Changes

• Closes #14362
• Closes #14030 (will resolve once commit makes it to main)
• I don't think we're affected by any breaking change

Testing

Should pass

Docs

withastro/docs#12444

Changes

• What does this change?
• Be short and concise. Bullet points can help!
• Before/after screenshots can help as well.
• Don't forget a changeset! Run pnpm changeset.
• See https://contribute.docs.astro.build/docs-for-code-changes/changesets/ for more info on writing changesets.

Testing

Docs

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.14.1

Patch Changes

• #14440 a3e16ab Thanks @florian-lefebvre! - Fixes a case where the URLs generated by the experimental Fonts API would be incorrect in dev

Changes

Currently, node adapter uses the default HTML files with meta refresh when in static mode. This is not ideal, because it adds extra flash of page on redirections for users, and doesn't apply the proper status code for redirections. It's also likely less friendly to search engines.

This change makes configured redirect handled in the same way for node adapter across static and server mode, align with behaviors for other adapters.

Testing

A new test has been added to test the redirect behavior on static mode.

Docs

While this changes the behavior of node adapter in static mode, it's still within the behavior described in the current document:

In Routing, it says:

When running astro build, Astro will output HTML files with the meta refresh tag by default. Supported adapters will instead write out the host’s configuration file with the redirects.

And in Configuration Reference, it says:

When using SSR or with a static adapter in output: static mode, status codes are supported. Astro will serve redirected GET requests with a status of 301 and use a status of 308 for any other request method.

So this change brings node adapter into the "supported adapters" in the first document, and fulfills the description by the second document.

Changes

• Closes #14438
• I made a change in #14279 but didn't handle the weight correctly

Testing

Unit test updated

Docs

Changeset

Description

Recently I noticed that most packages in this mono-repo are authored under "Chris Swithinbank".
I know that he is the founder of Star(book)light, but at the same time I noticed that most other Astro repos either have no author or just "withastro". So I adapted it here as well.

If I am not aware that this project is still authored by Chris legally, then I am sorry for creating this PR.
Just let me know if I should adapt or close this PR!

Changes

• Fixes a typo in the changelog.

Testing

Tried to use the name from the changelog and received an error. Switched to the new name and it succeeded.

Docs

I've confirmed the docs do not have this typo.

Changes

• Matches Vite requirements

Testing

Should pass

Docs

Changeset updated, docs to be updated

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.14.0

Minor Changes

• #13520 a31edb8 Thanks @openscript! - Adds a new property routePattern available to GetStaticPathsOptions

  This provides the original, dynamic segment definition in a routing file path (e.g. /[...locale]/[files]/[slug]) from the Astro render context that would not otherwise be available within the scope of getStaticPaths(). This can be useful to calculate the params and props for each page route.

  For example, you can now localize your route segments and return an array of static paths by passing routePattern to a custom getLocalizedData() helper function. The params object will be set with explicit values for each route segment (e.g. locale, files, and slug). Then, these values will be used to generate the routes and can be used in your page template via Astro.params.

  // src/pages/[...locale]/[files]/[slug].astro
  
  import { getLocalizedData } from "../../../utils/i18n"; export async function getStaticPaths({ routePattern
  }) { const response = await fetch('...'); const data = await response.json(); console.log(routePattern);
  // [...locale]/[files]/[slug] // Call your custom helper with `routePattern` to generate the static
  paths return data.flatMap((file) => getLocalizedData(file, routePattern)); } const { locale, files,
  slug } = Astro.params;

  For more information about this advanced routing pattern, see Astro's routing reference.

• #13651 dcfbd8c Thanks @ADTC! - Adds a new SvgComponent type

  You can now more easily enforce type safety for your .svg assets by directly importing SVGComponent from astro/types:

  ---
  // src/components/Logo.astro
  import type { SvgComponent } from 'astro/types';
  import HomeIcon from './Home.svg';
  interface Link {
    url: string;
    text: string;
    icon: SvgComponent;
  }
  const links: Link[] = [
    {
      url: '/',
      text: 'Home',
      icon: HomeIcon,
    },
  ];
  ---

• #14206 16a23e2 Thanks @Fryuni! - Warn on prerendered routes collision.

  Previously, when two dynamic routes /[foo] and /[bar] returned values on their getStaticPaths that resulted in the same final path, only one of the routes would be rendered while the other would be silently ignored. Now, when this happens, a warning will be displayed explaining which routes collided and on which path.

  Additionally, a new experimental flag failOnPrerenderCollision can be used to fail the build when such a collision occurs.

Patch Changes

• #13811 69572c0 Thanks @florian-lefebvre! - Adds a new getFontData() method to retrieve lower-level font family data programmatically when using the experimental Fonts API

  The getFontData() helper function from astro:assets provides access to font family data for use outside of Astro. This can then be used in an API Route or to generate your own meta tags.

  import { getFontData } from 'astro:assets';
  
  const data = getFontData('--font-roboto');

  For example, getFontData() can get the font buffer from the URL when using satori to generate OpenGraph images:

  // src/pages/og.png.ts
  
  import type { APIRoute } from 'astro';
  import { getFontData } from 'astro:assets';
  import satori from 'satori';
  
  export const GET: APIRoute = (context) => {
    const data = getFontData('--font-roboto');
  
    const svg = await satori(<div style={{ color: 'black' }}>hello, world</div>, {
      width: 600,
      height: 400,
      fonts: [
        {
          name: 'Roboto',
          data: await fetch(new URL(data[0].src[0].url, context.url.origin)).then((res) =>
            res.arrayBuffer(),
          ),
          weight: 400,
          style: 'normal',
        },
      ],
    });
  
    // ...
  };

  See the experimental Fonts API documentation for more information.

@astrojs/react@4.4.0

Minor Changes

• #14386 f75f446 Thanks @yanthomasdev! - Stabilizes the formerly experimental getActionState() and withState() functions introduced in @astrojs/react v3.4.0 used to integrate Astro Actions with React 19's useActionState() hook.

  This example calls a like action that accepts a postId and returns the number of likes. Pass this action to the withState() function to apply progressive enhancement info, and apply to useActionState() to track the result:

  import { actions } from 'astro:actions';
  import { withState } from '@astrojs/react/actions';
  import { useActionState } from 'react';
  
  export function Like({ postId }: { postId: string }) {
    const [state, action, pending] = useActionState(
      withState(actions.like),
      0, // initial likes
    );
  
    return (
      <form action={action}>
        <input type="hidden" name="postId" value={postId} />
        <button disabled={pending}>{state} ❤️</button>
      </form>
    );
  }
  

  You can also access the state stored by useActionState() from your action handler. Call getActionState() with the API context, and optionally apply a type to the result:

  import { defineAction } from 'astro:actions';
  import { z } from 'astro:schema';
  import { getActionState } from '@astrojs/react/actions';
  
  export const server = {
    like: defineAction({
      input: z.object({
        postId: z.string(),
      }),
      handler: async ({ postId }, ctx) => {
        const currentLikes = getActionState<number>(ctx);
        // write to database
        return currentLikes + 1;
      },
    }),
  };
  

  If you were previously using this experimental feature, you will need to update your code to use the new stable exports:

  // src/components/Form.jsx
  import { actions } from 'astro:actions';
  -import { experimental_withState } from '@astrojs/react/actions';
  +import { withState } from '@astrojs/react/actions';
  import { useActionState } from "react";

  // src/actions/index.ts
  import { defineAction, type SafeResult } from 'astro:actions';
  import { z } from 'astro:schema';
  -import { experimental_getActionState } from '@astrojs/react/actions';
  +import { getActionState } from '@astrojs/react/actions';

Changes

Svelte 5.39.1 changed the name of the $$payload prop. We were using this as a heuristic to detect if a component was svelte, meaning that we were no longer detecting it. This PR checks for both.

Testing

Updated fixtures.

Docs

Changes

• Closes #14372
• Using Astro.site or Astro.generator in getStaticPaths will log a warning
• Using any other Astro property in getStaticPaths will throw an error

Testing

Integration tests added.

Docs

withastro/docs#12435 + changeset

Changes

Svelte 5.36 added support for async rendering, including top-level await in scripts (Astro-style!). This PR adds support. The change was literally just adding an await to the render() call, but this PR is larger because we didn't have a test suite for the Svelte integration so this adds one.

Testing

Adds tests, including a fixture that uses async.

Docs

This is a Svelte feature that doesn't need users to do anything Astro-specific, so I don't think it needs docs beyond this changeset.

Changes

Sharp can return a SharedArrayBuffer backed Buffer when used with Wasm32. SharedArrayBuffers have security restrictions which can cause other elements, such as the image GET handler to exception.

This change checks if sharp returns something that seems like a SharedArrayBuffer, then performs a copy if so.

Resolves #14412.

Testing

I was able to test the changes by monkey-patching the generated .js in a separate astro project and the changes worked well both on sharp for win32 and wasm32 sharp.

Tested by running pnpm test before and after forcing sharp to use the wasm32 build (see #14412). I believe I received the same set of errors before and afterwards. I'm not sure how to let the tests run longer or resolve the symlink tests.

astro:test: ℹ tests 1294
astro:test: ℹ suites 503
astro:test: ℹ pass 1286
astro:test: ℹ fail 2
astro:test: ℹ cancelled 1
astro:test: ℹ skipped 5
astro:test: ℹ todo 0
astro:test: ℹ duration_ms 600012.557
astro:test:
astro:test: ✖ failing tests:
astro:test:
astro:test: test at test\content-collections.test.js:108:4
astro:test: ✖ Handles symlinked content (2.2824ms)
astro:test:   AssertionError [ERR_ASSERTION]: Expected values to be strictly deep-equal:
astro:test:   + actual - expected
astro:test:
astro:test:   + []
astro:test:   - [
astro:test:   -   'first.md',
astro:test:   -   'second.md',
astro:test:   -   'third.md'
astro:test:   - ]
astro:test:
astro:test:       at TestContext. (file:///F:/drfuzzyness/astro/packages/astro/test/content-collections.test.js:112:12)
astro:test:       at Test.runInAsyncScope (node:async_hooks:211:14)
astro:test:       at Test.run (node:internal/test_runner/test:979:25)
astro:test:       at async Suite.processPendingSubtests (node:internal/test_runner/test:677:7) {
astro:test:     generatedMessage: true,
astro:test:     code: 'ERR_ASSERTION',
astro:test:     actual: [],
astro:test:     expected: [ 'first.md', 'second.md', 'third.md' ],
astro:test:     operator: 'deepStrictEqual'
astro:test:   }
astro:test:
astro:test: test at test\content-collections.test.js:119:4
astro:test: ✖ Handles symlinked data (0.4368ms)
astro:test:   AssertionError [ERR_ASSERTION]: Expected values to be strictly deep-equal:
astro:test:   + actual - expected
astro:test:
astro:test:   + []
astro:test:   - [
astro:test:   -   'welcome'
astro:test:   - ]
astro:test:
astro:test:       at TestContext. (file:///F:/drfuzzyness/astro/packages/astro/test/content-collections.test.js:124:12)
astro:test:       at Test.runInAsyncScope (node:async_hooks:211:14)
astro:test:       at Test.run (node:internal/test_runner/test:979:25)
astro:test:       at async Suite.processPendingSubtests (node:internal/test_runner/test:677:7) {
astro:test:     generatedMessage: true,
astro:test:     code: 'ERR_ASSERTION',
astro:test:     actual: [],
astro:test:     expected: [ 'welcome' ],
astro:test:     operator: 'deepStrictEqual'
astro:test:   }
astro:test:
astro:test: test at node_modules\.astro\test.mjs:1:1
astro:test: ✖ F:\drfuzzyness\astro\packages\astro\node_modules\.astro\test.mjs (600010.9855ms)
astro:test:   'test timed out after 600000ms'
astro:test:  ELIFECYCLE  Command failed with exit code 1.
astro:test:  ELIFECYCLE  Test failed. See above for more details.
astro:test: ERROR: command finished with error: command (F:\drfuzzyness\astro\packages\astro) C:\nvm4w\nodejs\pnpm.cmd run test exited (1)
astro#test: command (F:\drfuzzyness\astro\packages\astro) C:\nvm4w\nodejs\pnpm.cmd run test exited (1)
Tasks:    0 successful, 1 total

Cached:    0 cached, 1 total

Time:    10m19.025s

Failed:    astro#test
ERROR  run failed: command  exited (1)

 ELIFECYCLE  Command failed with exit code 1.

 ELIFECYCLE  Test failed. See above for more details.

astro:test: ℹ tests 1302
astro:test: ℹ suites 505
astro:test: ℹ pass 1294
astro:test: ℹ fail 2
astro:test: ℹ cancelled 1
astro:test: ℹ skipped 5
astro:test: ℹ todo 0
astro:test: ℹ duration_ms 600008.9105
astro:test:
astro:test: ✖ failing tests:
astro:test:
astro:test: test at test\content-collections.test.js:108:4
astro:test: ✖ Handles symlinked content (2.1965ms)
astro:test:   AssertionError [ERR_ASSERTION]: Expected values to be strictly deep-equal:
astro:test:   + actual - expected
astro:test:
astro:test:   + []
astro:test:   - [
astro:test:   -   'first.md',
astro:test:   -   'second.md',
astro:test:   -   'third.md'
astro:test:   - ]
astro:test:
astro:test:       at TestContext. (file:///F:/drfuzzyness/astro/packages/astro/test/content-collections.test.js:112:12)
astro:test:       at Test.runInAsyncScope (node:async_hooks:211:14)
astro:test:       at Test.run (node:internal/test_runner/test:979:25)
astro:test:       at async Suite.processPendingSubtests (node:internal/test_runner/test:677:7) {
astro:test:     generatedMessage: true,
astro:test:     code: 'ERR_ASSERTION',
astro:test:     actual: [],
astro:test:     expected: [ 'first.md', 'second.md', 'third.md' ],
astro:test:     operator: 'deepStrictEqual'
astro:test:   }
astro:test:
astro:test: test at test\content-collections.test.js:119:4
astro:test: ✖ Handles symlinked data (0.4843ms)
astro:test:   AssertionError [ERR_ASSERTION]: Expected values to be strictly deep-equal:
astro:test:   + actual - expected
astro:test:
astro:test:   + []
astro:test:   - [
astro:test:   -   'welcome'
astro:test:   - ]
astro:test:
astro:test:       at TestContext. (file:///F:/drfuzzyness/astro/packages/astro/test/content-collections.test.js:124:12)
astro:test:       at Test.runInAsyncScope (node:async_hooks:211:14)
astro:test:       at Test.run (node:internal/test_runner/test:979:25)
astro:test:       at async Suite.processPendingSubtests (node:internal/test_runner/test:677:7) {
astro:test:     generatedMessage: true,
astro:test:     code: 'ERR_ASSERTION',
astro:test:     actual: [],
astro:test:     expected: [ 'welcome' ],
astro:test:     operator: 'deepStrictEqual'
astro:test:   }
astro:test:
astro:test: test at node_modules\.astro\test.mjs:1:1
astro:test: ✖ F:\drfuzzyness\astro\packages\astro\node_modules\.astro\test.mjs (600007.373ms)
astro:test:   'test timed out after 600000ms'
astro:test:  ELIFECYCLE  Command failed with exit code 1.
astro:test:  ELIFECYCLE  Test failed. See above for more details.
astro:test: ERROR: command finished with error: command (F:\drfuzzyness\astro\packages\astro) C:\nvm4w\nodejs\pnpm.cmd run test exited (1)
astro#test: command (F:\drfuzzyness\astro\packages\astro) C:\nvm4w\nodejs\pnpm.cmd run test exited (1)
Tasks:    0 successful, 1 total

Cached:    0 cached, 1 total

Time:    10m18.385s

Failed:    astro#test
ERROR  run failed: command  exited (1)

 ELIFECYCLE  Command failed with exit code 1.

 ELIFECYCLE  Test failed. See above for more details.

Docs

No user-facing changes.

Changes

• Closes #14365
• Removes polyfills for node 18 and node 20 (import.meta.resolve)
• Update CLI entrypoints
• Keep undocumented support for node 20. Once stackblitz supports 22, we'll have to quietly hard require node 22

Testing

Should still pass

Docs

withastro/docs#12423 + changeset

Changes

• Removes deprecated emitESMImage()
• Removes internal todos
• Depends on #14407

Testing

Should still pass

Docs

withastro/docs#12403

Reverts #14415

Reverts #14414

Changes

• Closes #14368

Testing

Updates test and removes irrelevant ones, should pass

Docs

withastro/docs#12401 + changeset

Changes

• The astro.locals symbol is only used in dev by official adapters, so it can be removed from here
• the astro.clientAddress symbol is meant to be used internally only, now that clientAddress can be passed to app.render()

Testing

Should still pass

Docs

Shouldn't be needed as it's an undocumented API

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/svelte@7.2.0

Minor Changes

• #14430 78011ba Thanks @ascorbic! - Adds support for async server rendering

  Svelte 5.36 added experimental support for async rendering. This allows you to use await in your components in several new places. This worked out of the box with client-rendered components, but server-rendered components needed some extra help. This update adds support for async server rendering in Svelte components used in Astro.

  To use async rendering, you must enable it in your Svelte config:

  // svelte.config.js
  export default {
    compilerOptions: {
      experimental: {
        async: true,
      },
    },
  };

  Then you can use await in your components:

  <script>
    let data = await fetch('/api/data').then(res => res.json());
  </script>
  <h1>{data.title}</h1>

  See the Svelte docs for more information on using await in Svelte components, including inside $derived blocks and directly in markup.

Patch Changes

• #14433 9cc8f21 Thanks @ascorbic! - Fixes a bug that prevented Svelte 5.39.1+ components rendering when multiple frameworks were present

astro@5.13.11

Patch Changes

• #14409 250a595 Thanks @louisescher! - Fixes an issue where astro info would log errors to console in certain cases.

• #14398 a7df80d Thanks @idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance

• #13747 120866f Thanks @jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter

  The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.

• #14428 32a8acb Thanks @drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer

• #14411 a601186 Thanks @GameRoMan! - Fixes relative links to docs that could not be opened in the editor.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.13.10

Patch Changes

• Updated dependencies [1e2499e]:
  • @astrojs/internal-helpers@0.7.3
  • @astrojs/markdown-remark@6.3.7

@astrojs/cloudflare@12.6.9

Patch Changes

• Updated dependencies [1e2499e]:
  • @astrojs/internal-helpers@0.7.3
  • @astrojs/underscore-redirects@1.0.0

@astrojs/markdoc@0.15.7

Patch Changes

• Updated dependencies [1e2499e]:
  • @astrojs/internal-helpers@0.7.3
  • @astrojs/markdown-remark@6.3.7

@astrojs/mdx@4.3.6

Patch Changes

• Updated dependencies []:
  • @astrojs/markdown-remark@6.3.7

@astrojs/netlify@6.5.11

Patch Changes

• Updated dependencies [1e2499e]:
  • @astrojs/internal-helpers@0.7.3
  • @astrojs/underscore-redirects@1.0.0

@astrojs/node@9.4.4

Patch Changes

• Updated dependencies [1e2499e]:
  • @astrojs/internal-helpers@0.7.3

@astrojs/vercel@8.2.8

Patch Changes

• Updated dependencies [1e2499e]:
  • @astrojs/internal-helpers@0.7.3

@astrojs/internal-helpers@0.7.3

Patch Changes

• #14408 1e2499e Thanks @matthewp! - Handle backslash and encoded backslash in isRemotePath

@astrojs/markdown-remark@6.3.7

Patch Changes

• Updated dependencies [1e2499e]:
  • @astrojs/internal-helpers@0.7.3

Description

Add openstatus docs to the showcase list

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
@vitejs/plugin-vue (source)	5.2.1 -> 5.2.4
preact (source)	^10.27.1 -> ^10.27.2
svelte (source)	^5.38.7 -> ^5.39.2
svelte2tsx (source)	^0.7.42 -> ^0.7.43

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
publint (source)	^0.3.12 -> ^0.3.13
svelte (source)	^5.38.10 -> ^5.39.2
typescript-eslint (source)	^8.43.0 -> ^8.44.0

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

Replace relative urls with absolute urls, as relative urls will not work in editors

Testing

No tests needed as no runtime changes

Docs

Docs changes probably not needed as no runtime changes

Changes

• Astro.url.pathname returns value with the correct file .html extension when build.format: 'perserve' is enabled in astro.config.mjs

Closes: #13615

Testing

Here's the screenshot after change:
build.format: 'preserve' is enabled in all screenshot

For routeType: 'page' with a named pathname. Now we have .html extension in pathname property

For routeType: 'page' without a named pathname (no change)

For routeType: 'endpoint' (no change)

Docs

I am not sure, but I think it is not needed.

Changes

• This PR fixes an issue where astro info would sometimes log errors to console if the package manager was unable to retreive the version information for an integration (like Astro DB) because the integration's registered name was not the same as the name of the package.

Testing

• A new test was added to ensure integrations for which a package manager is unable to get the version for are still shown in the output of astro info.

Docs

N/A

Changes

• Handle backslash patterns that could be normalized to remote URLs by browsers and runtimes. This includes single/double backslashes at the start, URL-encoded backslashes, and protocols with backslashes.
• Prevents potential security issues

Testing

• new tests added

Docs

N/A, bug fix

Changes

Closes #14361.

This PR removes a number of APIs and options related to legacy content collections that were deprecated in Astro 5, including:

• The legacy.collections option, which was added in Astro 5 and caused the old content collections system to be used instead of the new one.
• Deprecated functions from astro:content: getEntryBySlug and getDataEntryById are both replaced by getEntry(), which is a drop-in replacement for both.
• Support for the old src/content/config.* file location. You must now use src/content.config.*.
• Automatically generating collections when a src/content/ directory is present and no content config file exists. You must now explicitly define collections in src/content.config.*.
• Support for collections without a loader. You must now use the glob() loader to create collections from filesystem content. This will also mean that generated entries use the new entry format:
  • The id field is now a slug, not a filename. You can access the filename via entry.filePath, which is the path relative to the site root.
  • There is no longer a slug field – use id instead.
  • You can no longer call entry.render() on content entries. Use render(entry) instead, imported from astro:content.

Testing

Literally hundreds of updated tests! We never updated lots of the fixtures in Astro 5, instead relying on the legacy support. This PR takes the plunge and does the update.

A lot of tests are failing in next, so it's not always 100% clear if there are more that need updating. I think I've found them all though.

Docs

The docs already reflect the current behaviour. The upgrade guide is in progress.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.13.9

Patch Changes

• #14402 54dcd04 Thanks @FredKSchott! - Removes warning that caused unexpected console spam when using Bun

Changes

Fixes #14401

previously, Bun users were seeing this when they used bun to install their npm packages, and then ran astro dev, astro build, etc.

This was introduced in #14300 to intentionally add the message to astro info, but not realizing that the helper function getInfoOutput() was called outside of astro info during normal render, for debugging purposes.

This PR removes that warning for now, since we shouldn't be printing inside of a helper utility like that. We could add it back in the future, but I also don't think it's communicating the correct message about our Bun support (tldr: we support Node, and Bun is Node compatible, so Astro should be expected to work correctly in Bun. if it does not, that's bun's problem to solve, but that is different from "Bun is not supported"). Update: wait I was wrong, this is Bun the package installer, not the runtime. AFAIK Astro runs for users who use Bun as their package installer, so I think this message is just wrong vs. not worded correctly. Please correct me if I'm incorrect on that, but we have many Astro users who use bun to install their packages so I can't imagine this is true.

Testing

Not tested, just removed a console log.

Docs

Not needed.

Changes

• Closes #14369

Testing

All existing tests are passed when running pnpm run test

Docs

withastro/docs#12347

Changes

• The AddServerRenderer type previously used name: never to forbid the name property when renderer was a NamedSSRLoadedRendererValue. However, this prevented the compiler from correctly matching the first union branch.
• Removing name: never from the name renderer union type branch will fix this.

Testing

• Verified that TypeScript correctly accepts both union branches.

Docs

• The existing docs already describe the intended behavior, so no changes are needed after this fix.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/starlight@0.36.0

Minor Changes

• #3427 c3b2d0f Thanks @delucis! - Fixes styling of labels that wrap across multiple lines in <Tabs> component

  ⚠️ Potentially breaking change: Tab labels now have a narrower line-height and additional vertical padding. If you have custom CSS targetting the <Tabs> component, you may want to double check the visual appearance of your tabs when updating.

  If you want to preserve the previous styling, you can add the following custom CSS to your site:

  .tab > [role='tab'] {
    line-height: var(--sl-line-height);
    padding-block: 0;
  }

• #3380 3364af3 Thanks @HiDeoo! - Makes head entry parsing stricter in Starlight config and content frontmatter.

  ⚠️ Potentially breaking change: Previously Starlight would accept a head entry for a meta tag defining some content which generates invalid HTML as <meta> is a void element which cannot have any child nodes. Now, it is an error to define a meta tag including some content.

  If you see errors after updating, look for head entries in the Starlight configuration in the astro.config.mjs file or in the frontmatter of your content files that include a content property for a meta tag. To fix the error, move the content property to the attrs object with at least an additional attribute to identify the kind of metadata it represents:

  head: {
    tag: 'meta',
  - content: 'foo',
    attrs: {
      name: 'my-meta',
  +   content: 'foo',
    },
  },

• #3340 2018c31 Thanks @HiDeoo! - Adds missing vertical spacing between Markdown content and UI Framework components using client directives.

  ⚠️ Potentially breaking change: By default, Starlight applies some vertical spacing (--sl-content-gap-y) between Markdown content blocks. This change introduces similar spacing between Markdown content blocks and UI Framework components using client directives which was not present before.

  If you were relying on the previous behavior, you can manually override the spacing by manually specifying the top margin on the component using custom CSS, e.g. by relying on a CSS class to target the component.

  .my-custom-component {
    margin-top: 0;
  }

Patch Changes

• #3423 a0d0670 Thanks @andersk! - Fixes HTML validity in sidebar groups by ensuring <summary> is the first child of <details>

Changes

Cleaning up various issues found by knip – dead code, empty files etc

Testing

Docs

Description

I noticed a while ago in #3374 that if the .github/workflows/ci.yml is updated but nothing in the packages/** directories is, our unit tests and e2e tests do not run. In the case of the linked PR, this was not really a problem, altho, if we were to update an environment variable like NODE_VERSION in this file and nothing else, we want to make sure that all tests run.

This PR updates the dorny/paths-filter configuration to include a new ci filter matching this file used to trigger some jobs that were previously skipped when only this file was changed (I considered adding this file to the existing filters, which would have avoided the need to edit the if conditions, but I felt that it was cleaner to have a dedicated filter for this purpose).

Here are 2 runs for this PR only modifying the CI workflow file:

• Before this changes is fully implemented, tests are skipped
• After this change, all tests run as expected

Changes

#14345 changed a lot of the APIs for App and Pipeline, but didn't update the tests that use them. This fixes the affected unit tests.

Testing

Unit tests pass locally

Docs

Changes

Enables HMR for the environment API

Testing

Manually tested

Docs

Changes

• Instead of having to manually maintain js and dts file in the package root, use built files from dist

Testing

Should still pass

Docs

No changeset as this is a refactor. Debatable since things in package.json#exports change

Changes

Adds support for server islands in environment API.

Currently server islands fail because Vite doesn't know about any server islands at startup, when the manifest is first generated. This PR moves the server islands maps into a separate virtual module that is loaded when needed. It also invalidates that module when new islands are added.

We will probably also want to move them out of the manifest for other app types, but that can come later.

Testing

Added server islands to the test fixture

Docs

Changes

This PR adds the minimumReleaseAge configuration option to the pnpm-workspace.yaml and renovate.json5 files.

This change has been made in light of the recent NPM supply chain attacks, as a preventative measure to ensure Astro is (at least somewhat) safe from newly released malicious versions. For now, the respective settings have been set to 3 days, which feels like a good middle ground.

Documentation for the settings:

• https://docs.renovatebot.com/configuration-options/#minimumreleaseage
• https://pnpm.io/settings#minimumreleaseage

Testing

I've not been able to test this for the renovate configuration. Installing from the root with the new workspace file works fine.

Docs

N/A

Changes

There are two APIs related to using Astro Actions with React 19 that have been experimental for quite a while and also not documented. Fun fact, I've found out this by rewatching Ben's Astro Together talk.

The only documentation we have about this is on the 3.4.0 @astrojs/react changelog, so we might want to discuss if we want to make this a breaking change or a minor change. I am going the conservative way and treating it as a major, but not making a changeset yet.

Testing

I updated the fixtures that test these APIs to use the stable names, altough I am not used with the useActionState() hook, so I would appreciate some double-checking.

Docs

Docs PR updating to stable: withastro/docs#12402

/cc @withastro/maintainers-docs for feedback!

Changes

• This PR updates the new tests for the updated astro info to be skipped command in Vite's ecosystem CI due to manual version overrides being made on their end, which messes with the test result. Refer to this Discord thread on the Vite Discord server for more info.

Testing

• The tests were adjusted to be skipped when run in the ecosystem CI tests.

Docs

N/A (Tests only)

Changes

• Follow https://github.com/withastro/astro/blob/main/CONTRIBUTING.md#entering-prerelease-mode

Testing

Docs

Description

• Closes #3383
• Updates styles applied to tab labels so that they work better for long labels and labels that wrap onto a second line.
• For the default case, with labels that do not wrap, the appearance is unchanged, with the vertical layout identical. However, for labels that do wrap, line height is now tighter (using Starlight’s 1.2 heading line height), making each tab label a bit more compact and a bit more visually distinct.
• For tabs where only some labels wrap, this PR fixes a bug where the bottom border of a tab would not align correctly

Before	After

This gets framework components to render in workerd. SSR and client both work.

Changes

• Fix the dev pipeline's resolve to be dynamic.
• Fix getComponentByRoute to first call getModuleForRoute which captures default routes.
  • This fixes 404s which were broken
• Moves renderers into a virtual module.

Testing

• Tested with our cloudflare example app

Docs

N/A

Changes

This PR updates the Cloudflare entrypoint to generate a handler that works in dev with the env API.

Testing

This updates the Cloudflare vite plugin fixture to use the standard entrypoint, rather than the custom dev one

Docs

Changes

Adds support for Cloudflare image binding service, from #14027. This is the only service that works with the environment API at the moment. Eventually we'll need to work out what to do with the other services in dev.

Stacked on #14357 so it can use the content layer in testing

Testing

Docs

Changes

Adds support for content layer in workerd with env api. It's basically just removing a couple of type guards that are no longer needed that were disabling the watchers, and most of the PR is copying over the content layer fixture into the Vite plugin cf fixture

Testing

Docs

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/solid-js (source)	^5.1.0 -> ^5.1.1
@astrojs/svelte (source)	^7.1.0 -> ^7.1.1
@astrojs/vue (source)	^5.1.0 -> ^5.1.1
@cloudflare/workers-types	^4.20250903.0 -> ^4.20250913.0
@netlify/vite-plugin	^2.5.8 -> ^2.5.9
rollup (source)	^4.50.0 -> ^4.50.2
svelte (source)	^5.38.6 -> ^5.38.10
tinyglobby (source)	^0.2.14 -> ^0.2.15
wrangler (source)	4.33.2 -> 4.37.0

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

This PR contains the following updates:

Package	Change	Age	Confidence
@changesets/cli (source)	^2.29.6 -> ^2.29.7
@libsql/client (source)	^0.15.14 -> ^0.15.15
@tailwindcss/vite (source)	^4.1.12 -> ^4.1.13
@types/semver (source)	^7.7.0 -> ^7.7.1
alpinejs (source)	^3.14.9 -> ^3.15.0
debug	^4.4.1 -> ^4.4.3
eslint (source)	^9.34.0 -> ^9.35.0
preact (source)	^10.27.1 -> ^10.27.2
sass	^1.92.0 -> ^1.92.1
svelte (source)	^5.38.6 -> ^5.38.10
tailwindcss (source)	^4.1.12 -> ^4.1.13
tinyglobby (source)	^0.2.14 -> ^0.2.15
typescript-eslint (source)	^8.42.0 -> ^8.43.0

Release Notes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

• This PR fixes a mistake previously missing from #14300 where the new astro info command tests would fail if one of the versions from the package.json in the fixture was bumped, like seen in #14351.

Testing

The tests themselves were adjusted to make sure this doesn't happen anymore. The versions for integrations and the adapter (if available) are now read in from the package.json.

Docs

N/A (Internal tests only)

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/node (source)	9.4.0 -> 9.4.1

GitHub Vulnerability Alerts

CVE-2025-55207

Summary

Following GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios.

Details

Astro 5.12.8 fixed a case where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press.

Proof of Concept

1. Create a new minimal Astro project (astro@5.12.8)
2. Configure it to use the Node adapter (@astrojs/node@9.4.0) and force trailing slashes:

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@​astrojs/node';
   
   export default defineConfig({
     trailingSlash: 'always',
     adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.
4. Run the server, e.g. with astro preview.
5. Append //astro.build/press to the preview URL, e.g. http://localhost:4321//astro.build/press
6. The site will redirect to the external Astro Build origin.

Example reproduction

1. Open this StackBlitz reproduction.
2. Open the preview in a separate window so the StackBlitz embed doesn't cause security errors.
3. Append //astro.build/press to the preview URL, e.g. https://x.local-corp.webcontainer.io//astro.build/press.
4. See it redirect to the external Astro Build origin.

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Release Notes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

When looking at ways to catch misuse of live collections I realised that currently we're silently ignoring errors when parsing content config. This PR changes it to log errors in these cases. Because these aren't currently fatal errors, throwing would be a breaking change, so I'm just logging for now.

Additionally, if live collections are enabled then it checks if it failed becausecreateLiveCollection has been used in content.config.ts and if so it does throw an error (which was I was originally trying to do).

Testing

Docs

The <summary> element must be the first child of <details>.

The <summary> element can only contain phrasing content elements like <span>, not flow content elements like <div>.

This makes no styling difference in these cases, as these are flexbox children.

The <select> element does not have a value attribute. (There is a value property on the HTMLSelectElement object, but that’s different.)

Remove these invalid HTML tags from the output when context.site is unset:

• <link rel="canonical"/> with missing href
• <meta property="og:url"/> with missing content

#14272

Changes

This PR does a further refactor of our internals. The main issue I was facing was the fact that I was trying to use the DevApp both in our internal dev server and the dev server spawned by external plugins such as Cloudflare.

This wasn't working and driving me nuts because DevApp uses a lot of Node.js APIs across the board. It was mental. So after thinking more about what @ascorbic said, we should try to use App instead, it actually made sense and it was the right approach. However, in dev, we handle a few things differently compared to production. For example, we handle 500 errors differently in dev.

So now, we have two apps:

• AstroServerApp (which uses its own AstroServerPipeline)
• DevApp (which uses its own DevPipeline)

AstroServerApp

It uses the code and business logic we currently use in our Astro server. The old DevPipeline has been renamed to AstroServerPipeline

DevApp

This new DevApp is mostly the same as App. They both use the same methods (such as render), they slightly differ in the match implementation, for example.

Since App and DevApp share the same logic, they are runtime-agnostic.

The new DevPipeline, for now, is a copy-paste of AppPipeline, however, we changed the logic of the function getComponentByRoute. In development, we don't have the compiled Astro files, so we need to dynamically import them e.g. import("path/to/file.astro). Eventually, in dev, our rollup plugin is triggered, and it should return the compiled code.

Testing

Minimal and react examples still work locally

Docs

Changes

• TS changed the definitions of some types, so I tried to convert data properly in 441d7dc (#14304)
• However this breaks eg. cloudflare, so insted I replaced those by type casts

Testing

Should pass

Docs

Changeset

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/db@0.18.0

Minor Changes

• #14204 d71448e Thanks @Adammatthiesen! - Adds a new libSQL web driver to support environments that require a non-Node.js libSQL client such as Cloudflare or Deno. Also adds a new mode configuration option to allow you to set your client connection type: node (default) or web.

  The default db node driver mode is identical to the previous AstroDB functionality. No changes have been made to how AstroDB works in Node.js environments, and this is still the integration's default behavior. If you are currently using AstroDB, no changes to your project code are required and setting a mode is not required.

  However, if you have previously been unable to use AstroDB because you required a non-Node.js libSQL client, you can now install and configure the libSQL web driver by setting mode: 'web' in your db configuration:

  import db from '@astrojs/db';
  import { defineConfig } from 'astro/config';
  
  // https://astro.build/config
  export default defineConfig({
    integrations: [db({ mode: 'web' })],
  });

  For more information, see the @astrojs/db documentation.

@astrojs/sitemap@3.6.0

Minor Changes

• #14285 bedc31b Thanks @jdcolombo! - Adds a new configuration option namespaces for more control over XML namespaces used in sitemap generation

  Excluding unused namespaces can help create cleaner, more focused sitemaps that are faster for search engines to parse and use less bandwidth. If your site doesn't have news content, videos, or multiple languages, you can exclude those namespaces to reduce XML bloat.

  The namespaces option allows you to configure news, xhtml, image, and video namespaces independently. All namespaces are enabled by default for backward compatibility and no change to existing projects is necessary. But now, you can choose to streamline your XML and avoid unnecessary code.

  For example, to exclude the video namespace from your sitemap, set video: false in your configuration:

  // astro.config.mjs
  import { sitemap } from '@astrojs/sitemap';
  
  export default {
    integrations: [
      sitemap({
        namespaces: {
          video: false,
          // other namespaces remain enabled by default
        }
      })
    ]
  };
  

  The generated XML will not include the xmlns:video namespace:

  <?xml version="1.0" encoding="UTF-8"?>
  <urlset
    xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
    xmlns:news="http://www.google.com/schemas/sitemap-news/0.9"
    xmlns:xhtml="http://www.w3.org/1999/xhtml"
    xmlns:image="http://www.google.com/schemas/sitemap-image/1.1"
  >
    <!-- ... -->
  </urlset>
  

astro@5.13.8

Patch Changes

• #14300 bd4a70b Thanks @louisescher! - Adds Vite version & integration versions to output of astro info

• #14341 f75fd99 Thanks @delucis! - Fixes support for declarative Shadow DOM when using the <ClientRouter> component

• #14350 f59581f Thanks @ascorbic! - Improves error reporting for content collections by adding logging for configuration errors that had previously been silently ignored. Also adds a new error that is thrown if a live collection is used in content.config.ts rather than live.config.ts.

• #14343 13f7d36 Thanks @florian-lefebvre! - Fixes a regression in non node runtimes

Changes

• Fixes #14340
• <ClientRouter> uses DOMParser to parse the HTML fetched by the router, but this does not support attaching declarative Shadow DOM (<template> elements using the shadowrootmode attribute) the same way as browsers do when pages load normally.
• One fix would be to use APIs like document.parseHTMLUnsafe(), but that would be more disruptive to our code (especially as it’s not widely supported yet so would need a polyfill), so instead I left the DOMParser untouched and manually upgrade any templates in the swapBodyElement() function.
• The function used is based on this polyfill.

Testing

New E2E test in the view transition fixture.

• Failing in c1317b0 which adds only the new test: ❌ test run
• Passing in 2d49c8c, which adds logic to attach shadow roots during transitions: ✅ test run

Docs

N/A — bug fix.

Changes

• Adds collapseHeaders option to experimental.csp configuration
• When used with adapters supporting experimentalStaticHeaders, consolidates all CSP headers into a single catch-all route
• Prevents build errors for large sites with many routes / large CSP config
• Reduces configuration file size from MB to KB for large sites (especially with i18n)
• Maintains full backward compatibility with existing CSP usage
• Benefits all adapters that support experimentalStaticHeaders automatically (Vercel, Netlify, Node)

Before: 15k+ individual CSP route entries → 9MB config file → Build failures
After: 1 global CSP route entry → 10KB config file → Successful builds

Reference: #13996 (comment)

Usage:

// Default behavior (unchanged)
experimental: {
  csp: true
}

// New option
experimental: {
  csp: {
    collapseHeaders: true
  }
}

Testing

• Added tests for all (3) adapters that support experimentalStaticHeaders using existing static-headers.test.js files for Vercel, Netlify, and Node adapters.
• Created test fixtures with collapseHeaders: true configuration for each adapter
• Verified collapsed headers create single catch-all route entries across all platforms
• Confirmed backward compatibility with existing CSP configurations
• All tests passing

Docs

This is a core CSP feature that works universally with all adapters supporting experimentalStaticHeaders which affects behavior for large sites experiencing build size limits with CSP enabled.

Documentation updates needed for:

• New collapseHeaders option in experimental CSP configuration
• When to use collapsed vs per-route CSP headers
• Usage examples with different adapters
• Build / performance implications and best practices

/cc @withastro/maintainers-docs for feedback!

Changes

This PR does the following:

• adds a new specifier to Astro named astro/app/dev. This new specifier exposes two bindings: a default, which is createExports, and DevApp if users need to use it
• adds a devEntrypoint to the adapters, which is used inside the Astro dev server plugin. If it is absent, the plugin uses astro/app/dev as a fallback

This should get us closer to use the cloudflare plugin

Testing

Minimal and React examples still work

Docs

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.13.7

Patch Changes

• #14330 72e14ab Thanks @ascorbic! - Removes pinned package that is no longer needed.

• #14335 17c7b03 Thanks @florian-lefebvre! - Bumps sharp minimal version to 0.34.0

Changes

• Bumps sharp optional peer dep min version to 0.34.0
• Updates sharp in various fixtures
• Removed an outdated renovate config

Testing

Should still pass

Docs

Changeset

Changes

This refactors the dev server to use an entrypoint to load the application.

Testing

The minimal example works, the react example works.

Docs

Changes

The vulnerable version of simple-swizzle has been removed from npm, so we can remove this when we next publish

Testing

Docs

Changes

Pins to avoid a compromised dep

Testing

Docs

Changes

Update vite to 6.3.6 to fix :

• GHSA-g4jq-h2w9-997c
• GHSA-jqfw-vq24-v9c3

Testing

should pass

Docs

N/A

Changes

This PR fixes a regression where createRoutesList is called twice: once when creating the build runner, once inside the plugin.

This unfortunately calls createRoutesList twice. I will fix this problem in a later PR

Testing

New tests are now passing

Docs

Changes

Creates an environment called content that is used to load the content config. This allows it to happen when the main dev environment is a non-runnable env.

This also changes a few other uses of ssr to remove the type guard, when they don't need the runner.

Testing

Manually tested some content layer fixtures

Docs

Changes

• Adds experimental content layer data store splitting when saving to disk.
• This avoids both handling enormous strings in large content collections, and file size limits for certain deployment platforms for medium and large collections.
• Data store is now a directory, with manifest file that allows for recreation of collections.
• Splitting strategy:
  • Split by collection, then
  • Split entries into chunks of 1000
  • Use devalue to stringify the chunk of 1000 entries
  • Further split the resulting string into smaller parts not greater than 20MB
• Resolves withastro/roadmap#1213
• Resolves #13360

Manifest format:

{
  "collectionName": [
     ["collectionName.hash1.js", "collectionName.hash2.js"], // 1000 entries, split into two strings
     ["collectionName.hash3.js"], // rest of entries
  ],
  "anotherCollection": ["..."]
}

Testing

Content layer tests have already great coverage, I've added test cases where relevant to run the suite with experimental flag as well.

Docs

Needs a new experimental feature page.

/cc @withastro/maintainers-docs

Description

Pending the release of Algolia's @docsearch/js@3.10.0, which will add support for customizing keyboard shortcuts, this PR does the work to render these custom keyboard shortcuts in the @astrojs/starlight-docsearch component.

I'm now relying on the default rendering of these buttons for Ctrl/Cmd+K, but kept the familiar / rendering. Happy to change it too, but figured you'd probably prefer consistency where possible.

With all keyboard shortcuts disabled

With Ctrl/Cmd+K enabled

With / enabled

Changes

• Adds globalCsp option to experimentalStaticHeaders configuration in @astrojs/vercel
• Prevents "Body exceeded 3300kb limit" Vercel build errors for large sites with CSP enabled
• Consolidates duplicate CSP headers into a single catch-all /(.*) route entry
• Reduces .vercel/output/config.json file size from MB to KB for large sites
• Maintains full backward compatibility with existing experimentalStaticHeaders: true usage

Astro Site with ~2,500 static pages:

Before: 15k+ individual CSP route entries → 9MB config file → Vercel build failure
After: 1 global CSP route entry → 10KB config file → Successful builds

Usage:

// Default (unchanged)
experimentalStaticHeaders: true

// New global option
experimentalStaticHeaders: {
  globalCsp: true
}

Reference: #13996 (comment)

Testing

• Extended existing test/static-headers.test.js with global CSP mode tests
• Added test/fixtures/static-headers-global/ fixture to test global CSP functionality
• Verified global mode creates single /(.*) route with CSP header
• Confirmed backward compatibility with existing boolean configuration
• All tests passing: 3 tests, 2 suites, 0 failures

Test command: cd packages/integrations/vercel && node --test test/static-headers.test.js

Docs

This change affects user behavior for large sites experiencing Vercel build size limits. Documentation updates needed for:

• New globalCsp option in Vercel adapter configuration
• When to use global vs per-route CSP (large sites vs granular control)
• Migration guide for sites hitting Vercel build limits

/cc @withastro/maintainers-docs for feedback!

Changes

This PR adds a new virtual module that allows to return the list of routes inside an Astro project.

This virtual module essentially replaces the RoutesList type that we create when we start the dev server.

Testing

Unit tests should pass. Integration tests pass on my machine, they will still time out here

Docs

N/A

Changes

• Added --concurrency=auto flag to ESLint commands for improved performance

Testing

Docs

No user-facing behavior changes.

ref: https://eslint.org/blog/2025/08/multithread-linting/

Changes

Adds the Cloudflare Vite plugin. This takes over the dev server and runs its own.

Testing

Docs

@playwright/test 1.55.0
cheerio 1.1.2
typescript 5.9.2
rollup: 4.50.0
saas: 1.91.0

Changes

• Extracted from #13749

Testing

Docs

Changes

• Extracted from #13749

Testing

Docs

Changes

• Extracted from #13749

Testing

Docs

Changes

Removes generate from RouteData. generate is still present in IntegrationRouteData

The reason why we want to remove this function from RouteData is because we plan to make RouteData[] a virtual module, so downstream plugins can pull the data whenever they want.

Testing

CI currently times out, however I made sure that locally no tests broke.

Docs

N/A

Changes

The handling of base paths with trailingSlash never was causing an empty pattern to be generated for the root index. This PR ensures that it will always match /

Fixes #14245

Testing

Fixed a test that was missing this

Docs

Changes

This PR adds information about the versions of Vite and the installed integrations when running astro info. It does so by modifying the current info command and resolving the package.json files of both Astro and the integrations using the createRequire function.

In cases where the name of the integration does not match the package's name, no version information is displayed.

Testing

A new test was added to check whether the correct version of Vite is displayed.

Docs

The output on https://docs.astro.build/en/reference/cli-reference/#astro-info is now (even more) outdated.

Changes

This PR refactors how the manifest is computed and pulled during development and build.

There's a new module called astro:serialized-manifest. While it returns a deserialised manifest, it's actually deserialised during its creation. It means that it's computed from AstroSettings, and it's deserialised inside the virtual module.

Happy to bikeshed the name.

Now astro:config/server and astro:config/client use this module to pull the information. Plus, I refactored them to use this.environment.name instead of opts.ssr

Testing

Updated. They should all pass

Docs

N/A

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.13.6

Patch Changes

• #14294 e005855 Thanks @martrapp! - Restores the ability to use Google Analytics History change trigger with the <ClientRouter />.

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

• #14108 218e070 Thanks @JusticeMatthew! - Updates dynamic route split regex to avoid infinite retries/exponential complexity

• #14327 c1033be Thanks @ascorbic! - Pins simple-swizzle to avoid compromised version

@astrojs/db@0.17.2

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

@astrojs/alpinejs@0.4.9

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

@astrojs/cloudflare@12.6.8

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

@astrojs/markdoc@0.15.6

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

@astrojs/mdx@4.3.5

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

@astrojs/netlify@6.5.10

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

@astrojs/preact@4.1.1

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

@astrojs/react@4.3.1

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

@astrojs/solid-js@5.1.1

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

@astrojs/svelte@7.1.1

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE

@astrojs/vue@5.1.1

Patch Changes

• #14326 c24a8f4 Thanks @jsparkdev! - Updates vite version to fix CVE