fix(deps): update dependency astro to v5 [security] #146
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
❌ Deploy Preview for graphql-testing-library failed.
|
svc-secops
force-pushed
the
renovate/npm-astro-vulnerability
branch
from
73f1742 to
62f7b79
Compare
svc-secops
changed the title
svc-secops
force-pushed
the
renovate/npm-astro-vulnerability
branch
from
62f7b79 to
3d7d4f4
Compare
svc-secops
changed the title
svc-secops
force-pushed
the
renovate/npm-astro-vulnerability
branch
from
3d7d4f4 to
cb2f556
Compare
svc-secops
changed the title
svc-secops
force-pushed
the
renovate/npm-astro-vulnerability
branch
from
cb2f556 to
c57a02a
Compare
svc-secops
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.15.9->5.14.3GitHub Vulnerability Alerts
CVE-2024-47885
Summary
A DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e.,
iframetags with unsanitizednameattributes) on the destination pages.Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadgets found in Astro
We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the
<ViewTransitions />component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an<a>link):https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156
However, this implementation is vulnerable to a DOM Clobbering attack. The
document.scriptslookup can be shadowed by an attacker injected non-script HTML elements (e.g.,<img name="scripts"><img name="scripts">) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements.The condition
script.dataset.astroExec === ''on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require atypeattribute.Finally, the
innerHTMLof an attacker-injected non-script HTML elements, which is plain text content before, will be set to the.innerHTMLof an script element that leads to XSS.PoC
Consider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g.,
formoriframe). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.For PoC website, please refer to:
https://stackblitz.com/edit/github-4xgj2d. Clicking the "about" button in the menu will trigger analert(1)from an attacker-injectedformelement.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with
ViewTransitionsand store the user-inserted scriptless HTML tags without properly sanitizing thenameattributes on the page.Patch
We recommend replacing
document.scriptswithdocument.getElementsByTagName('script')for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging thenameattribute.Reference
Similar issues for reference:
CVE-2024-56140
Summary
A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
Details
When the
security.checkOriginconfiguration option is set totrue, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)For example, with the following Astro configuration:
A request like the following would be blocked if made from a different origin:
However, a vulnerability exists that can bypass this security.
Pattern 1: Requests with a semicolon after the
Content-TypeA semicolon-delimited parameter is allowed after the type in
Content-Type.Web browsers will treat a
Content-Typesuch asapplication/x-www-form-urlencoded; abcas a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.Pattern 2: Request without
Content-TypeheaderThe
Content-Typeheader is not required for a request. The following examples are sent without aContent-Typeheader, resulting in CSRF.Impact
Bypass CSRF protection implemented with CSRF middleware.
Note
Even with
credentials: 'include', browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.CVE-2024-56159
Summary
A bug in the build process allows any unauthenticated user to read parts of the server source code.
Details
During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder.
https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139
Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website.
While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in
src/pages) are predictably named. For example. the sourcemap file forsrc/pages/index.astrogets nameddist/client/pages/index.astro.mjs.map.PoC
Here is one example of an affected open-source website:
https://creatorsgarten.org/pages/index.astro.mjs.map
The file can be saved and opened using https://evanw.github.io/source-map-visualization/ to reconstruct the source code.
The above accurately mirrors the source code as seen in the repository: https://github.com/creatorsgarten/creatorsgarten.org/blob/main/src/pages/index.astro
The above was found as the 4th result (and the first one on Astro 5.0+) when making the following search query on GitHub.com (search results link):
This vulnerability is the root cause of https://github.com/withastro/astro/issues/12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the
dist/client(referred to asconfig.build.clientin astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains.mapfiles corresponding to the code that runs on the server.Impact
All server-output (SSR) projects on Astro 5 versions v5.0.3 through v5.0.6 (inclusive), that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in [email protected].
Additionally, all static-output (SSG) projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.7 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in [email protected], and backported to Astro v4 in [email protected].
The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code.
There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code .
There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability.
Remediation
The fix for server-output projects was released in [email protected], and the fix for static-output projects was released in [email protected] and backported to Astro v4 in [email protected]. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.
CVE-2025-55303
Summary
In affected versions of
astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.Details
On-demand rendered sites built with Astro include an
/_imageendpoint which returns optimized versions of images.The
/_imageendpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using theimage.domainsorimage.remotePatternsoptions).However, a bug in impacted versions of
astroallows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g./_image?href=//example.com/image.png.Proof of Concept
Create a new minimal Astro project (
[email protected]).Configure it to use the Node adapter (
@astrojs/[email protected]— newer versions are not impacted):Build the site by running
astro build.Run the server, e.g. with
astro preview.Append
/_image?href=//placehold.co/600x400to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400The site will serve the image from the unauthorized
placehold.coorigin.Impact
Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.
CVE-2025-61925
Summary
When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an
X-Forwarded-Hostheader that is reflected when using the recommendedAstro.urlproperty as there is no validation that the value is safe.Details
Astro reflects the value in
X-Forwarded-Hostin output when usingAstro.urlwithout any validation.It is common for web servers such as nginx to route requests via the
Hostheader, and forward on other request headers. As such as malicious request can be sent with both aHostheader and anX-Forwarded-Hostheader where the values do not match and theX-Forwarded-Hostheader is malicious. Astro will then return the malicious value.This could result in any usages of the
Astro.urlvalue in code being manipulated by a request. For example if a user follows guidance and usesAstro.urlfor a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.
Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.
PoC
nvm useyarn run buildnode ./dist/server/entry.mjscurl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'X-Forwarded-HostheaderFor the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above
curlrequest a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.Impact
This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.
DOM Clobbering Gadget found in astro's client-side router that leads to XSS
CVE-2024-47885 / GHSA-m85w-3h95-hcf9
More information
Details
Summary
A DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e.,
iframetags with unsanitizednameattributes) on the destination pages.Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadgets found in Astro
We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the
<ViewTransitions />component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an<a>link):https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156
However, this implementation is vulnerable to a DOM Clobbering attack. The
document.scriptslookup can be shadowed by an attacker injected non-script HTML elements (e.g.,<img name="scripts"><img name="scripts">) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements.The condition
script.dataset.astroExec === ''on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require atypeattribute.Finally, the
innerHTMLof an attacker-injected non-script HTML elements, which is plain text content before, will be set to the.innerHTMLof an script element that leads to XSS.PoC
Consider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g.,
formoriframe). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.For PoC website, please refer to:
https://stackblitz.com/edit/github-4xgj2d. Clicking the "about" button in the menu will trigger analert(1)from an attacker-injectedformelement.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with
ViewTransitionsand store the user-inserted scriptless HTML tags without properly sanitizing thenameattributes on the page.Patch
We recommend replacing
document.scriptswithdocument.getElementsByTagName('script')for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging thenameattribute.Reference
Similar issues for reference:
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Atro CSRF Middleware Bypass (security.checkOrigin)
CVE-2024-56140 / GHSA-c4pw-33h3-35xw
More information
Details
Summary
A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
Details
When the
security.checkOriginconfiguration option is set totrue, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)For example, with the following Astro configuration:
A request like the following would be blocked if made from a different origin:
However, a vulnerability exists that can bypass this security.
Pattern 1: Requests with a semicolon after the
Content-TypeA semicolon-delimited parameter is allowed after the type in
Content-Type.Web browsers will treat a
Content-Typesuch asapplication/x-www-form-urlencoded; abcas a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.Pattern 2: Request without
Content-TypeheaderThe
Content-Typeheader is not required for a request. The following examples are sent without aContent-Typeheader, resulting in CSRF.Impact
Bypass CSRF protection implemented with CSRF middleware.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Astro's server source code is exposed to the public if sourcemaps are enabled
CVE-2024-56159 / GHSA-49w6-73cw-chjr
More information
Details
Summary
A bug in the build process allows any unauthenticated user to read parts of the server source code.
Details
During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder.
https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139
Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website.
While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in
src/pages) are predictably named. For example. the sourcemap file forsrc/pages/index.astrogets nameddist/client/pages/index.astro.mjs.map.PoC
Here is one example of an affected open-source website:
https://creatorsgarten.org/pages/index.astro.mjs.map
The file can be saved and opened using https://evanw.github.io/source-map-visualization/ to reconstruct the source code.
The above accurately mirrors the source code as seen in the repository: https://github.com/creatorsgarten/creatorsgarten.org/blob/main/src/pages/index.astro
The above was found as the 4th result (and the first one on Astro 5.0+) when making the following search query on GitHub.com (search results link):
This vulnerability is the root cause of https://github.com/withastro/astro/issues/12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the
dist/client(referred to asconfig.build.clientin astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains.mapfiles corresponding to the code that runs on the server.Impact
All server-output (SSR) projects on Astro 5 versions v5.0.3 through v5.0.6 (inclusive), that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in [email protected].
Additionally, all static-output (SSG) projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.7 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in [email protected], and backported to Astro v4 in [email protected].
The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code.
There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code .
There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability.
Remediation
The fix for server-output projects was released in [email protected], and the fix for static-output projects was released in [email protected] and backported to Astro v4 in [email protected]. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Astro allows unauthorized third-party images in _image endpoint
CVE-2025-55303 / GHSA-xf8x-j4p2-f749
More information
Details
Summary
In affected versions of
astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.Details
On-demand rendered sites built with Astro include an
/_imageendpoint which returns optimized versions of images.The
/_imageendpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using theimage.domainsorimage.remotePatternsoptions).However, a bug in impacted versions of
astroallows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g./_image?href=//example.com/image.png.Proof of Concept
Create a new minimal Astro project (
[email protected]).Configure it to use the Node adapter (
@astrojs/[email protected]— newer versions are not impacted):Build the site by running
astro build.Run the server, e.g. with
astro preview.Append
/_image?href=//placehold.co/600x400to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400The site will serve the image from the unauthorized
placehold.coorigin.Impact
Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Astro's
X-Forwarded-Hostis reflected without validationCVE-2025-61925 / GHSA-5ff5-9fcw-vg88
More information
Details
Summary
When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an
X-Forwarded-Hostheader that is reflected when using the recommendedAstro.urlproperty as there is no validation that the value is safe.Details
Astro reflects the value in
X-Forwarded-Hostin output when usingAstro.urlwithout any validation.It is common for web servers such as nginx to route requests via the
Hostheader, and forward on other request headers. As such as malicious request can be sent with both aHostheader and anX-Forwarded-Hostheader where the values do not match and theX-Forwarded-Hostheader is malicious. Astro will then return the malicious value.This could result in any usages of the
Astro.urlvalue in code being manipulated by a request. For example if a user follows guidance and usesAstro.urlfor a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.
Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.
PoC
nvm useyarn run buildnode ./dist/server/entry.mjscurl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'X-Forwarded-HostheaderFor the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above
curlrequest a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.Impact
This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
withastro/astro (astro)
v5.14.3Compare Source
Patch Changes
#14505
28b2a1dThanks @matthewp! - FixesCannot set property manifesterror in test utilities by adding a protected setter for the manifest property#14235
c4d84bbThanks @toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabledv5.14.1Compare Source
Patch Changes
a3e16abThanks @florian-lefebvre! - Fixes a case where the URLs generated by the experimental Fonts API would be incorrect in devv5.14.0Compare Source
Minor Changes
#13520
a31edb8Thanks @openscript! - Adds a new propertyroutePatternavailable toGetStaticPathsOptionsThis provides the original, dynamic segment definition in a routing file path (e.g.
/[...locale]/[files]/[slug]) from the Astro render context that would not otherwise be available within the scope ofgetStaticPaths(). This can be useful to calculate theparamsandpropsfor each page route.For example, you can now localize your route segments and return an array of static paths by passing
routePatternto a customgetLocalizedData()helper function. Theparamsobject will be set with explicit values for each route segment (e.g.locale,files, andslug). Then, these values will be used to generate the routes and can be used in your page template viaAstro.params.v5.13.11Compare Source
Patch Changes
#14409
250a595Thanks @louisescher! - Fixes an issue whereastro infowould log errors to console in certain cases.#14398
a7df80dThanks @idawnlight! - Fixes an unsatisfiable type definition when callingaddServerRendereron an experimental container instance#13747
120866fThanks @jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapterThe Node.js adapter now automatically aborts the
request.signalwhen the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standardAbortSignalAPI.#14428
32a8acbThanks @drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer#14411
a601186Thanks @GameRoMan! - Fixes relative links to docs that could not be opened in the editor.v5.13.10Compare Source
Patch Changes
1e2499e]:v5.13.9Compare Source
Patch Changes
54dcd04Thanks @FredKSchott! - Removes warning that caused unexpected console spam when using Bunv5.13.8Compare Source
Patch Changes
#14300
bd4a70bThanks @louisescher! - Adds Vite version & integration versions to output ofastro info#14341
f75fd99Thanks @delucis! - Fixes support for declarative Shadow DOM when using the<ClientRouter>component#14350
f59581fThanks @ascorbic! - Improves error reporting for content collections by adding logging for configuration errors that had previously been silently ignored. Also adds a new error that is thrown if a live collection is used incontent.config.tsrather thanlive.config.ts.#14343
13f7d36Thanks @florian-lefebvre! - Fixes a regression in non node runtimesv5.13.7Compare Source
Patch Changes
#14330
72e14abThanks @ascorbic! - Removes pinned package that is no longer needed.#14335
17c7b03Thanks @florian-lefebvre! - Bumpssharpminimal version to0.34.0v5.13.6Compare Source
Patch Changes
#14294
e005855Thanks @martrapp! - Restores the ability to use Google AnalyticsHistory change triggerwith the<ClientRouter />.#14326
c24a8f4Thanks @jsparkdev! - Updatesviteversion to fix CVE#14108
218e070Thanks @JusticeMatthew! - Updates dynamic route split regex to avoid infinite retries/exponential complexity#14327
c1033beThanks @ascorbic! - Pins simple-swizzle to avoid compromised versionv5.13.5Compare Source
Patch Changes
#14286
09c5db3Thanks @ematipico! - BREAKING CHANGES only to the experimental CSP featureThe following runtime APIs of the
Astroglobal have been renamed:Astro.insertDirectivetoAstro.csp.insertDirectiveAstro.insertStyleResourcetoAstro.csp.insertStyleResourceAstro.insertStyleHashtoAstro.csp.insertStyleHashAstro.insertScriptResourcetoAstro.csp.insertScriptResourceAstro.insertScriptHashtoAstro.csp.insertScriptHashThe following runtime APIs of the
APIContexthave been renamed:ctx.insertDirectivetoctx.csp.insertDirectivectx.insertStyleResourcetoctx.csp.insertStyleResourcectx.insertStyleHashtoctx.csp.insertStyleHashctx.insertScriptResourcetoctx.csp.insertScriptResourcectx.insertScriptHashtoctx.csp.insertScriptHash#14283
3224637Thanks @ematipico! - Fixes an issue where CSP headers were incorrectly injected in the development server.#14275
3e2f20dThanks @florian-lefebvre! - Adds support for experimental CSP when using experimental fontsExperimental fonts now integrate well with experimental CSP by injecting hashes for the styles it generates, as well as
font-srcdirectives.No action is required to benefit from it.
#14280
4b9fb73Thanks @ascorbic! - Fixes a bug that caused cookies to not be correctly set when using middleware sequences#14276
77281c4Thanks @ArmandPhilippot! - Adds a missing export forresolveSrc, a documented image services utility.v5.13.4Compare Source
Patch Changes
#14260
86a1e40Thanks @jp-knj! - FixesAstro.url.pathnameto respecttrailingSlash: 'never'configuration when using a base path. Previously, the root path with a base would incorrectly return/base/instead of/basewhentrailingSlashwas set to 'never'.#14248
e81c4bdThanks @julesyoungberg! - Fixes a bug where actions named 'apply' do not work due to being a function prototype method.v5.13.3Compare Source
Patch Changes
#14239
d7d93e1Thanks @wtchnm! - Fixes a bug where the types for the live content collections were not being generated correctly in dev mode#14221
eadc9ddThanks @delucis! - Fixes JSON schema support for content collections using thefile()loader#14229
1a9107aThanks @jonmichaeldarby! - EnsuresAstro.currentLocalereturns the correct locale during SSG for pages that use a locale param (such as[locale].astroor[locale]/index.astro, which produce[locale].html)v5.13.2Compare Source
Patch Changes
4d16de7Thanks @ematipico! - Improves the detection of remote paths in the_imageendpoint. Nowhrefparameters that start with//are considered remote paths.Updated dependencies [
4d16de7]:v5.13.1Compare Source
Patch Changes
#14409
250a595Thanks @louisescher! - Fixes an issue whereastro infowould log errors to console in certain cases.#14398
a7df80dThanks @idawnlight! - Fixes an unsatisfiable type definition when callingaddServerRendereron an experimental container instance#13747
120866fThanks @jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapterThe Node.js adapter now automatically aborts the
request.signalwhen the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standardAbortSignalAPI.#14428
32a8acbThanks @drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer#14411
a601186Thanks @GameRoMan! - Fixes relative links to docs that could not be opened in the editor.v5.13.0Compare Source
Minor Changes
39911b8Thanks @florian-lefebvre! - Adds an experimental flagstaticImportMetaEnvto disable the replacement ofimport.meta.envvalues with `procConfiguration
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - "after 8am and before 4pm on tuesday" in timezone America/Los_Angeles.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.