fix(website): update astro 4.15.4 → 4.16.1 [security] (#27893)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [astro](https://astro.build)
([source](https://redirect.github.com/withastro/astro/tree/HEAD/packages/astro))
| dependencies | minor | [`4.15.4` ->
`4.16.1`](https://renovatebot.com/diffs/npm/astro/4.15.4/4.16.1) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2024-47885](https://redirect.github.com/withastro/astro/security/advisories/GHSA-m85w-3h95-hcf9)

### Summary

A DOM Clobbering gadget has been discoverd in Astro's client-side
router. It can lead to cross-site scripting (XSS) in websites enables
Astro's client-side routing and has *stored* attacker-controlled
scriptless HTML elements (i.e., `iframe` tags with unsanitized `name`
attributes) on the destination pages.

### Details

#### Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first
embeds a piece of non-script, seemingly benign HTML markups in the
webpage (e.g. through a post or comment) and leverages the gadgets
(pieces of js code) living in the existing javascript code to transform
it into executable code. More for information about DOM Clobbering, here
are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

#### Gadgets found in Astro

We identified a DOM Clobbering gadget in Astro's client-side routing
module, specifically in the `<ViewTransitions />` component. When
integrated, this component introduces the following vulnerable code,
which is executed during page transitions (e.g., clicking an `<a>`
link):


https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156

However, this implementation is vulnerable to a DOM Clobbering attack.
The `document.scripts` lookup can be shadowed by an attacker injected
non-script HTML elements (e.g., `<img name="scripts"><img
name="scripts">`) via the browser's named DOM access mechanism. This
manipulation allows an attacker to replace the intended script elements
with an array of attacker-controlled scriptless HTML elements.

The condition `script.dataset.astroExec === ''` on line 138 can be
bypassed because the attacker-controlled element does not have a
data-astroExec attribute. Similarly, the check on line 134 can be
bypassed as the element does not require a `type` attribute.

Finally, the `innerHTML` of an attacker-injected non-script HTML
elements, which is plain text content before, will be set to the
`.innerHTML` of an script element that leads to XSS.

### PoC

Consider a web application using Astro as the framework with client-side
routing enabled and allowing users to embed certain scriptless HTML
elements (e.g., `form` or `iframe`). This can be done through a bunch of
website's feature that allows users to embed certain script-less HTML
(e.g., markdown renderers, web email clients, forums) or via an HTML
injection vulnerability in third-party JavaScript loaded on the page.

For PoC website, please refer to:
`https://stackblitz.com/edit/github-4xgj2d`. Clicking the "about" button
in the menu will trigger an `alert(1)` from an attacker-injected `form`
element.

```
---
import Header from "../components/Header.astro";
import Footer from "../components/Footer.astro";
import { ViewTransitions } from "astro:transitions";
import "../styles/global.css";
const { pageTitle } = Astro.props;
---
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <meta name="viewport" content="width=device-width" />
    <meta name="generator" content={Astro.generator} />
    <title>{pageTitle}</title>
    <ViewTransitions />
  </head>
  <body>
    <!--USER INPUT-->
    <iframe name="scripts">alert(1)</iframe>
    <iframe name="scripts">alert(1)</iframe>
    <!--USER INPUT-->
    
    <Header />
    <h1>{pageTitle}</h1>
    <slot />
    <Footer />
    <script>
      import "../scripts/menu.js";
    </script>
  </body>
</html>
```

### Impact

This vulnerability can result in cross-site scripting (XSS) attacks on
websites that built with Astro that enable the client-side routing with
`ViewTransitions` and store the user-inserted scriptless HTML tags
without properly sanitizing the `name` attributes on the page.

### Patch

We recommend replacing `document.scripts` with
`document.getElementsByTagName('script')` for referring to script
elements. This will mitigate the possibility of DOM Clobbering attacks
leveraging the `name` attribute.

### Reference

Similar issues for reference:
+ Webpack
([CVE-2024-43788](https://redirect.github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986))
+ Vite
([CVE-2024-45812](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3))
+ layui
([CVE-2024-47075](https://redirect.github.com/layui/layui/security/advisories/GHSA-j827-6rgf-9629))

Add the preset `:preserveSemverRanges` to your config if you don't want
to pin your dependencies.

---

### Release Notes

<details>
<summary>withastro/astro (astro)</summary>

###
[`v4.16.1`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4161)

[Compare
Source](https://redirect.github.com/withastro/astro/compare/astro@4.16.0...astro@4.16.1)

##### Patch Changes

-
[#&#8203;12177](https://redirect.github.com/withastro/astro/pull/12177)
[`a4ffbfa`](https://redirect.github.com/withastro/astro/commit/a4ffbfaa5cb460c12bd486fd75e36147f51d3e5e)
Thanks [@&#8203;matthewp](https://redirect.github.com/matthewp)! -
Ensure we target scripts for execution in the router

Using `document.scripts` is unsafe because if the application has a
`name="scripts"` this will shadow the built-in `document.scripts`. Fix
is to use `getElementsByTagName` to ensure we're only grabbing real
scripts.

-
[#&#8203;12173](https://redirect.github.com/withastro/astro/pull/12173)
[`2d10de5`](https://redirect.github.com/withastro/astro/commit/2d10de5f212323e6e19c7ea379826dcc18fe739c)
Thanks [@&#8203;ematipico](https://redirect.github.com/ematipico)! -
Fixes a bug where Astro Actions couldn't redirect to the correct
pathname when there was a rewrite involved.

###
[`v4.16.0`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4160)

[Compare
Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.12...astro@4.16.0)

##### Minor Changes

-
[#&#8203;12039](https://redirect.github.com/withastro/astro/pull/12039)
[`710a1a1`](https://redirect.github.com/withastro/astro/commit/710a1a11f488ff6ed3da6d3e0723b2322ccfe27b)
Thanks [@&#8203;ematipico](https://redirect.github.com/ematipico)! -
Adds a `markdown.shikiConfig.langAlias` option that allows [aliasing a
non-supported code language to a known
language](https://shiki.style/guide/load-lang#custom-language-aliases).
This is useful when the language of your code samples is not [a built-in
Shiki language](https://shiki.style/languages), but you want your
Markdown source to contain an accurate language while also displaying
syntax highlighting.

The following example configures Shiki to highlight `cjs` code blocks
using the `javascript` syntax highlighter:

    ```js
    import { defineConfig } from 'astro/config';

    export default defineConfig({
      markdown: {
        shikiConfig: {
          langAlias: {
            cjs: 'javascript',
          },
        },
      },
    });
    ```

Then in your Markdown, you can use the alias as the language for a code
block for syntax highlighting:

    ````md
    ```cjs
    'use strict';

    function commonJs() {
      return 'I am a commonjs file';
    }
    ```
    ````

-
[#&#8203;11984](https://redirect.github.com/withastro/astro/pull/11984)
[`3ac2263`](https://redirect.github.com/withastro/astro/commit/3ac2263ff6070136bec9cffb863c38bcc31ccdfe)
Thanks [@&#8203;chaegumi](https://redirect.github.com/chaegumi)! - Adds
a new `build.concurreny` configuration option to specify the number of
pages to build in parallel

    **In most cases, you should not change the default value of `1`.**

Use this option only when other attempts to reduce the overall rendering
time (e.g. batch or cache long running tasks like fetch calls or data
access) are not possible or are insufficient.

Use this option only if the refactors are not possible. If the number is
set too high, the page rendering may slow down due to insufficient
memory resources and because JS is single-threaded.

    > \[!WARNING]
> This feature is stable and is not considered experimental. However,
this feature is only intended to address difficult performance issues,
and breaking changes may occur in a [minor
release](https://docs.astro.build/en/upgrade-astro/#semantic-versioning)
to keep this option as performant as possible.

    ```js
    // astro.config.mjs
    import { defineConfig } from 'astro';

    export default defineConfig({
      build: {
        concurrency: 2,
      },
    });
    ```

##### Patch Changes

-
[#&#8203;12160](https://redirect.github.com/withastro/astro/pull/12160)
[`c6fd1df`](https://redirect.github.com/withastro/astro/commit/c6fd1df695d0f2a24bb49e6954064f92664ccf67)
Thanks [@&#8203;louisescher](https://redirect.github.com/louisescher)! -
Fixes a bug where `astro.config.mts` and `astro.config.cts` weren't
reloading the dev server upon modifications.

-
[#&#8203;12130](https://redirect.github.com/withastro/astro/pull/12130)
[`e96bcae`](https://redirect.github.com/withastro/astro/commit/e96bcae535ef2f0661f539c1d49690c531df2d4e)
Thanks [@&#8203;thehansys](https://redirect.github.com/thehansys)! -
Fixes a bug in the parsing of `x-forwarded-\*` `Request` headers, where
multiple values assigned to those headers were not correctly parsed.

Now, headers like `x-forwarded-proto: https,http` are correctly parsed.

-
[#&#8203;12147](https://redirect.github.com/withastro/astro/pull/12147)
[`9db755a`](https://redirect.github.com/withastro/astro/commit/9db755ab7cfe658ec426387e297bdcd32c4bc8de)
Thanks [@&#8203;ascorbic](https://redirect.github.com/ascorbic)! - Skips
setting statusMessage header for HTTP/2 response

HTTP/2 doesn't support status message, so setting this was logging a
warning.

-
[#&#8203;12151](https://redirect.github.com/withastro/astro/pull/12151)
[`bb6d37f`](https://redirect.github.com/withastro/astro/commit/bb6d37f94a283433994f9243189cb4386df0e11a)
Thanks [@&#8203;ematipico](https://redirect.github.com/ematipico)! -
Fixes an issue where `Astro.currentLocale` wasn't incorrectly computed
when the `defaultLocale` belonged to a custom locale path.

- Updated dependencies
\[[`710a1a1`](https://redirect.github.com/withastro/astro/commit/710a1a11f488ff6ed3da6d3e0723b2322ccfe27b)]:
-
[@&#8203;astrojs/markdown-remark](https://redirect.github.com/astrojs/markdown-remark)[@&#8203;5](https://redirect.github.com/5).3.0

###
[`v4.15.12`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#41512)

[Compare
Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.11...astro@4.15.12)

##### Patch Changes

-
[#&#8203;12121](https://redirect.github.com/withastro/astro/pull/12121)
[`2490ceb`](https://redirect.github.com/withastro/astro/commit/2490cebdb93f13ee552cffa72b2e274d64e6b4a7)
Thanks [@&#8203;ascorbic](https://redirect.github.com/ascorbic)! -
Support passing the values `Infinity` and `-Infinity` as island props.

-
[#&#8203;12118](https://redirect.github.com/withastro/astro/pull/12118)
[`f47b347`](https://redirect.github.com/withastro/astro/commit/f47b347da899c6e1dcd0b2e7887f7fce6ec8e270)
Thanks [@&#8203;Namchee](https://redirect.github.com/Namchee)! - Removes
the `strip-ansi` dependency in favor of the native Node API

-
[#&#8203;12126](https://redirect.github.com/withastro/astro/pull/12126)
[`6e1dfeb`](https://redirect.github.com/withastro/astro/commit/6e1dfeb76bec09d24928bab798c6ad3280f42e84)
Thanks [@&#8203;ascorbic](https://redirect.github.com/ascorbic)! - Clear
content layer cache when astro version changes

-
[#&#8203;12117](https://redirect.github.com/withastro/astro/pull/12117)
[`a46839a`](https://redirect.github.com/withastro/astro/commit/a46839a5c818b7de63c36d0c7e27f1a8f3b773dc)
Thanks
[@&#8203;ArmandPhilippot](https://redirect.github.com/ArmandPhilippot)!
- Updates Vite links to use their new domain

-
[#&#8203;12124](https://redirect.github.com/withastro/astro/pull/12124)
[`499fbc9`](https://redirect.github.com/withastro/astro/commit/499fbc91a6bdad8c86ff13a8caf1fa09433796b9)
Thanks [@&#8203;ascorbic](https://redirect.github.com/ascorbic)! -
Allows special characters in Action names

-
[#&#8203;12123](https://redirect.github.com/withastro/astro/pull/12123)
[`b8673df`](https://redirect.github.com/withastro/astro/commit/b8673df51c6cc4ce6a288f8eb609b7a438a07d82)
Thanks [@&#8203;Princesseuh](https://redirect.github.com/Princesseuh)! -
Fixes missing `body` property on CollectionEntry types for content layer
entries

-
[#&#8203;12132](https://redirect.github.com/withastro/astro/pull/12132)
[`de35daa`](https://redirect.github.com/withastro/astro/commit/de35daa8517555c1b9c72bc7fe9cc955c4997a83)
Thanks [@&#8203;jcayzac](https://redirect.github.com/jcayzac)! - Updates
the [`cookie`](https://npmjs.com/package/cookie) dependency to avoid the
[CVE 2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764)
vulnerability.

-
[#&#8203;12113](https://redirect.github.com/withastro/astro/pull/12113)
[`a54e520`](https://redirect.github.com/withastro/astro/commit/a54e520d3c139fa123e7029c5933951b5c7f5a39)
Thanks [@&#8203;ascorbic](https://redirect.github.com/ascorbic)! - Adds
a helpful error when attempting to render an undefined collection entry

###
[`v4.15.11`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#41511)

[Compare
Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.10...astro@4.15.11)

##### Patch Changes

-
[#&#8203;12097](https://redirect.github.com/withastro/astro/pull/12097)
[`11d447f`](https://redirect.github.com/withastro/astro/commit/11d447f66b1a0f39489c2600139ebfb565336ce7)
Thanks [@&#8203;ascorbic](https://redirect.github.com/ascorbic)! - Fixes
error where references in content layer schemas sometimes incorrectly
report as missing

-
[#&#8203;12108](https://redirect.github.com/withastro/astro/pull/12108)
[`918953b`](https://redirect.github.com/withastro/astro/commit/918953bd09f057131dfe029e810019c0909345cf)
Thanks [@&#8203;lameuler](https://redirect.github.com/lameuler)! - Fixes
a bug where [data URL
images](https://developer.mozilla.org/en-US/docs/Web/URI/Schemes/data)
were not correctly handled. The bug resulted in an `ENAMETOOLONG` error.

-
[#&#8203;12105](https://redirect.github.com/withastro/astro/pull/12105)
[`42037f3`](https://redirect.github.com/withastro/astro/commit/42037f33e644d5a2bfba71377697fc7336ecb15b)
Thanks [@&#8203;ascorbic](https://redirect.github.com/ascorbic)! -
Returns custom statusText that has been set in a Response

-
[#&#8203;12109](https://redirect.github.com/withastro/astro/pull/12109)
[`ea22558`](https://redirect.github.com/withastro/astro/commit/ea225585fd12d27006434266163512ca66ad572b)
Thanks [@&#8203;ematipico](https://redirect.github.com/ematipico)! -
Fixes a regression that was introduced by an internal refactor of how
the middleware is loaded by the Astro application. The regression was
introduced by
[#&#8203;11550](https://redirect.github.com/withastro/astro/pull/11550).

When the edge middleware feature is opted in, Astro removes the
middleware function from the SSR manifest, and this wasn't taken into
account during the refactor.

-
[#&#8203;12106](https://redirect.github.com/withastro/astro/pull/12106)
[`d3a74da`](https://redirect.github.com/withastro/astro/commit/d3a74da19644477ffc81acf2a3efb26ad3335a5e)
Thanks [@&#8203;ascorbic](https://redirect.github.com/ascorbic)! -
Handles case where an immutable Response object is returned from an
endpoint

-
[#&#8203;12090](https://redirect.github.com/withastro/astro/pull/12090)
[`d49a537`](https://redirect.github.com/withastro/astro/commit/d49a537f2aaccd132154a15f1da4db471272ee90)
Thanks [@&#8203;markjaquith](https://redirect.github.com/markjaquith)! -
Server islands: changes the server island HTML placeholder comment so
that it is much less likely to get removed by HTML minifiers.

###
[`v4.15.10`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#41510)

[Compare
Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.9...astro@4.15.10)

##### Patch Changes

-
[#&#8203;12084](https://redirect.github.com/withastro/astro/pull/12084)
[`12dae50`](https://redirect.github.com/withastro/astro/commit/12dae50c776474748a80cb65c8bf1c67f0825cb0)
Thanks [@&#8203;Princesseuh](https://redirect.github.com/Princesseuh)! -
Adds missing filePath property on content layer entries

-
[#&#8203;12046](https://redirect.github.com/withastro/astro/pull/12046)
[`d7779df`](https://redirect.github.com/withastro/astro/commit/d7779dfae7bc00ff94b1e4596ff5b4897f65aabe)
Thanks [@&#8203;martrapp](https://redirect.github.com/martrapp)! - View
transitions: Fixes Astro's fade animation to prevent flashing during
morph transitions.

-
[#&#8203;12043](https://redirect.github.com/withastro/astro/pull/12043)
[`1720c5b`](https://redirect.github.com/withastro/astro/commit/1720c5b1d2bfd106ad065833823aed622bee09bc)
Thanks [@&#8203;bluwy](https://redirect.github.com/bluwy)! - Fixes
injected endpoint `prerender` option detection

-
[#&#8203;12095](https://redirect.github.com/withastro/astro/pull/12095)
[`76c5fbd`](https://redirect.github.com/withastro/astro/commit/76c5fbd6f3a8d41367f1d7033278d133d518213b)
Thanks [@&#8203;TheOtterlord](https://redirect.github.com/TheOtterlord)!
- Fix installing non-stable versions of integrations with `astro add`

###
[`v4.15.9`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4159)

[Compare
Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.8...astro@4.15.9)

##### Patch Changes

-
[#&#8203;12034](https://redirect.github.com/withastro/astro/pull/12034)
[`5b3ddfa`](https://redirect.github.com/withastro/astro/commit/5b3ddfadcb2d09b6cbd9cd42641f30ca565d0f58)
Thanks [@&#8203;ematipico](https://redirect.github.com/ematipico)! -
Fixes an issue where the middleware wasn't called when a project uses
`404.astro`.

-
[#&#8203;12042](https://redirect.github.com/withastro/astro/pull/12042)
[`243ecb6`](https://redirect.github.com/withastro/astro/commit/243ecb6d6146dc483b4726d0e76142fb25e56243)
Thanks [@&#8203;ematipico](https://redirect.github.com/ematipico)! -
Fixes a problem in the Container API, where a polyfill wasn't correctly
applied. This caused an issue in some environments where `crypto` isn't
supported.

-
[#&#8203;12038](https://redirect.github.com/withastro/astro/pull/12038)
[`26ea5e8`](https://redirect.github.com/withastro/astro/commit/26ea5e814ab8c973e683fff62389fda28c180940)
Thanks [@&#8203;ascorbic](https://redirect.github.com/ascorbic)! -
Resolves image paths in content layer with initial slash as
project-relative

When using the `image()` schema helper, previously paths with an initial
slash were treated as public URLs. This was to match the behavior of
markdown images. However this is a change from before, where paths with
an initial slash were treated as project-relative. This change restores
the previous behavior, so that paths with an initial slash are treated
as project-relative.

###
[`v4.15.8`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4158)

[Compare
Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.7...astro@4.15.8)

##### Patch Changes

-
[#&#8203;12014](https://redirect.github.com/withastro/astro/pull/12014)
[`53cb41e`](https://redirect.github.com/withastro/astro/commit/53cb41e30ea5768bf33d9f6be608fb57d31b7b9e)
Thanks [@&#8203;ascorbic](https://redirect.github.com/ascorbic)! - Fixes
an issue where component styles were not correctly included in rendered
MDX

-
[#&#8203;12031](https://redirect.github.com/withastro/astro/pull/12031)
[`8c0cae6`](https://redirect.github.com/withastro/astro/commit/8c0cae6d1bd70b332286d83d0f01cfce5272fbbe)
Thanks [@&#8203;ematipico](https://redirect.github.com/ematipico)! -
Fixes a bug where the rewrite via `next(/*..*/)` inside a middleware
didn't compute the new `APIContext.params`

-
[#&#8203;12026](https://redirect.github.com/withastro/astro/pull/12026)
[`40e7a1b`](https://redirect.github.com/withastro/astro/commit/40e7a1b05d9e5ea3fcda176c9663bbcff86edb63)
Thanks [@&#8203;bluwy](https://redirect.github.com/bluwy)! - Initializes
the Markdown processor only when there's `.md` files

-
[#&#8203;12028](https://redirect.github.com/withastro/astro/pull/12028)
[`d3bd673`](https://redirect.github.com/withastro/astro/commit/d3bd673392e63720e241d6a002a131a3564c169c)
Thanks [@&#8203;bluwy](https://redirect.github.com/bluwy)! - Handles
route collision detection only if it matches `getStaticPaths`

-
[#&#8203;12027](https://redirect.github.com/withastro/astro/pull/12027)
[`dd3b753`](https://redirect.github.com/withastro/astro/commit/dd3b753aba6400558671d85214e27b8e4fb1654b)
Thanks [@&#8203;fviolette](https://redirect.github.com/fviolette)! - Add
`selected` to the list of boolean attributes

-
[#&#8203;12001](https://redirect.github.com/withastro/astro/pull/12001)
[`9be3e1b`](https://redirect.github.com/withastro/astro/commit/9be3e1bba789af96d8b21d9c8eca8542cfb4ff77)
Thanks [@&#8203;uwej711](https://redirect.github.com/uwej711)! - Remove
dependency on path-to-regexp

###
[`v4.15.7`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4157)

[Compare
Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.6...astro@4.15.7)

##### Patch Changes

-
[#&#8203;12000](https://redirect.github.com/withastro/astro/pull/12000)
[`a2f8c5d`](https://redirect.github.com/withastro/astro/commit/a2f8c5d85ff15803f5cedf9148cd70ffc138ddef)
Thanks
[@&#8203;ArmandPhilippot](https://redirect.github.com/ArmandPhilippot)!
- Fixes an outdated link used to document Content Layer API

-
[#&#8203;11915](https://redirect.github.com/withastro/astro/pull/11915)
[`0b59fe7`](https://redirect.github.com/withastro/astro/commit/0b59fe74d5922c572007572ddca8d11482e2fb5c)
Thanks [@&#8203;azhirov](https://redirect.github.com/azhirov)! - Fix:
prevent island from re-rendering when using transition:persist
([#&#8203;11854](https://redirect.github.com/withastro/astro/issues/11854))

###
[`v4.15.6`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4156)

[Compare
Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.5...astro@4.15.6)

##### Patch Changes

-
[#&#8203;11993](https://redirect.github.com/withastro/astro/pull/11993)
[`ffba5d7`](https://redirect.github.com/withastro/astro/commit/ffba5d716edcdfc42899afaa4188b7a4cd0c91eb)
Thanks [@&#8203;matthewp](https://redirect.github.com/matthewp)! - Fix
getStaticPaths regression

This reverts a previous change meant to remove a dependency, to fix a
regression with multiple nested spread routes.

-
[#&#8203;11964](https://redirect.github.com/withastro/astro/pull/11964)
[`06eff60`](https://redirect.github.com/withastro/astro/commit/06eff60cabb55d91fe4075421b1693b1ab33225c)
Thanks [@&#8203;TheOtterlord](https://redirect.github.com/TheOtterlord)!
- Add wayland (wl-copy) support to `astro info`

###
[`v4.15.5`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4155)

[Compare
Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.4...astro@4.15.5)

##### Patch Changes

-
[#&#8203;11939](https://redirect.github.com/withastro/astro/pull/11939)
[`7b09c62`](https://redirect.github.com/withastro/astro/commit/7b09c62b565cd7b50c35fb68d390729f936a43fb)
Thanks [@&#8203;bholmesdev](https://redirect.github.com/bholmesdev)! -
Adds support for Zod discriminated unions on Action form inputs. This
allows forms with different inputs to be submitted to the same action,
using a given input to decide which object should be used for
validation.

This example accepts either a `create` or `update` form submission, and
uses the `type` field to determine which object to validate against.

    ```ts
    import { defineAction } from 'astro:actions';
    import { z } from 'astro:schema';

    export const server = {
      changeUser: defineAction({
        accept: 'form',
        input: z.discriminatedUnion('type', [
          z.object({
            type: z.literal('create'),
            name: z.string(),
            email: z.string().email(),
          }),
          z.object({
            type: z.literal('update'),
            id: z.number(),
            name: z.string(),
            email: z.string().email(),
          }),
        ]),
        async handler(input) {
          if (input.type === 'create') {
            // input is { type: 'create', name: string, email: string }
          } else {
// input is { type: 'update', id: number, name: string, email: string }
          }
        },
      }),
    };
    ```

    The corresponding `create` and `update` forms may look like this:

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xMjYuMSIsInVwZGF0ZWRJblZlciI6IjM4LjEyNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbImF1dG9tZXJnZSIsInJlbm92YXRlL2NvbnRhaW5lciIsInR5cGUvbWlub3IiXX0=-->

website/package.json

@@ -23,7 +23,7 @@
     "@astrojs/starlight-tailwind": "2.0.3",
     "@astrojs/tailwind": "5.1.2",
     "@playform/compress": "0.1.4",
-    "astro": "4.15.4",
+    "astro": "4.16.1",
     "astro-better-image-service": "2.0.37",
     "astro-integration-lottie": "0.3.1",
     "astro-robots-txt": "1.0.0",