@renovate renovate bot commented Oct 11, 2025

This PR contains the following updates:

Package: astro (source)
Change: 4.16.19 -> 5.15.5

GitHub Vulnerability Alerts

CVE-2025-61925

Summary

When running Astro in on-demand rendering mode using an adapter such as the node adapter, it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property, as there is no validation that the value is safe.

Details

Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.

It is common for web servers such as nginx to route requests via the Host header and forward on other request headers. As such, a malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.

This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.

As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.

Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.

PoC

  • Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
  • nvm use
  • yarn run build
  • node ./dist/server/entry.mjs
  • curl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'
  • Observe that the response reflects the malicious X-Forwarded-Host header

For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.

Impact

This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.

CVE-2025-64525

Summary

In impacted versions of Astro using on-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences the most important of which are:

  • Middleware-based protected route bypass (only via x-forwarded-proto)
  • DoS via cache poisoning (if a CDN is present)
  • SSRF (only via x-forwarded-proto)
  • URL pollution (potential SXSS, if a CDN is present)
  • WAF bypass

Details

The x-forwarded-proto and x-forwarded-port headers are used without sanitization in two parts of the Astro server code. The most important is in the createRequest() function. Any configuration, including the default one, is affected:

https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97
https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121

These header values are then used directly to construct URLs.

By injecting a payload at the protocol level during URL creation (via the x-forwarded-proto header), the entire URL can be rewritten, including the host, port and path, and then pass the rest of the URL, the real hostname and path, as a query so that it doesn't affect (re)routing.

If the following header value is injected when requesting the path /ssr:

x-forwarded-proto: https://www.malicious-url.com/?tank=

The complete URL that will be created is: https://www.malicious-url.com/?tank=://localhost/ssr

As a reminder, URLs are created like this:

url = new URL(`${protocol}://${hostnamePort}${req.url}`);

The value is injected at the beginning of the string (${protocol}), and ends with a query ?tank= whose value is the rest of the string, ://${hostnamePort}${req.url}.

This way there is control over the routing without affecting the path, and the URL can be manipulated arbitrarily. This behavior can be exploited in various ways, as will be seen in the PoC section.

The same logic applies to x-forwarded-port, with a few differences.

Note

The createRequest function is called every time a non-static page is requested. Therefore, all non-static pages are exploitable for reproducing the attack.

PoC

The PoC will be tested with a minimal repository:

  • Latest Astro version at the time (2.16.0)
  • The Node adapter
  • Two simple pages, one SSR (/ssr), the other simulating an admin page (/admin) protected by a middleware
  • A middleware example copied and pasted from the official Astro documentation to protect the admin page based on the path

Download the PoC repository

Middleware-based protected route bypass - x-forwarded-proto only

The middleware has been configured to protect the /admin route based on the official documentation:

// src/middleware.ts
import { defineMiddleware } from "astro/middleware";

export const onRequest = defineMiddleware(async (context, next) => {
  const isAuthed = false; // auth logic
  if (context.url.pathname === "/admin" && !isAuthed) {
    return context.redirect("/");
  }
  return next();
});
  1. When trying to access /admin the attacker is naturally redirected:

    curl -i http://localhost:4321/admin

  2. The attacker can bypass the middleware path check using a malicious header value:

    curl -i -H "x-forwarded-proto: x:admin?" http://localhost:4321/admin

How is this possible?

Here, with the payload x:admin?, the attacker can use the URL API parser to their advantage:

  • x: is considered the protocol
  • Since there is no //, the parser considers there to be no authority, and everything before the ? character is therefore considered part of the path: admin

During a path-based middleware check, the path value begins with a /: context.url.pathname === "/admin". However, this is not the case with this payload; context.url.pathname === "admin", the absence of a slash satisfies both the middleware check and the router and consequently allows us to bypass the protection and access the page.

SSRF

As seen, the request URL is built from untrusted input via the x-forwarded-proto header. If that URL is subsequently used to perform external network calls, for example to an API, an attacker can supply a malicious URL that the server will fetch, resulting in server-side request forgery (SSRF).

Example of code reusing the "origin" URL, concatenating it to the API endpoint (shown as a screenshot in the original advisory).

DoS via cache poisoning

If a CDN is present, it is possible to force the caching of bad pages/resources, or 404 pages on the application routes, rendering the application unusable.

A 404 can be forced, causing an error on the /ssr page, like this: curl -i -H "x-forwarded-proto: https://localhost/vulnerable?" http://localhost:4321/ssr

The same logic applies to x-forwarded-port: curl -i -H "x-forwarded-port: /vulnerable?" http://localhost:4321/ssr

How is this possible?

The router sees the request for the path /vulnerable, which does not exist, and therefore returns a 404, while the potential CDN sees /ssr and can then cache the 404 response, consequently serving it to all users requesting the path /ssr.

URL pollution

The exploitability of the following is also contingent on the presence of a CDN, and is therefore cache poisoning.

If the value of request.url is used to create links within the page, this can lead to Stored XSS with x-forwarded-proto and the following value:

x-forwarded-proto: javascript:alert(document.cookie)//

results in a URL object whose protocol is javascript: (the parsed object is shown as a screenshot in the original advisory).

It is also possible to inject any link, always, if the value of request.url is used on the server side to create links.

x-forwarded-proto: https://www.malicious-site.com/bad?

The attacker is more limited with x-forwarded-port

If the value of request.url is used to create links within the page, this can lead to broken links, with the header and the following value:

X-Forwarded-Port: /nope?

Example of an Astro website (shown as a screenshot in the original advisory).

WAF bypass

For this section, Astro invites users to read previous research on the React-Router/Remix framework, in the section "Exploitation - WAF bypass and escalations". This research deals with a similar case, the difference being that the vulnerable header was x-forwarded-host in their case:

https://zhero-web-sec.github.io/research-and-things/react-router-and-the-remixed-path

Note: A section addressing DoS attacks via cache poisoning using the same vector was also included there.

CVE-2025-61925 complete bypass

It is possible to completely bypass the vulnerability patch related to the X-Forwarded-Host header.

By sending x-forwarded-host with an empty value, the forwardedHostname variable is assigned an empty string. Then, during the subsequent check, the condition fails because forwardedHostname returns false, its value being an empty string:

if (forwardedHostname && !App.validateForwardedHost(...))

Consequently, the implemented check is bypassed. From this point on, since the request has no host (its value being an empty string), the path value is retrieved by the URL parser to set it as the host. This is because the http/https schemes are considered special schemes by the WHATWG URL Standard Specification, requiring an authority state.

From there, the following request on the example SSR application (astro repo) yields an SSRF: an empty x-forwarded-host header plus the target host in the path (shown as a screenshot in the original advisory).
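As an added example (not Astro's code and not from the advisory authors), the following Node.js script models the URL construction quoted above, url = new URL(`${protocol}://${hostnamePort}${req.url}`), beside a hardened builder that validates X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port before the URL is built; it covers the proto/port rewrite, the /admin path check, the cache-poisoning 404 and the empty X-Forwarded-Host bypass described in the sections above. The allowedHosts list, the function names and the sample requests are this example's own assumptions.

```javascript
// Added example, not Astro's code: it models the URL construction the two
// advisories quote (url = new URL(`${protocol}://${hostnamePort}${req.url}`))
// beside a hardened builder that validates X-Forwarded-Proto/Host/Port.
// Assumptions: Node.js (global WHATWG URL), header names lowercased as Node's
// http module does, and an operator-supplied `allowedHosts` list (this
// example's name, not an Astro config option).

// Naive build: every forwarded value is trusted as-is. An empty
// X-Forwarded-Host is used too, which is the case behind the patch bypass.
function buildUrlUnsafe(headers, reqUrl) {
  const protocol = headers['x-forwarded-proto'] ?? 'http';
  const fHost = headers['x-forwarded-host'];
  const hostname = fHost !== undefined ? fHost : headers.host;
  const port = headers['x-forwarded-port'];
  const hostnamePort = port !== undefined ? `${hostname}:${port}` : hostname;
  return new URL(`${protocol}://${hostnamePort}${reqUrl}`);
}

// Hostname syntax: dot-separated labels of letters, digits and hyphens.
// Bracketed IPv6 literals are deliberately out of scope for this example.
const HOSTNAME_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/i;

// A header may be repeated; only the first value is considered.
function firstValue(headers, name) {
  const v = headers[name];
  return Array.isArray(v) ? v[0] : v;
}

function isValidPort(p) {
  return /^\d{1,5}$/.test(p) && Number(p) >= 1 && Number(p) <= 65535;
}

// Hardened build: returns { ok: true, url } or { ok: false, reason }.
// Presence of a forwarded header is decided with `!== undefined`, so an empty
// value is validated (and rejected) instead of skipping the check.
function buildUrlHardened(headers, reqUrl, allowedHosts) {
  const fProto = firstValue(headers, 'x-forwarded-proto');
  const protocol = fProto === undefined ? 'http' : fProto;
  // Only the two literal scheme names; anything else (a full URL, "x:", "javascript:") is refused.
  if (protocol !== 'http' && protocol !== 'https') {
    return { ok: false, reason: `rejected x-forwarded-proto ${JSON.stringify(fProto)}` };
  }

  const fHost = firstValue(headers, 'x-forwarded-host');
  const rawHost = fHost === undefined ? firstValue(headers, 'host') : fHost;
  // Host and X-Forwarded-Host may legitimately carry "host:port"; split strictly.
  const m = /^([^:]*)(?::(.*))?$/.exec(rawHost ?? '');
  const hostname = m[1].toLowerCase();
  let port = m[2];
  // Syntax check first, then an exact allowlist match (the advisory's allowedDomains idea).
  if (!HOSTNAME_RE.test(hostname) || !allowedHosts.includes(hostname)) {
    return { ok: false, reason: `rejected host ${JSON.stringify(rawHost)}` };
  }
  if (port !== undefined && !isValidPort(port)) {
    return { ok: false, reason: `rejected port in host ${JSON.stringify(rawHost)}` };
  }

  const fPort = firstValue(headers, 'x-forwarded-port');
  if (fPort !== undefined) {
    if (!isValidPort(fPort)) {
      return { ok: false, reason: `rejected x-forwarded-port ${JSON.stringify(fPort)}` };
    }
    port = fPort;
  }

  // req.url from Node's http server is origin-form ("/path?query"); anything else is suspect.
  if (typeof reqUrl !== 'string' || !reqUrl.startsWith('/')) {
    return { ok: false, reason: `rejected request target ${JSON.stringify(reqUrl)}` };
  }

  const url = new URL(`${protocol}://${hostname}${port ? `:${port}` : ''}${reqUrl}`);
  // Post-condition: the parser produced exactly the validated pieces, so a
  // path-based check such as url.pathname === "/admin" cannot be sidestepped.
  if (url.protocol !== `${protocol}:` || url.hostname !== hostname || !url.pathname.startsWith('/')) {
    return { ok: false, reason: 'parsed URL does not match validated components' };
  }
  return { ok: true, url };
}

// Constructed sample requests mirroring the advisories' payloads (not captured traffic).
const SAMPLES = [
  { name: 'proto rewrites whole URL', headers: { host: 'localhost', 'x-forwarded-proto': 'https://www.malicious-url.com/?tank=' }, reqUrl: '/ssr' },
  { name: 'proto bypasses /admin check', headers: { host: 'localhost:4321', 'x-forwarded-proto': 'x:admin?' }, reqUrl: '/admin' },
  { name: 'port rewrites the path', headers: { host: 'localhost', 'x-forwarded-port': '/vulnerable?' }, reqUrl: '/ssr' },
  { name: 'empty forwarded host', headers: { host: 'localhost:4321', 'x-forwarded-host': '' }, reqUrl: '/www.target.example/api' },
  { name: 'benign proxied request', headers: { host: 'localhost:4321', 'x-forwarded-proto': 'https', 'x-forwarded-host': 'www.example.com', 'x-forwarded-port': '8443' }, reqUrl: '/ssr' },
];
const ALLOWED_HOSTS = ['www.example.com', 'localhost'];

// Runs every sample through both builders and returns the rows it prints.
function demo() {
  return SAMPLES.map((s) => {
    const unsafe = buildUrlUnsafe(s.headers, s.reqUrl).href;
    const hard = buildUrlHardened(s.headers, s.reqUrl, ALLOWED_HOSTS);
    const row = `${s.name}: unsafe -> ${unsafe}; hardened -> ${hard.ok ? hard.url.href : 'REJECTED (' + hard.reason + ')'}`;
    console.log(row);
    return row;
  });
}
demo();
```

The first four samples parse into a foreign host, an opaque "admin" path, a /vulnerable path and a host lifted out of the request path respectively under the naive builder, and are all rejected by the hardened one.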

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo)

Release Notes

withastro/astro (astro)

v5.15.5

Compare Source

Patch Changes
  • #14712 91780cf Thanks @florian-lefebvre! - Fixes a case where build's process.env would be inlined in the server output

  • #14713 666d5a7 Thanks @florian-lefebvre! - Improves fallbacks generation when using the experimental Fonts API

  • #14743 dafbb1b Thanks @matthewp! - Improves X-Forwarded header validation to prevent cache poisoning and header injection attacks. Now properly validates X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers against configured allowedDomains patterns, rejecting malformed or suspicious values. This is especially important when running behind a reverse proxy or load balancer.

v5.15.4

Compare Source

Patch Changes
  • #14703 970ac0f Thanks @ArmandPhilippot! - Adds missing documentation for some public utilities exported from astro:i18n.

  • #14715 3d55c5d Thanks @ascorbic! - Adds support for client hydration in getContainerRenderer()

    The getContainerRenderer() function is exported by Astro framework integrations to simplify the process of rendering framework components when using the experimental Container API inside a Vite or Vitest environment. This update adds the client hydration entrypoint to the returned object, enabling client-side interactivity for components rendered using this function. Previously this required users to manually call container.addClientRenderer() with the appropriate client renderer entrypoint.

    See the container-with-vitest demo for a usage example, and the Container API documentation for more information on using framework components with the experimental Container API.

  • #14711 a4d284d Thanks @deining! - Fixes typos in documenting our error messages and public APIs.

  • #14701 9be54c7 Thanks @florian-lefebvre! - Fixes a case where the experimental Fonts API would filter available font files too aggressively, which could prevent the download of woff files when using the google provider

v5.15.3

Compare Source

Patch Changes
  • #14627 b368de0 Thanks @matthewp! - Fixes skew protection support for images and font URLs

    Adapter-level query parameters (assetQueryParams) are now applied to all image and font asset URLs, including:

    • Dynamic optimized images via /_image endpoint
    • Static optimized image files
    • Font preload tags and font requests when using the experimental Fonts API
  • #14631 3ad33f9 Thanks @KurtGokhan! - Adds the astro/jsx-dev-runtime export as an alias for astro/jsx-runtime

v5.15.2

Compare Source

Patch Changes
  • #14623 c5fe295 Thanks @delucis! - Fixes a leak of server runtime code when importing SVGs in client-side code. Previously, when importing an SVG file in client code, Astro could end up adding code for rendering SVGs on the server to the client bundle.

  • #14621 e3175d9 Thanks @GameRoMan! - Updates vite version to fix CVE

v5.15.1

Compare Source

Patch Changes

v5.15.0

Compare Source

Minor Changes
  • #14543 9b3241d Thanks @matthewp! - Adds two new adapter configuration options assetQueryParams and internalFetchHeaders to the Adapter API.

    Official and community-built adapters can now use client.assetQueryParams to specify query parameters that should be appended to asset URLs (CSS, JavaScript, images, fonts, etc.). The query parameters are automatically appended to all generated asset URLs during the build process.

    Adapters can also use client.internalFetchHeaders to specify headers that should be included in Astro's internal fetch calls (Actions, View Transitions, Server Islands, Prefetch).

    This enables features like Netlify's skew protection, which requires the deploy ID to be sent with both internal requests and asset URLs to ensure client and server versions match during deployments.

  • #14489 add4277 Thanks @dev-shetty! - Adds a new Copy to Clipboard button to the error overlay stack trace.

    When an error occurs in dev mode, you can now copy the stack trace with a single click to more easily share it in a bug report, a support thread, or with your favorite LLM.

  • #14564 5e7cebb Thanks @florian-lefebvre! - Updates astro add cloudflare to scaffold more configuration files

    Running astro add cloudflare will now emit wrangler.jsonc and public/.assetsignore, allowing your Astro project to work out of the box as a worker.

Patch Changes
  • #14591 3e887ec Thanks @matthewp! - Adds TypeScript support for the components prop on MDX Content component when using await render(). Developers now get proper IntelliSense and type checking when passing custom components to override default MDX element rendering.

  • #14598 7b45c65 Thanks @delucis! - Reduces terminal text styling dependency size by switching from kleur to picocolors

  • #13826 8079482 Thanks @florian-lefebvre! - Adds the option to specify in the preload directive which weights, styles, or subsets to preload for a given font family when using the experimental Fonts API:

    ---
    import { Font } from 'astro:assets';
    ---
    
    <Font
      cssVariable="--font-roboto"
      preload={[{ subset: 'latin', style: 'normal' }, { weight: '400' }]}
    />

    Variable weight font files will be preloaded if any weight within its range is requested. For example, a font file for font weight 100 900 will be included when 400 is specified in a preload object.

v5.14.8

Compare Source

Patch Changes
  • #14590 577d051 Thanks @matthewp! - Fixes image path resolution in content layer collections to support bare filenames. The image() helper now normalizes bare filenames like "cover.jpg" to relative paths "./cover.jpg" for consistent resolution behavior between markdown frontmatter and JSON content collections.

v5.14.7

Compare Source

Patch Changes
  • #14582 7958c6b Thanks @florian-lefebvre! - Fixes a regression that caused Actions to throw errors while loading

  • #14567 94500bb Thanks @matthewp! - Fixes the actions endpoint to return 404 for non-existent actions instead of throwing an unhandled error

  • #14566 946fe68 Thanks @matthewp! - Fixes handling malformed cookies gracefully by returning the unparsed value instead of throwing

    When a cookie with an invalid value is present (e.g., containing invalid URI sequences), Astro.cookies.get() now returns the raw cookie value instead of throwing a URIError. This aligns with the behavior of the underlying cookie package and prevents crashes when manually-set or corrupted cookies are encountered.

  • #14142 73c5de9 Thanks @P4tt4te! - Updates handling of CSS for hydrated client components to prevent duplicates

  • #14576 2af62c6 Thanks @aprici7y! - Fixes a regression that caused Astro.site to always be undefined in getStaticPaths()

v5.14.6

Compare Source

Patch Changes
⚠️ Breaking change for experimental live content collections only

Feedback showed that this did not make sense to set at the loader level, since the loader does not know how long each individual entry should be cached for.

If your live loader returns cache hints with maxAge, you need to remove this property:

return {
  entries: [...],
  cacheHint: {
    tags: ['my-tag'],
-   maxAge: 60,
    lastModified: new Date(),
  },
};

The cacheHint object now only supports tags and lastModified properties. If you want to set the max age for a page, you can set the headers manually:

v5.14.5

Compare Source

Patch Changes
  • #14525 4f55781 Thanks @penx! - Fixes defineLiveCollection() types

  • #14441 62ec8ea Thanks @upsuper! - Updates redirect handling to be consistent across static and server output, aligning with the behavior of other adapters.

    Previously, the Node.js adapter used default HTML files with meta refresh tags when in static output. This often resulted in an extra flash of the page on redirect, while also not applying the proper status code for redirections. It's also likely less friendly to search engines.

    This update ensures that configured redirects are always handled as HTTP redirects regardless of output mode, and the default HTML files for the redirects are no longer generated in static output. It makes the Node.js adapter more consistent with the other official adapters.

    No change to your project is required to take advantage of this new adapter functionality. It is not expected to cause any breaking changes. However, if you relied on the previous redirecting behavior, you may need to handle your redirects differently now. Otherwise you should notice smoother redirects, with more accurate HTTP status codes, and may potentially see some SEO gains.

  • #14506 ec3cbe1 Thanks @abdo-spices! - Updates the <Font /> component so that preload links are generated after the style tag, as recommended by capo.js

v5.14.4

Compare Source

Patch Changes

v5.14.3

Compare Source

Patch Changes
  • #14505 28b2a1d Thanks @matthewp! - Fixes Cannot set property manifest error in test utilities by adding a protected setter for the manifest property

  • #14235 c4d84bb Thanks @toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabled

v5.14.1

Compare Source

Patch Changes

v5.14.0

Compare Source

Minor Changes
  • #13520 a31edb8 Thanks @openscript! - Adds a new property routePattern available to GetStaticPathsOptions

    This provides the original, dynamic segment definition in a routing file path (e.g. /[...locale]/[files]/[slug]) from the Astro render context that would not otherwise be available within the scope of getStaticPaths(). This can be useful to calculate the params and props for each page route.

    For example, you can now localize your route segments and return an array of static paths by passing routePattern to a custom getLocalizedData() helper function. The params object will be set with explicit values for each route segment (e.g. locale, files, and slug). Then, these values will be used to generate the routes and can be used in your page template via Astro.params.

v5.13.11

Compare Source

Patch Changes
  • #14409 250a595 Thanks @louisescher! - Fixes an issue where astro info would log errors to console in certain cases.

  • #14398 a7df80d Thanks @idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance

  • #13747 120866f Thanks @jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter

    The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.

  • #14428 32a8acb Thanks @drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer

  • #14411 a601186 Thanks @GameRoMan! - Fixes relative links to docs that could not be opened in the editor.

v5.13.10

Compare Source

Patch Changes

v5.13.9

Compare Source

Patch Changes

v5.13.8

Compare Source

Patch Changes
  • #14300 bd4a70b Thanks @louisescher! - Adds Vite version & integration versions to output of astro info

  • #14341 f75fd99 Thanks @delucis! - Fixes support for declarative Shadow DOM when using the <ClientRouter> component

  • #14350 f59581f Thanks @ascorbic! - Improves error reporting for content collections by adding logging for configuration errors that had previously been silently ignored. Also adds a new error that is thrown if a live collection is used in content.config.ts rather than live.config.ts.

  • #14343 13f7d36 Thanks @florian-lefebvre! - Fixes a regression in non node runtimes

v5.13.7

Compare Source

Patch Changes

v5.13.6

Compare Source

Patch Changes

v5.13.5

Compare Source

Patch Changes
  • #14286 09c5db3 Thanks @ematipico! - BREAKING CHANGES only to the experimental CSP feature

    The following runtime APIs of the Astro global have been renamed:

    • Astro.insertDirective to Astro.csp.insertDirective
    • Astro.insertStyleResource to Astro.csp.insertStyleResource
    • Astro.insertStyleHash to Astro.csp.insertStyleHash
    • Astro.insertScriptResource to Astro.csp.insertScriptResource
    • Astro.insertScriptHash to Astro.csp.insertScriptHash

    The following runtime APIs of the APIContext have been renamed:

    • ctx.insertDirective to ctx.csp.insertDirective
    • ctx.insertStyleResource to ctx.csp.insertStyleResource
    • ctx.insertStyleHash to ctx.csp.insertStyleHash
    • ctx.insertScriptResource to ctx.csp.insertScriptResource
    • ctx.insertScriptHash to ctx.csp.insertScriptHash
  • #14283 3224637 Thanks @ematipico! - Fixes an issue where CSP headers were incorrectly injected in the development server.

  • #14275 3e2f20d Thanks @florian-lefebvre! - Adds support for experimental CSP when using experimental fonts

    Experimental fonts now integrate well with experimental CSP by injecting hashes for the styles it generates, as well as font-src directives.

    No action is required to benefit from it.

  • #14280 4b9fb73 Thanks @ascorbic! - Fixes a bug that caused cookies to not be correctly set when using middleware sequences

  • #14276 77281c4 Thanks @ArmandPhilippot! - Adds a missing export for resolveSrc, a documented image services utility.

v5.13.4

Compare Source

Patch Changes
  • #14260 86a1e40 Thanks @jp-knj! - Fixes Astro.url.pathname to respect trailingSlash: 'never' configuration when using a base path. Previously, the root path with a base would incorrectly return /base/ instead of /base when trailingSlash was set to 'never'.

  • #14248 e81c4bd Thanks @julesyoungberg! - Fixes a bug where actions named 'apply' do not work due to being a function prototype method.

v5.13.3

Compare Source

Patch Changes
  • #14239 d7d93e1 Thanks @wtchnm! - Fixes a bug where the types for the live content collections were not being generated correctly in dev mode

  • #14221 eadc9dd Thanks @delucis! - Fixes JSON schema support for content collections using the file() loader

  • #14229 1a9107a Thanks @jonmichaeldarby! - Ensures Astro.currentLocale returns the correct locale during SSG for pages that use a locale param (such as [locale].astro or [locale]/index.astro, which produce [locale].html)

v5.13.2

Compare Source

Patch Changes

v5.13.1

Compare Source

Patch Changes
  • #14409 250a595 Thanks @louisescher! - Fixes an issue where astro info would log errors to console in certain cases.

  • #14398 a7df80d Thanks @idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance

  • #13747 120866f Thanks @jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter

    The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.

  • #14428 32a8acb Thanks @drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer

  • #14411 a601186 Thanks @GameRoMan! - Fixes relative links to docs that could not be opened in the editor.

v5.13.0

Compare Source

Minor Changes
  • #14173 39911b8 Thanks @florian-lefebvre! - Adds an experimental flag staticImportMetaEnv to disable the replacement of import.meta.env values with process.env calls and their coercion of environment variable values. This supersedes the rawEnvValues experimental flag, which is now removed.

    Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via astro:env into the expected type. This is the recommended way to use environment variables in Astro, as it allows you to easily see and manage whether your variables are public or secret, available on the client or only on the server at build time, and the data type of your values.

    However, you can still access environment variables through process.env and import.meta.env directly when needed. This was the only way to use environment variables in Astro before astro:env was added in Astro 5.0, and Astro's default handling of import.meta.env includes some logic that was only needed for earlier versions of Astro.

    The experimental.staticImportMetaEnv flag updates the behavior of import.meta.env to align with Vite's handling of environment variables and for better ease of use with Astro's current implementations and features. This will become the default behavior in Astro 6.0, and this early preview is introduced as an experimental feature.

    Currently, non-public import.meta.env environment variables are replaced by a reference to process.env. Additionally, Astro may also convert the value type of your environment variables used through import.meta.env, which can prevent access to some values such as the strings "true" (which is converted to a boolean value), and "1" (which is converted to a number).

    The experimental.staticImportMetaEnv flag simplifies Astro's default behavior, making it easier to understand and use. Astro will no longer replace any import.meta.env environment variables with a process.env call, nor will it coerce values.

    To enable this feature, add the experimental flag in your Astro config and remove rawEnvValues if it was enabled:

    // astro.config.mjs
    import { defineConfig } from "astro/config";
    
    export default defineConfig({
    +  experimental: {
    +    staticImportMetaEnv: true
    -    rawEnvValues: false
    +  }
    });
Updating your project

If you were relying on Astro's default coercion, you may need to update your project code to apply it manually:

// src/components/MyComponent.astro
- const enabled: boolean = import.meta.env.ENABLED;
+ const enabled: boolean = import.meta.env.ENABLED === "true";

If you were relying on the transformation into process.env calls, you may need to update your project code to apply it manually:

// src/components/MyComponent.astro
- const enabled: boolean = import.meta.env.DB_PASSWORD;
+ const enabled: boolean = process.env.DB_PASSWORD;

You may also need to update types:

// src/env.d.ts
interface ImportMetaEnv {
  readonly PUBLIC_POKEAPI: string;
-  readonly DB_PASSWORD: string;
-  readonly ENABLED: boolean;
+  readonly ENABLED: string;
}

interface ImportMeta {
  readonly env: ImportMetaEnv;
}

+ namespace NodeJS {
+  interface ProcessEnv {
+    DB_PASSWORD: string;
+  }
+ }

See the experimental static import.meta.env documentation for more information about this feature. You can learn more about using environment variables in Astro, including astro:env, in the environment variables documentation.

  • #14122 41ed3ac Thanks @ascorbic! - Adds experimental support for automatic Chrome DevTools workspace folders

    This feature allows you to edit files directly in the browser and have those changes reflected in your local file system via a connected workspace folder. This allows you to apply edits such as CSS tweaks without leaving your browser tab!

    With this feature enabled, the Astro dev server will automatically configure a Chrome DevTools workspace for your project. Your project will then appear as a workspace source, ready to connect. Then, changes that you make in the "Sources" panel are automatically saved to your project source code.

    To enable this feature, add the experimental flag chromeDevtoolsWorkspace to your Astro config:

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      experimental: {
        chromeDevtoolsWorkspace: true,
      },
    });

    See the experimental Chrome DevTools workspace feature documentation for more information.

v5.12.9

Compare Source

Patch Changes
  • #14020 9518975 Thanks @jp-knj and @asieradzk! - Prevent double-prefixed redirect paths when using fallback and redirectToDefaultLocale together

    Fixes an issue where i18n fallback routes would generate double-prefixed paths (e.g., /es/es/test/item1/) when fallback and redirectToDefaultLocale configurations were used together. The fix adds proper checks to prevent double prefixing in route generation.

  • #14199 3e4cb8e Thanks @ascorbic! - Fixes a bug that prevented HMR from working with inline styles

v5.12.8

Compare Source

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Oct 11, 2025
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch 4 times, most recently from 31649f7 to a043f19 Compare October 15, 2025 05:15
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch 5 times, most recently from e579f05 to f4db07f Compare October 27, 2025 14:26
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch 2 times, most recently from 9dc289b to 1c8bcb3 Compare October 29, 2025 01:12
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch 3 times, most recently from 4890b2a to 9641d8e Compare November 11, 2025 02:47
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 9641d8e to e271369 Compare November 14, 2025 03:14