This PR contains the following updates:
GitHub Vulnerability Alerts
Summary
In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.
Details
On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images.
The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).
However, a bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png.
Proof of Concept
-
Create a new minimal Astro project (astro@5.13.0).
-
Configure it to use the Node adapter (@astrojs/node@9.1.0 — newer versions are not impacted):
// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';
export default defineConfig({
adapter: node({ mode: 'standalone' }),
});
-
Build the site by running astro build.
-
Run the server, e.g. with astro preview.
-
Append /_image?href=//placehold.co/600x400 to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400
-
The site will serve the image from the unauthorized placehold.co origin.
Impact
Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.
Summary
When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property as there is no validation that the value is safe.
Details
Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.
It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such as malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.
This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.
As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.
Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.
PoC
- Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
nvm useyarn run buildnode ./dist/server/entry.mjscurl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'- Observe that the response reflects the malicious
X-Forwarded-Host header
For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.
Impact
This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.
Release Notes
withastro/astro (astro)
Compare Source
Patch Changes
-
#14505 28b2a1d Thanks @matthewp! - Fixes Cannot set property manifest error in test utilities by adding a protected setter for the manifest property
-
#14235 c4d84bb Thanks @toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabled
Compare Source
Patch Changes
Compare Source
Minor Changes
-
#13520 a31edb8 Thanks @openscript! - Adds a new property routePattern available to GetStaticPathsOptions
This provides the original, dynamic segment definition in a routing file path (e.g. /[...locale]/[files]/[slug]) from the Astro render context that would not otherwise be available within the scope of getStaticPaths(). This can be useful to calculate the params and props for each page route.
For example, you can now localize your route segments and return an array of static paths by passing routePattern to a custom getLocalizedData() helper function. The params object will be set with explicit values for each route segment (e.g. locale, files, and slug). Then, these values will be used to generate the routes and can be used in your page template via Astro.params.
Compare Source
Patch Changes
-
#14409 250a595 Thanks @louisescher! - Fixes an issue where astro info would log errors to console in certain cases.
-
#14398 a7df80d Thanks @idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance
-
#13747 120866f Thanks @jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter
The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.
-
#14428 32a8acb Thanks @drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer
-
#14411 a601186 Thanks @GameRoMan! - Fixes relative links to docs that could not be opened in the editor.
Compare Source
Patch Changes
Compare Source
Patch Changes
Compare Source
Patch Changes
-
#14300 bd4a70b Thanks @louisescher! - Adds Vite version & integration versions to output of astro info
-
#14341 f75fd99 Thanks @delucis! - Fixes support for declarative Shadow DOM when using the <ClientRouter> component
-
#14350 f59581f Thanks @ascorbic! - Improves error reporting for content collections by adding logging for configuration errors that had previously been silently ignored. Also adds a new error that is thrown if a live collection is used in content.config.ts rather than live.config.ts.
-
#14343 13f7d36 Thanks @florian-lefebvre! - Fixes a regression in non node runtimes
Compare Source
Patch Changes
Compare Source
Patch Changes
Compare Source
Patch Changes
-
#14286 09c5db3 Thanks @ematipico! - BREAKING CHANGES only to the experimental CSP feature
The following runtime APIs of the Astro global have been renamed:
Astro.insertDirective to Astro.csp.insertDirectiveAstro.insertStyleResource to Astro.csp.insertStyleResourceAstro.insertStyleHash to Astro.csp.insertStyleHashAstro.insertScriptResource to Astro.csp.insertScriptResourceAstro.insertScriptHash to Astro.csp.insertScriptHash
The following runtime APIs of the APIContext have been renamed:
ctx.insertDirective to ctx.csp.insertDirectivectx.insertStyleResource to ctx.csp.insertStyleResourcectx.insertStyleHash to ctx.csp.insertStyleHashctx.insertScriptResource to ctx.csp.insertScriptResourcectx.insertScriptHash to ctx.csp.insertScriptHash
-
#14283 3224637 Thanks @ematipico! - Fixes an issue where CSP headers were incorrectly injected in the development server.
-
#14275 3e2f20d Thanks @florian-lefebvre! - Adds support for experimental CSP when using experimental fonts
Experimental fonts now integrate well with experimental CSP by injecting hashes for the styles it generates, as well as font-src directives.
No action is required to benefit from it.
-
#14280 4b9fb73 Thanks @ascorbic! - Fixes a bug that caused cookies to not be correctly set when using middleware sequences
-
#14276 77281c4 Thanks @ArmandPhilippot! - Adds a missing export for resolveSrc, a documented image services utility.
Compare Source
Patch Changes
-
#14260 86a1e40 Thanks @jp-knj! - Fixes Astro.url.pathname to respect trailingSlash: 'never' configuration when using a base path. Previously, the root path with a base would incorrectly return /base/ instead of /base when trailingSlash was set to 'never'.
-
#14248 e81c4bd Thanks @julesyoungberg! - Fixes a bug where actions named 'apply' do not work due to being a function prototype method.
Compare Source
Patch Changes
-
#14239 d7d93e1 Thanks @wtchnm! - Fixes a bug where the types for the live content collections were not being generated correctly in dev mode
-
#14221 eadc9dd Thanks @delucis! - Fixes JSON schema support for content collections using the file() loader
-
#14229 1a9107a Thanks @jonmichaeldarby! - Ensures Astro.currentLocale returns the correct locale during SSG for pages that use a locale param (such as [locale].astro or [locale]/index.astro, which produce [locale].html)
Compare Source
Patch Changes
Compare Source
Patch Changes
-
#14409 250a595 Thanks @louisescher! - Fixes an issue where astro info would log errors to console in certain cases.
-
#14398 a7df80d Thanks @idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance
-
#13747 120866f Thanks @jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter
The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.
-
#14428 32a8acb Thanks @drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer
-
#14411 a601186 Thanks @GameRoMan! - Fixes relative links to docs that could not be opened in the editor.
Compare Source
Minor Changes
-
#14173 39911b8 Thanks @florian-lefebvre! - Adds an experimental flag staticImportMetaEnv to disable the replacement of import.meta.env values with process.env calls and their coercion of environment variable values. This supersedes the rawEnvValues experimental flag, which is now removed.
Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via astro:env into the expected type. This is the recommended way to use environment variables in Astro, as it allows you to easily see and manage whether your variables are public or secret, available on the client or only on the server at build time, and the data type of your values.
However, you can still access environment variables through process.env and import.meta.env directly when needed. This was the only way to use environment variables in Astro before astro:env was added in Astro 5.0, and Astro's default handling of import.meta.env includes some logic that was only needed for earlier versions of Astro.
The experimental.staticImportMetaEnv flag updates the behavior of import.meta.env to align with Vite's handling of environment variables and for better ease of use with Astro's current implementations and features. This will become the default behavior in Astro 6.0, and this early preview is introduced as an experimental feature.
Currently, non-public import.meta.env environment variables are replaced by a reference to process.env. Additionally, Astro may also convert the value type of your environment variables used through import.meta.env, which can prevent access to some values such as the strings "true" (which is converted to a boolean value), and "1" (which is converted to a number).
The experimental.staticImportMetaEnv flag simplifies Astro's default behavior, making it easier to understand and use. Astro will no longer replace any import.meta.env environment variables with a process.env call, nor will it coerce values.
To enable this feature, add the experimental flag in your Astro config and remove rawEnvValues if it was enabled:
// astro.config.mjs
import { defineConfig } from "astro/config";
export default defineConfig({
+ experimental: {
+ staticImportMetaEnv: true
- rawEnvValues: false
+ }
});
Updating your project
If you were relying on Astro's default coercion, you may need to update your project code to apply it manually:
// src/components/MyComponent.astro
- const enabled: boolean = import.meta.env.ENABLED;
+ const enabled: boolean = import.meta.env.ENABLED === "true";
If you were relying on the transformation into process.env calls, you may need to update your project code to apply it manually:
// src/components/MyComponent.astro
- const enabled: boolean = import.meta.env.DB_PASSWORD;
+ const enabled: boolean = process.env.DB_PASSWORD;
You may also need to update types:
// src/env.d.ts
interface ImportMetaEnv {
readonly PUBLIC_POKEAPI: string;
- readonly DB_PASSWORD: string;
- readonly ENABLED: boolean;
+ readonly ENABLED: string;
}
interface ImportMeta {
readonly env: ImportMetaEnv;
}
+ namespace NodeJS {
+ interface ProcessEnv {
+ DB_PASSWORD: string;
+ }
+ }See the experimental static import.meta.env documentation for more information about this feature. You can learn more about using environment variables in Astro, including astro:env, in the environment variables documentation.
-
#14122 41ed3ac Thanks @ascorbic! - Adds experimental support for automatic Chrome DevTools workspace folders
This feature allows you to edit files directly in the browser and have those changes reflected in your local file system via a connected workspace folder. This allows you to apply edits such as CSS tweaks without leaving your browser tab!
With this feature enabled, the Astro dev server will automatically configure a Chrome DevTools workspace for your project. Your project will then appear as a workspace source, ready to connect. Then, changes that you make in the "Sources" panel are automatically saved to your project source code.
To enable this feature, add the experimental flag chromeDevtoolsWorkspace to your Astro config:
// astro.config.mjs
import { defineConfig } from 'astro/config';
export default defineConfig({
experimental: {
chromeDevtoolsWorkspace: true,
},
});See the experimental Chrome DevTools workspace feature documentation for more information.
Compare Source
Patch Changes
-
#14020 9518975 Thanks @jp-knj and @asieradzk! - Prevent double-prefixed redirect paths when using fallback and redirectToDefaultLocale together
Fixes an issue where i18n fallback routes would generate double-prefixed paths (e.g., /es/es/test/item1/) when fallback and redirectToDefaultLocale configurations were used together. The fix adds proper checks to prevent double prefixing in route generation.
-
#14199 3e4cb8e Thanks @ascorbic! - Fixes a bug that prevented HMR from working with inline styles
Compare Source
Patch Changes
Compare Source
Patch Changes
-
#14169 f4e8889 Thanks @ascorbic! - Skips trailing slash handling for paths that start with /..
-
#14170 34e6b3a Thanks @ematipico! - Fixes an issue where static redirects couldn't correctly generate a redirect when the destination is a prerendered route, and the output is set to "server".
-
#14169 f4e8889 Thanks @ascorbic! - Fixes a bug that prevented images from being displayed in dev when using the Netlify adapter with trailingSlash set to always
-
Updated dependencies [f4e8889]:
Compare Source
Patch Changes
-
#14153 29e9283 Thanks @jp-knj! - Fixes a regression introduced by a recent optimisation of how SVG images are emitted during the build.
-
#14156 592f08d Thanks @TheOtterlord! - Fix the client router not submitting forms if the active URL contained a hash
-
#14160 d2e25c6 Thanks @ascorbic! - Fixes a bug that meant some remote image URLs could cause invalid filenames to be used for processed images
-
#14167 62bd071 Thanks @ascorbic! - Fixes a bug that prevented destroyed sessions from being deleted from storage unless the session had been loaded
Compare Source
Patch Changes
-
#14059 19f53eb Thanks @benosmac! - Fixes a bug in i18n implementation, where Astro didn't emit the correct pages when fallback is enabled, and a locale uses a catch-all route, e.g. src/pages/es/[...catchAll].astro
-
#14155 31822c3 Thanks @ascorbic! - Fixes a bug that caused an error "serverEntrypointModule[_start] is not a function" in some adapters
Compare Source
Patch Changes
Compare Source
Patch Changes
-
#14119 14807a4 Thanks @ascorbic! - Fixes a bug that caused builds to fail if a client directive was mistakenly added to an Astro component
-
#14001 4b03d9c Thanks @dnek! - Fixes an issue where getImage() assigned the resized base URL to the srcset URL of ImageTransform, which matched the width, height, and format of the original image.
Compare Source
Patch Changes
Compare Source
Patch Changes
Compare Source
Minor Changes
-
#13971 fe35ee2 Thanks @adamhl8! - Adds an experimental flag rawEnvValues to disable coercion of import.meta.env values (e.g. converting strings to other data types) that are populated from process.env
Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via astro:env into the expected type.
However, Astro also converts your environment variables used through import.meta.env in some cases, and this can prevent access to some values such as the strings "true" (which is converted to a boolean value), and "1" (which is converted to a number).
The experimental.rawEnvValues flag disables coercion of import.meta.env values that are populated from process.env, allowing you to use the raw value.
To enable this feature, add the experimental flag in your Astro config:
import { defineConfig } from "astro/config"
export default defineConfig({
+ experimental: {
+ rawEnvValues: true,
+ }
})If you were relying on this coercion, you may need to update your project code to apply it manually:
- const enabled: boolean = import.meta.env.ENABLED
+ const enabled: boolean = import.meta.env.ENABLED === "true"
See the experimental raw environment variables reference docs for more information.
-
#13941 6bd5f75 Thanks @aditsachde! - Adds support for TOML files to Astro's built-in glob() and file() content loaders.
In Astro 5.2, Astro added support for using TOML frontmatter in Markdown files instead of YAML. However, if you wanted to use TOML files as local content collection entries themselves, you needed to write your own loader.
Astro 5.12 now directly supports loading data from TOML files in content collections in both the glob() and the file() loaders.
If you had added your own TOML content parser for the file() loader, you can now remove it as this functionality is now included:
// src/content.config.ts
import { defineCollection } from "astro:content";
import { file } from "astro/loaders";
- import { parse as parseToml } from "toml";
const dogs = defineCollection({
- loader: file("src/data/dogs.toml", { parser: (text) => parseToml(text) }),
+ loader: file("src/data/dogs.toml")
schema: /* ... */
})Note that TOML does not support top-level arrays. Instead, the file() loader considers each top-level table to be an independent entry. The table header is populated in the id field of the entry object.
See Astro's content collections guide for more information on using the built-in content loaders.
Patch Changes
Compare Source
Patch Changes
-
#14064 2eb77d8 Thanks @jp-knj! - Allows using tsconfig compilerOptions.paths without setting compilerOptions.baseUrl
-
#14068 10189c0 Thanks @jsparkdev! - Fixes the incorrect CSS import path shown in the terminal message during Tailwind integration setup.
Compare Source
Patch Changes
-
#14045 3276b79 Thanks @ghubo! - Fixes a problem where importing animated .avif files returns a NoImageMetadata error.
-
#14041 0c4d5f8 Thanks @dixslyf! - Fixes a <ClientRouter /> bug where the fallback view transition animations when exiting a page
ran too early for browsers that do not support the View Transition API.
This bug prevented event.viewTransition?.skipTransition() from skipping the page exit animation
when used in an astro:before-swap event hook.
Compare Source
Minor Changes
-
#13972 db8f8be Thanks @ematipico! - Updates the NodeApp.match() function in the Adapter API to accept a second, optional parameter to allow adapter authors to add headers to static, prerendered pages.
NodeApp.match(request) currently checks whether there is a route that matches the given Request. If there is a prerendered route, the function returns undefined, because static routes are already rendered and their headers cannot be updated.
When the new, optional boolean parameter is passed (e.g. NodeApp.match(request, true)), Astro will return the first matched route, even when it's a prerendered route. This allows your adapter to now access static routes and provides the opportunity to set headers for these pages, for example, to implement a Content Security Policy (CSP).
Patch Changes
Compare Source
Patch Changes
-
#14000 3cbedae Thanks @feelixe! - Fix routePattern JSDoc examples to show correct return values
-
#13990 de6cfd6 Thanks @isVivek99! - Fixes a case where astro:config/client and astro:config/server virtual modules would not contain config passed to integrations updateConfig() during the build
-
#14019 a160d1e Thanks @ascorbic! - Removes the requirement to set type: 'live' when defining experimental live content collections
Previously, live collections required a type and loader configured. Now, Astro can determine that your collection is a live collection without defining it explicitly.
This means it is now safe to remove type: 'live' from your collections defined in src/live.config.ts:
import { defineLiveCollection } from 'astro:content';
import { storeLoader } from '@​mystore/astro-loader';
const products = defineLiveCollection({
- type: 'live',
loader: storeLoader({
apiKey: process.env.STORE_API_KEY,
endpoint: 'https://api.mystore.com/v1',
}),
});
export const collections = { products };This is not a breaking change: your existing live collections will continue to work even if you still include type: 'live'. However, we suggest removing this line at your earliest convenience for future compatibility when the feature becomes stable and this config option may be removed entirely.
-
#13966 598da21 Thanks @msamoylov! - Fixes a broken link on the default 404 page in development
Compare Source
Patch Changes
-
#13988 609044c Thanks @ascorbic! - Fixes a bug in live collections that caused it to incorrectly complain about the collection being defined in the wrong file
-
#13909 b258d86 Thanks @isVivek99! - Fixes rendering of special boolean attributes for custom elements
-
#13983 e718375 Thanks @florian-lefebvre! - Fixes a case where the toolbar audit would incorrectly flag images processed by Astro in content collections documents
-
#13999 f077b68 Thanks @ascorbic! - Adds lastModified field to experimental live collection cache hints
Live loaders can now set a lastModified field in the cache hints for entries and collections to indicate when the data was last modified. This is then available in the cacheHint field returned by getCollection and getEntry.
-
#13987 08f34b1 Thanks @ematipico! - Adds an informative message in dev mode when the CSP feature is enabled.
-
#14005 82aad62 Thanks @ematipico! - Fixes a bug where inline styles and scripts didn't work when CSP was enabled. Now when adding <styles> elements inside an Astro component, their hashes care correctly computed.
-
#13985 0b4c641 Thanks @jsparkdev! - Updates wrong link
Compare Source
Minor Changes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
Uh oh!
There was an error while loading. Please reload this page.
This PR contains the following updates:
^4.3.5->^5.0.0GitHub Vulnerability Alerts
CVE-2025-55303
Summary
In affected versions of
astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.Details
On-demand rendered sites built with Astro include an
/_imageendpoint which returns optimized versions of images.The
/_imageendpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using theimage.domainsorimage.remotePatternsoptions).However, a bug in impacted versions of
astroallows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g./_image?href=//example.com/image.png.Proof of Concept
Create a new minimal Astro project (
astro@5.13.0).Configure it to use the Node adapter (
@astrojs/node@9.1.0— newer versions are not impacted):Build the site by running
astro build.Run the server, e.g. with
astro preview.Append
/_image?href=//placehold.co/600x400to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400The site will serve the image from the unauthorized
placehold.coorigin.Impact
Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.
CVE-2025-61925
Summary
When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an
X-Forwarded-Hostheader that is reflected when using the recommendedAstro.urlproperty as there is no validation that the value is safe.Details
Astro reflects the value in
X-Forwarded-Hostin output when usingAstro.urlwithout any validation.It is common for web servers such as nginx to route requests via the
Hostheader, and forward on other request headers. As such as malicious request can be sent with both aHostheader and anX-Forwarded-Hostheader where the values do not match and theX-Forwarded-Hostheader is malicious. Astro will then return the malicious value.This could result in any usages of the
Astro.urlvalue in code being manipulated by a request. For example if a user follows guidance and usesAstro.urlfor a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.
Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.
PoC
nvm useyarn run buildnode ./dist/server/entry.mjscurl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'X-Forwarded-HostheaderFor the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above
curlrequest a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.Impact
This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.
Release Notes
withastro/astro (astro)
v5.14.3Compare Source
Patch Changes
#14505
28b2a1dThanks @matthewp! - FixesCannot set property manifesterror in test utilities by adding a protected setter for the manifest property#14235
c4d84bbThanks @toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabledv5.14.1Compare Source
Patch Changes
a3e16abThanks @florian-lefebvre! - Fixes a case where the URLs generated by the experimental Fonts API would be incorrect in devv5.14.0Compare Source
Minor Changes
#13520
a31edb8Thanks @openscript! - Adds a new propertyroutePatternavailable toGetStaticPathsOptionsThis provides the original, dynamic segment definition in a routing file path (e.g.
/[...locale]/[files]/[slug]) from the Astro render context that would not otherwise be available within the scope ofgetStaticPaths(). This can be useful to calculate theparamsandpropsfor each page route.For example, you can now localize your route segments and return an array of static paths by passing
routePatternto a customgetLocalizedData()helper function. Theparamsobject will be set with explicit values for each route segment (e.g.locale,files, andslug). Then, these values will be used to generate the routes and can be used in your page template viaAstro.params.v5.13.11Compare Source
Patch Changes
#14409
250a595Thanks @louisescher! - Fixes an issue whereastro infowould log errors to console in certain cases.#14398
a7df80dThanks @idawnlight! - Fixes an unsatisfiable type definition when callingaddServerRendereron an experimental container instance#13747
120866fThanks @jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapterThe Node.js adapter now automatically aborts the
request.signalwhen the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standardAbortSignalAPI.#14428
32a8acbThanks @drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer#14411
a601186Thanks @GameRoMan! - Fixes relative links to docs that could not be opened in the editor.v5.13.10Compare Source
Patch Changes
1e2499e]:v5.13.9Compare Source
Patch Changes
54dcd04Thanks @FredKSchott! - Removes warning that caused unexpected console spam when using Bunv5.13.8Compare Source
Patch Changes
#14300
bd4a70bThanks @louisescher! - Adds Vite version & integration versions to output ofastro info#14341
f75fd99Thanks @delucis! - Fixes support for declarative Shadow DOM when using the<ClientRouter>component#14350
f59581fThanks @ascorbic! - Improves error reporting for content collections by adding logging for configuration errors that had previously been silently ignored. Also adds a new error that is thrown if a live collection is used incontent.config.tsrather thanlive.config.ts.#14343
13f7d36Thanks @florian-lefebvre! - Fixes a regression in non node runtimesv5.13.7Compare Source
Patch Changes
#14330
72e14abThanks @ascorbic! - Removes pinned package that is no longer needed.#14335
17c7b03Thanks @florian-lefebvre! - Bumpssharpminimal version to0.34.0v5.13.6Compare Source
Patch Changes
#14294
e005855Thanks @martrapp! - Restores the ability to use Google AnalyticsHistory change triggerwith the<ClientRouter />.#14326
c24a8f4Thanks @jsparkdev! - Updatesviteversion to fix CVE#14108
218e070Thanks @JusticeMatthew! - Updates dynamic route split regex to avoid infinite retries/exponential complexity#14327
c1033beThanks @ascorbic! - Pins simple-swizzle to avoid compromised versionv5.13.5Compare Source
Patch Changes
#14286
09c5db3Thanks @ematipico! - BREAKING CHANGES only to the experimental CSP featureThe following runtime APIs of the
Astroglobal have been renamed:Astro.insertDirectivetoAstro.csp.insertDirectiveAstro.insertStyleResourcetoAstro.csp.insertStyleResourceAstro.insertStyleHashtoAstro.csp.insertStyleHashAstro.insertScriptResourcetoAstro.csp.insertScriptResourceAstro.insertScriptHashtoAstro.csp.insertScriptHashThe following runtime APIs of the
APIContexthave been renamed:ctx.insertDirectivetoctx.csp.insertDirectivectx.insertStyleResourcetoctx.csp.insertStyleResourcectx.insertStyleHashtoctx.csp.insertStyleHashctx.insertScriptResourcetoctx.csp.insertScriptResourcectx.insertScriptHashtoctx.csp.insertScriptHash#14283
3224637Thanks @ematipico! - Fixes an issue where CSP headers were incorrectly injected in the development server.#14275
3e2f20dThanks @florian-lefebvre! - Adds support for experimental CSP when using experimental fontsExperimental fonts now integrate well with experimental CSP by injecting hashes for the styles it generates, as well as
font-srcdirectives.No action is required to benefit from it.
#14280
4b9fb73Thanks @ascorbic! - Fixes a bug that caused cookies to not be correctly set when using middleware sequences#14276
77281c4Thanks @ArmandPhilippot! - Adds a missing export forresolveSrc, a documented image services utility.v5.13.4Compare Source
Patch Changes
#14260
86a1e40Thanks @jp-knj! - FixesAstro.url.pathnameto respecttrailingSlash: 'never'configuration when using a base path. Previously, the root path with a base would incorrectly return/base/instead of/basewhentrailingSlashwas set to 'never'.#14248
e81c4bdThanks @julesyoungberg! - Fixes a bug where actions named 'apply' do not work due to being a function prototype method.v5.13.3Compare Source
Patch Changes
#14239
d7d93e1Thanks @wtchnm! - Fixes a bug where the types for the live content collections were not being generated correctly in dev mode#14221
eadc9ddThanks @delucis! - Fixes JSON schema support for content collections using thefile()loader#14229
1a9107aThanks @jonmichaeldarby! - EnsuresAstro.currentLocalereturns the correct locale during SSG for pages that use a locale param (such as[locale].astroor[locale]/index.astro, which produce[locale].html)v5.13.2Compare Source
Patch Changes
4d16de7Thanks @ematipico! - Improves the detection of remote paths in the_imageendpoint. Nowhrefparameters that start with//are considered remote paths.Updated dependencies [
4d16de7]:v5.13.1Compare Source
Patch Changes
#14409
250a595Thanks @louisescher! - Fixes an issue whereastro infowould log errors to console in certain cases.#14398
a7df80dThanks @idawnlight! - Fixes an unsatisfiable type definition when callingaddServerRendereron an experimental container instance#13747
120866fThanks @jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapterThe Node.js adapter now automatically aborts the
request.signalwhen the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standardAbortSignalAPI.#14428
32a8acbThanks @drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer#14411
a601186Thanks @GameRoMan! - Fixes relative links to docs that could not be opened in the editor.v5.13.0Compare Source
Minor Changes
#14173
39911b8Thanks @florian-lefebvre! - Adds an experimental flagstaticImportMetaEnvto disable the replacement ofimport.meta.envvalues withprocess.envcalls and their coercion of environment variable values. This supersedes therawEnvValuesexperimental flag, which is now removed.Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via
astro:envinto the expected type. This is the recommended way to use environment variables in Astro, as it allows you to easily see and manage whether your variables are public or secret, available on the client or only on the server at build time, and the data type of your values.However, you can still access environment variables through
process.envandimport.meta.envdirectly when needed. This was the only way to use environment variables in Astro beforeastro:envwas added in Astro 5.0, and Astro's default handling ofimport.meta.envincludes some logic that was only needed for earlier versions of Astro.The
experimental.staticImportMetaEnvflag updates the behavior ofimport.meta.envto align with Vite's handling of environment variables and for better ease of use with Astro's current implementations and features. This will become the default behavior in Astro 6.0, and this early preview is introduced as an experimental feature.Currently, non-public
import.meta.envenvironment variables are replaced by a reference toprocess.env. Additionally, Astro may also convert the value type of your environment variables used throughimport.meta.env, which can prevent access to some values such as the strings"true"(which is converted to a boolean value), and"1"(which is converted to a number).The
experimental.staticImportMetaEnvflag simplifies Astro's default behavior, making it easier to understand and use. Astro will no longer replace anyimport.meta.envenvironment variables with aprocess.envcall, nor will it coerce values.To enable this feature, add the experimental flag in your Astro config and remove
rawEnvValuesif it was enabled:// astro.config.mjs import { defineConfig } from "astro/config"; export default defineConfig({ + experimental: { + staticImportMetaEnv: true - rawEnvValues: false + } });Updating your project
If you were relying on Astro's default coercion, you may need to update your project code to apply it manually:
If you were relying on the transformation into
process.envcalls, you may need to update your project code to apply it manually:You may also need to update types:
// src/env.d.ts interface ImportMetaEnv { readonly PUBLIC_POKEAPI: string; - readonly DB_PASSWORD: string; - readonly ENABLED: boolean; + readonly ENABLED: string; } interface ImportMeta { readonly env: ImportMetaEnv; } + namespace NodeJS { + interface ProcessEnv { + DB_PASSWORD: string; + } + }See the experimental static
import.meta.envdocumentation for more information about this feature. You can learn more about using environment variables in Astro, includingastro:env, in the environment variables documentation.#14122
41ed3acThanks @ascorbic! - Adds experimental support for automatic Chrome DevTools workspace foldersThis feature allows you to edit files directly in the browser and have those changes reflected in your local file system via a connected workspace folder. This allows you to apply edits such as CSS tweaks without leaving your browser tab!
With this feature enabled, the Astro dev server will automatically configure a Chrome DevTools workspace for your project. Your project will then appear as a workspace source, ready to connect. Then, changes that you make in the "Sources" panel are automatically saved to your project source code.
To enable this feature, add the experimental flag
chromeDevtoolsWorkspaceto your Astro config:See the experimental Chrome DevTools workspace feature documentation for more information.
v5.12.9Compare Source
Patch Changes
#14020
9518975Thanks @jp-knj and @asieradzk! - Prevent double-prefixed redirect paths when using fallback and redirectToDefaultLocale togetherFixes an issue where i18n fallback routes would generate double-prefixed paths (e.g.,
/es/es/test/item1/) whenfallbackandredirectToDefaultLocaleconfigurations were used together. The fix adds proper checks to prevent double prefixing in route generation.#14199
3e4cb8eThanks @ascorbic! - Fixes a bug that prevented HMR from working with inline stylesv5.12.8Compare Source
Patch Changes
0567fb7Thanks @ascorbic! - Adds//to list of internal path prefixes that do not have automated trailing slash handling#13894
b36e72fThanks @florian-lefebvre! - Removes Astro Studio commands from the CLI helpUpdated dependencies [
0567fb7]:v5.12.7Compare Source
Patch Changes
#14169
f4e8889Thanks @ascorbic! - Skips trailing slash handling for paths that start with/..#14170
34e6b3aThanks @ematipico! - Fixes an issue where static redirects couldn't correctly generate a redirect when the destination is a prerendered route, and theoutputis set to"server".#14169
f4e8889Thanks @ascorbic! - Fixes a bug that prevented images from being displayed in dev when using the Netlify adapter withtrailingSlashset toalwaysUpdated dependencies [
f4e8889]:v5.12.6Compare Source
Patch Changes
#14153
29e9283Thanks @jp-knj! - Fixes a regression introduced by a recent optimisation of how SVG images are emitted during the build.#14156
592f08dThanks @TheOtterlord! - Fix the client router not submitting forms if the active URL contained a hash#14160
d2e25c6Thanks @ascorbic! - Fixes a bug that meant some remote image URLs could cause invalid filenames to be used for processed images#14167
62bd071Thanks @ascorbic! - Fixes a bug that prevented destroyed sessions from being deleted from storage unless the session had been loadedv5.12.5Compare Source
Patch Changes
#14059
19f53ebThanks @benosmac! - Fixes a bug in i18n implementation, where Astro didn't emit the correct pages whenfallbackis enabled, and a locale uses a catch-all route, e.g.src/pages/es/[...catchAll].astro#14155
31822c3Thanks @ascorbic! - Fixes a bug that caused an error "serverEntrypointModule[_start] is not a function" in some adaptersv5.12.4Compare Source
Patch Changes
#14031
e9206c1Thanks @jp-knj! - Optimized the build pipeline for SVG images. Now, Astro doesn't reprocess images that have already been processed.#14132
976879aThanks @ematipico! - Fixes a bug where the propertyAstro.routePattern/context.routePatternwasn't updated when using a rewrite via middleware.#14131
aafc4d7Thanks @florian-lefebvre! - Fixes a case where an error occurring in a middleware would show the dev overlay instead of the custom500.astropage#14127
2309adaThanks @florian-lefebvre! - Upgrades zod#14134
186c201Thanks @ascorbic! - Throws a more helpful error in dev if trying to use a server island without an adapter#14129
3572d85Thanks @ematipico! - Fixes a bug where the CSP headers was incorrectly added to a page when using an adapter.v5.12.3Compare Source
Patch Changes
#14119
14807a4Thanks @ascorbic! - Fixes a bug that caused builds to fail if a client directive was mistakenly added to an Astro component#14001
4b03d9cThanks @dnek! - Fixes an issue wheregetImage()assigned the resized base URL to the srcset URL ofImageTransform, which matched the width, height, and format of the original image.v5.12.2Compare Source
Patch Changes
#14071
d2cb35dThanks @Grisoly! - Exposes theCodecomponentlangprop type:#14111
5452ee6Thanks @ascorbic! - Fixes a bug that prevented "key" from being used as a prop for Astro components in MDX#14106
b5b39e4Thanks @ascorbic! - Exits with non-zero exit code when config has an error#14112
37458b3Thanks @ascorbic! - Fixes a bug that meant that SVG components could no longer be serialized withJSON.stringify#14061
c7a7dd5Thanks @jonasgeiler! - Add module declaration for?no-inlineasset imports#14109
5a08fa2Thanks @ascorbic! - Throw a more helpful error if defineLiveCollection is used outside of a live.config file#14110
e7dd4e1Thanks @ascorbic! - Warn if duplicate IDs are found by file loaderv5.12.1Compare Source
Patch Changes
#14094
22e9087Thanks @ascorbic! - Correct types to allowpriorityon all images#14091
26c6b6dThanks @ascorbic! - Fixes a bug that caused a type error when defining session options without a driver#14082
93322cbThanks @louisescher! - Fixes an issue where Astro's default 404 route would incorrectly match routes containing "/404" in dev#14089
687d253Thanks @florian-lefebvre! - Fixes a case whereastro:envwould not load the right environments variables in dev#14092
6692c71Thanks @ascorbic! - Improves error handling in live collections#14074
144a950Thanks @abcfy2! - Fixes a bug that caused some image service builds to fail#14092
6692c71Thanks @ascorbic! - Fixes a case where zod could not be imported fromastro:contentvirtual module in live collection configv5.12.0Compare Source
Minor Changes
#13971
fe35ee2Thanks @adamhl8! - Adds an experimental flagrawEnvValuesto disable coercion ofimport.meta.envvalues (e.g. converting strings to other data types) that are populated fromprocess.envAstro allows you to configure a type-safe schema for your environment variables, and converts variables imported via
astro:envinto the expected type.However, Astro also converts your environment variables used through
import.meta.envin some cases, and this can prevent access to some values such as the strings"true"(which is converted to a boolean value), and"1"(which is converted to a number).The
experimental.rawEnvValuesflag disables coercion ofimport.meta.envvalues that are populated fromprocess.env, allowing you to use the raw value.To enable this feature, add the experimental flag in your Astro config:
import { defineConfig } from "astro/config" export default defineConfig({ + experimental: { + rawEnvValues: true, + } })If you were relying on this coercion, you may need to update your project code to apply it manually:
See the experimental raw environment variables reference docs for more information.
#13941
6bd5f75Thanks @aditsachde! - Adds support for TOML files to Astro's built-inglob()andfile()content loaders.In Astro 5.2, Astro added support for using TOML frontmatter in Markdown files instead of YAML. However, if you wanted to use TOML files as local content collection entries themselves, you needed to write your own loader.
Astro 5.12 now directly supports loading data from TOML files in content collections in both the
glob()and thefile()loaders.If you had added your own TOML content parser for the
file()loader, you can now remove it as this functionality is now included:// src/content.config.ts import { defineCollection } from "astro:content"; import { file } from "astro/loaders"; - import { parse as parseToml } from "toml"; const dogs = defineCollection({ - loader: file("src/data/dogs.toml", { parser: (text) => parseToml(text) }), + loader: file("src/data/dogs.toml") schema: /* ... */ })Note that TOML does not support top-level arrays. Instead, the
file()loader considers each top-level table to be an independent entry. The table header is populated in theidfield of the entry object.See Astro's content collections guide for more information on using the built-in content loaders.
Patch Changes
6bd5f75]:v5.11.2Compare Source
Patch Changes
#14064
2eb77d8Thanks @jp-knj! - Allows usingtsconfigcompilerOptions.pathswithout settingcompilerOptions.baseUrl#14068
10189c0Thanks @jsparkdev! - Fixes the incorrect CSS import path shown in the terminal message during Tailwind integration setup.v5.11.1Compare Source
Patch Changes
#14045
3276b79Thanks @ghubo! - Fixes a problem where importing animated.aviffiles returns aNoImageMetadataerror.#14041
0c4d5f8Thanks @dixslyf! - Fixes a<ClientRouter />bug where the fallback view transition animations when exiting a pageran too early for browsers that do not support the View Transition API.
This bug prevented
event.viewTransition?.skipTransition()from skipping the page exit animationwhen used in an
astro:before-swapevent hook.v5.11.0Compare Source
Minor Changes
#13972
db8f8beThanks @ematipico! - Updates theNodeApp.match()function in the Adapter API to accept a second, optional parameter to allow adapter authors to add headers to static, prerendered pages.NodeApp.match(request)currently checks whether there is a route that matches the givenRequest. If there is a prerendered route, the function returnsundefined, because static routes are already rendered and their headers cannot be updated.When the new, optional boolean parameter is passed (e.g.
NodeApp.match(request, true)), Astro will return the first matched route, even when it's a prerendered route. This allows your adapter to now access static routes and provides the opportunity to set headers for these pages, for example, to implement a Content Security Policy (CSP).Patch Changes
#14029
42562f9Thanks @ematipico! - Fixes a bug where server islands wouldn't be correctly rendered when they are rendered inside fragments.Now the following examples work as expected:
v5.10.2Compare Source
Patch Changes
#14000
3cbedaeThanks @feelixe! - Fix routePattern JSDoc examples to show correct return values#13990
de6cfd6Thanks @isVivek99! - Fixes a case whereastro:config/clientandastro:config/servervirtual modules would not contain config passed to integrationsupdateConfig()during the build#14019
a160d1eThanks @ascorbic! - Removes the requirement to settype: 'live'when defining experimental live content collectionsPreviously, live collections required a
typeandloaderconfigured. Now, Astro can determine that your collection is alivecollection without defining it explicitly.This means it is now safe to remove
type: 'live'from your collections defined insrc/live.config.ts:import { defineLiveCollection } from 'astro:content'; import { storeLoader } from '@​mystore/astro-loader'; const products = defineLiveCollection({ - type: 'live', loader: storeLoader({ apiKey: process.env.STORE_API_KEY, endpoint: 'https://api.mystore.com/v1', }), }); export const collections = { products };This is not a breaking change: your existing live collections will continue to work even if you still include
type: 'live'. However, we suggest removing this line at your earliest convenience for future compatibility when the feature becomes stable and this config option may be removed entirely.#13966
598da21Thanks @msamoylov! - Fixes a broken link on the default 404 page in developmentv5.10.1Compare Source
Patch Changes
#13988
609044cThanks @ascorbic! - Fixes a bug in live collections that caused it to incorrectly complain about the collection being defined in the wrong file#13909
b258d86Thanks @isVivek99! - Fixes rendering of special boolean attributes for custom elements#13983
e718375Thanks @florian-lefebvre! - Fixes a case where the toolbar audit would incorrectly flag images processed by Astro in content collections documents#13999
f077b68Thanks @ascorbic! - AddslastModifiedfield to experimental live collection cache hintsLive loaders can now set a
lastModifiedfield in the cache hints for entries and collections to indicate when the data was last modified. This is then available in thecacheHintfield returned bygetCollectionandgetEntry.#13987
08f34b1Thanks @ematipico! - Adds an informative message in dev mode when the CSP feature is enabled.#14005
82aad62Thanks @ematipico! - Fixes a bug where inline styles and scripts didn't work when CSP was enabled. Now when adding<styles>elements inside an Astro component, their hashes care correctly computed.#13985
0b4c641Thanks @jsparkdev! - Updates wrong linkv5.10.0Compare Source
Minor Changes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.