
@aikido-autofix
Contributor

Upgrading astro to address vulnerabilities.

10 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| AIKIDO-2025-10879 | HIGH | Affected versions of this package are vulnerable to authentication bypass through double-URL encoded paths. An attacker could use multi-level URL encoding (e.g. /%2561dmin) to access routes that should be behind authentication. The patch fixes this by decoding pathnames and rejecting requests that... |
| CVE-2025-66202 | MEDIUM | Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, th... |
| CVE-2025-64525 | MEDIUM | Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilize on-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: midd... |
| CVE-2025-61925 | MEDIUM | Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation. It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such, a malicious re... |
| CVE-2025-65019 | MEDIUM | Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This en... |
| CVE-2025-64745 | MEDIUM | Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the trailingSlash configuration option is used. An attacker can inject arbitrary JavaScript code that executes... |
| CVE-2025-55303 | MEDIUM | Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /... |
| AIKIDO-2025-10805 | MEDIUM | Affected versions of this package are vulnerable to cache poisoning and host header manipulation due to insufficient validation of X-Forwarded-Host, X-Forwarded-Proto, and X-Forwarded-Port headers. Attackers could inject or manipulate these headers to bypass domain restrictions, influence rout... |
| CVE-2025-64764 | MEDIUM | Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8. |
| AIKIDO-2025-10825 | LOW | Affected versions of this package are vulnerable to cross-site scripting (XSS). The patched version strengthens the security of Server Islands slots by encrypting slot data before it is sent to the browser, aligning it with the security model already used for props. This ensures the integrity of slo... |

@KevinEtchells KevinEtchells merged commit d070329 into main Dec 17, 2025
2 of 3 checks passed
@KevinEtchells KevinEtchells deleted the fix/aikido-security-update-packages-12287574-c6b5 branch December 17, 2025 14:47

2 participants