Fix CVE-2026-22775: Update devalue to 5.6.2

[Copilot]

Addresses denial-of-service vulnerability in devalue where malicious inputs to devalue.parse can cause excessive CPU/memory consumption.

Changes

• site/package.json: Added npm overrides to force devalue@^5.6.2
• site/package-lock.json: Updated transitive dependency from 5.4.2 → 5.6.2

The devalue package is pulled in by astro@5.15.3. Using npm overrides ensures the patched version is used until astro updates its own dependency constraint.

References

• GHSA-g2pg-6438-jwpf
• CVE-2026-22775
• Fixed in devalue@5.6.2

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• telemetry.astro.build
  • Triggering command: /usr/local/bin/node node /home/REDACTED/work/FortiPath/FortiPath/site/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Please review this CVE (GHSA-g2pg-6438-jwpf) and apply the necessary patches / updates to the codebase accordingly.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.