Problem

When multiple JSX renderers are used (e.g. React + Preact), Astro doesn't really know which renderer it should use to render a .jsx file during SSR. Astro will try to guess the renderer on a best-effort basis, for example:

• if a component is named QwikComponent, then it won't be treated as a React component (code link)
• if a component outputs <undefined> in the HTML, then it won't be treated as a Preact component (code link)

These guesses are fragile and error-prone. For example, in #15341, a React component is rendered using preact during SSR. This could cause subtle bugs, such as hydration mismatches when using preact to render a React component. Currently we just patch console.error and pretend it's not a problem.

Idea

When multiple JSX renderers are used in the same project, users SHOULD specify the include/exclude patterns to identify the components that should be rendered by each renderer. Otherwise a warning is already shown to the user.

These include/exclude patterns are currently only used by the Vite JSX transform plugins. We can reuse them during the SSR phase to pick the correct renderer for a JSX component.

Changes

This PR includes three main changes:

1. In packages/astro/src: I pass the metadata to the render.ssr.check() function. Notice that this matches the existing signature of the check() function.

2. In packages/astro/test: I build a comprehensive test fixture with two mock renderers (woof/meow) that demonstrates the filter pattern. Tests cover different scenarios: SSR-only components, client:load components, and client:only components.

3. In packages/integrations/preact: I reuse the include/exclude options passed to the integration. During the SSR phase, these options are used to check the component path from metadata.componentUrl.

   For now, I only update @astrojs/preact in this PR because I want to keep the PR small and focused. But in an ideal world, we should update all the JSX renderers to use this approach, including official renderers like @astrojs/react and third-party renderers like @qwikdev/astro.

Potential breaking changes

Let's say we have a project with the following config:

defineConfig({
  integrations: [
    preact({
      include: ['**/preact/jsx/*.jsx'],
    }),
    react({
      include: ['**/react/jsx/*.jsx'],
    }),
  ],
})

And we have the following file structure:

src/
  components/
    preact/
      jsx/
        Button.jsx  <-- A Preact component with .jsx extension
      js/
        Tooltip.js  <-- A Preact component with .js extension
    react/
      jsx/
        Box.jsx     <-- A React component with .jsx extension

Before this PR, all three components would be rendered by preact during SSR.
After this PR, Button.jsx will be rendered by preact, Box.jsx will be rendered by react, and Tooltip.js won't be rendered by any renderer, which will cause a build-time error.

Alternative Approach

In my current approach, I let @astrojs/preact handle its own include/exclude patterns and decide whether to render a component by itself. In an alternative approach, we could let the Astro core handle the include/exclude patterns. I didn't choose this alternative approach because include/exclude are technically renderer-specific. Although almost all Vite plugins use these patterns since this pattern is from Rollup, a Vite plugin could prefer to use other patterns to identify if a .jsx file is a valid component, especially in the future when Rolldown replaces Rollup as the default bundler.

Known limitation

SSR-only components (those without any client:* directive) don't have metadata.componentUrl, because the Astro compiler only emits client:component-path for hydrated components. The filter can't apply in this case, and check() falls back to its existing try-render behavior. Therefore, my current PR only improves the JSX components with client:* directive.

I can submit another purpose to the compiler repo with more details, if the team thinks this is a good idea.

Docs

No ready.

Changes

Images and styles in content in Cloudflare in MDX did not work correctly, the vite-plugin-content-assets plugin just would never run because it'd instantly fail at the beginning, the error would happens inside workerd, so it didn't crash the build but you'd just get a thousand errors during the build, and in dev the file just was wrong.

Fixes #15681 (comment)

Testing

Added a test

Docs

N/A

Changes

This PR tries to add more unit tests for server islands. If follow the same pattern followed until now. Creating dedicated mocks for the use case.

Some integration tests couldn't be removed because of what they test (the whole pipeline)

Testing

Green CI

Docs

Changes

This PR ports the majority of middleware integration tests to be unit tests.

Some tests can't be ported, so in the next commit I will remove only the ones that can be ported.

Testing

Green CI

Docs

Changes

This PR removes the build steps from the CI jobs. I did this because it doesn't sense to build the project twice:

• one for just checking if the build works
• one of the rest of the jobs

Testing

Green CI

Docs

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

astro@6.0.0-beta.18

Patch Changes

• #15685 1a323e5 Thanks @jcayzac! - Fix regression where SVG images in content collection image() fields could not be rendered as inline components. This behavior is now restored while preserving the TLA deadlock fix.

• #15693 4db2089 Thanks @ArmandPhilippot! - Fixes the links to Astro Docs to match the v6 structure.

• Updated dependencies [f94d3c5]:

  • @astrojs/markdown-remark@7.0.0-beta.9

@astrojs/markdoc@1.0.0-beta.13

Patch Changes

• Updated dependencies [f94d3c5]:
  • @astrojs/markdown-remark@7.0.0-beta.9

@astrojs/mdx@5.0.0-beta.10

Patch Changes

• Updated dependencies [f94d3c5]:
  • @astrojs/markdown-remark@7.0.0-beta.9

@astrojs/markdown-remark@7.0.0-beta.9

Patch Changes

• #15651 f94d3c5 Thanks @ocavue! - Reuses cached Shiki highlighter instances across languages.

SVG images in content collection image() fields were regressed to plain metadata objects by 5bc2b2c, which fixed a TLA circular-dependency deadlock by skipping SVG component creation entirely.

Changes

The fix embeds the parsed SVG data (attributes and inner HTML) in the metadata at build time, then reconstructs the renderable component inside updateImageReferencesInData() in content/runtime.ts. This keeps the SVG Vite module free of server-runtime imports (preserving the TLA fix) while restoring the ability to render SVG images as inline components.

Testing

• Existing tests pass
• Add new test to validate the regression is fixed.

Docs

• No impact on public API.

Changes

• Netlify config must be statically analyzable, but when it got moved into an import it no longer was, causing Netlify not to have a catch-all route.
• Caused by #15413

Testing

• This works now: https://deploy-preview-2060--astro-www-2.netlify.app/themes/

Docs

N/A, bug fix

Changes

This change optimizes the bundle size when using the <Code /> component with output: 'server'.
Previously, all of Shiki's language and theme files were automatically bundled at build time, causing the bundle size to bloat with files that are never used.
In my environment, a project with just a single <Code /> component on a page resulted in a build size of around 10MB.
This pull request addresses the issue by introducing the optimizeShiki option, which allows users to explicitly specify which languages and themes to include in the bundle.

This becomes particularly problematic when deploying to Cloudflare Workers, which enforces the following size limits:

The reduction effect is as follows:

Measured with pnpm wrangler deploy --dry-run

When this option is used, only the specified languages and themes are available during SSR. However, since bundle size is not a concern during prerendering or SSG, all languages and themes remain freely available in those environments regardless of the option.

A minimal reproduction repository demonstrating the bundle size issue is available here: https://github.com/rururux/astro-code-bundle-size-demo
After running pnpm build, check the size of the dist/server/chunks directory to observe the bloated bundle size.

Testing

The following scenarios are covered by the new tests:

• Bundle size is reduced when the optimizeShiki option is configured
• All languages and themes are bundled as usual when the option is not set
• Languages specified in the option are correctly syntax-highlighted
• Languages not specified in the option are rendered without syntax highlighting
• Prerendered pages apply syntax highlighting regardless of the option configuration

Docs

TODO:

• changeset
• jsDoc
• document PR

/cc @withastro/maintainers-docs

Changes

This PR moves some CSP tests to be unit tests. Unfortunate some other tests can't be unit tested because need vite.

I kept track of the tests that can be moved to unit, and I will remove them in the next commit once all tests pass.

Testing

Green CI

Docs

fixes: #15675

Changes

A changeset was missing for the ./shiki subpath export addition in @astrojs/markdown-remark, so the package was never re-published with that change.
As a result, the published version (7.0.0-beta.7) is outdated and packages that depend on @astrojs/markdown-remark (such as astro itself) fail when trying to resolve the ./shiki specifier.
This PR adds the missing changeset to trigger a new release.

Testing

N/A

Docs

N/A

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

astro@6.0.0-beta.17

Minor Changes

• #15495 5b99e90 Thanks @leekeh! - Adds a new middlewareMode adapter feature to replace the previous edgeMiddleware option.

  This feature only impacts adapter authors. If your adapter supports edgeMiddleware, you should upgrade to the new middlewareMode option to specify the middleware mode for your adapter as soon as possible. The edgeMiddleware feature is deprecated and will be removed in a future major release.

  export default function createIntegration() {
    return {
      name: '@example/my-adapter',
      hooks: {
        'astro:config:done': ({ setAdapter }) => {
          setAdapter({
            name: '@example/my-adapter',
            serverEntrypoint: '@example/my-adapter/server.js',
            adapterFeatures: {
  -            edgeMiddleware: true
  +            middlewareMode: 'edge'
            }
          });
        },
      },
    };
  }

Patch Changes

• #15657 cb625b6 Thanks @qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

• Updated dependencies [1fa4177]:

  • @astrojs/markdown-remark@7.0.0-beta.8

@astrojs/netlify@7.0.0-beta.12

Minor Changes

• #15495 5b99e90 Thanks @leekeh! - Adds new middlewareMode adapter feature and deprecates edgeMiddleware option

  The edgeMiddleware option is now deprecated and will be removed in a future major release, so users should transition to using the new middlewareMode feature as soon as possible.

  export default defineConfig({
    adapter: netlify({
  -    edgeMiddleware: true
  +    middlewareMode: 'edge'
    })
  })

Patch Changes

• #15679 19ba822 Thanks @matthewp! - Fixes server-rendered routes returning 404 errors

  A configuration error in the build output prevented Netlify from correctly routing requests to server-rendered pages, causing them to return 404 errors. This fix ensures that all server routes are properly handled by the Netlify SSR function.

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

@astrojs/vercel@10.0.0-beta.6

Minor Changes

• #15495 5b99e90 Thanks @leekeh! - Adds new middlewareMode adapter feature and deprecates edgeMiddleware option

  The edgeMiddleware option is now deprecated and will be removed in a future release, so users should transition to using the new middlewareMode feature as soon as possible.

  export default defineConfig({
    adapter: vercel({
  -    edgeMiddleware: true
  +    middlewareMode: 'edge'
    })
  })

@astrojs/cloudflare@13.0.0-beta.11

Patch Changes

• #15495 5b99e90 Thanks @leekeh! - Refactors to use middlewareMode adapter feature (set to classic)

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

@astrojs/markdoc@1.0.0-beta.12

Patch Changes

• Updated dependencies [1fa4177]:
  • @astrojs/markdown-remark@7.0.0-beta.8

@astrojs/mdx@5.0.0-beta.9

Patch Changes

• Updated dependencies [1fa4177]:
  • @astrojs/markdown-remark@7.0.0-beta.8

@astrojs/node@10.0.0-beta.6

Patch Changes

• #15495 5b99e90 Thanks @leekeh! - Refactors to use middlewareMode adapter feature (set to classic)

• #15657 cb625b6 Thanks @qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

@astrojs/markdown-remark@7.0.0-beta.8

Patch Changes

• #15676 1fa4177 Thanks @rururux! - Fixes an issue where the use of the Code component would result in an unexpected error.

Changes

This PR tries to unit tests all components/functions that are used for manual routing.

In the next PR/commit I will remove the integration tests.

There's no actual change to the source code

Testing

Green CI

Docs

Changes

• Equivalent of #15665 for vercel

Testing

Should pass

Docs

Changeset

Changes

• Vendors cssesc and migrate to ESM. It has been causing a bunch of issues since it was introduced. FYI I sent a message to its maintainer to try upstream improvements directly but in the meantime, that's the best solution I could come with

Testing

Should pass

Docs

Changeset

Changes

• https://devblogs.microsoft.com/typescript/announcing-typescript-6-0-beta
• Updates our packages to work with TS 6 beta (intermediary release to prepare for TS 7). The updates that it requires on our side keep it backward compatible with v5
• I updated to TS 6 to spot all errors then downgraded to TS 5. It's probably too early to upgrade to v6 in the monorepo
• Most important change: the base tsconfig now has types: ["node"] and libReplacement: false
• Removes some unused things in language tools

Testing

Should pass!

Docs

• Changeset
• withastro/docs#13319

Changes

• Was failing with "Entry module cannot be external"
  • This happened after a refactor to use the new adapter API

Testing

• Verified manually in astro.build

Docs

N/A, bug fix

Changes

• None, just docs

Testing

N/A

Docs

• Explains that {} is for allowing any domain, pathname, etc.
• Gives the use-case (behind a trusted proxy).

Fixes #15660

Normalises all imageService config into a { buildService, devService, runtimeService } triple, makes custom Node-only image services work with compile, adds a Vite dev middleware that uses jiti to dynamically import the image service entrypoint in Node, so custom TypeScript services work in dev

Config shapes

export default defineConfig({
  adapter: cloudflare({
    imageService: 'compile',
  }),
});

export default defineConfig({
  adapter: cloudflare({
    imageService: './src/my-service.ts'
  }),
});

export default defineConfig({
  adapter: cloudflare({
    imageService: {
      entrypoint: './src/my-service.ts',
      config: { quality: 80 },
    },
  }),
});

export default defineConfig({
  adapter: cloudflare({
    imageService: {
      build: 'sharp', // just an example lol 
      dev: './src/my-dev-service.ts',
      runtime: './src/my-runtime-service.ts',
      transformAtBuild: false,
    }
  }),
});

Available presets: cloudflare-binding (default) | cloudflare | compile | passthrough | custom (deprecated)

What each preset resolves to

When transformsAtBuild is true, images are transformed at build time in Node (via Sharp or a custom service), and the deployed Worker just serves transformed static assets.

Other api facets

• imageService: 'sharp' throws with guidance to use 'compile' instead
• imageService: 'custom' deprecated, eventually will be copy paste from their astro config.images to the config.adapter
• Any integration that sets config.image.service in config:setup is automatically picked up by the compile preset (captured in config:done) (this means integrations like Chris's sweetcorn dithering tool will work with compile)

interface NormalizedImageConfig {
  buildService: AstroImageServiceConfig;   // what runs during prerendering in workerd
  devService: AstroImageServiceConfig;     // what runs in dev
  runtimeService: AstroImageServiceConfig; // what's bundled into the deployed Worker
  transformsAtBuild: boolean;              // whether Node-side transforms happen after prerender
  serviceEntrypoint?: string;  // which entrypoint to compile as a Node-side Rollup chunk for build-time transforms
}

// In config:setup
updateConfig({
  image: setImageConfig(normalized, config.image, command, logger),
});

server.middlewares.use(async (req, res, next) => {
  if (!req.url?.startsWith(route)) return next();
  if (!jiti) jiti = createJiti(import.meta.url);
  const mod = await jiti.import(entrypoint);
  // ... parseURL, loadSourceImage, transform, respond
});

// Generated virtual module:
import { isPrerender } from 'virtual:astro-cloudflare:config';
import prerenderService from '@astrojs/cloudflare/image-service-workerd';
import runtimeService from 'astro/assets/services/noop';
export default isPrerender ? prerenderService : runtimeService;

propertiesToHash: [...(baseService.propertiesToHash ?? []), '_serviceConfig'],

validateOptions(options, imageConfig) {
  const validated = baseService.validateOptions!(options, imageConfig);
  const config = imageConfig?.service?.config;
  if (config && Object.keys(config).length > 0) {
    (validated as any)._serviceConfig = config;
  }
  return validated;
},

const servicePath = getServicePath();
if (servicePath) {
  const absolutePath = resolve(fileURLToPath(serverDir), servicePath);
  const mod = await import(pathToFileURL(absolutePath).href);
  globalThis.astroAsset.imageService = {
    ...mod.default,
    async transform(buf, opts, imgConfig) {
      // Re-validate with the compiled service — the workerd stub's
      // validateOptions doesn't know about custom service defaults
      if (svc.validateOptions) opts = await svc.validateOptions(opts, imgConfig);
      return svc.transform(buf, opts, imgConfig);
    },
  };
}

Changes

Fix created by the triage bot. I added some comments and the changeset.

Testing

I tested locally, but preferred to not add one. A unit test didn't trigger the issue, and an integration tests was very slow and memory consuming.

Docs

N/A

Description

• Closes #3721
• This PR updates our default font stack in an attempt to handle the cases described in the linked issue
• It kind of does the opposite of #3549, bringing back -apple-system and BlinkMacSystemFont fonts and removing the newer system-ui and ui-sans-serif families.

Todo

We should try to test on a broad range of browsers and devices:

macOS

• macOS — English (@HiDeoo & @delucis)
  • Chrome (v145): Tested pages in various languages on an English-language macOS (15.7.3 and 26.3) install, no visual change after this PR
  • Firefox (v148): Same as above
  • Edge (v145): Same as above
  • Safari (v26.2): Same as above

Windows

• Windows 10 Pro — English (@HiDeoo)
  • Chrome (v145): Tested pages in various languages, no visual change after this PR
  • Firefox (v147): Same as above
  • Edge (v145): Same as above
• Windows — Japanese (@mehm8128 and @tats-u)
  • 🚨✅ Japanese characters are now displayed with Segoe UI instead of system-ui (see comment)
  • 🚨✅ Firefox: Simplified Chinese characters are now displayed correctly on a Japanese machine (see comment)
• Windows 11 — Simplified Chinese (@tsavpyn)
  • 🚨✅ Firefox (v147): Latin fontface has changed, Simplified Chinese is unchanged, Japanese characters are now displayed correctly, e.g. instead of (see comment)

iOS

• iOS 26.3 — English (@HiDeoo)
  • Safari (v26.3): Tested pages in various languages, no visual change after this PR
• ipadOS 26.3 — English (@HiDeoo)
  • Safari (v26.3): Tested pages in various languages, no visual change after this PR

Linux

• Endeavour OS virtual machine hosted on Windows — English (English host) (@HiDeoo)
  • Firefox (v146): Tested pages in various languages, no visual change after this PR
  • Chrome (v145): Same as above
• Fedora 43 virtual machine hosted on Windows - English (English host) (@HiDeoo)
  • Firefox (v147): Tested pages in various languages, no visual change after this PR
  • Chrome (v145): Same as above
• Ubuntu 24.04.4 virtual machine hosted on Windows - English (English host) (@HiDeoo)
  • 🚨❓ Firefox (v147): Tested pages in various languages, some visual change after this PR (see comment)
  • 🚨❓ Chrome (v145): Same as above

Android

• Android 11 (old!) — English (@delucis)
  • Chrome: Tested pages in various languages, no visual change after this PR
  • Firefox: Same as above

I would love help testing this! I don’t have Windows/Linux boxes to test on personally. And testing on machines in CJK locales would be particularly useful.

To test, you can compare the deploy preview for this PR with the live Starlight docs. Check if appearance of fonts change in multiple languages and note any differences if there are any.

Description

This PR adds the new Starlight Vintage theme to the theme showcase page.

Makes ContentLayer unit testable, it was already pretty close! Just needed a couple of features like being able to pass in a contentConfigObserver.

Changes

• Constructor takes a ContentObservable so it can be provided by unit tests.
• Moves the singleton to another file, this is what the rest of Astro uses.

Testing

• Moved over tests suites:
  • content-layer.test.js
  • content-layer-render.test.js

Docs

N/A, just refactor and test changes

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/starlight@0.37.7

Patch Changes

• #3726 8a09b60 Thanks @delucis! - Fixes an issue using components containing scripts inside Starlight’s steps component in versions of Astro >= 5.16.9

Changes

Backported from 5-legacy, but could not apply the cherry-pick cleanly

see #15589 etc

Testing

Docs

Affects documentation, but should be generated from a comment in the code.

Description

• Closes #3712
• This PR adds a hotfix for the <Steps> component to work around withastro/astro#15627

Changes

• From @matthewp: "while you're in there I would remove experimentalErrorPageHost which is a security nightmare"
• So this removes the option

Testing

Improves our tests to still check we read files from the filesystem

Docs

• Changeset
• withastro/docs#13310

Description

Fixes #14013

On Windows, when the working directory path case differs from the actual filesystem path (e.g. d:\dev vs D:\dev), styles are missing because Astro treats them as different files. The route component paths are computed relative to the root, so if the root has wrong casing, the paths won't match what Vite's module graph uses.

Changes

• packages/astro/src/core/config/config.ts: resolveRoot() now normalizes the resolved path using fs.realpathSync() to ensure the path casing matches the actual filesystem. Falls back to the original resolved path if realpathSync fails.

• packages/astro/test/units/config/config-resolve.test.js: Added unit tests for resolveRoot() verifying it returns the real filesystem path.

Testing

The fix ensures that resolveRoot() returns the canonical filesystem path regardless of how the user typed the directory name. This is transparent on case-sensitive systems (Linux/macOS) and fixes the style mismatch on case-insensitive systems (Windows).

Changes

Closes #15656

I noticed the following warning in my Astro project:

[Shiki] 10 instances have been created. Shiki is supposed to be used as a singleton, consider refactoring your code to cache your highlighter instance; Or call `highlighter.dispose()` to release unused instances.
[Shiki] 20 instances have been created. Shiki is supposed to be used as a singleton, consider refactoring your code to cache your highlighter instance; Or call `highlighter.dispose()` to release unused instances.
[Shiki] 30 instances have been created. Shiki is supposed to be used as a singleton, consider refactoring your code to cache your highlighter instance; Or call `highlighter.dispose()` to release unused instances.

This is due to the fact that Astro creates a new Shiki highlighter instance for each language, and there are many different code block languages in my project.

This PR improves this by using the same highlighter across languages. This approach works because Astro already loads languages dynamically when they haven't been loaded yet (code link).

Testing

Added a new test to ensure that

1. The same highlighter instance is used for different languages. I not only cache the Shiki highlighter instance, but I also cache the returned wrapper object (code link) for an extra tiny bit of performance improvement.
2. This cached highlighter instance can highlight new languages.

Docs

Changeset file has been added.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

astro@6.0.0-beta.16

Minor Changes

• #15646 0dd9d00 Thanks @delucis! - Removes redundant fetchpriority attributes from the output of Astro’s <Image> component

  Previously, Astro would always include fetchpriority="auto" on images not using the priority attribute.
  However, this is the default value, so specifying it is redundant. This change omits the attribute by default.

Patch Changes

• #15661 7150a2e Thanks @ematipico! - Fixes a build error when generating projects with 100k+ static routes.

• #15603 5bc2b2c Thanks @0xRozier! - Fixes a deadlock that occurred when using SVG images in content collections

• #15669 d5a888b Thanks @florian-lefebvre! - Removes the cssesc dependency

  This CommonJS dependency could sometimes cause errors because Astro is ESM-only. It is now replaced with a built-in ESM-friendly implementation.

@astrojs/cloudflare@13.0.0-beta.10

Patch Changes

• #15669 d5a888b Thanks @florian-lefebvre! - Removes the cssesc dependency

  This CommonJS dependency could sometimes cause errors because Astro is ESM-only. It is now replaced with a built-in ESM-friendly implementation.

• #15648 802426b Thanks @rururux! - Restore and fix <Code /> component functionality on Cloudflare Workers.

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

@astrojs/netlify@7.0.0-beta.11

Patch Changes

• #15665 52a7efd Thanks @matthewp! - Fixes builds that were failing with "Entry module cannot be external" error when using the Netlify adapter

  This error was preventing sites from building after recent internal changes. Your builds should now work as expected without any changes to your code.

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

Changes

I’ve restored the code that was previously reverted and ensured that the tests no longer fail.

Testing

CI should be green.

Docs

N/A

Changes

• Removes two nonexistent exports left over from #15640 that are causing linting to fail

Testing

Linting should no longer fail

Docs

n/a

Changes

• Updates the default image service to avoid outputting redundant fetchpriority="auto" on images
• This value is the default value so there is no need to specify it explicitly (see MDN)

Testing

We had two tests that asserted we would add this attribute, so I updated them to assert that we don’t.

There are other tests that check we correctly fetchpriority="high" when users use the priority prop on the <Image> component.

Docs

n/a — no user-facing change in behaviour

Changes

This PR was vibe coded. I checked the implementation code, but I let the AI porting all tests to be unit.

This PR makes the implementation of i18n more testable.

• Crates a I18nRouter that accepts a context, and emits decisions. Eventually, this decision is given to the middleware, which decides what to do.
• The fallback is even simpler, it's just a function that accepts some parameters and emits decisions

Testing

Green CI

Docs

Not needed

Changes

Closes #15608
Closes #15582

Revert #15582

Unfortunately we can't, in any way possible, to support Shiki with CSP. After extensive research, and realised that I broke things with my previous PR, we can't have a solution that works for everything.

Even with head propagation, markdown files can't be supported.

I added a warning for our users

Testing

CI is green

Docs

withastro/docs#13307

/cc @withastro/maintainers-docs for feedback!

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/workers-types	^4.20260227.0 → ^4.20260228.0
svelte (source)	^5.53.0 → ^5.53.1

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

• Addresses https://github.com/orgs/withastro/projects/21/views/1?pane=issue&itemId=159371241
• workerd doesn't work on Stackblitz, which causes weird errors. We now throw a clean error when running in a webcontainer
• Updates the issue template to mention github for repros

Testing

N/A

Docs

Changeset + issue template

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/compiler (source)	^3.0.0-beta.0 → ^3.0.0-beta.1
@preact/signals (source)	2.7.1 → 2.8.1
@tailwindcss/vite (source)	^4.1.18 → ^4.2.0
acorn	^8.15.0 → ^8.16.0
preact (source)	^10.28.3 → ^10.28.4
rollup (source)	^4.57.1 → ^4.58.0
svelte (source)	^5.51.5 → ^5.53.1
tailwindcss (source)	^4.1.18 → ^4.2.0
undici (source)	^7.21.0 → ^7.22.0
vue (source)	^3.5.27 → ^3.5.28

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Fixes: #15622 Components passed as slots to server:defer components had their <script> tags silently dropped. renderSlotToString separates HTML from render instructions, and only the HTML survived serialization via content.toString().

This appends script instructions to the slot HTML before encryption, so the island response includes the scripts needed for interactivity.

Changes

• Append type === 'script' render instructions to slot HTML in ServerIslandComponent.getIslandContent() before the payload is encrypted

Testing

Minimal reproduction: https://github.com/jwoyo/astro-server-island-bug

1. Component with <script> passed as slot to server:defer wrapper
2. Before: island response contains HTML but no <script> → no interactivity
3. After: island response includes the script → works

Docs

No docs needed — this is a bug fix restoring expected behavior.

One could argue that may result in duplicate script injection when the same component is also used statically on the page. But deduplication is not feasible at this point in the render pipeline due to concurrent buffering - the need to build idempotent scripts (that don't hurt when executed twice) could be part of the docs.

This PR contains the following updates:

Package	Change	Age	Confidence
@preact/signals (source)	^2.7.1 → ^2.8.1
preact (source)	^10.28.3 → ^10.28.4
preact-render-to-string	^6.6.5 → ^6.6.6
svelte (source)	^5.51.5 → ^5.53.1
svelte2tsx (source)	^0.7.47 → ^0.7.51

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Fixes #15520

Changes

• Adds a config() hook to the astroPrefetch Vite plugin that excludes astro/virtual-modules/prefetch.js from Vite's optimizeDeps.
• When <ClientRouter /> is used, Vite discovers the prefetch module as a transitive dependency and pre-bundles it via esbuild, which doesn't invoke Vite plugin transform hooks. This leaves the placeholder constants (__PREFETCH_PREFETCH_ALL__, etc.) unreplaced, causing a ReferenceError at runtime in the browser.
• The fix follows the same pattern used by the astro:transitions plugin, which already configures optimizeDeps via its own config() hook.

The triage bot was able to reproduce and confirm the root cause and the fix (labeled P2: has workaround).

Testing

I've verified this fix in my own project where I was hitting the issue. I haven't added a test here since the bug only manifests in a non-workspace npm install environment (Vite resolves differently in workspace setups), and the existing test infrastructure runs within the monorepo workspace. Happy to add one if you can point me toward a good pattern for testing dep optimization behavior.

Docs

N/A -- this is a dev server bug fix with no user-facing API changes. Users who applied the workaround from #15520 can remove the vite.optimizeDeps.exclude entry from their astro.config.mjs after this lands.

Changes

• Replace manual docker login with the official docker/login-action@v3.7.0 in the issue triage workflow.
• This silences the "credentials stored unencrypted" Docker warning that was appearing in CI logs and causing confusion.

Testing

Verified by reviewing the docker/login-action docs — it performs the same GHCR authentication but uses a credential store instead of writing plaintext credentials. Will be validated on the next issue triage run.

Docs

No docs needed — this is an internal CI workflow change with no user-facing impact.

Changes

From the most recent CI run, after #15545 was merged:
https://github.com/withastro/astro/actions/runs/22320279718/job/64576369787

[opencode] (skill("triage/reproduce.md")) tool:pending  bash — bash
[opencode] (skill("triage/reproduce.md")) > The StackBlitz URL `[https://stackblitz.com/~/github.com/jwoyo/astro-server-island-bug`](https://stackblitz.com/~/github.com/jwoyo/astro-server-island-bug%60) points to a GitHub repo. Let me clone it.
[opencode] (skill("triage/reproduce.md")) tool:running  bash — mkdir -p triage/gh-15622 && git clone https://github.com/jwoyo/astro-server-island-bug.git triage/gh-15622 && rm -rf triage/gh-15622/.git
[proxy:github-git] DENIED: POST /jwoyo/astro-server-island-bug.git/git-upload-pack
  Reason: not allowed by allow-read policy
  To allow: add a policy.allow rule for POST to this path, or use policy: 'allow-all'
CLONE_FAILED

Testing

• N/A

Docs

• N/A

Both workflows fail on forks because they depend on secrets (NETLIFY_PREVIEWS_BUILD_HOOK, CODSPEED_TOKEN) that are only available in the withastro org.

Changes

• examples-deploy.yml — Add if: ${{ github.repository_owner == 'withastro' }} to the deploy job; add permissions: contents: read (missing permissions block)
• continuous_benchmark.yml — Add if: ${{ github.repository_owner == 'withastro' }} to the codspeed job

This matches the guard already used in release.yml and other workflows.

• Fixes #15624

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Changes

this adds the following option:

export default defineConfig({
  ...
  image: {
    service: {
      defaultFormat: "original",
    },
  },
});

which defaults to "webp" (our defaults) but allows "original" to keep the file format.

Testing

this was tested on my personal website.

i didn't add tests because it's such a small change, but will do so if requested.

Docs

it should be documented enough, since it doesn't change any defaults.

https://turborepo.dev/docs/reference/run#--affected

fixes: #15341

Changes

Updated the error filtering logic to support React 19.
Previously, the "Invalid hook call" error (which occurs when using React and Preact integrations together) was filtered out to prevent noise. However, the filtering failed for React 19 because its error message format had changed.
This PR ensures that the new React 19 error messages are correctly identified and filtered, maintaining a clean console output for users.

Testing

Added a regression test to verify that the "Invalid hook call" error is no longer logged when React 19 and Preact are used together.
The hookError utility in the test was adapted from the following implementation:

Docs

N/A, bug fix

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vite-plugin (source)	^1.25.0 → ^1.25.2
@cloudflare/workers-types	^4.20260213.0 → ^4.20260227.0
@netlify/blobs (source)	^10.6.0 → ^10.7.0
@netlify/vite-plugin (source)	^2.9.0 → ^2.10.2
@tailwindcss/vite (source)	^4.1.18 → ^4.2.0
svelte (source)	^5.51.5 → ^5.53.0
svelte (source)	^5.50.3 → ^5.53.0
tailwindcss (source)	^4.1.18 → ^4.2.0
wrangler (source)	^4.65.0 → ^4.67.0

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/rss (source)	^4.0.15-beta.3 → ^4.0.15
@astrojs/sitemap (source)	^3.6.1-beta.3 → ^3.7.0
@​flue/cli	^0.0.32 → ^0.0.44
@​flue/client	^0.0.18 → ^0.0.27
@preact/signals (source)	^2.7.1 → ^2.8.1
@tailwindcss/vite (source)	^4.1.18 → ^4.2.0
fast-xml-parser	^5.3.6 → ^5.3.7
is-wsl	^3.1.0 → ^3.1.1
pnpm (source)	10.29.3 → 10.30.1
preact (source)	^10.28.3 → ^10.28.4
svelte (source)	^5.51.5 → ^5.53.0
tailwindcss (source)	^4.1.18 → ^4.2.0
turbo (source)	^2.8.7 → ^2.8.10
typescript-eslint (source)	^8.55.0 → ^8.56.0

Release Notes

pnpm/pnpm (pnpm)

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

• Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Gold Sponsors

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

• pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

• Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
• Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Gold Sponsors

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

• Replaces Object.prototype.toString.call() with instanceof for isHTMLString detection
• Reorders renderChild type dispatch to check strings first (most common child type)
• Eliminates O(N²) head element deduplication by using a Set
• Renders array children and template expressions directly to the destination without buffering when synchronous, falling back to BufferedRenderer only when a Promise is encountered
• Adds targeted rendering benchmarks (rendering-perf.bench.js) covering many-components, many-expressions, many-head-elements, many-slots, large-array, and static-heavy page shapes

Codspeed results: all benchmarks improve or stay flat, no regressions on .md or .mdx routes. The .astro page benchmark (10K-item list) doubles in throughput.

Research done with help from Claude. Benchmarks by Claude.

Testing

New benchmarks in benchmark/bench/rendering-perf.bench.js and existing benchmark/bench/render.bench.js.

Results from local tests, compared to main:

rendering-perf.bench.js (non-streaming)

render.bench.js (realistic pages)

Docs

Internal optimizations only — no public API or behavior changes. No docs needed.

Fixes #15576

This adds a temporary workaround for a Svelte bug where components extract the class property with a null default (like let { class: className = null } = $props();). The SSR output incorrectly renders class="" instead of omitting the attribute entirely.

The fix post-processes the SSR HTML output to remove empty class attributes, matching native Svelte behavior until the upstream issue is resolved.

Tests verify the fix works correctly in both build and dev modes.

Summary

Fixes #15575

• Preserve astroContentImageFlag through the Vite resolution pipeline in vite-plugin-content-assets.ts so downstream plugins can detect content collection images
• Return plain ImageMetadata for content collection SVGs in vite-plugin-assets.ts instead of creating full Astro components (which import createComponent from the server runtime and cause a circular module dependency deadlock with TLA)

Root Cause

When SVG images are used in content collection image() fields:

1. content-assets.mjs imports them with ?astroContentImageFlag
2. The content asset plugin stripped this flag during resolution
3. The assets ESM plugin didn't know the SVG came from a content collection, so it called makeSvgComponent() which imports from runtime/server/index.js
4. Combined with top-level await (TLA) in page components, this created a circular dependency deadlock causing Node.js to silently exit with code 0

Fix

The astroContentImageFlag is now preserved through resolution so the assets plugin can distinguish content collection SVGs (which only need metadata) from directly imported SVGs (which need full component rendering).

Test plan

• New regression test: content-collection-tla-svg.test.js (YAML collection + SVG image() field + TLA with getCollection)
• Existing core-image tests pass (100/100)
• Existing core-image-svg tests pass (11/11)
• Existing content-layer tests pass (59/59)

🤖 Generated with Claude Code

Summary

Fixes #15439

<script> and <style> tags inside JSX expressions (e.g. {cond && <script>...</script>}) were losing syntax highlighting and IntelliSense because their content was scoped as plain TSX instead of JavaScript/CSS.

Changes to astro.tmLanguage.src.yaml:

• New injection rule (L:meta.embedded.expression.astro - meta.embedded.block): Injects the existing #tags-lang pattern into expression scopes so <script>/<style> tags are properly recognized inside expressions and create the correct scope structure (meta.script.astro / meta.style.astro).
• Narrowed injection exclusions: Changed - (meta source) to - (meta.embedded.block source) in all 12 language injection selectors. This allows them to fire inside expressions (where source.tsx is present from the interpolation contentName) while still preventing double-injection.

Before

Content inside <script> in expressions was scoped as source.tsx:

source.astro meta.embedded.expression.astro source.tsx

After

Content is now properly injected with source.js / source.css:

source.astro meta.embedded.expression.astro source.tsx meta.scope.tag.script.astro meta.script.astro meta.embedded.block.astro source.js

Test plan

• All 20 existing grammar snapshot tests pass unchanged (zero regressions)
• Added script/expression.astro test fixture covering <script> in ternary and && expressions
• Added style/expression.astro test fixture covering <style> in ternary and && expressions
• Verified snapshots show correct source.js / source.css scoping for script/style content inside expressions

🤖 Generated with Claude Code

Changes

• Fixes grammar and spelling

Testing

I'm not adding my tests in this PR, but I used my tooling to identify errors and then validated that I fixed most of them (some items identified by the tooling are false positives, and some would probably require more energy to discuss, so I've left them be):

• This was roughly the list of items my tooling identified: https://github.com/jsoref/astro/actions/runs/22241218963/attempts/1#summary-64345017746
• This is what my tooling thinks after the changes here:
  https://github.com/jsoref/astro/actions/runs/22241219924/attempts/1#summary-64345020614

Note that there are a bunch of fixes that my tooling didn't identify which I made later -- especially while trying to read the contributing file--I call them "in the neighborhood" fixes. (I also added some checks to my catalog of grammar errors based on things I found here...)

I prefer to have upstream CI pass before I make a PR, but the 6!==7 thing failed consistently in full CI and didn't fail in CI when I deleted everything else. There was one CI failure that just popped up in the last run. On Discord and in the docs it appears there's some understanding that there are some flaky tests, so I'm posting anyway. -- None of my changes seemed to be particularly close to the tests that failed (my initial run did have one set of real tests that I had to fix, but I fixed that quickly).

Docs

I don't think any changes to docs should be necessary.

Docs

• Make this a minor since its a new option.
• Add a code example
• Set the correct version number

Changes

This a small refactor to speedup our linting step in CI. Here's the changes

• Move the biome linting in its own step, using its own action because it doesn't need Node.js, pnpm, etc. it will be fast.
• The former lint step now runs first knip and then eslint. knip is objectively faster, so it gives us faster feedback
• Removed the needs of build from the former lint step. The step, already, builds the whole monorepo, so there's no need to wait for the Build step to understand if something is red

Plus, upgraded Biome because it allows to run multiple reporters, as you can see from the changes.

Testing

Locally tested that the Biome command still works

Docs

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to 5-legacy, this PR will be updated.

Releases

astro@5.18.0

Minor Changes

• #15589 b7dd447 Thanks @qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #15594 efae11c Thanks @qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

Changes

• Sort collections and their entries by key at all three serialization points in MutableDataStore (toString, writeAssetImports, writeModuleImports) to ensure deterministic output regardless of concurrent processing order.

Fixes #15592

Testing

• Tests updated

Docs

N/A, bug fix

Changes

Refactors the checkOrigin middleware to be a port of go's csrf protection.

Ref: https://cs.opensource.google/go/go/+/refs/tags/go1.26.0:src/net/http/csrf.go;l=206

Ref article by the one of go author: https://words.filippo.io/csrf/

Testing

One test was added to check the green path.

Docs

Since this PR don't change the security.checkOrigin variable, no docs should need update.
However, since the new implementation checks not only the origin, but also sec-fetch-site maybe the variable name should change?

Changes

backports #15560 to 5.x

Testing

Docs

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

@astrojs/cloudflare@13.0.0-beta.9

Major Changes

• #15435 957b9fe Thanks @rururux! - Changes the default image service from compile to cloudflare-binding. Image services options that resulted in broken images in development due to Node JS incompatiblities have now been updated to use the noop passthrough image service in dev mode. - (Cloudflare v13 and Astro6 upgrade guidance)

Minor Changes

• #15435 957b9fe Thanks @rururux! - Adds support for configuring the image service as an object with separate build and runtime options

  It is now possible to set both a build-time and runtime service independently. Currently, 'compile' is the only available build time option. The supported runtime options are 'passthrough' (default) and 'cloudflare-binding':

  import { defineConfig } from 'astro/config';
  import cloudflare from '@astrojs/cloudflare';
  
  export default defineConfig({
    adapter: cloudflare({
      imageService: { build: 'compile', runtime: 'cloudflare-binding' },
    }),
  });

  See the Cloudflare adapter imageService docs for more information about configuring your image service.

• #15556 8fb329b Thanks @florian-lefebvre! - Adds support for more @cloudflare/vite-plugin options

  The adapter now accepts the following options from Cloudflare's Vite plugin:

  • auxiliaryWorkers
  • configPath
  • inspectorPort
  • persistState
  • remoteBindings
  • experimental.headersAndRedirectsDevModeSupport

  For example, you can now set inspectorPort to provide a custom port for debugging your Workers:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import cloudflare from '@astrojs/cloudflare';
  
  export default defineConfig({
    adapter: cloudflare({
      inspectorPort: 3456,
    }),
  });

Patch Changes

• #15565 30cd6db Thanks @ematipico! - Fixes an issue where the use of the Code component would result in an unexpected error.

• #15588 425ea16 Thanks @rururux! - Fixes an issue where esbuild would throw a "Top-level return cannot be used inside an ECMAScript module" error during dependency scanning in certain environments.

• #15636 5ecd04c Thanks @florian-lefebvre! - Adds an error when running on Stackblitz, since workerd doesn't support it

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

astro@6.0.0-beta.15

Minor Changes

• #15471 32b4302 Thanks @ematipico! - Adds a new experimental flag queuedRendering to enable a queue-based rendering engine

  The new engine is based on a two-pass process, where the first pass
  traverses the tree of components, emits an ordered queue, and then the queue is rendered.

  The new engine does not use recursion, and comes with two customizable options.

  Early benchmarks showed significant speed improvements and memory efficiency in big projects.

  Queue-rendered based

  The new engine can be enabled in your Astro config with experimental.queuedRendering.enabled set to true, and can be further customized with additional sub-features.

  // astro.config.mjs
  export default defineConfig({
    experimental: {
      queuedRendering: {
        enabled: true,
      },
    },
  });

  Pooling

  With the new engine enabled, you now have the option to have a pool of nodes that can be saved and reused across page rendering. Node pooling has no effect when rendering pages on demand (SSR) because these rendering requests don't share memory. However, it can be very useful for performance when building static pages.

  // astro.config.mjs
  export default defineConfig({
    experimental: {
      queuedRendering: {
        enabled: true,
        poolSize: 2000, // store up to 2k nodes to be reused across renderers
      },
    },
  });

  Content caching

  The new engine additionally unlocks a new contentCache option. This allows you to cache values of nodes during the rendering phase. This is currently a boolean feature with no further customization (e.g. size of cache) that uses sensible defaults for most large content collections:

  When disabled, the pool engine won't cache strings, but only types.

  // astro.config.mjs
  export default defineConfig({
    experimental: {
      queuedRendering: {
        enabled: true,
        contentCache: true, // enable re-use of node values
      },
    },
  });

  For more information on enabling and using this feature in your project, see the experimental queued rendering docs for more details.

• #15543 d43841d Thanks @Princesseuh! - Adds a new experimental.rustCompiler flag to opt into the experimental Rust-based Astro compiler

  This experimental compiler is faster, provides better error messages, and generally has better support for modern JavaScript, TypeScript, and CSS features.

  After enabling in your Astro config, the @astrojs/compiler-rs package must also be installed into your project separately:

  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      rustCompiler: true,
    },
  });

  This new compiler is still in early development and may exhibit some differences compared to the existing Go-based compiler. Notably, this compiler is generally more strict in regard to invalid HTML syntax and may throw errors in cases where the Go-based compiler would have been more lenient. For example, unclosed tags (e.g. <p>My paragraph) will now result in errors.

  For more information about using this experimental feature in your project, especially regarding expected differences and limitations, please see the experimental Rust compiler reference docs. To give feedback on the compiler, or to keep up with its development, see the RFC for a new compiler for Astro for more information and discussion.

Patch Changes

• #15565 30cd6db Thanks @ematipico! - Fixes an issue where the use of the Astro internal logger couldn't work with Cloudflare Vite plugin.

• #15562 e14a51d Thanks @florian-lefebvre! - Removes types for the astro:ssr-manifest module, which was removed

• #15435 957b9fe Thanks @rururux! - Improves compatibility of the built-in image endpoint with runtimes that don't support CJS dependencies correctly

• #15640 4c1a801 Thanks @ematipico! - Reverts the support of Shiki with CSP. Unfortunately, after exhaustive tests, the highlighter can't be supported to cover all cases.

  Adds a warning when both Content Security Policy (CSP) and Shiki syntax highlighting are enabled, as they are incompatible due to Shiki's use of inline styles

• #15605 f6473fd Thanks @ascorbic! - Improves .astro component SSR rendering performance by up to 2x.

  This includes several optimizations to the way that Astro generates and renders components on the server. These are mostly micro-optimizations, but they add up to a significant improvement in performance. Most pages will benefit, but pages with many components will see the biggest improvement, as will pages with lots of strings (e.g. text-heavy pages with lots of HTML elements).

• #15514 999a7dd Thanks @veeceey! - Fixes font flash (FOUT) during ClientRouter navigation by preserving inline <style> elements and font preload links in the head during page transitions.

  Previously, @font-face declarations from the <Font> component were removed and re-inserted on every client-side navigation, causing the browser to re-evaluate them.

• #15580 a92333c Thanks @ematipico! - Fixes a build error when generating projects with a large number of static routes

• #15549 be1c87e Thanks @0xRozier! - Fixes an issue where original (unoptimized) images from prerendered pages could be kept in the build output during SSR builds.

• #15565 30cd6db Thanks @ematipico! - Fixes an issue where the use of the Code component would result in an unexpected error.

• #15585 98ea30c Thanks @matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15565 30cd6db Thanks @ematipico! - Fixes an issue where the new Astro v6 development server didn't log anything when navigating the pages.

• #15591 1ed07bf Thanks @renovate! - Upgrades devalue to v5.6.3

• #15633 9d293c2 Thanks @jwoyo! - Fixes a case where <script> tags from components passed as slots to server islands were not included in the response

• #15586 35bc814 Thanks @matthewp! - Fixes an issue where allowlists were not being enforced when handling remote images

@astrojs/rss@4.0.15-beta.4

Patch Changes

• #15561 413b0f7 Thanks @renovate! - Updates fast-xml-parser to v5.3.6

@astrojs/node@10.0.0-beta.5

Patch Changes

• #15562 e14a51d Thanks @florian-lefebvre! - Updates to new Adapter API introduced in v6

• #15585 98ea30c Thanks @matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

@astrojs/preact@5.0.0-beta.4

Patch Changes

• #15619 bbfa7c8 Thanks @rururux! - Fixed an issue where the Preact integration would incorrectly intercept React 19 components, triggering "Invalid hook call" error logs.

@astrojs/svelte@8.0.0-beta.3

Patch Changes

• #15581 2851f10 Thanks @renovate! - Updates svelte to v5.51.5

Changes

To enable upload of larger files, make the action request body limit configurable changesets.

Testing

Docs

This PR doesn't touch docs.

NOTE:

I'm not sure if this should go against main or 5-legacy.
But I need this (or something like this) in the current "stable" version of astro.

fixes: #15518

Changes

In the previous implementation of the Cloudflare Workers integration, the following error occurred when esbuild attempted to scan dependencies by loading the code:

✘ [ERROR] Top-level return cannot be used inside an ECMAScript module

This pull request addresses this issue with the following changes:

• Modified esbuild input: Before passing code to esbuild, return statements are now replaced with throw . This logic is based on the implementation found in vite-plugin-astro/compile.ts. To ensure source maps remain accurate, the replacement includes padding to maintain the original character count.
• Added comments explaining potential errors that might arise from this change in specific edge cases.

Testing

• Verified that the Top-level return cannot be ... error no longer occurs.
• Added a test case to ensure that the replacement logic does not break the syntax (which would previously trigger a Failed to run dependency scan ... error).

Docs

N/A

Changes

• Enforce remote image allowlists when inferring remote sizes and image endpoints
• Cherry-picked from e01e98b

Changes

• Add a default 1MB limit for action request bodies and enforce when Content-Length is missing
• Cherry-picked from 522f880

Description

When build.format is set to 'file', Astro outputs pages with .html extensions (e.g., about.html). However, the sitemap integration was generating URLs without extensions (e.g., /about instead of /about.html), leading to incorrect sitemap entries.

Changes

• Added a check in the sitemap URL generation to append .html when build.format === 'file'
• Updated the corresponding test to expect .html extensions
• Added changeset

Fixes #15526

Description

• Follow up to #3713
• Documents the use of code backticks to escape filenames like __init__.py that otherwise break because the _ is interpreted as Markdown syntax

Docs preview: https://deploy-preview-3714--astro-starlight.netlify.app/components/file-tree/#escape-special-characters

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	5.50.3 → 5.51.5

GitHub Vulnerability Alerts

CVE-2026-27119

In certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.

CVE-2026-27121

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.

CVE-2026-27122

When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

CVE-2026-27125

In server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.

Release Notes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

Taken from the triage bot.

Closes #15578

Testing

Added a new test, which failed before the fix.

Docs

N/A

Changes

Adds a new experimental Route Caching API and Route Rules for controlling SSR response caching. See the RFC for full details.

Route caching gives you a platform-agnostic way to cache server-rendered responses, based on web standard cache headers. You set caching directives in your routes using Astro.cache (in .astro pages) or context.cache (in API routes and middleware), and Astro translates them into the appropriate headers or runtime behavior depending on your adapter. You can also define cache rules for routes declaratively in your config using experimental.routeRules, without modifying route code.

Getting started

Enable the feature by configuring experimental.cache with a cache provider in your Astro config:

// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';
import { memoryCache } from 'astro/config';

export default defineConfig({
  adapter: node({ mode: 'standalone' }),
  experimental: {
    cache: {
      provider: memoryCache(),
    },
  },
});

Using Astro.cache and context.cache

In .astro pages, use Astro.cache.set() to control caching:

---
// src/pages/index.astro
Astro.cache.set({
  maxAge: 120,       // Cache for 2 minutes
  swr: 60,           // Serve stale for 1 minute while revalidating
  tags: ['home'],    // Tag for targeted invalidation
});
---
<html><body>Cached page</body></html>

In API routes and middleware, use context.cache:

// src/pages/api/data.ts
export function GET(context) {
  context.cache.set({
    maxAge: 300,
    tags: ['api', 'data'],
  });
  return Response.json({ ok: true });
}

Cache options

cache.set() accepts the following options:

• maxAge (number): Time in seconds the response is considered fresh.
• swr (number): Stale-while-revalidate window in seconds. During this window, stale content is served while a fresh response is generated in the background.
• tags (string[]): Cache tags for targeted invalidation. Tags accumulate across multiple set() calls within a request.
• lastModified (Date): When multiple set() calls provide lastModified, the most recent date wins.
• etag (string): Entity tag for conditional requests.

Call cache.set(false) to explicitly opt out of caching for a request.

Multiple calls to cache.set() within a single request are merged: scalar values use last-write-wins, lastModified uses most-recent-wins, and tags accumulate.

Invalidation

Purge cached entries by tag or path using cache.invalidate():

// Invalidate all entries tagged 'data'
await context.cache.invalidate({ tags: ['data'] });

// Invalidate a specific path
await context.cache.invalidate({ path: '/api/data' });

Config-level route rules

Use experimental.routeRules to set default cache options for routes without modifying route code. Supports Nitro-style shortcuts for ergonomic configuration:

import { memoryCache } from 'astro/config';

export default defineConfig({
  experimental: {
    cache: {
      provider: memoryCache(),
    },
    routeRules: {
      // Shortcut form (Nitro-style)
      '/api/*': { swr: 600 },

      // Full form with nested cache
      '/products/*': { cache: { maxAge: 3600, tags: ['products'] } },
    },
  },
});

Route patterns support static paths, dynamic parameters ([slug]), and rest parameters ([...path]). Per-route cache.set() calls merge with (and can override) the config-level defaults.

You can also read the current cache state via cache.options:

const { maxAge, swr, tags } = context.cache.options;

Cache providers

Cache behavior is determined by the configured cache provider. There are two types:

• CDN providers set response headers (e.g. CDN-Cache-Control, Cache-Tag) and let the CDN handle caching. Astro strips these headers before sending the response to the client.
• Runtime providers implement onRequest() to intercept and cache responses in-process, adding an X-Astro-Cache header (HIT/MISS/STALE) for observability.

Built-in memory cache provider

Astro includes a built-in in-memory LRU cache provider. Import memoryCache from astro/config to configure it.

Features:

• In-memory LRU cache with configurable max entries (default: 1000)
• Stale-while-revalidate support
• Tag-based and path-based invalidation
• X-Astro-Cache response header: HIT, MISS, or STALE

Writing a custom cache provider

A cache provider is a module that exports a factory function as its default export:

import type { CacheProviderFactory } from 'astro';

const factory: CacheProviderFactory = (config) => {
  return {
    name: 'my-cache-provider',
    // For CDN-style: set response headers
    setHeaders(options) {
      const headers = new Headers();
      if (options.maxAge !== undefined) {
        headers.set('CDN-Cache-Control', `max-age=${options.maxAge}`);
      }
      return headers;
    },
    // For runtime-style: intercept requests (optional)
    async onRequest(context, next) {
      // ... check cache, call next(), store response
    },
    // Handle invalidation
    async invalidate(options) {
      // ... purge by tags or path
    },
  };
};

export default factory;

Error handling

If you use Astro.cache or context.cache without enabling the feature, Astro throws an AstroError with the name CacheNotEnabled and a message explaining how to configure it. If the configured provider cannot be resolved, Astro throws CacheProviderNotFound at build time.

Testing

Adds comprehensive test suite

Docs

withastro/docs#13305

Changes

• clear the dev route cache when content collections change so slug pages re-evaluate getStaticPaths
• add an HMR test that updates content and verifies slug route output refreshes
• Fixes #15555

Testing

• test/hmr-markdown.test.js updated

Docs

• N/A, bug fix

Changes

• Update the peerDependency for @astrojs/node to include the fix regarding memory exhaustion.

Testing

N/A, package.json change only

Docs

N/A, bug fix

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to 5-legacy, this PR will be updated.

Releases

astro@5.17.3

Patch Changes

• #15564 522f880 Thanks @matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

@astrojs/node@9.5.4

Patch Changes

• #15564 522f880 Thanks @matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15572 ef851bf Thanks @matthewp! - Upgrade astro package support

  astro@5.17.3 includes a fix to prevent Action payloads from exhausting memory. @astrojs/node now depends on this version of Astro as a minimum requirement.

Changes

• Enforce allowlists for remote inferSize and reject remote redirects in image fetch paths.
• Add minimal tests for disallowed inferSize and redirect rejection.
• Include a changeset.

Testing

• New test cases added

Docs

• N/A, bug fix

Changes

Closes #15558

Did some research and textContent is generally safer than innerText, so it's safe to use.

Testing

Added a test

Docs

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

astro@6.0.0-beta.14

Patch Changes

• #15573 d789452 Thanks @matthewp! - Clear the route cache on content changes so slug pages reflect updated data during dev.

• #15560 170ed89 Thanks @z0mt3c! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

• #15563 e959698 Thanks @ematipico! - Fixes an issue where warnings would be logged during the build using one of the official adapters

Changes

Closes #15284
Closes #15310

This PR address three things

The debug package

Removed it. It's old, not ESM friendly, and it doesn't work with CF. I eventually found obug, a drop-in replacement. Thank you e18e. They will add it to the website soon.

The other problem is that debug is contained in our dependencies too, especially in the rehype-remark rabbit hole. It's pulled in our runtime via Code component. I used an alias to replace it. Thank you vite

Code doesn't work with CF

Not sure why and how it worked before, but Code started to fail, even in our tests. Not sure what changed in these past weeks/months, because it used to work during the refactor to vite environment APIs.

I tried and tried with a coding agent, and the result was always the same: workerd in dev mode can't run the WASM engined used by shiki. Solution? Use the JavaScript engine. It works with this one.

Logging

We lost of our logging or requests in our dev server. Mainly this bit:

Which I restored in this PR via an abstract method, which is implemented only in our dev pipelines. While doing so, I realised that things started to fail because we were pulling Node.js code, so I did the only sane thing and split the utilities/messages in runtime VS node.

Testing

Current CI should pass. Manually tested that DEBUG= still works, --verbose still works and I see logs in dev.

I updated biome.jsonc to match any file that contains runtime in their name. It should match more files.

Docs

N/A

• Add a default 1 MB action request body cap to avoid oversized payloads exhausting memory
• Enforce the limit for chunked bodies by buffering with a hard cap and returning 413

Testing

• New test added to the Actions test with a large buffer in the body.

Docs

N/A, bug fix

Changes

Closes #15509

Testing

Unfortunately this issue doesn't occur with linked packages

Docs

N/A

Changes

• 2nd take on #15418 which didn't reach consensus
• It updates the node adapter as little as possible to new APIs, taking deprecations into account

Testing

Should pass

Docs

Changeset

The protocol validation in validateForwardedHeaders() passed the full pattern object to matchPattern(), which also checked hostname against the hardcoded test URL (example.com). Pass only { protocol } to matchPattern() so that only the protocol field is validated; the host+proto combination is already checked in the host validation block below.

Fixes #15559

Changes

• Pass { protocol: pattern.protocol } instead of the full pattern to matchPattern() in the protocol validation block
• Changeset included

Testing

Added 4 unit tests in node.test.js covering the reverse proxy case (socket.encrypted: false):

• Accepts forwarded https when allowedDomains has protocol + hostname
• Rejects forwarded http when only https is allowed
• Accepts forwarded https with wildcard hostname pattern
• Constructs correct URL behind reverse proxy with all forwarded headers

Docs

No docs changes needed — this restores the documented behavior of security.allowedDomains.

Changes

Refactored astro-attrs.test.js (file, fixtures) to the new unit test format.
Moved React-dependent test cases to integrations/react/test/react-component.test.js to avoid unnecessary dependencies in the core package, as discussed.

Testing

Migrated existing test cases to the new format without adding new functional tests.
Added @ts-check to the test files and included some comments to suppress linting warnings from Biome and fix type errors.

Docs

N/A. This change is limited to test files only.

Changes

• Addresses https://github.com/orgs/withastro/projects/21/views/1?pane=issue&itemId=154871760 (feedback from James: we should be able to forward some options to the cf vite plugin)
• The CF adapter now accepts relevant options from the vite plugin. I chose to use Pick instead of Omit to avoid conflicts with our own options and control better what we support
• I checked the CF docs on what these options were doing before adding support for them and it made sense to me. I basically omitted all the ones that we already set
• I had to rely on globalThis to pass options to astro preview

Testing

Manual

Docs

• Changeset
• withastro/docs#13278

Changes

• Updates or adds jsdocs for AstroAdapter, adapting from v6 docs

Testing

N/A

Docs

Changeset

Summary

Fixes #15503

• Delete original (unoptimized) images from prerendered pages in SSR builds instead of keeping them in the client _astro directory
• Track referencedImages in the prerender environment for server builds, so directly-referenced originals (e.g., <img src={img.src}>) are preserved
• Remove the !env.isSSR guard that blocked all original image deletion in server mode — staticImages only contains images from prerendered pages, so it's safe to clean up unreferenced originals

Changes

Test plan

• Existing SSG image deletion tests still pass (5/5)
• New SSR image deletion tests pass (2/2): originals only used for optimization are deleted, directly referenced originals are preserved
• Full core-image test suite passes (100/100)
• SSR assets test passes (1/1)

🤖 Generated with Claude Code

• option for adding additional langs

• tests

• changeset

• cleanup test

• cleanup test

• cleanup

• clarify changeset

• Update .changeset/tangy-tables-jog.md

• add more details to changeset

• add more details to changeset

• Update .changeset/tangy-tables-jog.md

• Update .changeset/tangy-tables-jog.md

• minor not patch

• Apply suggestions from code review

Changes

• What does this change?
• Be short and concise. Bullet points can help!
• Before/after screenshots can help as well.
• Don't forget a changeset! Run pnpm changeset.
• See https://contribute.docs.astro.build/docs-for-code-changes/changesets/ for more info on writing changesets.

Testing

Docs

Changes

• New: Add proxies support to the triage workflow. Replaces manual GH_TOKEN env passing with a safer github proxy from @flue/client/proxies.
• Chore: Improve triage skills — add explicit SCOPE instructions to all sub-skills, promote git blame in verify skill, refine comment template formatting.
• Chore: Improve AGENTS.md - add environment guide (prefer node -e over python), add bgproc (by @ascorbic!) to help agents manage background dev servers.
• Chore: Bump @flue/cli to 0.0.43 and @flue/client to 0.0.27.

And two unrelated things:

• New: Add analyze-github-action-logs skill for debugging CI logs. Useful for powering a prompt like "review the last 10 completed github action runs of type XXX for issues or potential improvements"
• Refactor: Clean up our other issue-* workflows (issue-opened, issue-needs-repro, issue-wontfix).

Testing

No good way to test CI locally, will need to test post-merge.

Docs

No docs needed.

Changes

Adds a new experimental flag to use the Rust compiler instead of the Go one. This requires users to install @astrojs/compiler-rs in their project manually.

Testing

I edited some tests so that they pass on both the old and the new compiler:

• Two tests had invalid HTML
• LightningCSS does some CSS stuff slightly differently, and not all the minification options are currently enabled in the new compiler because of some issues so I had to change the asserts

Apart from that, I believe that all tests pass on both compilers.

Docs

There's a JSDoc and withastro/docs#13303

fixes: #15521

Changes

Updated HTML attribute handling to support the "until-found" value for the hidden attribute.
Previously, the hidden attribute was only treated as a boolean. it now correctly handles both boolean and string values.

Testing

Added tests to verify that both standard boolean values and the new "until-found" value are handled correctly.
Since Cheerio does not yet support "until-found", I have used regular expressions to validate this specific value in the output.

Docs

N/A, bug fix

Changes

• No code changes, tests only

Testing

• Moves astro-response.test.js to a unit test, nothing here depends on a build.
• Added a test-helpers.js and added a createManifest which is something all of the tests need.

Docs

N/A, tests only

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

astro@6.0.0-beta.13

Major Changes

• #15451 84d6efd Thanks @ematipico! - Changes how styles applied to code blocks are emitted to support CSP - (v6 upgrade guidance)

Minor Changes

• #15529 a509941 Thanks @florian-lefebvre! - Adds a new build-in font provider npm to access fonts installed as NPM packages

  You can now add web fonts specified in your package.json through Astro's type-safe Fonts API. The npm font provider allows you to add fonts either from locally installed packages in node_modules or from a CDN.

  Set fontProviders.npm() as your fonts provider along with the required name and cssVariable values, and add options as needed:

  import { defineConfig, fontProviders } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      fonts: [
        {
          name: 'Roboto',
          provider: fontProviders.npm(),
          cssVariable: '--font-roboto',
        },
      ],
    },
  });

  See the NPM font provider reference documentation for more details.

• #15548 5b8f573 Thanks @florian-lefebvre! - Adds a new optional embeddedLangs prop to the <Code /> component to support languages beyond the primary lang

  This allows, for example, highlighting .vue files with a <script setup lang="tsx"> block correctly:

  ---
  import { Code } from 'astro:components';
  
  const code = `
  <script setup lang="tsx">
  const Text = ({ text }: { text: string }) => <div>{text}</div>;
  </script>
  
  <template>
    <Text text="hello world" />
  </template>`;
  ---
  
  <Code {code} lang="vue" embeddedLangs={['tsx']} />

  See the <Code /> component documentation for more details.

• #15483 7be3308 Thanks @florian-lefebvre! - Adds streaming option to the createApp() function in the Adapter API, mirroring the same functionality available when creating a new App instance

  An adapter's createApp() function now accepts streaming (defaults to true) as an option. HTML streaming breaks a document into chunks to send over the network and render on the page in order. This normally results in visitors seeing your HTML as fast as possible but factors such as network conditions and waiting for data fetches can block page rendering.

  HTML streaming helps with performance and generally provides a better visitor experience. In most cases, disabling streaming is not recommended.

  However, when you need to disable HTML streaming (e.g. your host only supports non-streamed HTML caching at the CDN level), you can opt out of the default behavior by passing streaming: false to createApp():

  import { createApp } from 'astro/app/entrypoint';
  
  const app = createApp({ streaming: false });

  See more about the createApp() function in the Adapter API reference.

Patch Changes

• #15542 9760404 Thanks @rururux! - Improves rendering by preserving hidden="until-found" value in attribues

• #15550 58df907 Thanks @florian-lefebvre! - Improves the JSDoc annotations for the AstroAdapter type

• #15507 07f6610 Thanks @matthewp! - Avoid bundling SSR renderers when only API endpoints are dynamic

• #15459 a4406b4 Thanks @florian-lefebvre! - Fixes a case where context.csp was logging warnings in development that should be logged in production only

• Updated dependencies [84d6efd]:

  • @astrojs/markdown-remark@7.0.0-beta.7

@astrojs/mdx@5.0.0-beta.8

Major Changes

• #15451 84d6efd Thanks @ematipico! - Changes how styles applied to code blocks are emitted to support CSP - (v6 upgrade guidance)

Patch Changes

• Updated dependencies [84d6efd]:
  • @astrojs/markdown-remark@7.0.0-beta.7

@astrojs/markdown-remark@7.0.0-beta.7

Major Changes

• #15451 84d6efd Thanks @ematipico! - Changes how styles applied to code blocks are emitted to support CSP - (v6 upgrade guidance)

@astrojs/markdoc@1.0.0-beta.11

Patch Changes

• Updated dependencies [84d6efd]:
  • @astrojs/markdown-remark@7.0.0-beta.7

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vite-plugin (source)	^1.23.0 → ^1.25.0
@cloudflare/workers-types	^4.20260131.0 → ^4.20260213.0
@netlify/blobs (source)	^10.5.0 → ^10.6.0
@netlify/vite-plugin (source)	^2.8.0 → ^2.9.0
@types/react (source)	^18.3.27 → ^18.3.28
@vercel/functions (source)	^3.4.0 → ^3.4.2
@vercel/nft	^1.3.0 → ^1.3.1
@vercel/routing-utils (source)	^5.3.2 → ^5.3.3
@vitejs/plugin-vue (source)	^6.0.3 → ^6.0.4
fastify (source)	^5.7.2 → ^5.7.4
svelte (source)	^5.49.1 → ^5.50.3
vue (source)	^3.5.27 → ^3.5.28
wrangler (source)	^4.61.1 → ^4.65.0