrong element when vite.css.transformer is set to 'lightningcss' and a selector uses a nested & inside :where(...), such as Tailwind v4's space-x-*, space-y-*, and divide-* utilities.

• #16566 9ac96b4 Thanks @​web-dev0521! - Fixes data-astro-prefetch="tap" not triggering when clicking nested elements (e.g. <span>, <img>, <svg>) inside an anchor tag.

• #15994 1e70d18 Thanks @​ossaidqadri! - Fix <style> compilation failure when importing Astro components via tsconfig path aliases

• #16144 1cd6650 Thanks @​fkatsuhiro! - Fixed a regression where .html was unexpectedly stripped from dynamic route parameters on non-page routes (.ts endpoints and redirects). This caused endpoints like /some/[...id].ts returning id: 'file.html' on getStaticPaths to not serve that file because the generated route (/some/file.html) would get matched as id: file that is not part of the list returned by getStaticPaths.

• #16415 559c0fd Thanks @​0xbejaxer! - Fix CSS traversal boundaries so pages with export const partial = true still contribute styles when imported as components by other pages.

• #16516 17f1867 Thanks @​fkatsuhiro! - Fixes an issue where the index route would return a 404 error when using a custom base path combined with trailingSlash: 'never'. This ensures that the home page and internal rewrites are correctly matched under these configurations.

• #16515 280ec88 Thanks @​jp-knj! - Fixes an issue where i18n.fallback pages with fallbackType: 'rewrite' were emitted with empty bodies during astro build.

• #16565 7959798 Thanks @​enjoyandlove! - Fixes session persistence when session.delete() is the first mutation in a request (no prior get, set, has, or keys). The session was marked dirty in memory, but persistence skipped the save because #data stayed undefined, so the backing store could still return the deleted key on the next request.

• #16527 86fd80d Thanks @​enjoyandlove! - Prevents script deduplication state from being consumed while rendering inert \<template> contexts.

• #16540 e59c637 Thanks @​ascorbic! - Skips session storage reads when no session cookie is present. Previously, calling session.get() on a request without a session cookie would initialize the storage driver and make a read that was guaranteed to miss. On network-backed drivers this added latency and resource usage to every anonymous request.

• #16517 6ab0b3c Thanks @​adamchal! - Removes inline CSS for prerendered routes from the SSR manifest. The static HTML on disk already inlines those styles, and the SSR worker never renders prerendered routes, so the data was dead weight. Builds with many prerendered routes and build.inlineStylesheets: "always" (or "auto" with small stylesheets) will see a smaller SSR entry chunk, which reduces cold-start parse time on platforms like Cloudflare Workers.

• #16509 d3d3557 Thanks @​cyphercodes! - Fix conditional named slot callbacks receiving arguments from Astro.slots.render().

• #16236 c6b068e Thanks @​fkatsuhiro! - Fixes the position prop on <Image /> and <Picture /> components to correctly apply object-position styles

• #16018 d14f47c Thanks @​felmonon! - Fix defineLiveCollection() so LiveLoader data types declared as interfaces are accepted.

Commits

• 3f67b84 [ci] release (#16545)
• 7711e47 [ci] format
• 17f1867 fix: route mismatch using trail slash never (#16516)
• 7959798 fix(astro): persist session delete without prior get/set (#16565)
• 9ac96b4 fix(prefetch): trigger tap strategy when clicking nested child elements (#16566)
• 6ab0b3c fix(build): exclude prerendered route styles from SSR manifest (#16517)
• a595623 [ci] format
• c6b068e fix : astro image position prop bug (#16236)
• 9f4eee0 Fixes @_@ not being stripped from CSS file names (#16264)
• 7214d3e fix(css): preserve scope on nested & with lightningcss transformer (#16548)
• Additional commits viewable in compare view

Updates vercel from 53.1.0 to 53.1.1

Release notes

Sourced from vercel's releases.

vercel@53.1.1

Patch Changes

• 4a5be0b: Fixed vc env update failing when updating sensitive environment variables.
• 2ffd7bc: Tighten the SdkKey type so plaintext keyValue, tokenValue, and connectionString can no longer appear on list responses. flags sdk-keys ls --json already omitted these via an explicit allowlist; the type split makes the guarantee static. Create-time output from flags sdk-keys add is unaffected.
• e6cb5bc: Hide --token from help output for commands that don't support it (login, switch).
• 8a5aa6a: Ensure synthetic SPA fallbacks are merged after builder-produced routes.
• bab5a60: Handle stale Claude Code Vercel plugin registry entries during plugin migration.
• Updated dependencies [34e7b09]
• Updated dependencies [8e29c9c]
• Updated dependencies [2da36f3]
• Updated dependencies [fa5f57a]
• Updated dependencies [97f87f7]
  • @​vercel/next@​4.17.1
  • @​vercel/python@​6.38.0
  • @​vercel/remix-builder@​5.8.1
  • @​vercel/static-build@​2.9.22

Changelog

Sourced from vercel's changelog.

53.1.1

Patch Changes

• 4a5be0b: Fixed vc env update failing when updating sensitive environment variables.
• 2ffd7bc: Tighten the SdkKey type so plaintext keyValue, tokenValue, and connectionString can no longer appear on list responses. flags sdk-keys ls --json already omitted these via an explicit allowlist; the type split makes the guarantee static. Create-time output from flags sdk-keys add is unaffected.
• e6cb5bc: Hide --token from help output for commands that don't support it (login, switch).
• 8a5aa6a: Ensure synthetic SPA fallbacks are merged after builder-produced routes.
• bab5a60: Handle stale Claude Code Vercel plugin registry entries during plugin migration.
• Updated dependencies [34e7b09]
• Updated dependencies [8e29c9c]
• Updated dependencies [2da36f3]
• Updated dependencies [fa5f57a]
• Updated dependencies [97f87f7]
  • @​vercel/next@​4.17.1
  • @​vercel/python@​6.38.0
  • @​vercel/remix-builder@​5.8.1
  • @​vercel/static-build@​2.9.22

Commits

• 23180c5 Version Packages (#16199)
• 8a5aa6a [services] fix nitro index.html fallback route bug (#16189)
• 2da36f3 [python] Show the --functions-beta message for functions >1GB (#16049)
• e6cb5bc fix(cli): hide --token from help output for commands that don't support it ...
• 2ffd7bc fix(cli): tighten SdkKey type to keep plaintext off list responses (#16195)
• 4a5be0b fix vc env update for sensitive environment variables (#16096)
• bab5a60 [CLI] Handling stale cached plugin installs + removing nontty install suggest...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
openresource-dev	Ready	Preview, Comment	May 5, 2026 7:24am