chore(deps): bump the minor-and-patch group across 1 directory with 7 updates

[dependabot]

Bumps the minor-and-patch group with 6 updates in the / directory:

Package	From	To
@astrojs/starlight	0.37.3	0.37.6
astro	5.16.11	5.18.0
playwright	1.57.0	1.58.2
@sip-protocol/sdk	0.7.3	0.9.0
typedoc	0.28.16	0.28.17
typedoc-plugin-markdown	4.9.0	4.10.0

Updates @astrojs/starlight from 0.37.3 to 0.37.6

Release notes

Sourced from @​astrojs/starlight's releases.

@​astrojs/starlight@​0.37.6

Patch Changes

• #3645 a562096 Thanks @​mschoeffmann! - Adds icons for Chrome, Edge, Firefox, and Safari

@​astrojs/starlight@​0.37.5

Patch Changes

• #3675 0ba556d Thanks @​controversial! - Excludes the accessible labels for heading anchor links from Pagefind results

@​astrojs/starlight@​0.37.4

Patch Changes

• #3534 703fab0 Thanks @​HiDeoo! - Fixes support for running builds when npx is unavailable.

  Previously, Starlight would spawn a process to run the Pagefind search indexing binary using npx. On platforms where npx isn’t available, this could cause issues. Starlight now runs Pagefind using its Node.js API to avoid a separate process. As a side effect, you may notice that logging during builds is now less verbose.

• #3656 a0e6368 Thanks @​delucis! - Fixes several edge cases in highlighting the current page heading in Starlight’s table of contents

• #3663 00cbf00 Thanks @​lines-of-codes! - Adds Thai language support

• #3658 ac79329 Thanks @​delucis! - Avoids adding redundant aria-current="false" attributes to sidebar entries

• #3382 db295c2 Thanks @​trueberryless! - Fixes an issue where the mobile table of contents is unable to find the first heading when a page has a tall banner.

Changelog

Sourced from @​astrojs/starlight's changelog.

0.37.6

Patch Changes

• #3645 a562096 Thanks @​mschoeffmann! - Adds icons for Chrome, Edge, Firefox, and Safari

0.37.5

Patch Changes

• #3675 0ba556d Thanks @​controversial! - Excludes the accessible labels for heading anchor links from Pagefind results

0.37.4

Patch Changes

• #3534 703fab0 Thanks @​HiDeoo! - Fixes support for running builds when npx is unavailable.

  Previously, Starlight would spawn a process to run the Pagefind search indexing binary using npx. On platforms where npx isn’t available, this could cause issues. Starlight now runs Pagefind using its Node.js API to avoid a separate process. As a side effect, you may notice that logging during builds is now less verbose.

• #3656 a0e6368 Thanks @​delucis! - Fixes several edge cases in highlighting the current page heading in Starlight’s table of contents

• #3663 00cbf00 Thanks @​lines-of-codes! - Adds Thai language support

• #3658 ac79329 Thanks @​delucis! - Avoids adding redundant aria-current="false" attributes to sidebar entries

• #3382 db295c2 Thanks @​trueberryless! - Fixes an issue where the mobile table of contents is unable to find the first heading when a page has a tall banner.

Commits

• 233b18b [ci] release (#3686)
• 84718ef [ci] format
• a562096 Add icons for various browsers (#3645)
• 58c7975 [ci] release (#3677)
• 49f153d [ci] format
• 0ba556d Set data-pagefind-ignore on heading anchor accessibility text (#3675)
• 879d6b3 [ci] release (#3659)
• db295c2 fix: mobile toc issue with custom banners (#3382)
• a0e6368 Fix table of contents intersection observer (#3656)
• 703fab0 Pagefind CLI → Pagefind API (#3534)
• Additional commits viewable in compare view

Updates astro from 5.16.11 to 5.18.0

Release notes

Sourced from astro's releases.

astro@5.18.0

Minor Changes

• #15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

astro@5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

astro@5.17.2

Patch Changes

• c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

astro@5.17.1

Patch Changes

• #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

  Removes the getFontBuffer() helper function exported from astro:assets when using the experimental Fonts API

  This experimental feature introduced in v15.6.13 ended up causing significant memory usage during build. This feature has been removed and will be reintroduced after further exploration and testing.

  If you were relying on this function, you can replicate the previous behavior manually:

  • On prerendered routes, read the file using node:fs
  • On server rendered routes, fetch files using URLs from fontData and context.url

astro@5.17.0

Minor Changes

... (truncated)

Changelog

Sourced from astro's changelog.

5.18.0

Minor Changes

• #15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

5.17.2

Patch Changes

• c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

5.17.1

Patch Changes

• #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

  Removes the getFontBuffer() helper function exported from astro:assets when using the experimental Fonts API

  This experimental feature introduced in v15.6.13 ended up causing significant memory usage during build. This feature has been removed and will be reintroduced after further exploration and testing.

  If you were relying on this function, you can replicate the previous behavior manually:

  • On prerendered routes, read the file using node:fs
  • On server rendered routes, fetch files using URLs from fontData and context.url

... (truncated)

Commits

• 011f061 [ci] release (#15597)
• efae11c fix: X-Forwarded-Proto rejected when allowedDomains includes protocol… (#15594)
• 751ccf0 Update actionBodySizeLimit changeset and make minor (#15600)
• b7dd447 make actionBodySizeLimit configurable (#15589)
• e0f1a2b [ci] release (#15571)
• 522f880 Limit action request body size (#15564)
• 436962a chore: Upgrade Vite and esbuild (#15554)
• e01e98b Respect remote image allowlists (#15569)
• f2955fb [ci] release (#15474)
• c13b536 Validate Host header against allowedDomains
• Additional commits viewable in compare view

Updates playwright from 1.57.0 to 1.58.2

Release notes

Sourced from playwright's releases.

v1.58.2

Highlights

#39121 fix(trace viewer): make paths via stdin work #39129 fix: do not force swiftshader on chromium mac

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.1

Highlights

#39036 fix(msedge): fix local network permissions #39037 chore: update cft download location #38995 chore(webkit): disable frame sessions on fronzen builds

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.0

📣 Playwright CLI+SKILLs 📣

We are adding a new token-efficient CLI mode of operation to Playwright with the skills located at playwright-cli. This brings the long-awaited official SKILL-focused CLI mode to our story and makes it more coding agent-friendly.

It is the first snapshot with the essential command set (which is already larger than the original MCP!), but we expect it to grow rapidly. Unlike the token use, that one we expect to go down since snapshots are no longer forced into the LLM!

Timeline

If you're using merged reports, the HTML report Speedboard tab now shows the Timeline:

UI Mode and Trace Viewer Improvements

• New 'system' theme option follows your OS dark/light mode preference
• Search functionality (Cmd/Ctrl+F) is now available in code editors
• Network details panel has been reorganized for better usability
• JSON responses are now automatically formatted for readability

Thanks to @​cpAdm for contributing these improvements!

Miscellaneous

browserType.connectOverCDP() now accepts an isLocal option. When set to true, it tells Playwright that it runs on the same host as the CDP server, enabling file system optimizations.

Breaking Changes ⚠️

• Removed _react and _vue selectors. See locators guide for alternatives.

... (truncated)

Commits

• ce480a9 cherry-pick(#39171): devops: add ubuntu-22.04-arm bot
• e40c137 chore: mark v1.58.2 (#39155)
• 50b7296 cherry-pick(#39152): chore: fix execSync inheriting stdio
• f3dcf50 cherry-pick(#39129): fix: do not force swiftshader on chromium mac
• 8684e08 cherry-pick(#39121): fix(trace viewer): make paths via stdin work
• 97bc385 cherry-pick(#38995): chore(webkit): disable frame sessions on fronzen builds
• ad625fe chore: mark v1.58.1 (#39055)
• f07234d cherry-pick(#39036): fix(msedge): fix local network permissions (#39053)
• ab8136c cherry-pick(#39037): chore: update cft download location (#39052)
• aa6ffeb cherry-pick(#39014): docs: add 1.58 release notes for Java, Python, and C#
• Additional commits viewable in compare view

Updates @sip-protocol/sdk from 0.7.3 to 0.9.0

Changelog

Sourced from @​sip-protocol/sdk's changelog.

0.9.0

Minor Changes

• feat: Ethereum same-chain privacy with shielded transfers via Solidity contracts
  • Fix scanAnnouncements() scanning with correct spending private key
  • Add checkEthereumStealthByEthAddress() for ETH address-based stealth matching
  • Add Base Sepolia and OP Sepolia contract addresses
  • Add spendingPrivateKey to EthereumScanRecipient type

Patch Changes

• fix: DAI mainnet address invalid hex characters
• fix: Remove deprecated checkViewTag() stub
• chore: Update @sip-protocol/types dependency to ^0.2.2

0.8.0

Minor Changes

• feat: Solana same-chain privacy with shielded transfers via Anchor program
  • shieldedTransfer API for native SOL privacy transfers
  • CSPLTokenService and CSPLClient exported from main entry
  • Migrated Solana RPC client to @solana/kit
• feat: Sunspot ZK verifier pipeline for Noir proof verification on Solana
• feat: Network privacy layer (Tor/SOCKS5 proxy support) for Solana RPC calls
• feat: Winternitz vault integration for quantum-resistant key storage
• feat: Browser-compatible proof composition (Halo2 + Kimchi exports)
• feat: BNB Chain (BSC) support for multi-chain stealth addresses
• feat: Oblivious Sync Service interface for private state synchronization
• feat: NEAR fee contract integration for protocol revenue
• feat: Chain-specific optimizations for Solana, EVM, and BNB

Patch Changes

• fix: Use workspace protocol for types dependency
• fix: Relax NEAR benchmark thresholds for CI runners
• chore: Bump ephemeral-rollups-sdk to 0.8.5

0.7.4

Patch Changes

• chore: Version bump with types dependency alignment

0.2.2

Patch Changes

• fix: Remove NoirProofProvider from main entry to fully fix WASM bundling in SSR

... (truncated)

Commits

• See full diff in compare view

Updates @sip-protocol/types from 0.2.1 to 0.2.2

Changelog

Sourced from @​sip-protocol/types's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased] - M18 Ethereum Same-Chain Privacy

Added - Noir→EVM ZK Verifier (Phase A: funding_proof)

On-Chain ZK Verification

• FundingVerifier.sol — BB-generated UltraHonk Solidity verifier from Noir funding_proof circuit
• IHonkVerifier.sol — Interface for BB-generated Honk verifiers
• ZKVerifier.sol — Rewritten from mock to production router pattern (delegates to HonkVerifier instances)
• DeployVerifier.s.sol — Deployment script with EIP-170 workaround documentation

Tests (+43 new, 148 total Foundry tests)

• FundingVerifier.t.sol — 7 tests: deployment, empty/garbage proof rejection
• ZKVerifier.t.sol — 31 tests: router pattern, admin, ownership, backwards compat, funding/validity routing
• FundingVerifierE2E.t.sol — 5 tests: real Noir proof verified on-chain (~2.13M gas)

Infrastructure

• generate-proof-fixture.ts — Proof fixture generator (BB WASM + nargo + bb CLI pipeline)
• funding-proof.json — Real proof fixture (8,640 bytes, 3 public inputs)

Deployments (Sepolia v2 — real ZK verifier)

• SIPPrivacy: 0x1FED19684dC108304960db2818CF5a961d28405E
• ZKVerifier: 0x4994c799dF5B47C564cAafe7FdF415c2c2c66436
• FundingVerifier (HonkVerifier): 0x8Ee5F3FC477C308224f58766540A5E7E049B0ECf
• ZKTranscriptLib: 0x588849033F79F3b13f8BF696c1f61C27dE056df4

Changed

• Solidity compiler upgraded from 0.8.24 to 0.8.28 (BB-generated code requires ^0.8.27)
• code_size_limit = 32768 in foundry.toml (BB verifiers exceed EIP-170 with via_ir)
• fs_permissions added for proof fixture reading in tests

Issues

• Closes #805: Noir→EVM ZK verifier deployment (Phase A complete)

---

[0.6.0] - 2025-12-03

Added - M14: Developer Experience

New Packages

• @​sip-protocol/react - React hooks for SIP integration
  • SIPProvider - Context provider for SIP client
  • useSIP() - Access SIP client instance

... (truncated)

Commits

• See full diff in compare view

Updates typedoc from 0.28.16 to 0.28.17

Release notes

Sourced from typedoc's releases.

v0.28.17

Bug Fixes

• Improved handling of comments for type aliases which have been declaration merged with functions, #3064.
• Fixed anchor link generation to members named $, #3065.
• Corrected typing of the plugin option to permit functions, #3066.
• Warnings about unused @param tags will now be properly suppressed when they come from declaration files and the suppressCommentWarningsInDeclarationFiles option is enabled, #3070.
• Fixed conversion of types referencing type parameters on functions, #3071.

Thanks!

• @​pjeby

Changelog

Sourced from typedoc's changelog.

v0.28.17 (2026-02-13)

Bug Fixes

• Improved handling of comments for type aliases which have been declaration merged with functions, #3064.
• Fixed anchor link generation to members named $, #3065.
• Corrected typing of the plugin option to permit functions, #3066.
• Warnings about unused @param tags will now be properly suppressed when they come from declaration files and the suppressCommentWarningsInDeclarationFiles option is enabled, #3070.
• Fixed conversion of types referencing type parameters on functions, #3071.

Thanks!

• @​pjeby

Commits

• 882cfb9 Update changelog for release
• 89dda48 Bump version to 0.28.17
• 5ac59d8 Slightly improve docs for plugin creation
• 6f59389 Update example dependencies
• 977c604 Fix #3070
• 6aba264 Fix OIDC published plugins author links on site
• 9574e72 Fix substitution types
• 2e1967b Even more docs
• 5627474 Fix formatting
• f97ec69 Improve docs for declaration references
• Additional commits viewable in compare view

Updates typedoc-plugin-markdown from 4.9.0 to 4.10.0

Release notes

Sourced from typedoc-plugin-markdown's releases.

typedoc-plugin-markdown@4.10.0

Minor Changes

• A JSON schema to be consumed by typedoc.json is now published to the package root.
• Mark parameters with default values as optional, matching the default TypeDoc theme.

Patch Changes

• Fixed markdownlint errors related to empty table cells and invalid link fragments.
• Anchors inside table cells (when property formats equal "table") are now namespaced by reflection kind (for example property-foo) to prevent collisions with Markdown heading slugs and ensure stable in-page links (#856).
• Resolve "does not have an anchor but one was requested" warnings in verbose log mode (#850).
• Guard against undefined types causing errors in complex types in tables (thanks @​ilyabo).

Changelog

Sourced from typedoc-plugin-markdown's changelog.

4.10.0 (2026-02-06)

Minor Changes

• A JSON schema to be consumed by typedoc.json is now published to the package root.
• Mark parameters with default values as optional, matching the default TypeDoc theme.

Patch Changes

• Fixed markdownlint errors related to empty table cells and invalid link fragments.
• Anchors inside table cells (when property formats equal "table") are now namespaced by reflection kind (for example property-foo) to prevent collisions with Markdown heading slugs and ensure stable in-page links (#856).
• Resolve "does not have an anchor but one was requested" warnings in verbose log mode (#850).
• Guard against undefined types causing errors in complex types in tables (thanks @​ilyabo).

Commits

• f9c8b93 Version Packages
• 3a67289 fix(core): fixed markdownlint errors
• a2d209c fix(core): namespace anchors inside table cells
• 5191340 fix(core): mark parameters with default values as optional
• 7d46ac2 feat(core): publish json schema to package root
• 10cd31b fix(core): resolve incorrect anchor warning messages
• 7c404da fix: Prevent crash in typeDeclarationTable
• ac7e395 chore(docs): updated changelog date
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions