chore(deps): Bump the npm-dependencies group in /site with 4 updates

[dependabot]

Bumps the npm-dependencies group in /site with 4 updates: @astrojs/cloudflare, @astrojs/sitemap, astro and wrangler.

Updates @astrojs/cloudflare from 13.5.4 to 13.5.5

Release notes

Sourced from @​astrojs/cloudflare's releases.

@​astrojs/cloudflare@​13.5.5

Patch Changes

• #16607 98297af Thanks @​alexanderflodin! - Fixes incorrect assets.directory in the generated wrangler.json when a base path is configured

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

Changelog

Sourced from @​astrojs/cloudflare's changelog.

13.5.5

Patch Changes

• #16607 98297af Thanks @​alexanderflodin! - Fixes incorrect assets.directory in the generated wrangler.json when a base path is configured

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

Commits

• 1e49163 [ci] release (#16832)
• 1e7b988 [ci] format
• 98297af fix(cloudflare): correct assets.directory in wrangler.json when base is set (...
• See full diff in compare view

Updates @astrojs/sitemap from 3.7.2 to 3.7.3

Release notes

Sourced from @​astrojs/sitemap's releases.

@​astrojs/sitemap@​3.7.3

Patch Changes

• #16837 783c4a6 Thanks @​jdevalk! - Improves <lastmod> accuracy in the sitemap index. Each <sitemap> entry in sitemap-index.xml is now stamped with the most recent lastmod of the URLs in the child sitemap it points to, instead of repeating a single global date on every entry. When a child sitemap has no per-URL lastmod, the entry falls back to the lastmod option as before. This gives search engines a per-file freshness signal, so they can tell which child sitemaps actually changed without refetching all of them.

Changelog

Sourced from @​astrojs/sitemap's changelog.

3.7.3

Patch Changes

• #16837 783c4a6 Thanks @​jdevalk! - Improves <lastmod> accuracy in the sitemap index. Each <sitemap> entry in sitemap-index.xml is now stamped with the most recent lastmod of the URLs in the child sitemap it points to, instead of repeating a single global date on every entry. When a child sitemap has no per-URL lastmod, the entry falls back to the lastmod option as before. This gives search engines a per-file freshness signal, so they can tell which child sitemaps actually changed without refetching all of them.

Commits

• 1e49163 [ci] release (#16832)
• 783c4a6 Stamp sitemap index entries with per-file lastmod (#16837)
• 5a8cd09 refactor: update tsconfig to use TypeScript project references (#16505)
• 5c543c5 refactor(astro): add internal entry points for test (#16473)
• f7566b8 refactor: unify test setup (#16445)
• ba2dbf1 refactor(astro): correct Fixture type signatures in test-utils (#16380)
• 245f300 refactor: migrate sitemap tests to typescript (#16353)
• 88fcc98 fix integrations links across docs (#16098)
• See full diff in compare view

Updates astro from 6.3.7 to 6.3.8

Release notes

Sourced from astro's releases.

astro@6.3.8

Patch Changes

• #16830 f2bf3cb Thanks @​matthewp! - Fixes 404s for dynamically imported JS chunks when using an adapter with assetQueryParams (e.g. Vercel skew protection)

• #16831 ace96ba Thanks @​astrobot-houston! - Fixes a misleading GetStaticPathsRequired error when a redirect is configured from a dynamic route to a static (or less-dynamic) destination. For example, '/project/[slug]': '/' previously produced a confusing error pointing at index.astro. Astro now detects the parameter mismatch at config validation time and throws a clear InvalidRedirectDestination error naming the missing parameters.

• #16702 b7d1758 Thanks @​matthewp! - Fixes scoped styles from .astro components being dropped when rendered inside MDX content (<Content /> from render(entry)) passed through a named slot using <Fragment slot="X">. The Fragment component now eagerly evaluates its slot contents to ensure propagating components register their styles before head content is flushed.

• #16823 3df6a45 Thanks @​astrobot-houston! - Fixes missing CSS for conditionally rendered Svelte components in production builds

• #16836 3d7adfa Thanks @​LongYC! - Document compressHTML: "jsx" config is only available since Astro v6.2.0

• #16864 334ce13 Thanks @​cheets! - Fixes a false-positive Internal Warning: route cache overwritten logged on every SSR request for dynamic routes

Changelog

Sourced from astro's changelog.

6.3.8

Patch Changes

• #16830 f2bf3cb Thanks @​matthewp! - Fixes 404s for dynamically imported JS chunks when using an adapter with assetQueryParams (e.g. Vercel skew protection)

• #16831 ace96ba Thanks @​astrobot-houston! - Fixes a misleading GetStaticPathsRequired error when a redirect is configured from a dynamic route to a static (or less-dynamic) destination. For example, '/project/[slug]': '/' previously produced a confusing error pointing at index.astro. Astro now detects the parameter mismatch at config validation time and throws a clear InvalidRedirectDestination error naming the missing parameters.

• #16702 b7d1758 Thanks @​matthewp! - Fixes scoped styles from .astro components being dropped when rendered inside MDX content (<Content /> from render(entry)) passed through a named slot using <Fragment slot="X">. The Fragment component now eagerly evaluates its slot contents to ensure propagating components register their styles before head content is flushed.

• #16823 3df6a45 Thanks @​astrobot-houston! - Fixes missing CSS for conditionally rendered Svelte components in production builds

• #16836 3d7adfa Thanks @​LongYC! - Document compressHTML: "jsx" config is only available since Astro v6.2.0

• #16864 334ce13 Thanks @​cheets! - Fixes a false-positive Internal Warning: route cache overwritten logged on every SSR request for dynamic routes

Commits

• 1e49163 [ci] release (#16832)
• 2f3bbf1 refactor: move integration tests to unit tests (#16866)
• 4591fb0 [ci] format
• 334ce13 fix(core): include mod in SSR route-cache entry to silence false-positive w...
• 3df6a45 Fix missing CSS for conditionally rendered Svelte components (#16823)
• 221bb4b fix(core): cache resolved actions in base pipeline (#16859)
• 4f5a9a8 chore: remove fixtures and move slot tests to unit (#16773)
• b22af11 fix(docs): update InvalidRedirectDestination error message (#16840)
• e542226 [ci] format
• b7d1758 fix(render): propagate styles through Fragment named slots (#16181) (#16702)
• Additional commits viewable in compare view

Updates wrangler from 4.94.0 to 4.95.0

Release notes

Sourced from wrangler's releases.

wrangler@4.95.0

Minor Changes

• #14009 ca5b604 Thanks @​dario-piotrowicz! - Add telemetry for detecting whether AI coding agents have Cloudflare skills installed

  Wrangler now includes a currentAgentSkillsInstalled property in telemetry events that reports whether the current AI coding agent has Cloudflare skills present on disk. The value distinguishes between skills installed automatically by Wrangler ("automatic"), skills installed manually by the user ("manual"), no skills present (false), or no supported agent detected (null). Skill names are fetched from the GitHub Contents API with a 24-hour disk cache to avoid rate limits.

• #14014 d042705 Thanks @​emily-shen! - Add --x-deploy-helpers to gate an upcoming deploy path refactor.

Patch Changes

• #14003 c1fd2fd Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260521.1	1.20260526.1

• #13728 49c1a59 Thanks @​penalosa! - Reject remote: false on always-remote bindings (AI, AI Search, Media, Artifacts, Flagship, VPC Service, VPC Network)

  These binding types have no local simulator and the resource is fundamentally remote-only. Setting remote: false was previously silently accepted but produced a non-functional binding. wrangler dev now fails with a clear error directing users to either remove the remote field or set it to true.

• #14039 fee1ce4 Thanks @​dario-piotrowicz! - Preserve --compatibility-flags in the interactive deploy config flow

  When running wrangler deploy without a config file and going through the interactive setup flow, any --compatibility-flags passed on the command line (e.g. --compatibility-flags=nodejs_compat) were lost in two places:

  1. The generated wrangler.jsonc file did not include compatibility_flags.
  2. The suggested CLI command shown when declining the config file write did not include --compatibility-flags.

  Both are now fixed. Compatibility flags are persisted to the generated config and included in the suggested command.

• #14010 b3962ff Thanks @​dario-piotrowicz! - Improve error messages for Pages CLI commands

  Error messages across wrangler pages subcommands (deploy, dev, secret, project, etc.) now provide clearer descriptions and actionable guidance. For example, instead of "Must specify a project name.", you'll now see "Missing Pages project name. Use --project-name or set the name in your wrangler.jsonc configuration file."

• #14011 420e457 Thanks @​petebacondarwin! - Warn when a remote-bindings request is blocked by Cloudflare Access

  When wrangler dev is used with remote bindings and a request from the local remote-bindings proxy client to the remote workers.dev proxy server is blocked by Cloudflare Access (HTTP 403 with the Cloudflare Access block page), Wrangler now:

  • Logs a single, visually striking warning per dev session explaining how to set CLOUDFLARE_ACCESS_CLIENT_ID / CLOUDFLARE_ACCESS_CLIENT_SECRET (Service Token credentials) or run cloudflared access login to authenticate.
  • Replaces the original Access HTML block page with a readable plain-text body containing the same guidance, so the message also reaches the user via binding error messages (e.g. InferenceUpstreamError from env.AI.run()) and any browser response piped back via a service binding .fetch().

  Previously the 403 was returned to user code with the full Access HTML, which both drowned out other logs and made it hard to tell that the failure was due to Cloudflare Access on workers.dev rather than a problem in the binding itself or the deployed proxy server. The detection runs inside the proxy client worker (which only ever talks to the remote-bindings proxy URL), so it does not trigger false positives on user-worker 403s.

• #14044 8b1467e Thanks @​pombosilva! - Rename Workflow binding schedule property to schedules

  The schedule property on Workflow bindings introduced in #13467 has been renamed to schedules to match the control plane API.

  Note: This remains a configuration-only change. Scheduled triggering of Workflow instances is not yet available — adding schedules to a Workflow binding will not result in scheduled invocations at this time.

... (truncated)

Commits

• 0998725 Set disallowTypeAnnotations to false in `@typescript-eslint/consistent-ty...
• 3a746ac [tools] Lint that all non-bundled deps of published packages are pinned (#14112)
• 337e912 Remove trailing periods from URLs in terminal output (#14105)
• b210c5e [wrangler] Add re-authentication hint to account fetch errors (#14141)
• 64ef9fd [wrangler] Fix secret bulk stdin env parsing (#14124)
• 65b5f9e move fetchResult, fetchListResult and dependents into workers-utils (#14063)
• 50ef724 Version Packages (#14082)
• 2dffeeb Adapt React Router autoconfig based on v8_middleware future flag (#14132)
• 1103c07 Bump rosie-skills from 0.7.6 to 0.8.1 and bundle it into the Wrangler o...
• 59e43e4 [wrangler] fix: remove trailing period after api-tokens URL in wrangler whoam...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions