fix(deps): update dependency astro to v6.3.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
astro (source)	6.1.9 → 6.3.1

---

Release Notes

withastro/astro (astro)

v6.3.1

Compare Source

Patch Changes

• #​16646 15fbc41 Thanks @​matthewp! - Fixes local images returning 404 on non-prerendered pages when using the generic image endpoint

v6.3.0

Compare Source

Minor Changes

• #​16366 d69f858 Thanks @​matthewp! - Adds a new experimental.advancedRouting option that lets you take full control of Astro's request handling pipeline by creating a src/app.ts file in your project.

  Today, Astro handles every incoming request through a fixed internal pipeline: trailing slash normalization, redirects, actions, middleware, page rendering, i18n, and so on. That pipeline works great for most sites, but as projects grow you often want to run your own logic between those steps — an auth check before rendering, a rate limiter before actions, custom logging around the whole stack. Advanced routing gives you that control.

  When enabled, Astro looks for a src/app.ts file in your project. If it finds one, that file becomes the entrypoint for all server-rendered requests. You compose the pipeline yourself using the handlers Astro provides, and you can slot your own logic anywhere in the chain.

Enabling advanced routing

// astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  experimental: {
    advancedRouting: true,
  },
});

Two ways to build your pipeline

Astro ships two entrypoints for advanced routing: astro/fetch and astro/hono.

astro/fetch is a low-level, framework-free API built on the Web Fetch standard. You create a FetchState from the incoming request, then call handler functions in sequence. Each handler takes the state, does its work, and returns a Response (or undefined to pass through). This is the core primitive that everything else is built on:

// src/app.ts
import {
  FetchState,
  trailingSlash,
  redirects,
  actions,
  middleware,
  pages,
  i18n,
} from 'astro/fetch';

export default {
  async fetch(request: Request) {
    const state = new FetchState(request);

    // Early exits — these return a Response only when they apply.
    const slash = trailingSlash(state);
    if (slash) return slash;

    const redirect = redirects(state);
    if (redirect) return redirect;

    const action = await actions(state);
    if (action) return action;

    // Middleware wraps page rendering; i18n post-processes the response.
    const response = await middleware(state, () => pages(state));
    return i18n(state, response);
  },
};

astro/hono wraps the same handlers as Hono middleware, so you can mix Astro's pipeline with Hono's ecosystem of middleware (logger, CORS, JWT, rate limiting, etc.) using the app.use() pattern you already know:

// src/app.ts
import { Hono } from 'hono';
import { getCookie } from 'hono/cookie';
import { logger } from 'hono/logger';
import { actions, middleware, pages, i18n } from 'astro/hono';

const app = new Hono();

app.use(logger());

// Auth gate — only runs for /dashboard routes.
app.use('/dashboard/*', async (c, next) => {
  const session = getCookie(c, 'session');
  if (!session) return c.redirect('/login');
  return next();
});

app.use(actions());
app.use(middleware());
app.use(pages());
app.use(i18n());

export default app;

Both approaches give you the same power — pick whichever fits your project. If you don't need a framework, astro/fetch keeps things minimal. If you want a rich middleware ecosystem, astro/hono gets you there with one import.

For more information on enabling and using this feature in your project, see the experimental advanced routing docs. To give feedback, or to keep up with its development, see the advanced routing RFC for more information and discussion.

• #​16366 d69f858 Thanks @​matthewp! - Adds a consume() instance method to AstroCookies. This method marks the cookies as consumed and returns the Set-Cookie header values. After consumption, any subsequent set() calls will log a warning, since the headers have already been sent.

  Previously this was only available as a static method AstroCookies.consume(cookies). The static method is now deprecated but kept for backward compatibility with existing adapters.

• #​16412 ba2d2e3 Thanks @​0xbejaxer! - Add retry and error event handling for astro-island hydration import failures to reduce unrecoverable hydration errors on transient network failures.

• #​16582 885cd31 Thanks @​Princesseuh! - Adds a new image.dangerouslyProcessSVG flag to optionally enable processing SVG inputs. For security reasons, Astro will no longer rasterizes SVG image sources by default in its default image service and endpoint.

  Set image.dangerouslyProcessSVG: true to opt back into processing SVG inputs.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    // ...
    image: {
      dangerouslyProcessSVG: true,
    },
  });

  Note that this is a breaking change for users who were previously relying on Astro's default image service to rasterize SVG inputs, but it is a necessary change to improve security and prevent potential vulnerabilities.

• #​16519 1b1c218 Thanks @​louisescher! - Adds support for redirecting URLs in remote image optimization.

  Previously, when a remote image URL meant to be optimized by Astro led to a redirect, Astro would fail silently and ignore the redirect. Now, Astro tracks up to 10 redirects for these images. If any of the redirects are not covered by a pattern in image.remotePatterns or a domain in image.domains, Astro will fail with a helpful error message.

  In the following example, the first image would be loaded successfully, while the second would lead to Astro throwing an error:

  export default defineConfig({
    image: {
      domains: ['example.com', 'cdn.example.com'],
    },
  });

  {
    /* Redirects to https://cdn.example.com/assets/image.png: */
  }
  <Image
    src="https://example.com/assets/image.png"
    width="1920"
    height="1080"
    alt="An example image."
  />;
  
  {
    /* Redirects to https://malicious.com/image.png: */
  }
  <Image
    src="https://example.com/bad-image.png"
    width="1920"
    height="1080"
    alt="An example image."
  />;

  In cases where all redirects to HTTPS hosts should be trusted, the following configuration for image.remotePatterns can be used:

  export default defineConfig({
    image: {
      remotePatterns: [
        {
          protocol: 'https',
        },
      ],
    },
  });

Patch Changes

• #​16592 9c6efc5 Thanks @​matthewp! - Escapes interpolated values in the dev server redirect HTML template, consistent with how the 404 template already handles them

• #​16585 78f305e Thanks @​web-dev0521! - Fixes z.array(z.boolean()) in form actions incorrectly coercing the string "false" to true. Boolean array elements now use the same 'true'/'false' string comparison as single z.boolean() fields, so submitting ["false", "true", "false"] correctly parses as [false, true, false].

• #​16567 12a03f2 Thanks @​matthewp! - Fixes deleted content collection entries persisting in getCollection() results during dev

• #​16595 ce9b25c Thanks @​web-dev0521! - Fixes pushDirective in the CSP runtime duplicating the new directive once per existing non-matching directive. Calling insertDirective() (or otherwise pushing a directive whose name is not yet in the list) now appends it exactly once, and a directive that merges with a later existing entry no longer leaves an unmerged copy behind.

• #​16600 94e4b7c Thanks @​web-dev0521! - Fixes Astro.preferredLocale returning the wrong value when i18n.locales mixes object-form entries ({ path, codes }) with string entries that normalize to the same locale. The first matching code in the configured locales order is now selected, matching the documented behavior.

• #​16591 cce20f7 Thanks @​matthewp! - Uses a consistent generic error message in the image endpoint across all adapters

• #​16629 f54be80 Thanks @​g-taki! - Fixes a bug where SSR responses in astro dev could crash with TypeError: this.logger.flush is not a function.

• #​16589 3740b24 Thanks @​ArmandPhilippot! - Fixes an outdated code snippet in the documentation for session storage configuration.

• Updated dependencies [354e231]:

  • @​astrojs/telemetry@​3.3.2

v6.2.2

Compare Source

Patch Changes

• #​16292 00f48ee Thanks @​p-linnane! - Fixes head metadata propagation in dev for adapters that load modules in the prerender Vite environment, such as @astrojs/cloudflare. The astro:head-metadata plugin previously only tracked the ssr environment, so maybeRenderHead() could fire inside an unrelated component's <template> element, trapping subsequent hoisted <style> blocks.

• #​16451 778865f Thanks @​maximslo! - Fixes build crash when processing animated AVIF images. Sharp now gracefully passes through unsupported image formats instead of crashing during the build.

• #​16548 7214d3e Thanks @​senutpal! - Fixes scoped styles applying to the wrong element when vite.css.transformer is set to 'lightningcss' and a selector uses a nested & inside :where(...), such as Tailwind v4's space-x-*, space-y-*, and divide-* utilities.

• #​16566 9ac96b4 Thanks @​web-dev0521! - Fixes data-astro-prefetch="tap" not triggering when clicking nested elements (e.g. <span>, <img>, <svg>) inside an anchor tag.

• #​15994 1e70d18 Thanks @​ossaidqadri! - Fix <style> compilation failure when importing Astro components via tsconfig path aliases

• #​16144 1cd6650 Thanks @​fkatsuhiro! - Fixed a regression where .html was unexpectedly stripped from dynamic route parameters on non-page routes (.ts endpoints and redirects). This caused endpoints like /some/[...id].ts returning id: 'file.html' on getStaticPaths to not serve that file because the generated route (/some/file.html) would get matched as id: file that is not part of the list returned by getStaticPaths.

• #​16415 559c0fd Thanks @​0xbejaxer! - Fix CSS traversal boundaries so pages with export const partial = true still contribute styles when imported as components by other pages.

• #​16516 17f1867 Thanks @​fkatsuhiro! - Fixes an issue where the index route would return a 404 error when using a custom base path combined with trailingSlash: 'never'. This ensures that the home page and internal rewrites are correctly matched under these configurations.

• #​16515 280ec88 Thanks @​jp-knj! - Fixes an issue where i18n.fallback pages with fallbackType: 'rewrite' were emitted with empty bodies during astro build.

• #​16565 7959798 Thanks @​enjoyandlove! - Fixes session persistence when session.delete() is the first mutation in a request (no prior get, set, has, or keys). The session was marked dirty in memory, but persistence skipped the save because #data stayed undefined, so the backing store could still return the deleted key on the next request.

• #​16527 86fd80d Thanks @​enjoyandlove! - Prevents script deduplication state from being consumed while rendering inert <template> contexts.

• #​16540 e59c637 Thanks @​ascorbic! - Skips session storage reads when no session cookie is present. Previously, calling session.get() on a request without a session cookie would initialize the storage driver and make a read that was guaranteed to miss. On network-backed drivers this added latency and resource usage to every anonymous request.

• #​16517 6ab0b3c Thanks @​adamchal! - Removes inline CSS for prerendered routes from the SSR manifest. The static HTML on disk already inlines those styles, and the SSR worker never renders prerendered routes, so the data was dead weight. Builds with many prerendered routes and build.inlineStylesheets: "always" (or "auto" with small stylesheets) will see a smaller SSR entry chunk, which reduces cold-start parse time on platforms like Cloudflare Workers.

• #​16509 d3d3557 Thanks @​cyphercodes! - Fix conditional named slot callbacks receiving arguments from Astro.slots.render().

• #​16236 c6b068e Thanks @​fkatsuhiro! - Fixes the position prop on <Image /> and <Picture /> components to correctly apply object-position styles

• #​16018 d14f47c Thanks @​felmonon! - Fix defineLiveCollection() so LiveLoader data types declared as interfaces are accepted.

v6.2.1

Compare Source

Patch Changes

• #​16531 76db01d Thanks @​rodrigosdev! - Fixes config validation for omitted integrations fields with newer Zod versions.

• #​16535 7df0fe4 Thanks @​rururux! - Fixed an issue where a warning was displayed when the server property was missing during config validation, even though it is not required.

• #​16534 5cf6c51 Thanks @​matthewp! - Fixes compatibility with Zod 4.4.0 for the server config property and error formatting

v6.2.0

Compare Source

Minor Changes

• #​16187 fe58071 Thanks @​gllmt! - Adds a waitUntil option to the RenderOptions so that adapters can forward runtime background-task hooks to Astro.

  When provided by an adapter, runtime cache providers receive context.waitUntil in
  CacheProvider.onRequest(), which allows background cache work such as stale-while-revalidate
  without blocking the response. The Cloudflare adapter now forwards
  ExecutionContext.waitUntil to this API.

• #​16290 a49637a Thanks @​ViVaLaDaniel! - Ensures that server.allowedHosts (and vite.preview.allowedHosts) configuration is respected when using astro preview with the @astrojs/cloudflare adapter. This improves security by preventing DNS rebinding attacks when previewing Cloudflare builds locally.

• #​15725 4108ec1 Thanks @​meyer! - Adds support for a new 'jsx' value for the compressHTML option. When set, whitespace is stripped using JSX whitespace rules instead of the default HTML compression strategy.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    compressHTML: 'jsx',
  });

  In JSX, whitespaces never matter, as such, no amount of indentation, or newlines will not affect the rendered output. For instance, the following code:

  <div>
    <span>foo</span>
    <span>bar</span>
  </div>

  will be rendered as foobar, whereas with HTML whitespace rules, a space would be present between the words due to the newline and indentation between the tags.

• #​16477 28fb3e1 Thanks @​ematipico! - Adds experimental support for configurable log handlers.

  This experimental feature provides better control over Astro's logging infrastructure by allowing users to replace the default console output with custom logging implementations (e.g., structured JSON). This is particularly useful for users using on-demand rendering and wishing to connect their log aggregation services, such as Kibana, Logstash, CloudWatch, Grafana, or Loki.

  By default, Astro provides three built-in log handlers (json, node, and console), but you can also create your own.

JSON logging

JSON logging can be enabled via the CLI for the build, dev, and sync commands using the experimentalJson flag:

// astro.config.mjs
import { defineConfig, logHandlers } from 'astro/config';

export default defineConfig({
  experimental: {
    logger: logHandlers.json({
      pretty: true,
      level: 'warn',
    }),
  },
});

Custom logger

You can also create your own custom logger by implementing the correct interface:

// astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  experimental: {
    logger: {
      entrypoint: '@​org/custom-logger',
    },
  },
});

// @​org/custom-logger.js
import type { AstroLoggerDestination, AstroLoggerMessage } from 'astro';
import { matchesLevel } from 'astor/logger';

function customLogger(level = 'info'): AstroLoggerDestination {
  return {
    write(message: AstroLoggerMessage) {
      if (matchesLevel(message.level, level)) {
        // write message somewhere
      }
    },
  };
}

export default customLogger;

For more information on enabling and using this feature in your project, see the Experimental Logger docs.

For a complete overview and to give feedback on this experimental API, see the Custom logger RFC.

• #​16333 0f7c3c8 Thanks @​florian-lefebvre! - Adds an experimental flag svgOptimizer that enables automatic optimization of your SVG components using the provided optimizer. This supersedes the svgo experimental flag, which is now removed.

  When enabled, your imported SVG files used as components will be optimized for smaller file sizes and better performance while maintaining visual quality. This can significantly reduce the size of your SVG assets by removing unnecessary metadata, comments, and redundant code.

  Astro ships with a SVGO based optimizer, but any can be used.

  To enable this feature, add the experimental flag in your Astro config and remove svgo if it was enabled:

  // astro.config.mjs
  -import { defineConfig } from "astro/config";
  +import { defineConfig, svgoOptimizer } from "astro/config";
  
  export default defineConfig({
  +  experimental: {
  +    svgOptimizer: svgoOptimizer()
  -    svgo: true
  +  }
  });

  For more information on enabling and using this feature in your project, see the experimental SVG optimization docs.

• #​16302 f6f8e80 Thanks @​florian-lefebvre! - Adds a new experimental_getFontFileURL() method to resolve font file URLs when using the Fonts API

  The fontData object exported from astro:assets was introduced to provide low-level access to font family data for advanced usage. One of the goals of this API was to be able to resolve buffers using URLs. However, it turned out to be impractical, especially during prerendering.

  Astro now exports a new experimental_getFontFileURL() helper function from astro:assets to resolve font file URLs from fontData. For example, when using satori to generate Open Graph images:

  // src/pages/og.png.ts
  
  import type { APIRoute } from "astro";
  -import { fontData } from "astro:assets";
  +import { fontData, experimental_getFontFileURL } from "astro:assets";
  -import { outDir } from "astro:config/server";
  -import { readFile } from "node:fs/promises";
  import satori from "satori";
  import { html } from "satori-html";
  import sharp from "sharp";
  
  export const GET: APIRoute = async (context) => {
    const fontPath = fontData["--font-roboto"][0]?.src[0]?.url;
  
    if (fontPath === undefined) {
      throw new Error("Cannot find the font path.");
    }
  
  -  const data = import.meta.env.DEV
  -    ? await fetch(new URL(fontPath, context.url.origin)).then(async (res) => res.arrayBuffer())
  -    : await readFile(new URL(`.${fontPath}`, outDir));
  +  const url = experimental_getFontFileURL(fontPath, context.url);
  +  const data = await fetch(url).then((res) => res.arrayBuffer());
  
    const svg = await satori(
      html`<div style="color: black;">hello, world</div>`,
      {
        width: 600,
        height: 400,
        fonts: [
          {
            name: "Roboto",
            data,
            weight: 400,
            style: "normal",
          },
        ],
      },
    );
  
    const pngBuffer = await sharp(Buffer.from(svg))
      .resize(600, 400)
      .png()
      .toBuffer();
  
    return new Response(new Uint8Array(pngBuffer), {
      headers: {
        "Content-Type": "image/png",
      },
    });
  };

  See the Fonts API documentation for more information.

Patch Changes

• #​15980 8812382 Thanks @​seroperson! - Prevents script deduplication inside <template> elements

v6.1.10

Compare Source

Patch Changes

• #​16479 1058428 Thanks @​matthewp! - Fixes a spurious [WARN] [content] Content config not loaded warning during astro dev for projects that don't use content collections

• #​16457 3d82220 Thanks @​matthewp! - Hardens server island encryption to prevent encrypted data from one island component being replayed against a different one

• #​16481 152700e Thanks @​matthewp! - Fixes a spurious 404 request for a dev toolbar sourcemap during astro dev caused by the browser mis-resolving a relative sourceMappingURL from the /@​id/ URL prefix

• #​16480 1bcb43b Thanks @​matthewp! - Fixes an unnecessary full page reload on first navigation during dev

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.