renovate[bot]
Contributor

@renovate renovate bot commented Oct 14, 2024

This PR contains the following updates:

Package Change Age Confidence
astro (source) ^3.5.5 -> ^5.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2024-47885

Summary

A DOM Clobbering gadget has been discovered in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites that enable Astro's client-side routing and have stored attacker-controlled scriptless HTML elements (i.e., iframe tags with unsanitized name attributes) on the destination pages.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of JS code) living in the existing JavaScript code to transform it into executable code. For more information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Astro

We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the <ViewTransitions /> component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an <a> link):

https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156

However, this implementation is vulnerable to a DOM Clobbering attack. The document.scripts lookup can be shadowed by attacker-injected non-script HTML elements (e.g., <img name="scripts"><img name="scripts">) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements.

The condition script.dataset.astroExec === '' on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require a type attribute.

Finally, the innerHTML of an attacker-injected non-script HTML element, which was plain text content before, will be set to the .innerHTML of a script element, which leads to XSS.

PoC

Consider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g., form or iframe). This can be done through a number of website features that allow users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

For PoC website, please refer to: https://stackblitz.com/edit/github-4xgj2d. Clicking the "about" button in the menu will trigger an alert(1) from an attacker-injected form element.

---
import Header from "../components/Header.astro";
import Footer from "../components/Footer.astro";
import { ViewTransitions } from "astro:transitions";
import "../styles/global.css";
const { pageTitle } = Astro.props;
---
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <meta name="viewport" content="width=device-width" />
    <meta name="generator" content={Astro.generator} />
    <title>{pageTitle}</title>
    <ViewTransitions />
  </head>
  <body>
    <!--USER INPUT-->
    <iframe name="scripts">alert(1)</iframe>
    <iframe name="scripts">alert(1)</iframe>
    <!--USER INPUT-->
    
    <Header />
    <h1>{pageTitle}</h1>
    <slot />
    <Footer />
    <script>
      import "../scripts/menu.js";
    </script>
  </body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites built with Astro that enable client-side routing with ViewTransitions and store user-inserted scriptless HTML tags on the page without properly sanitizing the name attributes.

Patch

We recommend replacing document.scripts with document.getElementsByTagName('script') for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging the name attribute.

Reference

Similar issues for reference:

CVE-2024-56140

Summary

A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.

Details

When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)

For example, with the following Astro configuration:

// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';

export default defineConfig({
	output: 'server',
	security: { checkOrigin: true },
	adapter: node({ mode: 'standalone' }),
});

A request like the following would be blocked if made from a different origin:

// fetch API or <form action="https://test.example.com/" method="POST">
fetch('https://test.example.com/', {
	method: 'POST',
	credentials: 'include',
	body: 'a=b',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
});
// => Cross-site POST form submissions are forbidden

However, a vulnerability exists that can bypass this security.

Pattern 1: Requests with a semicolon after the Content-Type

A semicolon-delimited parameter is allowed after the type in Content-Type.

Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.

fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: 'test',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded; abc' },
});
// => Server-side functions are executed (Response Code 200).

Pattern 2: Request without Content-Type header

The Content-Type header is not required for a request. The following examples are sent without a Content-Type header, resulting in CSRF.

// Pattern 2.1 Request without body
fetch('http://test.example.com', { method: 'POST', credentials: 'include' });

// Pattern 2.2 Blob object without type
fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: new Blob(['a=b'], {}),
});

Impact

Bypass CSRF protection implemented with CSRF middleware.

Note

Even with credentials: 'include', browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.

CVE-2024-56159

Summary

A bug in the build process allows any unauthenticated user to read parts of the server source code.

Details

During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder.
https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139

Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website.

While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in src/pages) are predictably named. For example, the sourcemap file for src/pages/index.astro gets named dist/client/pages/index.astro.mjs.map.

PoC

Here is one example of an affected open-source website:
https://creatorsgarten.org/pages/index.astro.mjs.map

The file can be saved and opened using https://evanw.github.io/source-map-visualization/ to reconstruct the source code.

The above accurately mirrors the source code as seen in the repository: https://github.com/creatorsgarten/creatorsgarten.org/blob/main/src/pages/index.astro

The above was found as the 4th result (and the first one on Astro 5.0+) when making the following search query on GitHub.com (search results link):

path:astro.config.mjs @sentry/astro

This vulnerability is the root cause of https://github.com/withastro/astro/issues/12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the dist/client (referred to as config.build.client in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains .map files corresponding to the code that runs on the server.

Impact

All server-output (SSR) projects on Astro 5 versions v5.0.3 through v5.0.6 (inclusive), that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in [email protected].

Additionally, all static-output (SSG) projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.7 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in [email protected], and backported to Astro v4 in [email protected].

The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code.

There is no immediate loss of integrity within the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code.

There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability.

  • Network attack vector.
  • Low attack complexity.
  • No privileges required.
  • No interaction required from an authorized user.
  • Scope is limited to first party. Although the source code of closed-source third-party software may also be exposed.

Remediation

The fix for server-output projects was released in [email protected], and the fix for static-output projects was released in [email protected] and backported to Astro v4 in [email protected]. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.

CVE-2025-55303

Summary

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png.

Proof of Concept

  1. Create a new minimal Astro project ([email protected]).

  2. Configure it to use the Node adapter (@astrojs/[email protected] — newer versions are not impacted):

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    import node from '@astrojs/node';
    
    export default defineConfig({
    	adapter: node({ mode: 'standalone' }),
    });
  3. Build the site by running astro build.

  4. Run the server, e.g. with astro preview.

  5. Append /_image?href=//placehold.co/600x400 to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400

  6. The site will serve the image from the unauthorized placehold.co origin.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.

CVE-2025-61925

Summary

When running Astro in on-demand rendering mode using an adapter such as the node adapter, it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property, as there is no validation that the value is safe.

Details

Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.

It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such, a malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.

This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.

As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.

Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.

PoC

  • Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
  • nvm use
  • yarn run build
  • node ./dist/server/entry.mjs
  • curl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'
  • Observe that the response reflects the malicious X-Forwarded-Host header

For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.

Impact

This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.


Release Notes

withastro/astro (astro)

v5.14.3

Compare Source

Patch Changes
  • #​14505 28b2a1d Thanks @​matthewp! - Fixes Cannot set property manifest error in test utilities by adding a protected setter for the manifest property

  • #​14235 c4d84bb Thanks @​toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabled

v5.14.1

Compare Source

Patch Changes

v5.14.0

Compare Source

Minor Changes
  • #​13520 a31edb8 Thanks @​openscript! - Adds a new property routePattern available to GetStaticPathsOptions

    This provides the original, dynamic segment definition in a routing file path (e.g. /[...locale]/[files]/[slug]) from the Astro render context that would not otherwise be available within the scope of getStaticPaths(). This can be useful to calculate the params and props for each page route.

    For example, you can now localize your route segments and return an array of static paths by passing routePattern to a custom getLocalizedData() helper function. The params object will be set with explicit values for each route segment (e.g. locale, files, and slug). Then, these values will be used to generate the routes and can be used in your page template via Astro.params.

v5.13.11

Compare Source

Patch Changes
  • #​14409 250a595 Thanks @​louisescher! - Fixes an issue where astro info would log errors to console in certain cases.

  • #​14398 a7df80d Thanks @​idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance

  • #​13747 120866f Thanks @​jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter

    The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.

  • #​14428 32a8acb Thanks @​drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer

  • #​14411 a601186 Thanks @​GameRoMan! - Fixes relative links to docs that could not be opened in the editor.

v5.13.10

Compare Source

Patch Changes

v5.13.9

Compare Source

Patch Changes

v5.13.8

Compare Source

Patch Changes
  • #​14300 bd4a70b Thanks @​louisescher! - Adds Vite version & integration versions to output of astro info

  • #​14341 f75fd99 Thanks @​delucis! - Fixes support for declarative Shadow DOM when using the <ClientRouter> component

  • #​14350 f59581f Thanks @​ascorbic! - Improves error reporting for content collections by adding logging for configuration errors that had previously been silently ignored. Also adds a new error that is thrown if a live collection is used in content.config.ts rather than live.config.ts.

  • #​14343 13f7d36 Thanks @​florian-lefebvre! - Fixes a regression in non node runtimes

v5.13.7

Compare Source

Patch Changes

v5.13.6

Compare Source

Patch Changes

v5.13.5

Compare Source

Patch Changes
  • #​14286 09c5db3 Thanks @​ematipico! - BREAKING CHANGES only to the experimental CSP feature

    The following runtime APIs of the Astro global have been renamed:

    • Astro.insertDirective to Astro.csp.insertDirective
    • Astro.insertStyleResource to Astro.csp.insertStyleResource
    • Astro.insertStyleHash to Astro.csp.insertStyleHash
    • Astro.insertScriptResource to Astro.csp.insertScriptResource
    • Astro.insertScriptHash to Astro.csp.insertScriptHash

    The following runtime APIs of the APIContext have been renamed:

    • ctx.insertDirective to ctx.csp.insertDirective
    • ctx.insertStyleResource to ctx.csp.insertStyleResource
    • ctx.insertStyleHash to ctx.csp.insertStyleHash
    • ctx.insertScriptResource to ctx.csp.insertScriptResource
    • ctx.insertScriptHash to ctx.csp.insertScriptHash
  • #​14283 3224637 Thanks @​ematipico! - Fixes an issue where CSP headers were incorrectly injected in the development server.

  • #​14275 3e2f20d Thanks @​florian-lefebvre! - Adds support for experimental CSP when using experimental fonts

    Experimental fonts now integrate well with experimental CSP by injecting hashes for the styles it generates, as well as font-src directives.

    No action is required to benefit from it.

  • #​14280 4b9fb73 Thanks @​ascorbic! - Fixes a bug that caused cookies to not be correctly set when using middleware sequences

  • #​14276 77281c4 Thanks @​ArmandPhilippot! - Adds a missing export for resolveSrc, a documented image services utility.

v5.13.4

Compare Source

Patch Changes
  • #​14260 86a1e40 Thanks @​jp-knj! - Fixes Astro.url.pathname to respect trailingSlash: 'never' configuration when using a base path. Previously, the root path with a base would incorrectly return /base/ instead of /base when trailingSlash was set to 'never'.

  • #​14248 e81c4bd Thanks @​julesyoungberg! - Fixes a bug where actions named 'apply' do not work due to being a function prototype method.

v5.13.3

Compare Source

Patch Changes
  • #​14239 d7d93e1 Thanks @​wtchnm! - Fixes a bug where the types for the live content collections were not being generated correctly in dev mode

  • #​14221 eadc9dd Thanks @​delucis! - Fixes JSON schema support for content collections using the file() loader

  • #​14229 1a9107a Thanks @​jonmichaeldarby! - Ensures Astro.currentLocale returns the correct locale during SSG for pages that use a locale param (such as [locale].astro or [locale]/index.astro, which produce [locale].html)

v5.13.2

Compare Source

Patch Changes

v5.13.1

Compare Source

Patch Changes
  • #​14409 250a595 Thanks @​louisescher! - Fixes an issue where astro info would log errors to console in certain cases.

  • #​14398 a7df80d Thanks @​idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance

  • #​13747 120866f Thanks @​jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter

    The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.

  • #​14428 32a8acb Thanks @​drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer

  • #​14411 a601186 Thanks @​GameRoMan! - Fixes relative links to docs that could not be opened in the editor.

v5.13.0

Compare Source

Minor Changes
  • #​14173 39911b8 Thanks @​florian-lefebvre! - Adds an experimental flag staticImportMetaEnv to disable the replacement of import.meta.env values with process.env calls and their coercion of environment variable values. This supersedes the rawEnvValues experimental flag, which is now removed.

    Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via astro:env into the expected type. This is the recommended way to use environment variables in Astro, as it allows you to easily see and manage whether your variables are public or secret, available on the client or only on the server at build time, and the data type of your values.

    However, you can still access environment variables through process.env and import.meta.env directly when needed. This was the only way to use environment variables in Astro before astro:env was added in Astro 5.0, and Astro's default handling of import.meta.env includes some logic that was only needed for earlier versions of Astro.

    The experimental.staticImportMetaEnv flag updates the behavior of import.meta.env to align with Vite's handling of environment variables and for better ease of use with Astro's current implementations and features. This will become the default behavior in Astro 6.0, and this early preview is introduced as an experimental feature.

    Currently, non-public import.meta.env environment variables are replaced by a reference to process.env. Additionally, Astro may also convert the value type of your environment variables used through import.meta.env, which can prevent access to some values such as the strings "true" (which is converted to a boolean value), and "1" (which is converted to a number).

    The experimental.staticImportMetaEnv flag simplifies Astro's default behavior, making it easier to understand and use. Astro will no longer replace any import.meta.env environment variables with a process.env call, nor will it coerce values.

    To enable this feature, add the experimental flag in your Astro config and remove rawEnvValues if it was enabled:

    // astro.config.mjs
    import { defineConfig } from "astro/config";
    
    export default defineConfig({
    +  experimental: {
    +    staticImportMetaEnv: true
    -    rawEnvValues: false
    +  }
    });
Updating your project

If you were relying on Astro's default coercion, you may need to update your project code to apply it manually:

// src/components/MyComponent.astro
- const enabled: boolean = import.meta.env.ENABLED;
+ const enabled: boolean = import.meta.env.ENABLED === "true";

If you were relying on the transformation into process.env calls, you may need to update your project code to apply it manually:

// src/components/MyComponent.astro
- const enabled: boolean = import.meta.env.DB_PASSWORD;
+ const enabled: boolean = process.env.DB_PASSWORD;

You may also need to update types:

// src/env.d.ts
interface ImportMetaEnv {
  readonly PUBLIC_POKEAPI: string;
-  readonly DB_PASSWORD: string;
-  readonly ENABLED: boolean;
+  readonly ENABLED: string;
}

interface ImportMeta {
  readonly env: ImportMetaEnv;
}

+ namespace NodeJS {
+  interface ProcessEnv {
+    DB_PASSWORD: string;
+  }
+ }

See the experimental static import.meta.env documentation for more information about this feature. You can learn more about using environment variables in Astro, including astro:env, in the environment variables documentation.

  • #​14122 41ed3ac Thanks @​ascorbic! - Adds experimental support for automatic Chrome DevTools workspace folders

    This feature allows you to edit files directly in the browser and have those changes reflected in your local file system via a connected workspace folder. This allows you to apply edits such as CSS tweaks without leaving your browser tab!

    With this feature enabled, the Astro dev server will automatically configure a Chrome DevTools workspace for your project. Your project will then appear as a workspace source, ready to connect. Then, changes that you make in the "Sources" panel are automatically saved to your project source code.

    To enable this feature, add the experimental flag chromeDevtoolsWorkspace to your Astro config:

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      experimental: {
        chromeDevtoolsWorkspace: true,
      },
    });

    See the experimental Chrome DevTools workspace feature documentation for more information.

v5.12.9

Compare Source

Patch Changes
  • #​14020 9518975 Thanks @​jp-knj and @​asieradzk! - Prevent double-prefixed redirect paths when using fallback and redirectToDefaultLocale together

    Fixes an issue where i18n fallback routes would generate double-prefixed paths (e.g., /es/es/test/item1/) when fallback and redirectToDefaultLocale configurations were used together. The fix adds proper checks to prevent double prefixing in route generation.

  • #​14199 3e4cb8e Thanks @​ascorbic! - Fixes a bug that prevented HMR from working with inline styles

v5.12.8

Compare Source

Patch Changes

v5.12.7

Compare Source

Patch Changes

v5.12.6

Compare Source

Patch Changes

v5.12.5

Compare Source

Patch Changes
  • #​14059 19f53eb Thanks @​benosmac! - Fixes a bug in i18n implementation, where Astro didn't emit the correct pages when fallback is enabled, and a locale uses a catch-all route, e.g. src/pages/es/[...catchAll].astro

  • #​14155 31822c3 Thanks @​ascorbic! - Fixes a bug that caused an error "serverEntrypointModule[_start] is not a function" in some adapters

v5.12.4

Compare Source

Patch Changes

v5.12.3

Compare Source

Patch Changes
  • #​14119 14807a4 Thanks @​ascorbic! - Fixes a bug that caused builds to fail if a client directive was mistakenly added to an Astro component

  • #​14001 4b03d9c Thanks @​dnek! - Fixes an issue where getImage() assigned the resized base URL to the srcset URL of ImageTransform, which matched the width, height, and format of the original image.

v5.12.2

Compare Source

Patch Changes

v5.12.1

Compare Source

Patch Changes

v5.12.0

Compare Source

Minor Changes
  • #​13971 fe35ee2 Thanks @​adamhl8! - Adds an experimental flag rawEnvValues to disable coercion of import.meta.env values (e.g. converting strings to other data types) that are populated from process.env

    Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via astro:env into the expected type.

    However, Astro also converts your environment variables used through import.meta.env in some cases, and this can prevent access to some values such as the strings "true" (which is converted to a boolean value), and "1" (which is converted to a number).

    The experimental.rawEnvValues flag disables coercion of import.meta.env values that are populated from process.env, allowing you to use the raw value.

    To enable this feature, add the experimental flag in your Astro config:

    import { defineConfig } from "astro/config"
    
    export default defineConfig({
    +  experimental: {
    +    rawEnvValues: true,
    +  }
    })

    If you were relying on th


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
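
The CVE-2024-56140 bypass patterns quoted in the Renovate comment above, modelled as an added example (not part of the PR, the advisory, or Astro's middleware): a check that compares the raw Content-Type value misses both patterns, while one that parses out the media type and treats a missing header as form-like blocks them. The `attacker.example` origin, the function names and the request objects are constructed for this example.

```javascript
// Simplified model of an origin-check middleware. Added example, not Astro's code.
const SITE_ORIGIN = 'https://test.example.com';   // host used in the advisory
const CROSS_ORIGIN = 'https://attacker.example';  // constructed
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
// Content types a browser sends cross-origin without a CORS preflight.
const FORM_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Weak variant (constructed): compares the raw header value, so a parameter
// after the type and an absent header both fall through as "not a form".
function naiveIsFormLike(contentType) {
  return typeof contentType === 'string' && FORM_TYPES.has(contentType.toLowerCase());
}

// Hardened variant: compare only the media type before the first ';' and
// treat a missing or empty header as form-like.
function strictIsFormLike(contentType) {
  if (typeof contentType !== 'string' || contentType.trim() === '') return true;
  const mediaType = contentType.split(';', 1)[0].trim().toLowerCase();
  return FORM_TYPES.has(mediaType);
}

// Returns 'block' for a cross-origin, state-changing, form-like request.
// Header names are lowercase keys of a plain object in this model.
function decide(req, isFormLike) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return 'allow';
  if (req.headers.origin === SITE_ORIGIN) return 'allow';
  return isFormLike(req.headers['content-type']) ? 'block' : 'allow';
}

const FORM = 'application/x-www-form-urlencoded';
// Constructed requests mirroring the fetch() calls in the advisory.
const SAMPLES = [
  { label: 'baseline cross-origin form POST', method: 'POST',
    headers: { origin: CROSS_ORIGIN, 'content-type': FORM } },
  { label: 'pattern 1: parameter after the type', method: 'POST',
    headers: { origin: CROSS_ORIGIN, 'content-type': FORM + '; abc' } },
  { label: 'pattern 2.1: no body, no Content-Type', method: 'POST',
    headers: { origin: CROSS_ORIGIN } },
  { label: 'pattern 2.2: untyped Blob body', method: 'POST',
    headers: { origin: CROSS_ORIGIN } },
  { label: 'same-origin form POST', method: 'POST',
    headers: { origin: SITE_ORIGIN, 'content-type': FORM } },
  // Non-simple content types trigger a preflight, so CORS governs them.
  { label: 'cross-origin JSON POST', method: 'POST',
    headers: { origin: CROSS_ORIGIN, 'content-type': 'application/json' } },
];

function compare() {
  return SAMPLES.map((req) => ({
    label: req.label,
    naive: decide(req, naiveIsFormLike),
    strict: decide(req, strictIsFormLike),
  }));
}

for (const row of compare()) {
  console.log(`${row.label.padEnd(40)} naive=${row.naive.padEnd(5)} strict=${row.strict}`);
}
```
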

@bolt-new-by-stackblitz

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.
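
For the CVE-2025-55303 advisory in the Renovate comment above, an added example (not Astro's `/_image` code and not part of this PR) of why a protocol-relative `href` has to be resolved before the allowlist decision: a scheme-prefix test treats `//placehold.co/600x400` as local, while resolving it against the site origin shows it is remote. The `images.example.org` allowlist entry, the function names and the sample hrefs are constructed.

```javascript
// Added example, not Astro's /_image implementation.
const SITE_ORIGIN = 'http://localhost:4321';           // preview URL from the PoC
const ALLOWED_HOSTS = new Set(['images.example.org']); // constructed allowlist

// Weak variant (constructed): an href counts as remote only if it starts
// with an explicit http(s) scheme; everything else is assumed to be local.
function naiveAllows(href) {
  if (!/^https?:\/\//i.test(href)) return true;
  return ALLOWED_HOSTS.has(new URL(href).hostname);
}

// Hardened variant: resolve the href the way a server-side fetch would,
// then decide on the origin of the resolved URL.
function classifyHref(href) {
  let url;
  try {
    url = new URL(href, SITE_ORIGIN);
  } catch {
    return { kind: 'invalid', allowed: false };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { kind: 'invalid', allowed: false };
  }
  if (url.origin === SITE_ORIGIN) {
    return { kind: 'local', allowed: true, resolved: url.href };
  }
  return {
    kind: 'remote',
    allowed: ALLOWED_HOSTS.has(url.hostname),
    resolved: url.href,
  };
}

// Constructed hrefs: a bundled asset, an allowlisted remote image, an
// unlisted remote image, and the protocol-relative form from the advisory.
const SAMPLE_HREFS = [
  '/_astro/hero.png',
  'https://images.example.org/logo.png',
  'https://placehold.co/600x400',
  '//placehold.co/600x400',
];

function audit() {
  return SAMPLE_HREFS.map((href) => {
    const strict = classifyHref(href);
    return { href, naive: naiveAllows(href), kind: strict.kind, strict: strict.allowed };
  });
}

for (const row of audit()) {
  console.log(`${row.href.padEnd(38)} naive=${row.naive} strict=${row.strict} (${row.kind})`);
}
```
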

@netlify

netlify bot commented Oct 14, 2024

Deploy Preview for astro-docs failed.

Name Link
🔨 Latest commit b54a836
🔍 Latest deploy log https://app.netlify.com/sites/astro-docs/deploys/670da231b5ed570008424bc4

@netlify

netlify bot commented Oct 14, 2024

Deploy Preview for advanced-astro-docs failed.

Name Link
🔨 Latest commit b54a836
🔍 Latest deploy log https://app.netlify.com/sites/advanced-astro-docs/deploys/670da231b4a16c000803726c

@socket-security

socket-security bot commented Oct 14, 2024

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | astro@3.5.5 ⏵ 5.14.8 | 97 | 100 +31 | 88 | 97 +1 | 100

View full report

@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from b54a836 to 56a664e Compare August 10, 2025 15:25
@netlify

netlify bot commented Aug 10, 2025

Deploy Preview for astro-docs failed.

Name Link
🔨 Latest commit 30a396c
🔍 Latest deploy log https://app.netlify.com/projects/astro-docs/deploys/68f7e23c2527ed00084ff476

@netlify

netlify bot commented Aug 10, 2025

Deploy Preview for advanced-astro-docs failed.

Name Link
🔨 Latest commit 30a396c
🔍 Latest deploy log https://app.netlify.com/projects/advanced-astro-docs/deploys/68f7e23c63388c0008e62280

@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch 3 times, most recently from 1241b9b to dea8042 Compare August 19, 2025 20:43
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from dea8042 to a0fd5b6 Compare August 31, 2025 11:57
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from a0fd5b6 to 71c58b1 Compare September 25, 2025 17:55
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 71c58b1 to 02b3a72 Compare October 11, 2025 02:36
@renovate renovate bot changed the title Update dependency astro to v4 [SECURITY] Update dependency astro to v5 [SECURITY] Oct 11, 2025
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 02b3a72 to 30a396c Compare October 21, 2025 19:42