Changes

The Vercel image CDN requires that widths are from a configured list – requesting any other will give an error. The image service does this in most cases, except when the source image is smaller than the requested size. The default getSrcSet clamps the width, ensuring that no sizes are requested larger than the source image, instead requesting the actual image size if a larger size is requested. This is correct for most services except Vercel, which requires us to request the larger breakpoint from the allowlist, for which it will return the original size.

This PR implements a custom getSrcSet for the Vercel image service that ensures the widths are always from the allowlist.

Fixes #14250

Testing

Added tests

Docs

Changes

This PR changes the runtime APIs added for CSP to be available from the getter Astro.csp/ctx.csp

Testing

Updated the tests. CI should pass

Docs

withastro/docs#12241

I'll update the RFC once this lands.

Add support for customizing XML namespaces in generated sitemaps through a new namespaces configuration option. This allows users to exclude unused namespaces like xmlns:news for cleaner sitemap files.

• Add namespaces option to SitemapOptions type
• Update schema validation for namespaces configuration
• Implement namespace filtering in writeSitemap function
• Add comprehensive tests for namespace configuration
• Maintain backward compatibility with all namespaces enabled by default

Changes

• Introduces a new namespaces option in the sitemap integration config.
• Users can now selectively enable/disable XML namespaces (news, xhtml, image, video) in generated sitemaps.
• Schema validation updated to support the new option.
• The sitemap XML output now reflects the selected namespaces.
• Adds tests to verify correct namespace inclusion/exclusion.
• Default behavior remains unchanged (all namespaces included).

Testing

• Added unit and integration tests for all namespace configuration scenarios.
• Verified that disabling specific namespaces removes them from the output XML.
• Ensured backward compatibility by testing default config.

Docs

• This change adds a new config option for users. Documentation should be updated to describe the namespaces option and provide usage examples.
• /cc @withastro/maintainers-docs for feedback!

Changes

Closes #14284

Now CSP headers aren't injected in dev

Testing

Tested locally using the minimal example.

Docs

N/A

Changes

Fixes a regression that was causing node builtins to be accidentally included in Cloudlfare bundles. Reverts #14278, which was working around this.

Testing

Docs

Changes

Currently if middleware includes rewrites, only the first middleware in a sequence that sets cookies is returned to the browser, and any cookies set in subsequent middleware is lost. This PR fixes that.

Fixes #14262

Testing

Added tests

Docs

Changes

• Feedback from the RFC
• In development, update the generated font file url to contain information about its origin (font name, weight, style)

Testing

Adds unit tests

Docs

Changeset

Changes

• Fixes a regression from #14269

Testing

Intergations tests should pass now

Docs

N/A

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.13.5

Patch Changes

• #14286 09c5db3 Thanks @ematipico! - BREAKING CHANGES only to the experimental CSP feature

  The following runtime APIs of the Astro global have been renamed:

  • Astro.insertDirective to Astro.csp.insertDirective
  • Astro.insertStyleResource to Astro.csp.insertStyleResource
  • Astro.insertStyleHash to Astro.csp.insertStyleHash
  • Astro.insertScriptResource to Astro.csp.insertScriptResource
  • Astro.insertScriptHash to Astro.csp.insertScriptHash

  The following runtime APIs of the APIContext have been renamed:

  • ctx.insertDirective to ctx.csp.insertDirective
  • ctx.insertStyleResource to ctx.csp.insertStyleResource
  • ctx.insertStyleHash to ctx.csp.insertStyleHash
  • ctx.insertScriptResource to ctx.csp.insertScriptResource
  • ctx.insertScriptHash to ctx.csp.insertScriptHash

• #14283 3224637 Thanks @ematipico! - Fixes an issue where CSP headers were incorrectly injected in the development server.

• #14275 3e2f20d Thanks @florian-lefebvre! - Adds support for experimental CSP when using experimental fonts

  Experimental fonts now integrate well with experimental CSP by injecting hashes for the styles it generates, as well as font-src directives.

  No action is required to benefit from it.

• #14280 4b9fb73 Thanks @ascorbic! - Fixes a bug that caused cookies to not be correctly set when using middleware sequences

• #14276 77281c4 Thanks @ArmandPhilippot! - Adds a missing export for resolveSrc, a documented image services utility.

@astrojs/cloudflare@12.6.7

Patch Changes

• #14281 dfd88de Thanks @ascorbic! - Fixes a regression that broke sites that used the compile image service without nodejs_compat set

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

@astrojs/vercel@8.2.7

Patch Changes

• #14039 da4182d Thanks @ematipico! - Fixes a bug where experimentalStaticHeaders did not work as expected.

• #14289 ed493a6 Thanks @ascorbic! - Fixes a bug that caused invalid image sizes to be generated when the requested widths were larger than the source image

Changes

Adds resolveSrc alongside the exported astro/assets/utils.

We document resolveSrc as a public API for images services, but currently this is still private because a reexport was missing:

Testing

N/A (well, building adds resolveSrc to the d.ts so I don't think we need something else).

Docs

Changeset added, no other changes are needed this is already documented.

Changes

• Adds support for csp when using fonts
• I need for this for a project at work, otherwise I would have waited for either CSP or fonts to be stable
• I had to add an object on settings so I can inject csp related data from within a vite plugin
• The vite plugin generates a hash for each script and will include it on each page, no matter of the style is included on the page or not

Testing

• Manually
• Unit tests
• Integration test

Docs

Changeset

This PR contains the following updates:

Package	Change	Age	Confidence
devalue	5.1.1 -> 5.3.2

GitHub Vulnerability Alerts

CVE-2025-57820

1. devalue.parse allows __proto__ to be set

A string passed to devalue.parse could represent an object with a __proto__ property, which would assign a prototype to an object while allowing properties to be overwritten:

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5

2. devalue.parse allows array prototype methods to be assigned to object

In a payload constructed with devalue.stringify, values are represented as array indices, where the array contains the 'hydrated' values:

devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]

devalue.parse does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0

This could be used by a creative attacker to bypass server-side validation.

Release Notes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

• What does this change?
  Updates devalue js package to version 5.3.2 to remediate vulnerability
• Be short and concise. Bullet points can help!
• Before/after screenshots can help as well.
• Don't forget a changeset! Run pnpm changeset.
• See https://contribute.docs.astro.build/docs-for-code-changes/changesets/ for more info on writing changesets.

Testing

Covered by existing tests

Docs

I don't believe this will affect docs

Changes

• Refreshes the lockfile to get the latest types
• Discovered in #14154
• I had to override undici's version because cheerio pulls undici@7, which requires node 20 so it was failing in node 18 tests
• I also had to pin wrangler to the latest compatible node 18 version
• Overall this should help with other renovate PRs

Testing

Should pass

Docs

Changeset

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.13.4

Patch Changes

• #14260 86a1e40 Thanks @jp-knj! - Fixes Astro.url.pathname to respect trailingSlash: 'never' configuration when using a base path. Previously, the root path with a base would incorrectly return /base/ instead of /base when trailingSlash was set to 'never'.

• #14248 e81c4bd Thanks @julesyoungberg! - Fixes a bug where actions named 'apply' do not work due to being a function prototype method.

@astrojs/cloudflare@12.6.6

Patch Changes

• 9ecf359 Thanks @alexanderniebuhr! - Improves the image proxy endpoint when using the default compile option to adhere to user configuration regarding the allowed remote domains

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

@astrojs/netlify@6.5.9

Patch Changes

• #14269 4823c42 Thanks @florian-lefebvre! - Updates context.netlify to implement all its properties

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

Closes: #13736

Problem

When configuring Astro with:

• base: '/mybase'
• trailingSlash: 'never'

The Astro.url.pathname for the root route would return /mybase/ (with trailing slash) instead of the expected /mybase (without trailing slash).

Before/After

Before (Bug)

// astro.config.mjs
{
  base: '/mybase',
  trailingSlash: 'never'
}

// In your Astro
Astro.url.pathname // Returns: '/mybase/' 🙅‍♂️(trailing slash not removed)

After (Fixed)

// astro.config.mjs
{
  base: '/mybase',
  trailingSlash: 'never'
}

// In your Astro
Astro.url.pathname // Returns: '/mybase' 🙆‍♂️ (trailing slash correctly removed)

Changes

• Modified packages/astro/src/vite-plugin-astro-server/request.ts to apply trailing slash configuration after base path concatenation
• Added comprehensive tests to verify the behavior with different configurations

Testing

Added tests covering:

• Root path behavior with base path and trailingSlash: 'never'
• Subpage behavior with trailing slash configurations
• File extension handling (e.g., .json endpoints)

Docs

Changes

The Cloudflare adapter currently logs a warning if it is used with a static build. However there are valid reasons to use it for static builds. Similar warnings have already been removed from other adapters.

Fixes #14236

Testing

Docs

Description

This PR adds a link to the newly released Starlight Galaxy theme.

Addresses #13528
Closes #13528

Changes

• Fixes an issue where user actions could not be named apply (and, by extension, other function prototype names like call).
• Root cause: the proxy previously used objKey in target, which would return true even for properties on the function prototype chain.
  • This meant that an action named apply conflicted with the function prototype’s .apply method and couldn’t be used.
• Updated the check to target.hasOwnProperty(objKey).
  • Now only explicitly defined action properties are returned.
  • Result: user actions can now safely be named apply.
• This change hid Function.prototype.valueOf, which Astro’s runtime internally relies on when invoking actions in progressive enhancement fallback paths.
  • Fix: explicitly define valueOf as an own property on the action object.
  • Astro does not depend on .apply, .call, or .bind, so only .valueOf was patched.

⚠️ Trade‑off:

• After this change, you can define an action named apply.
• However, you cannot directly call .apply, .call, or any other prototype method on an action function.
• If this trade‑off isn’t desirable, an alternative would be to keep the original behavior and document that action names like apply, call, or bind are restricted.

Testing

• Verified with an action named apply, matching the original bug report.
• Confirmed that progressive fallback (actions-blog.test.js) works correctly with the valueOf patch.

Docs

This is a user-facing behavior change:

• Actions can now safely be named apply or call, but not bind.
• Function prototype methods (.apply, .call) are no longer usable on action functions.

/cc @withastro/maintainers-docs for input.

Add Omni Print Documentation to showcase.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to 4-legacy, this PR will be updated.

Releases

astro@4.16.19

Patch Changes

• #14241 760acc8 Thanks @ematipico! - Fixes an issue where remote paths weren't correctly computed when generating assets

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/starlight@0.35.3

Patch Changes

• #1640 d1b3828 Thanks @hippotastic! - Refactors various internal systems, improving code quality and maintainability.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.13.3

Patch Changes

• #14239 d7d93e1 Thanks @wtchnm! - Fixes a bug where the types for the live content collections were not being generated correctly in dev mode

• #14221 eadc9dd Thanks @delucis! - Fixes JSON schema support for content collections using the file() loader

• #14229 1a9107a Thanks @jonmichaeldarby! - Ensures Astro.currentLocale returns the correct locale during SSG for pages that use a locale param (such as [locale].astro or [locale]/index.astro, which produce [locale].html)

@astrojs/cloudflare@12.6.5

Patch Changes

• #14259 02366e9 Thanks @ascorbic! - Removes warning when using the adapter with a static build.

  The Cloudflare adapter now has several uses outside of on-demand rendered pages, so this warning is misleading. Similar warnings have already been removed from other adapters.

• #14234 15b55f3 Thanks @yanthomasdev! - Fixes an issue that could cause duplicate exports when configuring workerEntrypoint.namedExports

• #14240 77b18fb Thanks @delucis! - Increases the minimum supported version of Astro to 5.7.0

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

@astrojs/netlify@6.5.8

Patch Changes

• #14240 77b18fb Thanks @delucis! - Increases the minimum supported version of Astro to 5.7.0

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

@astrojs/node@9.4.3

Patch Changes

• #14240 77b18fb Thanks @delucis! - Increases the minimum supported version of Astro to 5.7.0

@astrojs/sitemap@3.5.1

Patch Changes

• #14233 896886c Thanks @gouravkhunger! - Fixes the issue with the option lastmod where if it is defined it applies correctly to <url> entries in each sitemap-${i}.xml file but not the <sitemap> entries in the root sitemap-index.xml file.

Changes

This PR backports a recent fix around how remote paths are evaluated to Astro v4.

The fix differs slightly from Astro v5 because the isRemotePath function is sourced from the internal package @astrojs/internal-helpers, which cannot be upgraded in the 4-legacy branch.

So I created a new isCoreRemotePath function that uses isRemotePath, and it also adds the new regex that we added to the main branch.

All the instances of isRemotePath were replaced with isCoreRemotePath.

Testing

Ci should pass. Ported tests too

Docs

N/A

Changes

• When sessions were stabilized in Astro 5.7.0 (#13527), we updated the Node, Netlify, and Cloudflare adapters to auto-enable the feature.
• However, these adapters did not update their peerDependencies version of astro, meaning it’s possible to install the latest adapter with an older version of astro and see errors because the adapter is setting sessions config which doesn’t exist.
• This PR bumps the peer dependency to 5.7.0 in the three adapters to fix this.
• Technically I’d consider this and the initial decision to auto-enable sessions a breaking change, which should have come with a major release of the adapters, but because that change was made in a minor release, I’ve made this a patch as a “fix” to the behaviour introduced in that minor release.

Testing

N/A — dependency management only

Docs

N/A

Changes

Check whether live content collections config file exists before generating types. Closes #14238.

Testing

I've tested this manually to confirm the fix. I figured an automated test might be overkill for this small change, as it would require a new fixture, but I'm happy to add one if you prefer.

Docs

As this PR fixes an expected behavior, no docs are required.

Changes

The "tap" prefetch strategy was the only strategy that didn't call onPageLoad to attach event listeners to new elements. This caused "tap" to only work on the first clicked link when view transitions were enabled.

Testing

This behavior isn’t explicitly tested. No new tests were added since this PR only unifies "tap" with the other strategies.

Docs

No docs added since this is a bugfix.

Changes

Currently in docs, we show namedExports including 'default' by default in its type signature, implying that if someone were to override it, they would need to add 'default' to the array manually, which isn't the case.

If someone did do that, that would create two default exports during the build process and would break the build. Now, 'default' gets filtered out, so this issue doesn't happen again.

UPDATE: exports are now generated from a Set, so that should avoid any duplicate export issues.

Testing

I added 'default' to the namedExports array in the existing custom-entryfile fixture and added a corresponding test to verify the build worked successfully. Since we weren't using that fixture in any other tests (that I could find, at least), I thought it was fine to reuse the same one, but I can make a new one if it seems necessary.

Docs

Related docs PR (it doesn't depend on it): withastro/docs#12168
/cc @withastro/maintainers-docs

Changes

• Defining lastmod correctly applies to <url> entries in each sitemap-${i}.xml file
• This PR adds a minor fix to use that lastmod for <sitemap> entries in the root sitemap-index.xml file as well.
• lastmod should also be supported on <sitemap>. See Sample XML Sitemap Index on this doc.

Testing

Added additional test case in custom-sitemaps.test.js.

Docs

This is an internal fix.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.13.2

Patch Changes

• 4d16de7 Thanks @ematipico! - Improves the detection of remote paths in the _image endpoint. Now href parameters that start with // are considered remote paths.

• Updated dependencies [4d16de7]:

  • @astrojs/internal-helpers@0.7.2
  • @astrojs/markdown-remark@6.3.6

@astrojs/cloudflare@12.6.4

Patch Changes

• Updated dependencies [4d16de7]:
  • @astrojs/internal-helpers@0.7.2
  • @astrojs/underscore-redirects@1.0.0

@astrojs/markdoc@0.15.5

Patch Changes

• Updated dependencies [4d16de7]:
  • @astrojs/internal-helpers@0.7.2
  • @astrojs/markdown-remark@6.3.6

@astrojs/mdx@4.3.4

Patch Changes

• Updated dependencies []:
  • @astrojs/markdown-remark@6.3.6

@astrojs/netlify@6.5.7

Patch Changes

• Updated dependencies [4d16de7]:
  • @astrojs/internal-helpers@0.7.2
  • @astrojs/underscore-redirects@1.0.0

@astrojs/node@9.4.2

Patch Changes

• Updated dependencies [4d16de7]:
  • @astrojs/internal-helpers@0.7.2

@astrojs/vercel@8.2.6

Patch Changes

• Updated dependencies [4d16de7]:
  • @astrojs/internal-helpers@0.7.2

@astrojs/internal-helpers@0.7.2

Patch Changes

• 4d16de7 Thanks @ematipico! - Improves the detection of remote paths in the _image endpoint. Now href parameters that start with // are considered remote paths.

@astrojs/markdown-remark@6.3.6

Patch Changes

• Updated dependencies [4d16de7]:
  • @astrojs/internal-helpers@0.7.2

Changes

• Adds normalizeThePath utility function to remove .html from the end of a path or path segment, if it exists, otherwise returns the path or path segment unmodified
• Introduces normalizeThePath to pathHasLocale and computeCurrentLocale to normalize path segments in these functions
• Fixes #14228, where index pages have an incorrect currentLocale during SSG under certain conditions:
  • page uses a param and getStaticPaths (like /pages/[locale]/index.astro or /pages/[locale].astro)
  • config has build.format: file and output: static
• Adds tests to cover the cases described above

Testing

This change was tested by running the newly introduced tests via node --test packages/astro/test/i18n-routing.test.js

Docs

This corrects a bug and makes Astro.currentLocale behave as expected and currently documented under the conditions described above.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.13.1

Patch Changes

• #14225 f2490ab Thanks @delucis! - Fixes the experimental.chromeDevtoolsWorkspace feature.

Changes

• Adds separate scripts for testing astro and all other packages
• Updates the CI workflow to run each of these as a separate job
• The aim is to see if we can save some time by not running all tests in one big job

Testing

Docs

Changes

• Fixes the experimental automatic Chrome DevTools workspace folders support added in Astro 5.13.0
• #14122 added this but for some reason used a data format that did not match what Chrome is actually looking for.
• Chrome documents their com.chrome.devtools.json format like this:

  {
    "workspace": {
      "root": "/Users/foobar/Projects/my-awesome-web-project",
      "uuid": "53b029bb-c989-4dca-969b-835fecec3717"
    }
  }

• Before this PR our endpoint was responding with:

  {
    "version": "1.0",
    "projectId": "53b029bb-c989-4dca-969b-835fecec3717"
    "workspaceRoot": "/Users/foobar/Projects/my-awesome-web-project",
  }

• These do not match 😁
• This PR makes Astro return what Chrome wants when the experimental feature is enabled. (I also added logic to invalidate old dev tools configs as we currently cache these, so the invalid ones would hang around otherwise for anyone who has been trying out the feature.)

Testing

Tested a local dev project to ensure Chrome actually detected the workspace with the changed output in this PR.

Docs

N/A — bug fix

Changes

• What does this change?
• Be short and concise. Bullet points can help!
• Before/after screenshots can help as well.
• Don't forget a changeset! Run pnpm changeset.
• See https://contribute.docs.astro.build/docs-for-code-changes/changesets/ for more info on writing changesets.

Testing

Docs

Changes

• Closes #13536
• Fixes JSON schema output for content collections using the file() loader

Testing

Added a new test in the content-intellisense fixture which checks that the schema produced for the file loader looks correct.

Docs

N/A — just a bug fix

Changes

After doing some more research, i found that if dirPath is not a string or buffer, it will throw an error internally (in https://github.com/nodejs/node/blob/9ec68afdc505215cd7b39c6fab35f11e3efa4fc7/lib/internal/fs/utils.js#L701). However, existsSync does not currently throw that error, it only issues a warning when that error code occurs ( https://github.com/nodejs/node/blob/9ec68afdc505215cd7b39c6fab35f11e3efa4fc7/lib/fs.js#L274).

In future versions of nodejs, if existsSync encounters that error code, it will throw an error. With this, our change should be fine.

The other uses of existsSync in Astro’s codebase already convert the path to a string using path.join or path.resolve, so this should be the only change needed to remove the warning.

closes: #14214
closes #14215

Testing

Docs

Description

• Closes #3044

Just had to debug an issue where a user had a head configuration including a meta tag with some content which is invalid HTML (it's a void element) and found out we already have a feature request to better handle this case so I decided to implement it.

This PR adds a validation steps for meta tags in the head config to ensure that content is not provided and displays a friendly error message if it is.

The error message is different if some attrs are provided or not, to help users fix their config more easily:

with attrs	without attrs

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.13.0

Minor Changes

• #14173 39911b8 Thanks @florian-lefebvre! - Adds an experimental flag staticImportMetaEnv to disable the replacement of import.meta.env values with process.env calls and their coercion of environment variable values. This supersedes the rawEnvValues experimental flag, which is now removed.

  Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via astro:env into the expected type. This is the recommended way to use environment variables in Astro, as it allows you to easily see and manage whether your variables are public or secret, available on the client or only on the server at build time, and the data type of your values.

  However, you can still access environment variables through process.env and import.meta.env directly when needed. This was the only way to use environment variables in Astro before astro:env was added in Astro 5.0, and Astro's default handling of import.meta.env includes some logic that was only needed for earlier versions of Astro.

  The experimental.staticImportMetaEnv flag updates the behavior of import.meta.env to align with Vite's handling of environment variables and for better ease of use with Astro's current implementations and features. This will become the default behavior in Astro 6.0, and this early preview is introduced as an experimental feature.

  Currently, non-public import.meta.env environment variables are replaced by a reference to process.env. Additionally, Astro may also convert the value type of your environment variables used through import.meta.env, which can prevent access to some values such as the strings "true" (which is converted to a boolean value), and "1" (which is converted to a number).

  The experimental.staticImportMetaEnv flag simplifies Astro's default behavior, making it easier to understand and use. Astro will no longer replace any import.meta.env environment variables with a process.env call, nor will it coerce values.

  To enable this feature, add the experimental flag in your Astro config and remove rawEnvValues if it was enabled:

  // astro.config.mjs
  import { defineConfig } from "astro/config";
  
  export default defineConfig({
  +  experimental: {
  +    staticImportMetaEnv: true
  -    rawEnvValues: false
  +  }
  });

  Updating your project

  If you were relying on Astro's default coercion, you may need to update your project code to apply it manually:

  // src/components/MyComponent.astro
  - const enabled: boolean = import.meta.env.ENABLED;
  + const enabled: boolean = import.meta.env.ENABLED === "true";

  If you were relying on the transformation into process.env calls, you may need to update your project code to apply it manually:

  // src/components/MyComponent.astro
  - const enabled: boolean = import.meta.env.DB_PASSWORD;
  + const enabled: boolean = process.env.DB_PASSWORD;

  You may also need to update types:

  // src/env.d.ts
  interface ImportMetaEnv {
    readonly PUBLIC_POKEAPI: string;
  -  readonly DB_PASSWORD: string;
  -  readonly ENABLED: boolean;
  +  readonly ENABLED: string;
  }
  
  interface ImportMeta {
    readonly env: ImportMetaEnv;
  }
  
  + namespace NodeJS {
  +  interface ProcessEnv {
  +    DB_PASSWORD: string;
  +  }
  + }

  See the experimental static import.meta.env documentation for more information about this feature. You can learn more about using environment variables in Astro, including astro:env, in the environment variables documentation.

• #14122 41ed3ac Thanks @ascorbic! - Adds experimental support for automatic Chrome DevTools workspace folders

  This feature allows you to edit files directly in the browser and have those changes reflected in your local file system via a connected workspace folder. This allows you to apply edits such as CSS tweaks without leaving your browser tab!

  With this feature enabled, the Astro dev server will automatically configure a Chrome DevTools workspace for your project. Your project will then appear as a workspace source, ready to connect. Then, changes that you make in the "Sources" panel are automatically saved to your project source code.

  To enable this feature, add the experimental flag chromeDevtoolsWorkspace to your Astro config:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      chromeDevtoolsWorkspace: true,
    },
  });

  See the experimental Chrome DevTools workspace feature documentation for more information.

@astrojs/sitemap@3.5.0

Minor Changes

• #13682 5824b32 Thanks @gouravkhunger! - Adds a customSitemaps option to include extra sitemaps in the sitemap-index.xml file generated by Astro.

  This is useful for multi-framework setups on the same domain as your Astro site (example.com), such as a blog at example.com/blog whose sitemap is generated by another framework.

  The following example shows configuring your Astro site to include sitemaps for an externally-generated blog and help center along with the generated sitemap entries in sitemap-index.xml:

  Example:

  import { defineConfig } from 'astro/config';
  import sitemap from '@astrojs/sitemap';
  
  export default defineConfig({
    site: 'https://example.com',
    integrations: [
      sitemap({
        customSitemaps: [
          'https://example.com/blog/sitemap.xml',
          'https://example.com/helpcenter/sitemap.xml',
        ],
      }),
    ],
  });

  Learn more in the @astrojs/sitemap configuration documentation.

@astrojs/node@9.4.1

Patch Changes

• 5fc3c59 Thanks @ematipico! - Fixes a routing bug in standalone mode with trailingSlash set to "always".

Changes

• this pr adds a new example which has the "minimal" setup needed for Cloudflare Workers Static Assets deployment
• it does not include all the features or advanced Cloudflare usages

Testing

• pnpm create astro@latest -- --template cloudflare-workers-static-assets

Docs

Not really needed, since custom examples are already documented here: https://docs.astro.build/en/install-and-setup/#use-a-theme-or-starter-template

@sarah11918 we could discuss if we want to add this command pnpm create astro@latest -- --template cloudflare-workers-static-assets to the Cloudflare docs page itself?

Changes

This PR creates a DevApp class that extends from BaseApp

The workflow is mostly the same as it is now, however, for simplicity, the DevApp calls the function handleRequest and then handleRoute instead of BaseApp.render.

handleRequest and handleRoute are the same of the two functions handleRequest and handleRoute we have nowadays. I tweaked a bit the types and information passed to make them a bit more compatible with what we have inside BaseApp.

We now use renderError to render an error page; however, the DevApp rewrites its logic based on what we have today.

Unfortunately, this refactor breaks the AstroSession tests in dev, and I don't know why because I'm not familiar with the code. As for now, I skipped the tests, and I will tackle them once Matt is back from PTO.

I added a task as a reminder.

Testing

Current CI should stay green

Docs

N/A

Description

This PR is a follow-up to the uses-with updates in #3374 and #3375 and aims to disable Node.js version updates for actions/setup-node in Renovate.

As I mentioned in this comment, this is done for a few reasons:

• We want to control the Node.js version used in some workflows
• We probably don't want to deal with such PRs for every Node.js versions

As usual, I don't think there is a way to test this change without merging it, and not explicitely documented (or I missed it), but hopefully after merging this PR and waiting a bit, Renovate should close the 2 existing PRs I mentioned and should create 2 new ones only containing an update for actions/checkout (which was bundled in the previous PRs with the Node.js version update).

If this works as expected, I'll port this change to Astro Docs.

This PR contains the following updates:

Package	Change	Age	Confidence
yargs-parser	^21.1.1 -> ^22.0.0

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/db@0.17.1

Patch Changes

• #14207 91283b5 Thanks @Adammatthiesen! - Fixes inferred types for Astro DB tables using column.text fields.

Changes

Fixes type casting for text column and enum inference.

• Test Schema

• Before

• After

Testing

Implement type testing for tables

Docs

This fixes previously working behavior.

Changes

• Instead of silently ignoring lower priority routes in case of conflicts, we show a warning for each occurrence.
• Closes #9832

Testing

New tests reproduce the conflicts and check the warning and error.

Docs

• withastro/docs#12237

Changes

• Closes #13152

This PR solves the outstanding issue that was being caused by the usage of the @libsql/client's default export of their node client, by introducing a new option to switch from the node client to the web client. Allowing users on platforms like Cloudflare to finally be able to use Astro DB since the Studio sunset.

Testing

There is currently no tests testing external server connections. And im not sure how possible it would be to spin up a libsql server locally in CI for tests.

Docs

CC @sarah11918 at your request i'm tagging you!

Description

This PR adds the starlight-github-alerts plugin to the documentation plugin showcase.

Changes

When deciding whether a module update needs a full reload, we check if the module is present in the client module graph. If it isn't, then it's SSR-only and needs a full reload. Currently when editing styles it invalidates both client and SSR modules. However because the SSR module includes an inline flag and the client module doesn't, the HMR check incorrectly thinks it is a server-only module that needs a full reload.

This PR filters out these inline modules so that a full reload isn't triggered. The non-inline version is also invalidated, so it still triggers HMR, but without triggering a full reload.

Fixes #14196

Testing

Adds an e2e test. Previously there were several e2e test for HMR styles, but none of them were the simple case of an inline style with no imports.

Docs

Changes

We need the App to be fully extendable and more flexible, so it can be used in other environments that aren't Node.js. At the moment it is exclusively used inside adapters, however, we foresee its usage in dev and the possibility of build too.

This PR creates a new abstract BaseApp that implements all the methods inside the App class. The only method that must be implemented is createPipeline.

The function AppPipeline.create has been dramatically simplified, since many of the arguments that we were passing can be computed from the manifest, and some other values were hardcoded. AppPipeline is also exposed because the creation of new "Apps" that extend App requires the implementation of cratePipeline. I didn't create a default implementation of createPipeline because of P and AppPipeline (TypeScript doesn't like it). If you know how to fix it, please let me know how.

The method AppPipeline.getModuleForRoute has been moved inside BasePipeline. There's a chance we could reuse it.

Testing

This is a refactor, so the entire CI should stay green

Docs

N/A

Website Carbon Calculator introduced a new model for estimating energy usage, so this PR updates the table to use new measurements. Mostly no change in the ratings but the new model estimates lower CO₂ usage than the earlier version.

I had to update the Docus page being tested as their installation guide repeatedly errored out during testing. (They’re also notably the only entry whose CO₂ usage didn’t decrease this time round, presumably because of changes in their recent release.)

Changes

This PR removes the use of ssrLoadModule in favour of the new way: pulling a runnable environment and use the function runner.import. Here's the docs: https://vite.dev/guide/api-environment-frameworks.html#runnabledevenvironment

Unfortunately there are few places where we pass the instances of the server, so for my next PR I will refactor those places to accept an environment instead of the instance of the server.

Testing

Current tests should pass

Docs

N/A

Description

This PR adds the starlight-changelogs to the resources/plugins page.

Changes

Adds support for enums on the text column for AstroDB

Testing

Not sure if there is a good way to test this, as per the drizzle docs:

You can define { enum: ["value1", "value2"] } config to infer insert and select types, it won’t check runtime values.

So i would assume it would need type testing similar to the last PR I opened for db.

Docs

Currently there is no docs to specific features/options of the different columns, only "shared options"

If docs are required we should also be sure to document any other missing items from our schema.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/db@0.17.0

Minor Changes

• #14190 438adab Thanks @Adammatthiesen! - Adds support for enum support for text columns in Astro DB tables.

  import { column, defineTable } from 'astro:db';
  
  // Table definition
  const UserTable = defineTable({
    columns: {
      id: column.number({ primaryKey: true }),
      name: column.text(),
      rank: column.text({ enum: ['user', 'mod', 'admin'] }),
    },
  });
  
  // Resulting type definition
  type UserTableInferInsert = {
    id: string;
    name: string;
    rank: 'user' | 'mod' | 'admin';
  };

@astrojs/node@9.4.0

Minor Changes

• #14188 e3422aa Thanks @ascorbic! - Adds support for specifying a host to load prerendered error pages

  By default, if a user defines a custom error page that is prerendered, Astro will load it from the same host as the one that the request is made to. This change allows users to specify a different host for loading prerendered error pages. This can be useful in scenarios such as where the server is running behind a reverse proxy or when prerendered pages are hosted on a different domain.

  To use this feature, set the experimentalErrorPageHost adapter option in your Astro configuration to the desired host URL. For example, if your server is running on localhost and served via a proxy, you can ensure the prerendered error pages are fetched via the localhost URL:

  import { defineConfig } from 'astro/config';
  import node from '@astrojs/node';
  export default defineConfig({
    adapter: node({
      // If your server is running on localhost and served via a proxy, set the host like this to ensure prerendered error pages are fetched via the localhost URL
      experimentalErrorPageHost: 'http://localhost:4321',
    }),
  });

  For more information on enabling and using this experimental feature, see the @astrojs/node adapter docs.

astro@5.12.9

Patch Changes

• #14020 9518975 Thanks @jp-knj! - Prevent double-prefixed redirect paths when using fallback and redirectToDefaultLocale together

  Fixes an issue where i18n fallback routes would generate double-prefixed paths (e.g., /es/es/test/item1/) when fallback and redirectToDefaultLocale configurations were used together. The fix adds proper checks to prevent double prefixing in route generation.

• #14199 3e4cb8e Thanks @ascorbic! - Fixes a bug that prevented HMR from working with inline styles

@astrojs/cloudflare@12.6.3

Patch Changes

• #14066 7abde79 Thanks @alexanderniebuhr! - Refactors the internal solution which powers Astro Sessions when running local development with ˋastro devˋ.

  The adapter now utilizes Cloudflare's local support for Cloudflare KV. This internal change is a drop-in replacement and does not require any change to your projectct code.

  However, you now have the ability to connect to the remote Cloudflare KV Namespace if desired and use production data during local development.

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

Changes

Currently if a user defines a custom error page that is prerendered, Astro will load it from the same host as the one that the request is made to. i.e. if the user made a request to https://example.com/nonexistent, Astro will fetch the custom error page from https://example.com/404.html. This is a problem if the site is running in a container that cannot connect to its own external URL, such as a Docker container that forwards its port. This PR adds a new experimentalErrorPageHost option to the Node adapter that tells it to use a different host to fetch the page. This can be set to the local host and port to ensure it's loaded from inside the container

Fixes #13874

Testing

Added tests

Docs

This will need docs

Changes

Fix AstroDB asDrizzleTable and schema conversion to correctly align table types with drizzle-orm to prevent loss of variables during type inference.

• Closes #13886

Before:

After:

Testing

No tests added, this is a type only change to correct previously broken types.

Docs

This fixes previously broken types. No doc changes needed.

This PR contains the following updates:

Package	Change	Age	Confidence
tinyexec	^0.3.2 -> ^1.0.1

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

This PR contains the following updates:

Package	Change	Age	Confidence
@preact/signals (source)	^2.2.1 -> ^2.3.1
@types/react (source)	^18.3.23 -> ^18.3.24
@vue/compiler-sfc (source)	^3.5.18 -> ^3.5.20
linkedom	^0.18.11 -> ^0.18.12
preact (source)	^10.27.0 -> ^10.27.1
preact-render-to-string	^6.5.13 -> ^6.6.1
solid-js (source)	^1.9.7 -> ^1.9.9
svelte (source)	^5.37.1 -> ^5.38.6
svelte2tsx (source)	^0.7.41 -> ^0.7.42
vue (source)	^3.5.18 -> ^3.5.20

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

Now a newer version of Vite is being used, and the test works correctly locally, so I want to see if it passes in CI to determine if it’s safe to re-enable it

Testing

Docs

Description

Starlight's sl-line-height value was applied even for .not-content. I used the same :not rule that you have elsewhere, but I wonder if this might not be better:

body :not(.not-content *) {
  line-height: var(--sl-line-height);
}

Another possibility might be to set line-height: normal to .not-content, whichever you prefer 😄

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/db@0.16.1

Patch Changes

• #14186 9fe883e Thanks @Adammatthiesen! - Fixes types for optional and primary key columns in Astro DB tables.

@astrojs/netlify@6.5.6

Patch Changes

• #14175 1e1cef0 Thanks @ematipico! - Fixes a bug where the adapter would cause a runtime error when calling astro build in CI environments.

Changes

This PR bumps netlify deps. I also pinned @netlify/functions because if upgraded, will generate build errors.

Testing

CI should pass

Docs

Changes

npm is very fussy with peer dependencies, and can easily end up with false positives in its checks when upgrading Astro packages. This is particularly likely when upgrading Astro alongside another package that has a peer dependency on it.

This PR checks to see if installs failed because of a peer dependency issue, and if so retries with the --legacy-peer-deps flag

Fixes #13884

Testing

Added test, and tested manually with the repro from #13884.

To create the test I needed to add support for mocking the shell function. Module mocking isn't supported in Node < 24, so I did it by allowing an optional shell funciton arg to be passed to the install command.

Docs

Changes

• Replaces the rawEnvValues experimental flag by staticImportMetaEnv
• Instead of just disabling the coercion, this flag disables the replacement of import.meta.env.X by process.env.X if process.env.X is available during the build

Testing

Added test for the process.env replacement

Docs

Changeset + withastro/docs#12105