Bump astro from 5.15.9 to 5.16.6

[dependabot]

Bumps astro from 5.15.9 to 5.16.6.

Release notes

Sourced from astro's releases.

[email protected]

Patch Changes

• #14982 6849e38 Thanks @​Princesseuh! - Fixes images outside the project directory not working when using astro:assets in development mode

• #14987 9dd9fca Thanks @​Princesseuh! - Fixes SVGs not working in dev mode when using the passthrough image service

• #15014 a178422 Thanks @​delucis! - Adds support for extending the type of the props accepted by Astro’s <Image> component, <Picture> component, and getImage() API.

[email protected]

Patch Changes

• #14985 c016f10 Thanks @​florian-lefebvre! - Fixes a case where JSDoc annotations wouldn't show for fonts related APIs in the Astro config

• #14973 ed7cc2f Thanks @​amankumarpandeyin! - Fixes performance regression and OOM errors when building medium-sized blogs with many content entries. Replaced O(n²) object spread pattern with direct mutation in generateLookupMap.

• #14958 70eb542 Thanks @​ascorbic! - Gives a helpful error message if a user sets output: "hybrid" in their Astro config.

  The option was removed in Astro 5, but lots of content online still references it, and LLMs often suggest it. It's not always clear that the replacement is output: "static", rather than output: "server". This change adds a helpful error message to guide humans and robots.

• #14901 ef53716 Thanks @​Darknab! - Updates the glob() loader to log a warning when duplicated IDs are detected

• Updated dependencies [d8305f8]:

  • @​astrojs/markdown-remark@​6.3.10

[email protected]

Patch Changes

• #14940 2cf79c2 Thanks @​ematipico! - Fixes a bug where Astro didn't properly combine CSP resources from the csp configuration with those added using the runtime API (Astro.csp.insertDirective()) to form grammatically correct CSP headers

  Now Astro correctly deduplicate CSP resources. For example, if you have a global resource in the configuration file, and then you add a a new one using the runtime APIs.

[email protected]

Patch Changes

• #14889 4bceeb0 Thanks @​florian-lefebvre! - Fixes actions types when using specific TypeScript configurations

• #14929 e0f277d Thanks @​matthewp! - Fixes authentication bypass via double URL encoding in middleware

  Prevents attackers from bypassing path-based authentication checks using multi-level URL encoding (e.g., /%2561dmin instead of /%61dmin). Pathnames are now validated after decoding to ensure no additional encoding remains.

[email protected]

Patch Changes

• #14876 b43dc7f Thanks @​florian-lefebvre! - Fixes a vite warning log during builds when using npm

• #14884 10273e0 Thanks @​florian-lefebvre! - Fixes a case where setting the status of a page to 404 in ssr would show an empty page (or 404.astro page if provided) instead of using the current page

[email protected]

... (truncated)

Changelog

Sourced from astro's changelog.

5.16.6

Patch Changes

• #14982 6849e38 Thanks @​Princesseuh! - Fixes images outside the project directory not working when using astro:assets in development mode

• #14987 9dd9fca Thanks @​Princesseuh! - Fixes SVGs not working in dev mode when using the passthrough image service

• #15014 a178422 Thanks @​delucis! - Adds support for extending the type of the props accepted by Astro’s <Image> component, <Picture> component, and getImage() API.

5.16.5

Patch Changes

• #14985 c016f10 Thanks @​florian-lefebvre! - Fixes a case where JSDoc annotations wouldn't show for fonts related APIs in the Astro config

• #14973 ed7cc2f Thanks @​amankumarpandeyin! - Fixes performance regression and OOM errors when building medium-sized blogs with many content entries. Replaced O(n²) object spread pattern with direct mutation in generateLookupMap.

• #14958 70eb542 Thanks @​ascorbic! - Gives a helpful error message if a user sets output: "hybrid" in their Astro config.

  The option was removed in Astro 5, but lots of content online still references it, and LLMs often suggest it. It's not always clear that the replacement is output: "static", rather than output: "server". This change adds a helpful error message to guide humans and robots.

• #14901 ef53716 Thanks @​Darknab! - Updates the glob() loader to log a warning when duplicated IDs are detected

• Updated dependencies [d8305f8]:

  • @​astrojs/markdown-remark@​6.3.10

5.16.4

Patch Changes

• #14940 2cf79c2 Thanks @​ematipico! - Fixes a bug where Astro didn't properly combine CSP resources from the csp configuration with those added using the runtime API (Astro.csp.insertDirective()) to form grammatically correct CSP headers

  Now Astro correctly deduplicate CSP resources. For example, if you have a global resource in the configuration file, and then you add a a new one using the runtime APIs.

5.16.3

Patch Changes

• #14889 4bceeb0 Thanks @​florian-lefebvre! - Fixes actions types when using specific TypeScript configurations

• #14929 e0f277d Thanks @​matthewp! - Fixes authentication bypass via double URL encoding in middleware

  Prevents attackers from bypassing path-based authentication checks using multi-level URL encoding (e.g., /%2561dmin instead of /%61dmin). Pathnames are now validated after decoding to ensure no additional encoding remains.

5.16.2

Patch Changes

... (truncated)

Commits

• 0343993 [ci] release (#14997)
• a178422 Support extending the image API props type (#15014)
• 8cdaa00 [ci] format
• 9dd9fca fix(assets): Fixes missing format option for svgs in the passthrough service ...
• 6849e38 fix(assets): support images outside of the project in dev (#14982)
• 02c19eb [ci] release (#14959)
• ed7cc2f fix: prevent O(n²) memory allocation in content lookup map generation (#14973)
• c016f10 fix(fonts): jsdocs (#14985)
• ef53716 fix(content): warn on duplicate Markdown content entry IDs (#14901)
• 70eb542 feat: print a more helpful error message for output: hybrid (#14958)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
shepherd-docs	Ready	Preview, Comment	Dec 29, 2025 10:04am

1 Skipped Deployment

Project	Deployment	Review	Updated (UTC)
shepherd-landing	Skipped		Dec 29, 2025 10:04am

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}