chore(deps): update dependency astro to v5.15.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
astro (source)	5.5.6 -> 5.15.6

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-54793

Summary

There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks.

This affects Astro >=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.

Background

Astro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the trailingSlash configuration option. It follows the following rules:

• If trailingSlash is set to "never", https://example.com/page/ will redirect to https://example.com/page
• If trailingSlash is set to "always", https://example.com/page will redirect to https://example.com/page/

It also collapses multiple trailing slashes, according to the following rules:

• If trailingSlash is set to "always" or "ignore" (the default), https://example.com/page// will redirect to https://example.com/page/
• If trailingSlash is set to "never", https://example.com/page// will redirect to https://example.com/page

It does this by returning a 301 redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from https://example.com/page to https://example.com/page/, it sending a 301 response with the header Location: /page/. The browser resolves this URL relative to the original page URL and redirects to https://example.com/page/

Details

The vulnerability occurs if the target path starts with //. A request for https://example.com//page will send the header Location: //page/. The browser interprets this as a protocol-relative URL, so instead of redirecting to https://example.com//page/, it will attempt to redirect to https://page/. This is unlikely to resolve, but by crafting a URL in the form https://example.com//target.domain/subpath, it will send the header Location: //target.domain/subpath/, which the browser translates as a redirect to https://target.domain/subpath/. The subpath part is required because otherwise Astro will interpret /target.domain as a file download, which skips trailing slash handling.

This leads to an Open Redirect vulnerability.

The URL needed to trigger the vulnerability varies according to the trailingSlash setting.

• If trailingSlash is set to "never", a URL in the form https://example.com//target.domain/subpath/
• If trailingSlash is set to "always", a URL in the form https://example.com//target.domain/subpath
• For any config value, a URL in the form https://example.com//target.domain/subpath//

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Mitigation

You can test if your site is affected by visiting https://yoursite.com//docs.astro.build/en//. If you are redirected to the Astro docs then your site is affected and must be updated.

Upgrade your site to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a Location header value that starts with //.

CVE-2025-55303

Summary

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png.

Proof of Concept

1. Create a new minimal Astro project ([email protected]).

2. Configure it to use the Node adapter (@astrojs/[email protected] — newer versions are not impacted):

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@​astrojs/node';
   
   export default defineConfig({
   	adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.

4. Run the server, e.g. with astro preview.

5. Append /_image?href=//placehold.co/600x400 to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400

6. The site will serve the image from the unauthorized placehold.co origin.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.

CVE-2025-61925

Summary

When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property as there is no validation that the value is safe.

Details

Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.

It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such as malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.

This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.

As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.

Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.

PoC

• Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
• nvm use
• yarn run build
• node ./dist/server/entry.mjs
• curl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'
• Observe that the response reflects the malicious X-Forwarded-Host header

For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.

Impact

This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.

CVE-2025-64745

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the trailingSlash configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links.

Details

Vulnerability Location

https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149

Root Cause

The vulnerability was introduced in commit 536175528 (PR #​12994) , as part of a feature to "redirect trailing slashes on on-demand rendered pages." The feature added a helpful 404 error page in development mode to alert developers of trailing slash mismatches.

Issue: The corrected variable, which is derived from the user-controlled pathname parameter, is directly interpolated into the HTML without proper escaping. While the pathname variable itself is escaped elsewhere in the same file (line 114: escape(pathname)), the corrected variable is not sanitized before being inserted into both the href attribute and the link text.

Attack Vector

When a developer has configured trailingSlash to 'always' or 'never' and visits a URL with a mismatched trailing slash, the development server returns a 404 page containing the vulnerable template. An attacker can craft a URL with JavaScript payloads that will be executed when the page is rendered.

PoC

Local Testing (localhost)

Basic vulnerability verification in local development environment

Show details

astro.config.mjs:

import { defineConfig } from 'astro/config';

export default defineConfig({
  trailingSlash: 'never', // or 'always'
  server: {
    port: 3000,
    host: true
  }
});

package.json:

{
  "name": "astro-xss-poc-victim",
  "version": "0.1.0",
  "scripts": {
    "dev": "astro dev"
  },
  "dependencies": {
    "astro": "5.15.5"
  }
}

Start the development server:

npm install
npm run dev

Access the following malicious URL depending on your configuration:

For trailingSlash: 'never' (requires trailing slash):

http://localhost:3000/"></code><script>alert(document.domain)</script><!--/

For trailingSlash: 'always' (no trailing slash):

http://localhost:3000/"></code><script>alert(document.domain)</script><!--

When accessing the malicious URL:

1. The development server returns a 404 page due to trailing slash mismatch
2. The JavaScript payload (alert(document.domain)) executes in the browser
3. An alert dialog appears, demonstrating arbitrary code execution

Remote Testing (ngrok)

Reproduce realistic attack scenario via external malicious link

Show details

Prerequisites: ngrok account and authtoken configured (ngrok config add-authtoken <key>)

Setup and Execution:

#!/bin/bash
set -e

mkdir -p logs

npm i
npm run dev > ./logs/victim.log 2>&1 &

ngrok http 3000 > ./logs/ngrok.log 2>&1 &

sleep 3

NGROK_URL=$(curl -s http://localhost:4040/api/tunnels | grep -o '"public_url":"https://[^"]*' | head -1 | cut -d'"' -f4)
echo ""
echo "=== Attack URLs ==="
echo ""
echo "For trailingSlash: 'never' (requires trailing slash):"
echo "${NGROK_URL}/\"></code><script>alert(document.domain)</script><!--/"
echo ""
echo "For trailingSlash: 'always' (no trailing slash):"
echo "${NGROK_URL}/\"></code><script>alert(document.domain)</script><!--"
echo ""
wait

When a remote user accesses either of the generated attack URLs:

1. The request is tunneled through ngrok to the local development server
2. The development server returns a 404 page due to trailing slash mismatch
3. The JavaScript payload (alert(document.domain)) executes in the user's browser

Both URL patterns work depending on your trailingSlash configuration ('never' or 'always').

Impact

This only affects the development server. Risk depends on how and where the dev server is exposed.

Security impact

• Developer environment compromise: Visiting a crafted URL can run arbitrary JS in the developer's browser.
• Session hijacking: Active developer sessions can be stolen if services are open in the browser.
• Local resource access: JS may probe localhost endpoints or dev tools depending on browser policies.
• Supply-chain risk: Malicious packages or CI that start dev servers can widen exposure.

Attack scenarios

• Social engineering: Malicious link sent to a developer triggers the XSS when opened.
• Malicious documentation: Attack URLs embedded in issues, PRs, chat, or docs.
• Dependency/CI abuse: Packages or automation that spawn public dev servers expose many targets.

Remediation

The fix is straightforward and requires escaping the corrected variable before inserting it into the HTML template. The codebase already imports and uses the escape() function from the html-escaper package.

CVE-2025-64525

Summary

In impacted versions of Astro using on-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences the most important of which are:

• Middleware-based protected route bypass (only via x-forwarded-proto)
• DoS via cache poisoning (if a CDN is present)
• SSRF (only via x-forwarded-proto)
• URL pollution (potential SXSS, if a CDN is present)
• WAF bypass

Details

The x-forwarded-proto and x-forwarded-port headers are used without sanitization in two parts of the Astro server code. The most important is in the createRequest() function. Any configuration, including the default one, is affected:

https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97
https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121

These header values are then used directly to construct URLs.

By injecting a payload at the protocol level during URL creation (via the x-forwarded-proto header), the entire URL can be rewritten, including the host, port and path, and then pass the rest of the URL, the real hostname and path, as a query so that it doesn't affect (re)routing.

If the following header value is injected when requesting the path /ssr:

x-forwarded-proto: https://www.malicious-url.com/?tank=

The complete URL that will be created is: https://www.malicious-url.com/?tank=://localhost/ssr

As a reminder, URLs are created like this:

url = new URL(`${protocol}://${hostnamePort}${req.url}`);

The value is injected at the beginning of the string (${protocol}), and ends with a query ?tank= whose value is the rest of the string, ://${hostnamePort}${req.url}.

This way there is control over the routing without affecting the path, and the URL can be manipulated arbitrarily. This behavior can be exploited in various ways, as will be seen in the PoC section.

The same logic applies to x-forwarded-port, with a few differences.

Note

The createRequest function is called every time a non-static page is requested. Therefore, all non-static pages are exploitable for reproducing the attack.

PoC

The PoC will be tested with a minimal repository:

• Latest Astro version at the time (2.16.0)
• The Node adapter
• Two simple pages, one SSR (/ssr), the other simulating an admin page (/admin) protected by a middleware
• A middleware example copied and pasted from the official Astro documentation to protect the admin page based on the path

Download the PoC repository

Middleware-based protected route bypass - x-forwarded-proto only

The middleware has been configured to protect the /admin route based on the official documentation:

// src/middleware.ts
import { defineMiddleware } from "astro/middleware";

export const onRequest = defineMiddleware(async (context, next) => {
  const isAuthed = false; // auth logic
  if (context.url.pathname === "/admin" && !isAuthed) {
    return context.redirect("/");
  }
  return next();
});

1. When tryint to access /admin the attacker is naturally redirected :

   curl -i http://localhost:4321/admin

   

2. The attackr can bypass the middleware path check using a malicious header value:

   curl -i -H "x-forwarded-proto: x:admin?" http://localhost:4321/admin

   

How ​​is this possible?

Here, with the payload x:admin?, the attacker can use the URL API parser to their advantage:

• x: is considered the protocol
• Since there is no //, the parser considers there to be no authority, and everything before the ? character is therefore considered part of the path: admin

During a path-based middleware check, the path value begins with a /: context.url.pathname === "/admin". However, this is not the case with this payload; context.url.pathname === "admin", the absence of a slash satisfies both the middleware check and the router and consequently allows us to bypass the protection and access the page.

SSRF

As seen, the request URL is built from untrusted input via the x-forwarded-protocol header, if it turns out that this URL is subsequently used to perform external network calls, for an API for example, this allows an attacker to supply a malicious URL that the server will fetch, resulting in server-side request forgery (SSRF).

Example of code reusing the "origin" URL, concatenating it to the API endpoint :

DoS via cache poisoning

If a CDN is present, it is possible to force the caching of bad pages/resources, or 404 pages on the application routes, rendering the application unusable.

A 404 cab be forced, causing an error on the /ssr page like this : curl -i -H "x-forwarded-proto: https://localhost/vulnerable?" http://localhost:4321/ssr

Same logic applies to x-forwarded-port : curl -i -H "x-forwarded-port: /vulnerable?" http://localhost:4321/ssr

How ​​is this possible?

The router sees the request for the path /vulnerable, which does not exist, and therefore returns a 404, while the potential CDN sees /ssr and can then cache the 404 response, consequently serving it to all users requesting the path /ssr.

URL pollution

The exploitability of the following is also contingent on the presence of a CDN, and is therefore cache poisoning.

If the value of request.url is used to create links within the page, this can lead to Stored XSS with x-forwarded-proto and the following value:

x-forwarded-proto: javascript:alert(document.cookie)//

results in the following URL object:

It is also possible to inject any link, always, if the value of request.url is used on the server side to create links.

x-forwarded-proto: https://www.malicious-site.com/bad?

The attacker is more limited with x-forwarded-port

If the value of request.url is used to create links within the page, this can lead to broken links, with the header and the following value:

X-Forwarded-Port: /nope?

Example of an Astro website:

WAF bypass

For this section, Astro invites users to read previous research on the React-Router/Remix framework, in the section "Exploitation - WAF bypass and escalations". This research deals with a similar case, the difference being that the vulnerable header was x-forwarded-host in their case:

https://zhero-web-sec.github.io/research-and-things/react-router-and-the-remixed-path

Note: A section addressing DoS attacks via cache poisoning using the same vector was also included there.

CVE-2025-61925 complete bypass

It is possible to completely bypass the vulnerability patch related to the X-Forwarded-Host header.

By sending x-forwarded-host with an empty value, the forwardedHostname variable is assigned an empty string. Then, during the subsequent check, the condition fails because forwardedHostname returns false, its value being an empty string:

if (forwardedHostname && !App.validateForwardedHost(...))

Consequently, the implemented check is bypassed. From this point on, since the request has no host (its value being an empty string), the path value is retrieved by the URL parser to set it as the host. This is because the http/https schemes are considered special schemes by the WHATWG URL Standard Specification, requiring an authority state.

From there, the following request on the example SSR application (astro repo) yields an SSRF:

empty x-forwarded-host + the target host in the path

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo)

---

Release Notes

withastro/astro (astro)

v5.15.6

Compare Source

Patch Changes

• #​14751 18c55e1 Thanks @​delucis! - Fixes hydration of client components when running the dev server and using a barrel file that re-exports both Astro and UI framework components.

• #​14750 35122c2 Thanks @​florian-lefebvre! - Updates the experimental Fonts API to log a warning if families with a conflicting cssVariable are provided

• #​14737 74c8852 Thanks @​Arecsu! - Fixes an error when using transition:persist with components that use declarative Shadow DOM. Astro now avoids re-attaching a shadow root if one already exists, preventing "Unable to re-attach to existing ShadowDOM" navigation errors.

• #​14750 35122c2 Thanks @​florian-lefebvre! - Updates the experimental Fonts API to allow for more granular configuration of remote font families

  A font family is defined by a combination of properties such as weights and styles (e.g. weights: [500, 600] and styles: ["normal", "bold"]), but you may want to download only certain combinations of these.

  For greater control over which font files are downloaded, you can specify the same font (ie. with the same cssVariable, name, and provider properties) multiple times with different combinations. Astro will merge the results and download only the required files. For example, it is possible to download normal 500 and 600 while downloading only italic 500:

  // astro.config.mjs
  import { defineConfig, fontProviders } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      fonts: [
        {
          name: 'Roboto',
          cssVariable: '--roboto',
          provider: fontProviders.google(),
          weights: [500, 600],
          styles: ['normal'],
        },
        {
          name: 'Roboto',
          cssVariable: '--roboto',
          provider: fontProviders.google(),
          weights: [500],
          styles: ['italic'],
        },
      ],
    },
  });

v5.15.5

Compare Source

Patch Changes

• #​14712 91780cf Thanks @​florian-lefebvre! - Fixes a case where build's process.env would be inlined in the server output

• #​14713 666d5a7 Thanks @​florian-lefebvre! - Improves fallbacks generation when using the experimental Fonts API

• #​14743 dafbb1b Thanks @​matthewp! - Improves X-Forwarded header validation to prevent cache poisoning and header injection attacks. Now properly validates X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers against configured allowedDomains patterns, rejecting malformed or suspicious values. This is especially important when running behind a reverse proxy or load balancer.

v5.15.4

Compare Source

Patch Changes

• #​14703 970ac0f Thanks @​ArmandPhilippot! - Adds missing documentation for some public utilities exported from astro:i18n.

• #​14715 3d55c5d Thanks @​ascorbic! - Adds support for client hydration in getContainerRenderer()

  The getContainerRenderer() function is exported by Astro framework integrations to simplify the process of rendering framework components when using the experimental Container API inside a Vite or Vitest environment. This update adds the client hydration entrypoint to the returned object, enabling client-side interactivity for components rendered using this function. Previously this required users to manually call container.addClientRenderer() with the appropriate client renderer entrypoint.

  See the container-with-vitest demo for a usage example, and the Container API documentation for more information on using framework components with the experimental Container API.

• #​14711 a4d284d Thanks @​deining! - Fixes typos in documenting our error messages and public APIs.

• #​14701 9be54c7 Thanks @​florian-lefebvre! - Fixes a case where the experimental Fonts API would filter available font files too aggressively, which could prevent the download of woff files when using the google provider

v5.15.3

Compare Source

Patch Changes

• #​14627 b368de0 Thanks @​matthewp! - Fixes skew protection support for images and font URLs

  Adapter-level query parameters (assetQueryParams) are now applied to all image and font asset URLs, including:

  • Dynamic optimized images via /_image endpoint
  • Static optimized image files
  • Font preload tags and font requests when using the experimental Fonts API

• #​14631 3ad33f9 Thanks @​KurtGokhan! - Adds the astro/jsx-dev-runtime export as an alias for astro/jsx-runtime

v5.15.2

Compare Source

Patch Changes

• #​14623 c5fe295 Thanks @​delucis! - Fixes a leak of server runtime code when importing SVGs in client-side code. Previously, when importing an SVG file in client code, Astro could end up adding code for rendering SVGs on the server to the client bundle.

• #​14621 e3175d9 Thanks @​GameRoMan! - Updates vite version to fix CVE

v5.15.1

Compare Source

Patch Changes

• #​14612 18552c7 Thanks @​ematipico! - Fixes a regression introduced in Astro v5.14.7 that caused ?url imports to not work correctly. This release reverts #​14142.

v5.15.0

Compare Source

Minor Changes

• #​14543 9b3241d Thanks @​matthewp! - Adds two new adapter configuration options assetQueryParams and internalFetchHeaders to the Adapter API.

  Official and community-built adapters can now use client.assetQueryParams to specify query parameters that should be appended to asset URLs (CSS, JavaScript, images, fonts, etc.). The query parameters are automatically appended to all generated asset URLs during the build process.

  Adapters can also use client.internalFetchHeaders to specify headers that should be included in Astro's internal fetch calls (Actions, View Transitions, Server Islands, Prefetch).

  This enables features like Netlify's skew protection, which requires the deploy ID to be sent with both internal requests and asset URLs to ensure client and server versions match during deployments.

• #​14489 add4277 Thanks @​dev-shetty! - Adds a new Copy to Clipboard button to the error overlay stack trace.

  When an error occurs in dev mode, you can now copy the stack trace with a single click to more easily share it in a bug report, a support thread, or with your favorite LLM.

• #​14564 5e7cebb Thanks @​florian-lefebvre! - Updates astro add cloudflare to scaffold more configuration files

  Running astro add cloudflare will now emit wrangler.jsonc and public/.assetsignore, allowing your Astro project to work out of the box as a worker.

Patch Changes

• #​14591 3e887ec Thanks @​matthewp! - Adds TypeScript support for the components prop on MDX Content component when using await render(). Developers now get proper IntelliSense and type checking when passing custom components to override default MDX element rendering.

• #​14598 7b45c65 Thanks @​delucis! - Reduces terminal text styling dependency size by switching from kleur to picocolors

• #​13826 8079482 Thanks @​florian-lefebvre! - Adds the option to specify in the preload directive which weights, styles, or subsets to preload for a given font family when using the experimental Fonts API:

  ---
  import { Font } from 'astro:assets';
  ---
  
  <Font
    cssVariable="--font-roboto"
    preload={[{ subset: 'latin', style: 'normal' }, { weight: '400' }]}
  />

  Variable weight font files will be preloaded if any weight within its range is requested. For example, a font file for font weight 100 900 will be included when 400 is specified in a preload object.

v5.14.8

Compare Source

Patch Changes

• #​14590 577d051 Thanks @​matthewp! - Fixes image path resolution in content layer collections to support bare filenames. The image() helper now normalizes bare filenames like "cover.jpg" to relative paths "./cover.jpg" for consistent resolution behavior between markdown frontmatter and JSON content collections.

v5.14.7

Compare Source

Patch Changes

• #​14582 7958c6b Thanks @​florian-lefebvre! - Fixes a regression that caused Actions to throw errors while loading

• #​14567 94500bb Thanks @​matthewp! - Fixes the actions endpoint to return 404 for non-existent actions instead of throwing an unhandled error

• #​14566 946fe68 Thanks @​matthewp! - Fixes handling malformed cookies gracefully by returning the unparsed value instead of throwing

  When a cookie with an invalid value is present (e.g., containing invalid URI sequences), Astro.cookies.get() now returns the raw cookie value instead of throwing a URIError. This aligns with the behavior of the underlying cookie package and prevents crashes when manually-set or corrupted cookies are encountered.

• #​14142 73c5de9 Thanks @​P4tt4te! - Updates handling of CSS for hydrated client components to prevent duplicates

• #​14576 2af62c6 Thanks @​aprici7y! - Fixes a regression that caused Astro.site to always be undefined in getStaticPaths()

v5.14.6

Compare Source

Patch Changes

• #​14562 722bba0 Thanks @​erbierc! - Fixes a bug where the behavior of the "muted" HTML attribute was inconsistent with that of other attributes.

• #​14538 51ebe6a Thanks @​florian-lefebvre! - Improves how Actions are implemented

• #​14548 6cdade4 Thanks @​ascorbic! - Removes support for the maxAge property in cacheHint objects returned by live loaders.

⚠️ Breaking change for experimental live content collections only

Feedback showed that this did not make sense to set at the loader level, since the loader does not know how long each individual entry should be cached for.

If your live loader returns cache hints with maxAge, you need to remove this property:

return {
  entries: [...],
  cacheHint: {
    tags: ['my-tag'],
-   maxAge: 60,
    lastModified: new Date(),
  },
};

The cacheHint object now only supports tags and lastModified properties. If you want to set the max age for a page, you can set the headers manually:

v5.14.5

Compare Source

Patch Changes

• #​14525 4f55781 Thanks @​penx! - Fixes defineLiveCollection() types

• #​14441 62ec8ea Thanks @​upsuper! - Updates redirect handling to be consistent across static and server output, aligning with the behavior of other adapters.

  Previously, the Node.js adapter used default HTML files with meta refresh tags when in static output. This often resulted in an extra flash of the page on redirect, while also not applying the proper status code for redirections. It's also likely less friendly to search engines.

  This update ensures that configured redirects are always handled as HTTP redirects regardless of output mode, and the default HTML files for the redirects are no longer generated in static output. It makes the Node.js adapter more consistent with the other official adapters.

  No change to your project is required to take advantage of this new adapter functionality. It is not expected to cause any breaking changes. However, if you relied on the previous redirecting behavior, you may need to handle your redirects differently now. Otherwise you should notice smoother redirects, with more accurate HTTP status codes, and may potentially see some SEO gains.

• #​14506 ec3cbe1 Thanks @​abdo-spices! - Updates the <Font /> component so that preload links are generated after the style tag, as recommended by capo.js

v5.14.4

Compare Source

Patch Changes

• #​14509 7e04caf Thanks @​ArmandPhilippot! - Fixes an error in the docs that specified an incorrect version for the security.allowedDomains release.

v5.14.3

Compare Source

Patch Changes

• #​14505 28b2a1d Thanks @​matthewp! - Fixes Cannot set property manifest error in test utilities by adding a protected setter for the manifest property

• #​14235 c4d84bb Thanks @​toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabled

v5.14.1

Compare Source

Patch Changes

• #​14440 a3e16ab Thanks @​florian-lefebvre! - Fixes a case where the URLs generated by the experimental Fonts API would be incorrect in dev

v5.14.0

Compare Source

Minor Changes

• #​13520 a31edb8 Thanks @​openscript! - Adds a new property routePattern available to GetStaticPathsOptions

  This provides the original, dynamic segment definition in a routing file path (e.g. /[...locale]/[files]/[slug]) from the Astro render context that would not otherwise be available within the scope of getStaticPaths(). This can be useful to calculate the params and props for each page route.

  For example, you can now localize your route segments and return an array of static paths by passing routePattern to a custom getLocalizedData() helper function. The params object will be set with explicit values for each route segment (e.g. locale, files, and slug). Then, these values will be used to generate the routes and can be used in your page template via Astro.params.

v5.13.11

Compare Source

Patch Changes

• #​14409 250a595 Thanks @​louisescher! - Fixes an issue where astro info would log errors to console in certain cases.

• #​14398 a7df80d Thanks @​idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance

• #​13747 120866f Thanks @​jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter

  The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.

• #​14428 32a8acb Thanks @​drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer

• #​14411 a601186 Thanks @​GameRoMan! - Fixes relative links to docs that could not be opened in the editor.

v5.13.10

Compare Source

Patch Changes

• Updated dependencies [1e2499e]:
  • @​astrojs/internal-helpers@​0.7.3
  • @​astrojs/markdown-remark@​6.3.7

v5.13.9

Compare Source

Patch Changes

• #​14402 54dcd04 Thanks @​FredKSchott! - Removes warning that caused unexpected console spam when using Bun

v5.13.8

Compare Source

Patch Changes

• #​14300 bd4a70b Thanks @​louisescher! - Adds Vite version & integration versions to output of astro info

• #​14341 f75fd99 Thanks @​delucis! - Fixes support for declarative Shadow DOM when using the <ClientRouter> component

• #​14350 f59581f Thanks @​ascorbic! - Improves error reporting for content collections by adding logging for configuration errors that had previously been silently ignored. Also adds a new error that is thrown if a live collection is used in content.config.ts rather than live.config.ts.

• #​14343 13f7d36 Thanks @​florian-lefebvre! - Fixes a regression in non node runtimes

v5.13.7

Compare Source

Patch Changes

• #​14330 72e14ab Thanks @​ascorbic! - Removes pinned package that is no longer needed.

• #​14335 17c7b03 Thanks @​florian-lefebvre! - Bumps sharp minimal version to 0.34.0

v5.13.6

Compare Source

Patch Changes

• #​14294 e005855 Thanks @​martrapp! - Restores the ability to use Google Analytics History change trigger with the <ClientRouter />.

• #​14326 c24a8f4 Thanks @​jsparkdev! - Updates vite version to fix CVE

• #​14108 218e070 Thanks @​JusticeMatthew! - Updates dynamic route split regex to avoid infinite retries/exponential complexity

• #​14327 c1033be Thanks @​ascorbic! - Pins simple-swizzle to avoid compromised version

v5.13.5

Compare Source

Patch Changes

• #​14286 09c5db3 Thanks @​ematipico! - BREAKING CHANGES only to the experimental CSP feature

  The following runtime APIs of the Astro global have been renamed:

  • Astro.insertDirective to Astro.csp.insertDirective
  • Astro.insertStyleResource to Astro.csp.insertStyleResource
  • Astro.insertStyleHash to Astro.csp.insertStyleHash
  • Astro.insertScriptResource to Astro.csp.insertScriptResource
  • Astro.insertScriptHash to Astro.csp.insertScriptHash

  The following runtime APIs of the APIContext have been renamed:

  • ctx.insertDirective to ctx.csp.insertDirective
  • ctx.insertStyleResource to ctx.csp.insertStyleResource
  • ctx.insertStyleHash to ctx.csp.insertStyleHash
  • ctx.insertScriptResource to ctx.csp.insertScriptResource
  • ctx.insertScriptHash to ctx.csp.insertScriptHash

• #​14283 3224637 Thanks @​ematipico! - Fixes an issue where CSP headers were incorrectly injected in the development server.

• #​14275 [3e2f20d](https://redirect.github.com/withastro/astro/commit/3e2f20d07e92b1acfadb

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: dfb6bf4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/npm-astro-vulnerability

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

_{To disable these notifications, a workspace admin can disable them in workspace settings.}

---

View your CI Pipeline Execution ↗ for commit dfb6bf4

Command	Status	Duration	Result
nx affected --targets=test:sherif,test:knip,tes...	❌ Failed	2m 35s	View ↗
nx run-many --target=build --exclude=examples/*...	❌ Failed	1m 22s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-11-14 00:16:09 UTC