Description

Add lychee to showcase

Description

Implements the change discussed in #1321
Closes #1321

Changes

When using densities with the Vercel image adapter, calculated widths were not being validated against the configured sizes list. This caused Vercel to reject invalid widths, resulting in broken images.

For example, with configured sizes [640, 750, 828, 1080, 1200, 1920, 2048, 3840] and width=600 with densities=[1, 1.5, 2], the calculated widths [600, 900, 1200] were used directly instead of being mapped to valid sizes [640, 828, 1200].

This fix ensures all densities-calculated widths are mapped to the nearest configured width, matching the behavior already implemented for the widths prop.

Fixes #14366

Testing

• Test case added

Docs

N/A, bug fix

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.14.7

Patch Changes

• #14566 946fe68 Thanks @matthewp! - Fixes handling malformed cookies gracefully by returning the unparsed value instead of throwing

  When a cookie with an invalid value is present (e.g., containing invalid URI sequences), Astro.cookies.get() now returns the raw cookie value instead of throwing a URIError. This aligns with the behavior of the underlying cookie package and prevents crashes when manually-set or corrupted cookies are encountered.

• #14142 73c5de9 Thanks @P4tt4te! - Updates handling of CSS for hydrated client components to prevent duplicates

Changes

• When a POST request is made to a non-existent action endpoint, return a 404 response with NOT_FOUND error code instead of throwing an unhandled ActionNotFoundError.
• NOT_FOUND is caught and returns a 404 response
• Closes #13549

Testing

• Tests added

Docs

N/A, bug fix

Changes

• When a cookie with an invalid value is present (e.g., containing invalid URI sequences), Astro.cookies.get() now returns the raw cookie value instead of throwing a URIError. This aligns with the behavior of the underlying cookie package and prevents crashes when manually-set or corrupted cookies are encountered.
• Closes #14448

Testing

Added

Docs

N/A, bug fix.

Changes

• Updates the release.yml to use oidc.

Testing

N/A

Docs

N/A

Changes

• Supersedes #14216
• I moved and refactored some logic around to make sure we read the "package.json" only once

Testing

Manual

Docs

Changeset

Changes

This refactors the code by improving the way the cloudflare adapter (and any adapter in the future) and retrieve the BaseApp module.

It creates a astro/app/entrypoint specifier that exposes the new function getApp. This function is responsible for returning an SSR-compatible app based on the dev parameter.

I took the opportunity to rename the virtual modules using the agreed naming convention, which is virtual:astro:<FEATURE>. I didn't rename the astro actions because it has already been done in another branch.

I also updated the cloudflare dependencies. I didn't update to the latest because some deps were released less than three days ago.

Testing

This refactor was done during TBD, and we all verified that it works.

Docs

N/A

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/starlight@0.36.2

Patch Changes

• #3484 620fb38 Thanks @gboubeta-uvigo! - Improves Spanish UI translations

Changes

#14553
One boolean HTML attribute behaved differently from others ("muted"). This change fixes that by adding this attribute to the list of HTML boolean attributes in the astro/packages/astro/src/runtime/server/render/util.ts file.
Before:

After:

Testing

This change was tested by linking a local copy of Astro to a local copy of this project. The results are in the screenshots above.

Docs

Not sure, probably not.
/cc @withastro/maintainers-docs for feedback!

Changes

• Prior PR
• Updates Node v18 'retiring' notice to 'deprecated'.
• Removes removeDate from 'deprecated' support status warning.

note: This only removes the deprecation notice. Any user still on Node v18 or older will get a warning and Astro will default to using Node v22 (default) as the runtime.

Testing

n/a

Docs

n/a

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.14.6

Patch Changes

• #14562 722bba0 Thanks @erbierc! - Fixes a bug where the behavior of the "muted" HTML attribute was inconsistent with that of other attributes.

• #14538 51ebe6a Thanks @florian-lefebvre! - Improves how Actions are implemented

• #14548 6cdade4 Thanks @ascorbic! - Removes support for the maxAge property in cacheHint objects returned by live loaders.

  ⚠️ Breaking change for experimental live content collections only

  Feedback showed that this did not make sense to set at the loader level, since the loader does not know how long each individual entry should be cached for.

  If your live loader returns cache hints with maxAge, you need to remove this property:

  return {
    entries: [...],
    cacheHint: {
      tags: ['my-tag'],
  -   maxAge: 60,
      lastModified: new Date(),
    },
  };

  The cacheHint object now only supports tags and lastModified properties. If you want to set the max age for a page, you can set the headers manually:

  ---
  Astro.headers.set('cdn-cache-control', 'max-age=3600');
  ---

• #14548 6cdade4 Thanks @ascorbic! - Adds missing rendered property to experimental live collections entry type

  Live collections support a rendered property that allows you to provide pre-rendered HTML for each entry. While this property was documented and implemented, it was missing from the TypeScript types. This could lead to type errors when trying to use it in a TypeScript project.

  No changes to your project code are necessary. You can continue to use the rendered property as before, and it will no longer produce TypeScript errors.

Changes

Removes the experimental.liveContentCollections flag and enables it for all sites.

Closes #14376

Testing

Updated test fixture

Docs

Added changeset. It doesn't have any links to docs, because I'm not sure where they'll live.

@withastro/maintainers-docs

Changes

This PR enables the devtoolbvar inside the DevApp by passing the devtoolbar information via manifest.

I added new types inside SSRManifest. This information is pulled using settings.preferences and getInfoOutput, which are serialisable and can be passed via vite plugin.

These new types are placeholders when building and serialising the manifest for SSR during the build

Testing

Manual testing. I could see the devtool popping up and working. The debug info are also available and visible

Docs

N/A

Changes

• Adds the missing rendered property to live entries. This is documented and functional, but was missing from types
• Removes the cacheHint.maxAge property. From feedback and observing usage, this doesn't make sense to be set by the loader. The max age is something that the user should choose, and isn't information that the loader has. This is a breaking change in the types, but it is an experimental feature so can go in a patch.

Testing

Updated the tests, and added a new test for entry rendering

Docs

• withastro/docs#12571
• The rendered property was already documented.

Title

Fixes and completes Spanish translations

Description

This PR fixes some minor translation errors and completes labels that were still untranslated.

This is a minor change with no functional impact, but it improves the linguistic accuracy of the project.

Title

Fixes and completes Galician translations like Spanish

Description

This PR fixes some minor translation errors and completes labels that were still untranslated.

This is a minor change with no functional impact, but it improves the linguistic accuracy of the project.

Description

• Closes #3446
• Adds a card to the landing page of our starter templates highlighting how to enable the sidebar.
• Also adds a comment to the frontmatter of the landing pages to highlight it. (Begs the question of whether more such comments could be useful, but with any luck the content IntelliSense feature could do a lot of that work in the future.)

Before	After

These changes are tentative — it’s always a hard balance of what to prioritise in the onboarding flow, but I wanted to try these out and gather feedback, so let me know what you think! We do get relatively frequent questions about how to enable the sidebar and template: splash is not super explicit, which is probably why people miss it.

Changes

• Add runtimeConfig.internalFetchHeaders to AstroAdapter interface
• Create astro:adapter-config/client virtual module
• Update Actions, View Transitions, Server Islands, and Prefetch to use adapter headers
• Implement Netlify skew protection with DEPLOY_ID header
• Generate .netlify/v1/skew-protection.json configuration file
• Add comprehensive test fixture for skew protection
• Closes #14545

Testing

• Fixture tests added
• Test project
  • Repo: https://github.com/withastro/astro-netlify-skew-protection
  • Prod app: https://skew-protection-test.netlify.app/

Docs

• withastro/docs#12554

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/starlight@0.36.1

Patch Changes

• #3479 2fec483 Thanks @gboubeta-uvigo! - Updates Galician UI translations

• #3457 c6c0c51 Thanks @HiDeoo! - Deduplicates sitemap link tags in the head.

  When enabling sitemap in Starlight, a <link rel="sitemap" href="/sitemap-index.xml"> tag is automatically added to the head of each page. Manually specifying sitemap link tags using the Starlight head configuration option or the head frontmatter field will now override the default sitemap link tag added by Starlight.

  This change ensures that users manually adding the @astrojs/sitemap integration to the Astro integrations array for more fine-grained control over sitemap generation and also using the filenameBase integration option can customize the sitemap link tag in the head.

• #3448 1fc7501 Thanks @dionysuzx! - Enlarges the Farcaster icon to better match other social icons

• #3473 07204dd Thanks @gboubeta! - Fixes a typo in Galician table of contents label

Changes

• Exempts Biome from the minimumReleaseAge requirement in pnpm-workspace.yml
• Alternative: revert #14539 and wait until the Biome release used there is old enough
• I ran pnpm i after applying this change, and the lock file changes showed up, so I included them here in case they are important.

Testing

Existing tests should pass

Docs

n/a

Changes

• Extracted from #14484 and #14529
• While working on actions recently, I found several things could be improved
  • Use a single vite plugin
  • We don't need codegen, I updated the implementation to be closer to virtual-modules/i18n.ts. Allowed to spot some runtime things that were incorrect
  • Things in actions/runtime/virtual were not only imported by the virtual module, so I moved them to actions/runtime
• This will help by being more consistent with other features, and will make the Zod 4 PR diff smaller

Testing

Should pass

Docs

Technically doesn't need a changeset but I'll include one to be safe

Changes

• I did send a PR for this 2 weeks ago but renovate did update the version since then. This time, I excluded nft from renovate updates so it doesn't happen
• See vercel/nft#545

Testing

Should pass

Docs

Changeset

Description

While initially only supporting basic Markdown links, I just updated the starlight-links Visual Studio Code extension to provide IntelliSense for most type of links found in Starlight projects, even custom components, so this is probably a good time to add it to the list of community tools.

Changes

• Merge main into next

Testing

N/A

Docs

N/A

Changes

• Closes #14214
• Supersedes #14219

Testing

N/A, help needed!

Docs

Changeset

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/node@9.5.0

Minor Changes

• #14441 62ec8ea Thanks @upsuper! - Updates redirect handling to be consistent across static and server output, aligning with the behavior of other adapters.

  Previously, the Node.js adapter used default HTML files with meta refresh tags when in static output. This often resulted in an extra flash of the page on redirect, while also not applying the proper status code for redirections. It's also likely less friendly to search engines.

  This update ensures that configured redirects are always handled as HTTP redirects regardless of output mode, and the default HTML files for the redirects are no longer generated in static output. It makes the Node.js adapter more consistent with the other official adapters.

  No change to your project is required to take advantage of this new adapter functionality. It is not expected to cause any breaking changes. However, if you relied on the previous redirecting behavior, you may need to handle your redirects differently now. Otherwise you should notice smoother redirects, with more accurate HTTP status codes, and may potentially see some SEO gains.

astro@5.14.5

Patch Changes

• #14525 4f55781 Thanks @penx! - Fixes defineLiveCollection() types

• #14441 62ec8ea Thanks @upsuper! - Updates redirect handling to be consistent across static and server output, aligning with the behavior of other adapters.

  Previously, the Node.js adapter used default HTML files with meta refresh tags when in static output. This often resulted in an extra flash of the page on redirect, while also not applying the proper status code for redirections. It's also likely less friendly to search engines.

  This update ensures that configured redirects are always handled as HTTP redirects regardless of output mode, and the default HTML files for the redirects are no longer generated in static output. It makes the Node.js adapter more consistent with the other official adapters.

  No change to your project is required to take advantage of this new adapter functionality. It is not expected to cause any breaking changes. However, if you relied on the previous redirecting behavior, you may need to handle your redirects differently now. Otherwise you should notice smoother redirects, with more accurate HTTP status codes, and may potentially see some SEO gains.

• #14506 ec3cbe1 Thanks @abdo-spices! - Updates the <Font /> component so that preload links are generated after the style tag, as recommended by capo.js

create-astro@4.13.2

Patch Changes

• #14528 3597371 Thanks @florian-lefebvre! - Fixes a case where a deprecation warning would be shown on Node 24

@astrojs/netlify@6.5.13

Patch Changes

• #14536 9261996 Thanks @florian-lefebvre! - Fixes a bug that caused too many files to be bundled in SSR

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

@astrojs/vercel@8.2.10

Patch Changes

• #14536 9261996 Thanks @florian-lefebvre! - Fixes a bug that caused too many files to be bundled in SSR

Changes

Fixed a typo in import

• Don't forget a changeset! Run pnpm changeset.

Testing

I saw a TypeScript error locally when looking at node_modules/astro/types/content.d.ts

	export function defineLiveCollection<
		L extends import('astro/loader').LiveLoader,
		S extends import('astro/content/config').BaseSchema | undefined = undefined,
	>(
		config: import('astro/content/config').LiveCollectionConfig<L, S>,
	): import('astro/content/config').LiveCollectionConfig<L, S>;

Cannot find module 'astro/loader' or its corresponding type declarations

This package doesn't seem to exist, and the import seems to be in astro/loaders so opening a quick PR to address.

No further tests done as I'm unfamiliar with Astro internals.

Docs

I don't think any docs are needed.

This PR contains the following updates:

Package	Change	Age	Confidence
@playwright/test (source)	1.55.1 -> 1.56.0
@preact/signals (source)	^2.3.1 -> ^2.3.2
@types/react (source)	^18.3.25 -> ^18.3.26
ci-info	^4.3.0 -> ^4.3.1
eslint (source)	^9.36.0 -> ^9.37.0
fast-xml-parser	^5.2.5 -> ^5.3.0
package-manager-detector	^1.3.0 -> ^1.4.0
publint (source)	^0.3.13 -> ^0.3.14
semver	^7.7.2 -> ^7.7.3
svelte (source)	^5.39.8 -> ^5.39.11
typescript-eslint (source)	^8.45.0 -> ^8.46.0

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

• Make getAllowedDomains() call optional with fallback to empty array
• Update peer dependency to require astro@^5.14.3
• Fixes #14513

Testing

N/A

Docs

N/A

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.14.4

Patch Changes

• #14509 7e04caf Thanks @ArmandPhilippot! - Fixes an error in the docs that specified an incorrect version for the security.allowedDomains release.

@astrojs/node@9.4.6

Patch Changes

• #14514 66a26d7 Thanks @matthewp! - Fixes compatibility issue with older versions of Astro by making getAllowedDomains() call optional and updating peer dependency to require astro@^5.14.3

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.14.3

Patch Changes

• #14505 28b2a1d Thanks @matthewp! - Fixes Cannot set property manifest error in test utilities by adding a protected setter for the manifest property

• #14235 c4d84bb Thanks @toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabled

Changes

• reorder style tag with link tag based capo js to enhance rendering

Testing

n/a

Docs

n/a

Changes

• Some tests were failing, this fixes them

Testing

• Updates them to use the new allowedDomains feature

Docs

N/A, bug fix

Changes

• Depends on #14501
• Updates the create-key command to display help, which involved creating a bunch of abstractions to allow unit testing. I understand it may seem overkill but it's really preparing the refactor of the next commands

Testing

Added unit tests

Docs

N/A, internal refactor

Changes

• Updates the implementation of CLI's create-key command so it's unit testable

Testing

Adds a unit test

Docs

N/A, internal refactor. Will send a docs PR tho because it's not documented in the CLI reference

Description

• Closes #3456

As discussed in the linked issue, this PR dedupes <link rel="sitemap" href="" /> tags in the head, similar to how <link rel="canonical" href="" /> tags are deduped.

I think the changeset is a bit verbose, not quite sure how to make it more concise while still being clear and explaining the use-case. Happy to adjust as needed.

Changes

• Closes #14378

Testing

Updated

Docs

withastro/docs#12510

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/sitemap (source)	^3.5.1 -> ^3.6.0
@astrojs/svelte (source)	^7.1.1 -> ^7.2.0
@cloudflare/workers-types	^4.20250913.0 -> ^4.20251003.0
@netlify/blobs	^10.0.10 -> ^10.0.11
@netlify/functions	^4.2.5 -> ^4.2.7
@netlify/vite-plugin	^2.5.9 -> ^2.6.1
@vercel/nft	0.30.1 -> 0.30.2
rollup (source)	^4.50.2 -> ^4.52.3
svelte (source)	^5.38.10 -> ^5.39.8
typescript (source)	^5.9.2 -> ^5.9.3
vue (source)	^3.5.21 -> ^3.5.22
wrangler (source)	4.37.0 -> 4.41.0

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

This PR contains the following updates:

Package	Change	Age	Confidence
@bluwy/giget-core	^0.1.3 -> ^0.1.6
@tailwindcss/vite (source)	^4.1.13 -> ^4.1.14
@types/react (source)	^18.3.24 -> ^18.3.25
svelte (source)	^5.39.6 -> ^5.39.8
tailwindcss (source)	^4.1.13 -> ^4.1.14
typescript (source)	^5.9.2 -> ^5.9.3
typescript (source)	~5.9.2 -> ~5.9.3
typescript-eslint (source)	^8.44.1 -> ^8.45.0

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

• This PR adds a button to copy the stack trace, which makes it easier to add to any LLM or AI editor for easier debugging. More here Discussion #1234
• There is a subtle animation to give feedback that the stack is copied

Testing

I ran pnpm test:e2e:match "error|overlay", all the 18 test cases passed

Test case screenshot

Docs

It is a small UI addition to the error overlay, so i believe no docs are needed

Fixes issue where custom 500.astro pages did not include their styles when rendered dynamically in SSR mode.

Root Cause

Error pages like 500.astro were not always added to the SSR pageMap when pageData2 was missing from internals.pagesByKeys.
This prevented Vite from importing the page during build, so CSS was never collected into the manifest.

Changes

• Modified plugin-ssr.ts to always add pages to pageMap, even if pageData2 is undefined
• Added fallback to use pageData.component in those cases
• Extended custom-500 fixture to include inline styles
• Added regression test: verifies that styles from 500.astro are included in SSR output (checks minified CSS)

Impact

• Ensures custom 500 error pages behave consistently with other routes
• Fix is build-time only; no runtime overhead
• Custom 500.astro remains optional — if missing, Astro still falls back to default error overlay

Closes #13272

Changes

• 500 error pages now properly include their styles in SSR
• Added regression test to prevent future regressions

Testing

• Added new integration test under test/custom-500.test.js
• Verified fixture builds and renders styles correctly
• All existing tests continue to pass (pnpm test)

Docs

• No user-facing docs changes required
• Behavior matches existing 404 error page behavior

Changes

• Closes #14438
• Covers a case forgotten in #14440

Testing

Unit test added, tested manually

Docs

Changeset

Description

This PR adds the saucer documentation to the site showcase

Changes

• Closes #14377

Testing

Updated

Docs

withastro/docs#12494

Changes

• Closes #14371
• See withastro/compiler#1115

Testing

Should pass

Docs

withastro/docs#12480

Changes

• See withastro/compiler#1114
• In v5, renderScript became the default so we update the compiler and remove the option
• Depends on #14480

Testing

Should pass

Docs

N/A, internal change

Changes

This PR adds support for Astro Actions inside the Cloudflare plugin dev app

Testing

I added a new example in the plugin, and made sure that I receive the correct message when navigating to /action-success

Docs

N/A

Changes

• Closes #14370

Testing

N/A, AFAIK none was using rewrite inside an action

Docs

withastro/docs#12477

Changes

• Until now, if unifont couldn't resolve font data for a given family, we should show a generic message. It is valid in some cases
• However in most cases this is due to a config issue, eg. a typo in the font family name
• So we add a log for it

Testing

Adds unit tests

Docs

Changesets

Changes

• These errors should be safe to delete according to our guidelines

Testing

Should pass

Docs

N/A

Changes

• 0.30.2 causes too many files to be bundled, which can cause deployments on serverless platforms to hit limits
• vercel/nft#545

Testing

N/A

Docs

Changeset

Description

• Support searching within content collections rendered through the RenderPost component
• Support collection type filter, batch loading, search term highlighting on the results page, limit on displayed results, and keyboard navigation
• Support linking search results to the nearest heading position in the post
• Add global FEATURES.search option with configs
• Add search frontmatter to control per-post inclusion
• Refer to Search Functionality for details

Changes

• What does this change?
• Be short and concise. Bullet points can help!
• Before/after screenshots can help as well.
• Don't forget a changeset! Run pnpm changeset.
• See https://contribute.docs.astro.build/docs-for-code-changes/changesets/ for more info on writing changesets.

New sitemap optional configuration for named sitemap files chunking strategy

Adds a chunks option to the sitemap configuration schema.
This allows users to define custom chunking strategies for
generating sitemaps, providing flexibility in how the sitemap
is split into multiple files.

			integrations: [
				sitemap({
					serialize(item) {
						return item
					},
					chunks: {
						'blog': (item) => {
							if (/blog/.test(item.url)) {
								item.changefreq = 'weekly';
								item.lastmod = new Date();
								item.priority = 0.9;
								return item;
							}
						},
						'glossary': (item) => {
							if (/glossary/.test(item.url)) {
								item.changefreq = 'weekly';
								item.lastmod = new Date();
								item.priority = 0.9;
								return item;
							}
						}
					},
				}),
			],

Testing

Docs

yes, to add optional configurations for the chunks

@withastro/maintainers-docs for feedback!

Changes

The only change in v1 is that tinyexec now ships as ESM-only, which is non-breaking for us. This package was already lightweight (46 KB), but v1 is even smaller (27 KB)

See https://github.com/tinylibs/tinyexec/releases/tag/1.0.0

Testing

Existing tests should pass

Docs

N/A

Changes

No breaking changes for Astro as v3 was only released to drop support for Node <18, which we had already done. It removes polyfills, making for a lighter dependency (removes blob-to-buffer and cross-fetch from astro’s transitive deps).

See https://github.com/seek-oss/capsize/releases/tag/%40capsizecss%2Funpack%403.0.0

Testing

Existing tests should pass

Docs

N/A

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.14.2

Patch Changes

• #14459 916f9c2 Thanks @florian-lefebvre! - Improves font files URLs in development when using the experimental fonts API by showing the subset if present

• b8ca69b Thanks @ascorbic! - Aligns dev image server file base with Vite rules

• #14469 1c090b0 Thanks @delucis! - Updates tinyexec dependency

• #14460 008dc75 Thanks @florian-lefebvre! - Fixes a case where astro:config/server values typed as URLs would be serialized as strings

• #13730 7260367 Thanks @razonyang! - Fixes a bug in i18n, where Astro caused an infinite loop when a locale that doesn't have an index, and Astro falls back to the index of the default locale.

• 6ee63bf Thanks @matthewp! - Adds security.allowedDomains configuration to validate X-Forwarded-Host headers in SSR

  The X-Forwarded-Host header will now only be trusted if it matches one of the configured allowed host patterns. This prevents host header injection attacks that can lead to cache poisoning and other security vulnerabilities.

  Configure allowed host patterns to enable X-Forwarded-Host support:

  // astro.config.mjs
  export default defineConfig({
    output: 'server',
    adapter: node(),
    security: {
      allowedDomains: [
        { hostname: 'example.com' },
        { hostname: '*.example.com' },
        { hostname: 'cdn.example.com', port: '443' },
      ],
    },
  });

  The patterns support wildcards (* and **) for flexible hostname matching and can optionally specify protocol and port.

  Breaking change

  Previously, Astro.url would reflect the value of the X-Forwarded-Host header. While this header is commonly used by reverse proxies like Nginx to communicate the original host, it can be sent by any client, potentially allowing malicious actors to poison caches with incorrect URLs.

  If you were relying on X-Forwarded-Host support, add security.allowedDomains to your configuration to restore this functionality securely. When allowedDomains is not configured, X-Forwarded-Host headers are now ignored by default.

• #14488 badc929 Thanks @olcanebrem! - Fixes a case where styles on the custom 500 error page would not be included

• #14487 1e5b72c Thanks @florian-lefebvre! - Fixes a case where the URLs generated by the experimental Fonts API would be incorrect in dev

• #14475 ae034ae Thanks @florian-lefebvre! - Warns if the font family name is not supported by the provider when using the experimental fonts API

• b8ca69b Thanks @ascorbic! - Refactor remote path detection

• #14468 2f2a5da Thanks @delucis! - Updates @capsizecss/unpack dependency

• Updated dependencies [b8ca69b]:

  • @astrojs/internal-helpers@0.7.4
  • @astrojs/markdown-remark@6.3.8

@astrojs/cloudflare@12.6.10

Patch Changes

• b8ca69b Thanks @ascorbic! - Refactor remote path detection

• Updated dependencies [b8ca69b]:

  • @astrojs/internal-helpers@0.7.4
  • @astrojs/underscore-redirects@1.0.0

@astrojs/markdoc@0.15.8

Patch Changes

• Updated dependencies [b8ca69b]:
  • @astrojs/internal-helpers@0.7.4
  • @astrojs/markdown-remark@6.3.8

@astrojs/mdx@4.3.7

Patch Changes

• Updated dependencies []:
  • @astrojs/markdown-remark@6.3.8

@astrojs/netlify@6.5.12

Patch Changes

• #14473 d9634d3 Thanks @florian-lefebvre! - Fixes a bug that caused too many files to be bundled in SSR

• Updated dependencies [b8ca69b]:

  • @astrojs/internal-helpers@0.7.4
  • @astrojs/underscore-redirects@1.0.0

@astrojs/node@9.4.5

Patch Changes

• Updated dependencies [b8ca69b]:
  • @astrojs/internal-helpers@0.7.4

@astrojs/vercel@8.2.9

Patch Changes

• #14473 d9634d3 Thanks @florian-lefebvre! - Fixes a bug that caused too many files to be bundled in SSR

• Updated dependencies [b8ca69b]:

  • @astrojs/internal-helpers@0.7.4

@astrojs/internal-helpers@0.7.4

Patch Changes

• b8ca69b Thanks @ascorbic! - Refactor remote path detection

@astrojs/markdown-remark@6.3.8

Patch Changes

• Updated dependencies [b8ca69b]:
  • @astrojs/internal-helpers@0.7.4