chore(deps): Bump the site-dependencies group across 1 directory with 2 updates #38

Open
dependabot[bot] wants to merge 1 commit into stage from dependabot/npm_and_yarn/site/site-dependencies-1dd7d89614

@dependabot dependabot Bot commented on behalf of github Jun 11, 2026

Bumps the site-dependencies group with 2 updates in the /site directory: astro and sharp.

Updates astro from 6.4.5 to 6.4.6

Release notes

Sourced from astro's releases.

astro@6.4.6

Patch Changes

  • #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

  • #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

  • #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

Changelog

Sourced from astro's changelog.

6.4.6

Patch Changes

  • #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

  • #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

  • #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

Commits

Updates sharp from 0.34.5 to 0.35.1

Release notes

Sourced from sharp's releases.

v0.35.1

  • TypeScript: Ensure type definitions are published for both ESM and CJS. #4537

  • WebAssembly: Ensure wrapper file is published. #4538

v0.35.1-rc.1

  • TypeScript: Ensure type definitions are published for both ESM and CJS. #4537

  • WebAssembly: Ensure wrapper file is published. #4538

v0.35.1-rc.0

  • TypeScript: Ensure type definitions are published #4537

  • WebAssembly: Ensure wrapper file is published. #4538

v0.35.0

  • Breaking: Drop support for Node.js 18, now requires Node.js >= 20.9.0.

  • Breaking: Remove install script from package.json file. Compiling from source is now opt-in via the build script.

  • Breaking: Lossy AVIF output is now tuned using SSIMULACRA2-based iq quality metrics.

  • Breaking: Add limitInputChannels with a default value of 5.

  • Breaking: Remove deprecated failOnError constructor property.

  • Breaking: Remove deprecated paletteBitDepth from metadata response.

  • Breaking: Remove deprecated properties from sharpen operation.

  • Breaking: Rename format.jp2k as format.jp2 for API consistency.

  • Upgrade to libvips v8.18.3 for upstream bug fixes.

  • Remove experimental status from WebAssembly binaries.

  • Add prebuilt binaries for FreeBSD (WebAssembly).

  • Deprecate Windows 32-bit (win32-ia32) prebuilt binaries.

  • Ensure TIFF output bitdepth option is limited to 1, 2 or 4.

  • Add AVIF/HEIF tune option for control over quality metrics.

... (truncated)

Commits
  • d781a2d Release v0.35.1
  • 84fa853 Prerelease v0.35.1-rc.1
  • 21263c3 TypeScript: Switch type defs to ESM, convert back to CJS #4537
  • 8deceb4 Docs: fix link in changelog (#4541)
  • c9f08eb Revert "Docs: Highlight that Windows ARM64 support is experimental" (#4540)
  • 3ec892f Prerelease v0.35.1-rc.0
  • fbdeac5 CI: Run packaging linter on sub-packages
  • 1da92b3 WebAssembly: Ensure wrapper file is published #4538
  • 32c029e Add packaging linter to help prevent regression e.g. #4537
  • 98dc1df TypeScript: Ensure type definitions are published #4537
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 11, 2026
@dependabot dependabot Bot requested a review from jaylann as a code owner June 11, 2026 07:11

@jaylann jaylann left a comment

Holding this one. Two reasons:

  1. Build site fails the supply-chain release-age gate (ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION): sharp@0.35.0 and its @img/* deps were published 2026-06-10 ~17:06 UTC, inside the minimumReleaseAge cutoff. This gate is working as designed — we don't trust <24h-old packages.
  2. sharp 0.35.0 is a minor with real breaking changes (drops Node 18, AVIF re-tuning, removed deprecated APIs). Even once the age gate clears, the site build should be verified before merging.

The astro 6.4.5→6.4.6 patch is harmless on its own, but Dependabot grouped both under site-dependencies. Plan: once sharp ages past the cutoff (~17:06 UTC today), re-run checks; if the site build passes, merge. Otherwise verify just site-build locally first.

@jaylann jaylann left a comment

Re-reviewed in depth — the content is safe, the only blocker is timing:

  • Site CI runs Node 24, satisfying sharp 0.35's new Node >=20.9 floor.
  • No direct sharp usage anywhere in the site and no custom Astro image-service config — sharp is only Astro's default image optimizer, so 0.35's breaking changes (removed deprecated failOnError/paletteBitDepth/sharpen props, jp2k→jp2, AVIF retuning) don't affect us.
  • pnpm resolved the lockfile cleanly; the install failed only on the release-age gate, not on any astro↔sharp peer conflict.

So the sole blocker is the minimumReleaseAge supply-chain gate: sharp 0.35.0 / @img/* published 2026-06-10 ~17:06 UTC, clearing the 24h cutoff ~17:06 UTC today. Re-run Build site after that and it merges clean. No code-side concerns.

jaylann commented Jun 11, 2026

@dependabot rebase

@dependabot dependabot Bot changed the title chore(deps): Bump the site-dependencies group in /site with 2 updates chore(deps): Bump the site-dependencies group across 1 directory with 2 updates Jun 11, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/site/site-dependencies-1dd7d89614 branch from 81b10c4 to dd8937b Compare June 11, 2026 18:36

jaylann commented Jun 12, 2026

https://github.com/dependabot rebase

jaylann commented Jun 12, 2026

@copilot resolve the merge conflicts in this pull request. Then rebase

… 2 updates

Bumps the site-dependencies group with 2 updates in the /site directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) and [sharp](https://github.com/lovell/sharp).


Updates `astro` from 6.4.5 to 6.4.6
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.4.6/packages/astro)

Updates `sharp` from 0.34.5 to 0.35.1
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.34.5...v0.35.1)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: site-dependencies
- dependency-name: sharp
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: site-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/site/site-dependencies-1dd7d89614 branch from dd8937b to 838f08c Compare June 12, 2026 14:08

Copilot AI commented Jun 12, 2026

@copilot resolve the merge conflicts in this pull request. Then rebase

I checked and rebased this branch onto stage; there were no merge conflicts to resolve and Git reports it is already up to date at 838f08c.

I also checked the failing Build site job logs: the failure is the ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION supply-chain age gate for sharp@0.35.1 and @img/sharp-*, not a merge conflict.

Copilot AI requested a review from jaylann June 12, 2026 14:11
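
The release-age gate discussed in this thread, as an added example (not code from this repository, from pnpm, or from any participant): it computes which resolved packages are younger than a 24h cutoff and when each one clears. Only sharp@0.35.0's publish time comes from the thread; the other timestamps and the function name `releaseAgeViolations` are constructed for illustration, and the second case shows that re-resolving to a newer version starts the wait again from that version's own publish time.

```javascript
// Constructed sample in the shape of per-version publish times from a
// registry. Only sharp@0.35.0's timestamp is taken from the thread
// (~17:06 UTC); the other two are made up for illustration.
const PUBLISHED = {
  "astro@6.4.6": "2026-06-08T12:00:00Z",  // constructed
  "sharp@0.35.0": "2026-06-10T17:06:00Z", // from the review comment
  "sharp@0.35.1": "2026-06-11T20:00:00Z", // constructed
};
const MIN_AGE_MINUTES = 24 * 60; // the 24h cutoff described in the thread

// Return each resolved package that is younger than the cutoff at `now`,
// plus the instant at which it becomes old enough to install.
function releaseAgeViolations(resolved, published, now, minAgeMinutes) {
  const nowMs = Date.parse(now);
  const violations = [];
  for (const id of resolved) {
    const publishedMs = Date.parse(published[id] ?? "");
    if (Number.isNaN(publishedMs)) {
      // Fail closed: a package with no known publish time is not trusted.
      violations.push({ id, ageMinutes: null, clearsAt: null });
      continue;
    }
    const ageMinutes = Math.floor((nowMs - publishedMs) / 60000);
    if (ageMinutes < minAgeMinutes) {
      const clearsAt = new Date(publishedMs + minAgeMinutes * 60000).toISOString();
      violations.push({ id, ageMinutes, clearsAt });
    }
  }
  return violations;
}

// Case 1: the PR as opened (Jun 11, 07:11 UTC) resolving sharp@0.35.0.
const opened = releaseAgeViolations(
  ["astro@6.4.6", "sharp@0.35.0"], PUBLISHED, "2026-06-11T07:11:00Z", MIN_AGE_MINUTES);

// Case 2: a later re-resolve to sharp@0.35.1 (Jun 12, 14:11 UTC). The older
// 0.35.0 would pass by now, but the newer version's clock starts at its own
// publish time, so the gate fires again.
const rebased = releaseAgeViolations(
  ["astro@6.4.6", "sharp@0.35.1"], PUBLISHED, "2026-06-12T14:11:00Z", MIN_AGE_MINUTES);

console.log(JSON.stringify({ opened, rebased }, null, 2));
```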