Skip to content

AstroEco is Contributing…

Display your GitHub pull requests using astro-loader-github-prs

withastro/astro
fix(create-astro): validate integration names to prevent shell injection
withastro/astro
#15429

Description

Fixes #15420

The --add flag was passing user input directly to shell commands, allowing shell metacharacters to be interpreted as shell syntax. For example:

npm create --yes astro poc -- --add "react; open -a Calculator.app;" --install --yes

Would result in open -a Calculator.app being executed.

Changes

  • Added VALID_INTEGRATION_NAME regex pattern that matches valid npm package names (lowercase letters, numbers, hyphens, underscores, dots, and scoped packages)
  • Added isValidIntegrationName() validation function
  • Invalid integration names are now filtered out with a clear error message
  • Added 3 tests for validation behavior:
    • Rejects integration names with shell metacharacters
    • Accepts valid integration names
    • Filters out only invalid names (keeps valid ones)

Testing

All 73 tests pass, including the 3 new tests:

  • rejects integration names with shell metacharacters
  • accepts valid integration names
  • filters out only invalid integration names
withastro/astro
[ci] release (beta)
withastro/astro
#15426

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

@astrojs/cloudflare@13.0.0-beta.6

Major Changes

  • #15345 840fbf9 Thanks @matthewp! - Removes the cloudflareModules adapter option

    The cloudflareModules option has been removed because it is no longer necessary. Cloudflare natively supports importing .sql, .wasm, and other module types.

    What should I do?

    Remove the cloudflareModules option from your Cloudflare adapter configuration if you were using it:

    import cloudflare from '@astrojs/cloudflare';

export default defineConfig({
  adapter: cloudflare({
-   cloudflareModules: true
  })
});

Minor Changes

  • #15077 a164c77 Thanks @matthewp! - Adds support for prerendering pages using the workerd runtime.

    The Cloudflare adapter now uses the new setPrerenderer() API to prerender pages via HTTP requests to a local preview server running workerd, instead of using Node.js. This ensures prerendered pages are built using the same runtime that serves them in production.

Patch Changes

  • Updated dependencies [a164c77]:
    • @astrojs/internal-helpers@0.8.0-beta.1
    • @astrojs/underscore-redirects@1.0.0

astro@6.0.0-beta.10

Minor Changes

  • #15231 3928b87 Thanks @rururux! - Adds a new optional getRemoteSize() method to the Image Service API.

    Previously, inferRemoteSize() had a fixed implementation that fetched the entire image to determine its dimensions.
    With this new helper function that extends inferRemoteSize(), you can now override or extend how remote image metadata is retrieved.

    This enables use cases such as:

    • Caching: Storing image dimensions in a database or local cache to avoid redundant network requests.
    • Provider APIs: Using a specific image provider's API (like Cloudinary or Vercel) to get dimensions without downloading the file.

    For example, you can add a simple cache layer to your existing image service:

    const cache = new Map();

const myService = {
  ...baseService,
  async getRemoteSize(url, imageConfig) {
    if (cache.has(url)) return cache.get(url);

    const result = await baseService.getRemoteSize(url, imageConfig);
    cache.set(url, result);
    return result;
  },
};

    See the Image Services API reference documentation for more information.

  • #15077 a164c77 Thanks @matthewp! - Updates the Integration API to add setPrerenderer() to the astro:build:start hook, allowing adapters to provide custom prerendering logic.

    The new API accepts either an AstroPrerenderer object directly, or a factory function that receives the default prerenderer:

    'astro:build:start': ({ setPrerenderer }) => {
  setPrerenderer((defaultPrerenderer) => ({
    name: 'my-prerenderer',
    async setup() {
      // Optional: called once before prerendering starts
    },
    async getStaticPaths() {
      // Returns array of { pathname: string, route: RouteData }
      return defaultPrerenderer.getStaticPaths();
    },
    async render(request, { routeData }) {
      // request: Request
      // routeData: RouteData
      // Returns: Response
    },
    async teardown() {
      // Optional: called after all pages are prerendered
    }
  }));
}

    Also adds the astro:static-paths virtual module, which exports a StaticPaths class for adapters to collect all prerenderable paths from within their target runtime. This is useful when implementing a custom prerenderer that runs in a non-Node environment:

    // In your adapter's request handler (running in target runtime)
import { App } from 'astro/app';
import { StaticPaths } from 'astro:static-paths';

export function createApp(manifest) {
  const app = new App(manifest);

  return {
    async fetch(request) {
      const { pathname } = new URL(request.url);

      // Expose endpoint for prerenderer to get static paths
      if (pathname === '/__astro_static_paths') {
        const staticPaths = new StaticPaths(app);
        const paths = await staticPaths.getAll();
        return new Response(JSON.stringify({ paths }));
      }

      // Normal request handling
      return app.render(request);
    },
  };
}

    See the adapter reference for more details on implementing a custom prerenderer.

  • #15345 840fbf9 Thanks @matthewp! - Adds a new emitClientAsset function to astro/assets/utils for integration authors. This function allows emitting assets that will be moved to the client directory during SSR builds, useful for assets referenced in server-rendered content that need to be available on the client.

    import { emitClientAsset } from 'astro/assets/utils';

// Inside a Vite plugin's transform or load hook
const handle = emitClientAsset(this, {
  type: 'asset',
  name: 'my-image.png',
  source: imageBuffer,
});

Patch Changes

  • #15423 c5ea720 Thanks @matthewp! - Improves error message when a dynamic redirect destination does not match any existing route.

    Previously, configuring a redirect like /categories/[category]/categories/[category]/1 in static output mode would fail with a misleading "getStaticPaths required" error. Now, Astro detects this early and provides a clear error explaining that the destination does not match any existing route.

  • #15345 840fbf9 Thanks @matthewp! - Fixes an issue where .sql files (and other non-asset module types) were incorrectly moved to the client assets folder during SSR builds, causing "no such module" errors at runtime.

    The ssrMoveAssets function now reads the Vite manifest to determine which files are actual client assets (CSS and static assets like images) and only moves those, leaving server-side module files in place.

  • #15422 68770ef Thanks @matthewp! - Upgrade to @astrojs/compiler@3.0.0-beta

  • Updated dependencies [a164c77]:

    • @astrojs/internal-helpers@0.8.0-beta.1
    • @astrojs/markdown-remark@7.0.0-beta.6

@astrojs/markdoc@1.0.0-beta.9

Minor Changes

  • #15345 840fbf9 Thanks @matthewp! - Uses Astro's new emitClientAsset API for image emission in content collections

Patch Changes

  • Updated dependencies [a164c77]:
    • @astrojs/internal-helpers@0.8.0-beta.1
    • @astrojs/markdown-remark@7.0.0-beta.6

@astrojs/internal-helpers@0.8.0-beta.1

Minor Changes

  • #15077 a164c77 Thanks @matthewp! - Adds normalizePathname() utility function for normalizing URL pathnames to match the canonical form used by route generation.

@astrojs/mdx@5.0.0-beta.6

Patch Changes

  • Updated dependencies []:
    • @astrojs/markdown-remark@7.0.0-beta.6

@astrojs/netlify@7.0.0-beta.8

Patch Changes

  • Updated dependencies [a164c77]:
    • @astrojs/internal-helpers@0.8.0-beta.1
    • @astrojs/underscore-redirects@1.0.0

@astrojs/node@10.0.0-beta.3

Patch Changes

  • Updated dependencies [a164c77]:
    • @astrojs/internal-helpers@0.8.0-beta.1

@astrojs/vercel@10.0.0-beta.3

Patch Changes

  • Updated dependencies [a164c77]:
    • @astrojs/internal-helpers@0.8.0-beta.1

@astrojs/markdown-remark@7.0.0-beta.6

Patch Changes

  • Updated dependencies [a164c77]:
    • @astrojs/internal-helpers@0.8.0-beta.1
withastro/astro
fix(routing): improve error for invalid dynamic redirect destinations
withastro/astro
#15423

Changes

  • Adds early validation in createRedirectRoutes() to detect when a dynamic redirect destination doesn't match any existing route
  • Throws a new InvalidRedirectDestination error with a clear message instead of the misleading "getStaticPaths required" error
  • Only applies to static output mode (server mode handles dynamic redirects at runtime)

Closes #12036. Supersedes #14161 which was closed due to inactivity.

Testing

Added test case in packages/astro/test/redirects.test.js that reproduces the issue and verifies the new error message.

Docs

N/A, bug fix

withastro/astro
Use the beta version of the compiler
withastro/astro
#15422

Changes

  • Upgrades to the beta version of the compiler

Testing

N/A

Docs

N/A

withastro/astro
fix: remove left-over log in CSP
withastro/astro
#15421

Changes

Left over logging was left in the last beta, this should fix it

Testing

I mean

Docs

N/A

withastro/astro
fix(create-astro): make --add stricter
withastro/astro
#15419

Changes

Closes #15420

I refactored the solution to make more generic and apply it to --add and astro add. We have a generic regex that checks wether the name follows the npmjs naming convention. If not, we throw an error.

I preferred to have this regex inside the internal helpers, so both create-astro and astro can use the same source of truth.

Note

Solution designed by me. Code and tests generated via AI. I checked all the code

Testing

Added various tests.

Added new tests. Tested manually

Docs

N/A

withastro/astro
[ci] release (beta)
withastro/astro
#15416

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

@astrojs/cloudflare@13.0.0-beta.5

Major Changes

Patch Changes

  • Updated dependencies []:
    • @astrojs/underscore-redirects@1.0.0

astro@6.0.0-beta.9

Patch Changes

withastro/astro
fix: CSP headers in dev
withastro/astro
#15415

Changes

Found this issue while I was working on images + CSP. Decided to open a different PR.

Testing

Manually tested, and confirmed that I don't see headers in dev. Existing tests should pass.

Docs

N/A

withastro/astro
fix(astro): ensure `req.url` has a starting `/` when modifying it in the internal base middleware
withastro/astro
#15414

Changes

This PR fixes the following error found in ecosystem-ci:

[ERROR] [vite] Internal server error: The specifiers must be a non-empty string. Received ""
https://github.com/vitejs/vite-ecosystem-ci/actions/runs/21699933912/job/62578172408#step:7:1774

This error was happening because astro's internal base middleware was assigning a string without the starting / to req.url.

Testing

Tested on ecosystem-ci: https://github.com/vitejs/vite-ecosystem-ci/actions/runs/21707585317/job/62602560591

Docs

No user facing change

withastro/astro
feat: convert netlify and vercel adapters to new API
withastro/astro
#15413

Changes

  • Updates the netlify and vercel adapters to the new adapter API
  • The vercel adapter is updated to use web request/response now that Vercel supports it
  • I'll tackle node in a distinct PR as it should require bigger changes

Testing

Updated

Docs

Changesets, no docs needed

withastro/astro
feat: better adapter type
withastro/astro
#15412

Changes

  • Depends on #15400
  • Improves the AstroAdapter type to better reflect reality, by using a discriminated union
  • Cleans up a few internals around legacy adapters

Testing

Should pass

Docs

Changeset, withastro/docs#13229

withastro/astro
ci: update bench libs
withastro/astro
#15409

Changes

Let's see if this fixes the failures.

Testing

Green benchmarks

Docs

withastro/astro
feat(csp): support responsive images
withastro/astro
#15407

Changes

Adds support for responsive images with CSP.

The solution was to refactor how the styles for responsive images are computed. Until now, they are computed at runtime and injected in the style attribute. This can't be supported via CSP for many reasons.

This PR moves the generation of the styles inside a virtual module, which generates the styles in a static way based on the configuration provided by the user.

The solution uses data attributes, no class names.

Note

The code was generated via Claude Code

Testing

Existing tests should pass. One test was updated due to how --fit and --pos are injected.
One test was moved to E2E because styles emitted via virtual modules are injected by vite after rendering, client side.

Docs

I still need to identify if this is a breaking change or not, and if it needs some docs update.

withastro/astro
fix(deps): lock file maintenance language tools
withastro/astro
#15406

This PR contains the following updates:

Package Type Update Change Age Confidence
lockFileMaintenance All locks refreshed
@volar/language-core (source) devDependencies patch ~2.4.27~2.4.28 age confidence
@volar/kit (source) dependencies patch ~2.4.27~2.4.28 age confidence
@volar/language-core (source) dependencies patch ~2.4.27~2.4.28 age confidence
@volar/language-server (source) devDependencies patch ~2.4.27~2.4.28 age confidence
@volar/language-server (source) dependencies patch ~2.4.27~2.4.28 age confidence
@volar/language-service (source) dependencies patch ~2.4.27~2.4.28 age confidence
@volar/test-utils (source) devDependencies patch ~2.4.27~2.4.28 age confidence
@volar/typescript (source) dependencies patch ~2.4.27~2.4.28 age confidence
@volar/typescript (source) devDependencies patch ~2.4.27~2.4.28 age confidence
@volar/vscode (source) devDependencies patch ~2.4.27~2.4.28 age confidence
prettier (source) dependencies patch ^3.8.0^3.8.1 age confidence
svelte (source) dependencies patch ^5.0.0^5.49.1 age confidence

🔧 This Pull Request updates lock files to use the latest dependency versions.

Configuration

📅 Schedule: Branch creation - "before 4am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

withastro/astro
fix(deps): lock file maintenance astro dependencies
withastro/astro
#15405

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change Pending Age Confidence
lockFileMaintenance All locks refreshed
@preact/signals (source) dependencies minor 2.5.12.6.2 2.7.0 age confidence
preact (source) dependencies patch ^10.28.2^10.28.3 age confidence
unist-util-visit dependencies patch ^5.0.0^5.1.0 age confidence
cheerio (source) devDependencies minor 1.1.21.2.0 age confidence
shiki (source) devDependencies patch ^3.21.0^3.22.0 age confidence
vite (source) devDependencies patch ^7.1.7^7.3.1 age confidence
svelte (source) dependencies patch ^5.46.1^5.49.1 age confidence
vue (source) dependencies patch ^3.5.26^3.5.27 age confidence
solid-js (source) dependencies patch ^1.9.10^1.9.11 age confidence
autoprefixer dependencies patch ^10.4.23^10.4.24 age confidence
react (source) dependencies patch ^19.2.3^19.2.4 age confidence
react-dom (source) dependencies patch ^19.2.3^19.2.4 age confidence
zod (source) dependencies patch ^4.1.12^4.3.6 age confidence
rollup (source) devDependencies patch ^4.55.1^4.57.1 age confidence
sass devDependencies patch ^1.97.2^1.97.3 age confidence
@astrojs/compiler (source) dependencies minor 0.0.0-render-script-202510031204590.33.0 age confidence
@playwright/test (source) devDependencies minor 1.57.01.58.1 age confidence
@types/http-cache-semantics (source) devDependencies patch ^4.0.4^4.2.0 age confidence
ci-info dependencies patch ^4.3.1^4.4.0 age confidence
fontace dependencies patch ~0.4.0~0.4.1 age confidence
shiki (source) dependencies patch ^3.21.0^3.22.0 age confidence
solid-js (source) devDependencies patch ^1.9.10^1.9.11 age confidence
undici (source) devDependencies patch ^7.19.1^7.19.2 7.20.0 age confidence
vite (source) dependencies patch ^7.1.7^7.3.1 age confidence
zod (source) dependencies patch ^4.0.0^4.3.6 age confidence
sass dependencies patch ^1.97.2^1.97.3 age confidence
@astrojs/mdx (source) dependencies patch ^4.3.5^4.3.13 age confidence
@types/react (source) dependencies patch ^18.3.24^18.3.27 age confidence
@vitejs/plugin-vue (source) dependencies patch ^6.0.2^6.0.3 6.0.4 age confidence
preact (source) dependencies patch ^10.25.4^10.28.3 age confidence
vue (source) dependencies patch ^3.5.25^3.5.27 age confidence
react (source) dependencies patch 19.2.319.2.4 age confidence
react-dom (source) dependencies patch 19.2.319.2.4 age confidence

🔧 This Pull Request updates lock files to use the latest dependency versions.

Release Notes

preactjs/signals (@​preact/signals)

v2.6.2

Compare Source

Patch Changes

v2.6.1

Patch Changes

v2.6.0

Minor Changes
Patch Changes
cheeriojs/cheerio (cheerio)

v1.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: cheeriojs/cheerio@v1.1.2...v1.2.0

facebook/react (react)

v19.2.4: 19.2.4 (January 26th, 2026)

Compare Source

React Server Components
withastro/compiler (@​astrojs/compiler)

v0.33.0

Compare Source

Minor Changes
  • 1adac72: Improve error recovery when using the transform function. The compiler will now properly reject the promise with a useful message and stacktrace rather than print internal errors to stdout.
Patch Changes
  • 68d3c0c: Fix edge case where export type could hang the compiler
  • ec1ddf0: Handle edge case with TypeScript generics handling and our TSX output
  • 23d1fc0: Ignore trailing whitespace in components

v0.32.0

Compare Source

Minor Changes
  • 2404848: Remove pathname option in favour of sourcefile option
  • 2ca86f6: Remove site and projectRoot options in favour of the astroGlobalArgs option
  • edd3e0e: Merge sourcefile and moduleId options as a single filename option. Add a new normalizedFilename option to generate stable hashes instead.
  • 08843bd: Remove experimentalStaticExtraction option. It is now the default.

v0.31.4

Compare Source

Patch Changes
  • 960b853: Rename SerializeOtions interface to SerializeOptions
  • fcab891: Fixes export hoisting edge case
  • 47de01a: Handle module IDs containing quotes

v0.31.3

Compare Source

Patch Changes

v0.31.2

Compare Source

Patch Changes
  • 89c0cee: fix: corner case that component in head expression will case body tag missing
  • 20497f4: Improve fidelity of sourcemaps for frontmatter

v0.31.1

Compare Source

Patch Changes
  • 24dcf7e: Allow script and style before HTML
  • ef391fa: fix: corner case with slot expression in head will cause body tag missing

v0.31.0

Compare Source

Minor Changes

v0.30.1

Compare Source

Patch Changes
  • ff9e7ba: Fix edge case where < was not handled properly inside of expressions
  • f31d535: Fix edge case with Prop detection for TSX output

v0.30.0

Compare Source

Minor Changes
  • 963aaab: Provide the moduleId of the astro component

v0.29.19

Compare Source

Patch Changes
  • 3365233: Replace internal tokenizer state logs with proper warnings

v0.29.18

Compare Source

Patch Changes
  • 80de395: fix: avoid nil pointer dereference in table parsing
  • aa3ad9d: Fix parse output to properly account for the location of self-closing tags
  • b89dec4: Internally, replace astro.ParseFragment in favor of astro.ParseFragmentWithOptions. We now check whether an error handler is passed when calling astro.ParseFragmentWithOptions

v0.29.17

Compare Source

Patch Changes
  • 1e7e098: Add warning for invalid spread attributes
  • 3cc6f55: Fix handling of unterminated template literal attributes
  • 48c5677: Update default internalURL to astro/runtime/server/index.js
  • 2893f33: Fix a number of table and expression related bugs

v0.29.16

Compare Source

Patch Changes
  • ec745f4: Self-closing tags will now retreive "end" positional data
  • a6c2822: Fix a few TSX output errors

v0.29.15

Compare Source

Patch Changes
  • 5f6e69b: Fix expression literal handling

v0.29.14

Compare Source

Patch Changes

v0.29.13

Compare Source

Patch Changes
  • 8f3e488: Fix regression introduced to parse handling in the last patch

v0.29.12

Compare Source

Patch Changes
  • a41982a: Fix expression edge cases, improve literal parsing

v0.29.11

Compare Source

Patch Changes

v0.29.10

Compare Source

Patch Changes
  • 07a65df: Print \r when printing TSX output
  • 1250d0b: Add warning when define:vars won't work because of compilation limitations

v0.29.9

Compare Source

Patch Changes
  • 1fe92c0: Fix TSX sourcemaps on Windows (take 4)

v0.29.8

Compare Source

Patch Changes
  • 01b62ea: Fix sourcemap bug on Windows (again x2)

v0.29.7

Compare Source

Patch Changes
  • 108c6c9: Fix TSX sourcemap bug on Windows (again)

v0.29.6

Compare Source

Patch Changes
  • 4b3fafa: Fix TSX sourcemaps on Windows

v0.29.5

Compare Source

Patch Changes
  • 73a2b69: Use an IIFE for define:vars scripts

v0.29.4

Compare Source

Patch Changes
  • 4381efa: Return proper diagnostic code for warnings

v0.29.3

Compare Source

Patch Changes
  • 85e1d31: AST: move start position of elements to the first index of their opening tag

v0.29.2

Compare Source

Patch Changes
  • 035829b: AST: move end position of elements to the last index of their end tag

v0.29.1

Compare Source

Patch Changes
  • a99c014: Ensure comment and text nodes have end positions when generating an AST from parse

v0.29.0

Compare Source

Minor Changes
  • fd2fc28: Fix some utf8 compatability issues
Patch Changes
  • 4b68670: TSX: fix edge case with spread attribute printing
  • 6b204bd: Fix bug with trailing style tags being moved into the html element
  • 66fe230: Fix: include element end location in parse AST

v0.28.1

Compare Source

Patch Changes
  • aac8c89: Fix end tag sourcemappings for TSX mode
  • d7f3288: TSX: Improve self-closing tag behavior and mappings
  • 75dd7cc: Fix spread attribute mappings

v0.28.0

Compare Source

Minor Changes
  • 5da0dc2: Add resolvePath option to control hydration path resolution
  • e816a61: Remove metadata export if resolvePath option provided

v0.27.2

Compare Source

Patch Changes
  • 959f96b: Fix "missing sourcemap" issue
  • 94f6f3e: Fix edge case with multi-line comment usage
  • 85a654a: Fix parse causing a compiler panic when a component with a client directive was imported but didn't have a matching import
  • 5e32cbe: Improvements to TSX output

v0.27.1

Compare Source

Patch Changes

v0.27.0

Compare Source

Minor Changes

  • c770e7b: The compiler will now return diagnostics and unique error codes to be handled by the consumer. For example:

    import type { DiagnosticSeverity, DiagnosticCode } from '@&#8203;astrojs/compiler/types';
import { transform } from '@&#8203;astrojs/compiler';

async function run() {
  const { diagnostics } = await transform(file, opts);

  function log(severity: DiagnosticSeverity, message: string) {
    switch (severity) {
      case DiagnosticSeverity.Error:
        return console.error(message);
      case DiagnosticSeverity.Warning:
        return console.warn(message);
      case DiagnosticSeverity.Information:
        return console.info(message);
      case DiagnosticSeverity.Hint:
        return console.info(message);
    }
  }

  for (const diagnostic of diagnostics) {
    let message = diagnostic.text;
    if (diagnostic.hint) {
      message += `\n\n[hint] ${diagnostic.hint}`;
    }

    // Or customize messages for a known DiagnosticCode
    if (diagnostic.code === DiagnosticCode.ERROR_UNMATCHED_IMPORT) {
      message = `My custom message about an unmatched import!`;
    }
    log(diagnostic.severity, message);
  }
}
Patch Changes
  • 0b24c24: Implement automatic typing for Astro.props in the TSX output

v0.26.1

Compare Source

Patch Changes
  • 920898c: Handle edge case with noscript tags
  • 8ee78a6: handle slots that contains the head element
  • 244e43e: Do not hoist import inside object
  • b8cd954: Fix edge case with line comments and export hoisting
  • 52ebfb7: Fix parse/tsx output to gracefully handle invalid HTML (style outside of body, etc)
  • 884efc6: Fix edge case with multi-line export hoisting

v0.26.0

Compare Source

Minor Changes
  • 0be58ab: Improve sourcemap support for TSX output
Patch Changes
  • e065e29: Prevent head injection from removing script siblings

v0.25.2

Compare Source

Patch Changes
  • 3a51b8e: Ensure that head injection occurs if there is only a hoisted script

v0.25.1

Compare Source

Patch Changes
  • 41fae67: Do not scope empty style blocks
  • 1ab8280: fix(#​517): fix edge case with TypeScript transform
  • a3678f9: Fix import.meta.env usage above normal imports

v0.25.0

Compare Source

Minor Changes
  • 6446ea3: Make Astro styles being printed after user imports
Patch Changes
  • 51bc60f: Fix edge cases with getStaticPaths where valid JS syntax was improperly handled

v0.24.0

Compare Source

Minor Changes
  • 6ebcb4f: Allow preprocessStyle to return an error
Patch Changes
  • abda605: Include filename when calculating scope

v0.23.5

Compare Source

Patch Changes
  • 6bc8e0b: Prevent import assertion from being scanned too soon

v0.23.4

Compare Source

Patch Changes
  • 3b9f0d2: Remove css print escape for experimentalStaticExtraction

v0.23.3

Compare Source

Patch Changes
  • 7693d76: Fix resolution of .jsx modules

v0.23.2

Compare Source

Patch Changes
  • 167ad21: Improve handling of namespaced components when they are multiple levels deep
  • 9283258: Fix quotations in pre-quoted attributes
  • 76fcef3: Better handling for imports which use special characters

v0.23.1

Compare Source

Patch Changes
  • 79376f3: Fix regression with expression rendering

v0.23.0

Compare Source

Minor Changes
  • d8448e2: Prevent printing the doctype in the JS output
Patch Changes
  • a28c3d8: Fix handling of unbalanced quotes in expression attributes
  • 28d1d4d: Fix handling of TS generics inside of expressions
  • 356d3b6: Prevent wraping module scripts with scope

v0.22.1

Compare Source

Patch Changes
  • 973103c: Prevents unescaping attribute expressions

v0.22.0

Compare Source

Minor Changes
  • 558c9dd: Generate a stable scoped class that does NOT factor in local styles. This will allow us to safely do style HMR without needing to update the DOM as well.
  • c19cd8c: Update Astro's CSS scoping algorithm to implement zero-specificity scoping, according to RFC0012.

v0.21.0

Compare Source

Minor Changes
  • 8960d82: New handling for define:vars scripts and styles
Patch Changes
  • 4b318d5: Do not attempt to hoist styles or scripts inside of <noscript>

v0.20.0

Compare Source

Minor Changes
  • 48d33ff: Removes compiler special casing for the Markdown component
  • 4a5352e: Removes limitation where imports/exports must be at the top of an .astro file. Fixes various edge cases around getStaticPaths hoisting.
Patch Changes
  • 245d73e: Add support for HTML minification by passing compact: true to transform.
  • 3ecdd24: Update TSX output to also generate TSX-compatible code for attributes containing dots

v0.19.0

Compare Source

Minor Changes
  • fcb4834: Removes fallback for the site configuration
Patch Changes
  • 02add77: Fixes many edge cases around tables when used with components, slots, or expressions
  • b23dd4d: Fix handling of unmatched close brace in template literals
  • 9457a91: Fix issue with { in template literal attributes
  • c792161: Fix nested expression handling with a proper expression tokenizer stack

v0.18.2

Compare Source

Patch Changes

v0.18.1

Compare Source

Patch Changes
  • aff2f23: Warning on client: usage on scripts

v0.18.0

Compare Source

Minor Changes
  • 4b02776: Fix handling of slot attribute used inside of expressions
Patch Changes
  • 62d2a8e: Properly handle nested expressions that return multiple elements
  • 571d6b9: Ensure html and body elements are scoped

v0.17.1

Compare Source

Patch Changes
  • 3885217: Support <slot is:inline /> and preserve slot attribute when not inside component
  • ea94a26: Fix issue with fallback content inside of slots

v0.17.0

Compare Source

Minor Changes
  • 3a9d166: Add renderHead injection points

v0.16.1

Compare Source

Patch Changes
  • 9fcc43b: Build JS during the release

v0.16.0

Compare Source

Minor Changes
  • 470efc0: Adds component metadata to the TransformResult
Patch Changes

v0.15.2

Compare Source

Patch Changes
  • f951822: Fix wasm parse to save attribute namespace
  • 5221e09: Fix serialize spread attribute

v0.15.1

Compare Source

Patch Changes
  • 26cbcdb: Prevent side-effectual CSS imports from becoming module metadata

v0.15.0

Compare Source

Minor Changes
  • 702e848: Trailing space at the end of Astro files is now stripped from Component output.
Patch Changes
  • 3a1a24b: Fix long-standing bug where a class attribute inside of a spread prop will cause duplicate class attributes
  • 62faceb: Fixes an issue where curly braces in <math> elements would get parsed as expressions instead of raw text.

v0.14.3

Compare Source

Patch Changes
  • 6177620: Fix edge case with expressions inside of tables
  • 79b1ed6: Provides a better error message when we can't match client:only usage to an import statement
  • a4e1957: Fix Astro scoping when class:list is used
  • fda859a: Fix json escape

v0.14.2

Compare Source

Patch Changes
  • 6f30e2e: Fix edge case with nested expression inside <>
  • 15e3ff8: Fix panic when using a <slot /> in head
  • c048567: Fix edge case with select elements and expression children
  • 13d2fc2: Fix #​340, fixing behavior of content after an expression inside of 9e37a72: Fix issue when multiple client-only components are used 67993d5: Add support for block comment only expressions, block comment only shorthand attributes and block comments in shorthand attributes 59fbea2: Fix #​343, edge case with inside component 049dadf: Fix usage of expressions inside caption and colgroup elements v0.14.1 Compare Source Patch Changes 1a82892: Fix bug with <script src> not being hoisted v0.14.0 Compare Source Minor Changes c0da4fe: Implements RFC0016, the new script and style behavior. v0.13.2 Compare Source Patch Changes 014370d: Fix issue with named slots in element da831c1: Fix handling of RegExp literals in frontmatter v0.13.1 Compare Source Patch Changes 2f8334c: Update parse and serialize functions to combine attributes and directives, fix issue with serialize not respecting attributes. b308955: Add self-close option to serialize util v0.13.0 Compare Source Minor Changes [ce3f1a5](https: Configuration 📅 Schedule: Branch creation - "before 4am on monday" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired. [ ] If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.
withastro/astro
fix(deps): lock file maintenance astro client runtimes
withastro/astro
#15404

This PR contains the following updates:

Package Type Update Change Pending Age Confidence
lockFileMaintenance All locks refreshed
vue (source) dependencies patch ^3.5.26^3.5.27 age confidence
@vue/compiler-sfc (source) dependencies patch ^3.5.26^3.5.27 age confidence
cheerio (source) devDependencies minor 1.1.21.2.0 age confidence
solid-js (source) devDependencies patch ^1.9.10^1.9.11 age confidence
svelte (source) dependencies minor 5.46.45.49.1 age confidence
svelte (source) devDependencies patch ^5.46.1^5.49.1 age confidence
@preact/preset-vite dependencies patch ^2.10.2^2.10.3 age confidence
@preact/signals (source) dependencies patch ^2.5.1^2.6.2 2.7.0 age confidence
svelte (source) dependencies patch ^5.46.1^5.49.1 age confidence
svelte2tsx (source) dependencies patch ^0.7.46^0.7.47 age confidence
@vitejs/plugin-vue (source) dependencies patch ^6.0.2^6.0.3 6.0.4 age confidence
vite (source) dependencies patch ^7.1.7^7.3.1 age confidence
vue (source) devDependencies patch ^3.5.26^3.5.27 age confidence
preact (source) devDependencies patch ^10.28.2^10.28.3 age confidence

🔧 This Pull Request updates lock files to use the latest dependency versions.

Release Notes

cheeriojs/cheerio (cheerio)

v1.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: cheeriojs/cheerio@v1.1.2...v1.2.0

sveltejs/svelte (svelte)

v5.49.1

Compare Source

Patch Changes

  • fix: merge consecutive large text nodes (#​17587)

  • fix: only create async functions in SSR output when necessary (#​17593)

  • fix: properly separate multiline html blocks from each other in print() (#​17319)

  • fix: prevent unhandled exceptions arising from dangling promises in <script> (#​17591)

v5.49.0

Compare Source

Minor Changes
  • feat: allow passing ShadowRootInit object to custom element shadow option (#​17088)
Patch Changes

  • fix: throw for unset createContext get on the server (#​17580)

  • fix: reset effects inside skipped branches (#​17581)

  • fix: preserve old dependencies when updating reaction inside fork (#​17579)

  • fix: more conservative assignment_value_stale warnings (#​17574)

  • fix: disregard popover elements when determining whether an element has content (#​17367)

  • fix: fire introstart/outrostart events after delay, if specified (#​17567)

  • fix: increment signal versions when discarding forks (#​17577)

v5.48.5

Compare Source

Patch Changes

  • fix: run boundary onerror callbacks in a microtask, in case they result in the boundary's destruction (#​17561)

  • fix: prevent unintended exports from namespaces (#​17562)

  • fix: each block breaking with effects interspersed among items (#​17550)

v5.48.4

Compare Source

Patch Changes
  • fix: avoid duplicating escaped characters in CSS AST (#​17554)

v5.48.3

Compare Source

Patch Changes

  • fix: hydration failing with settled async blocks (#​17539)

  • fix: add pointer and touch events to a11y_no_static_element_interactions warning (#​17551)

  • fix: handle false dynamic components in SSR (#​17542)

  • fix: avoid unnecessary block effect re-runs after async work completes (#​17535)

  • fix: avoid using dev-mode array.includes wrapper on internal array checks (#​17536)

v5.48.2

Compare Source

Patch Changes
  • fix: export wait function from internal client index (#​17530)

v5.48.1

Compare Source

Patch Changes

  • fix: hoist snippets above const in same block (#​17516)

  • fix: properly hydrate await in {@&#8203;html} (#​17528)

  • fix: batch resolution of async work (#​17511)

  • fix: account for empty statements when visiting in transform async (#​17524)

  • fix: avoid async overhead for already settled promises (#​17461)

  • fix: better code generation for const tags with async dependencies (#​17518)

v5.48.0

Compare Source

Minor Changes
  • feat: export parseCss from svelte/compiler (#​17496)
Patch Changes

  • fix: handle non-string values in svelte:element this attribute (#​17499)

  • fix: faster deduplication of dependencies (#​17503)

v5.47.1

Compare Source

Patch Changes
  • fix: trigger selectedcontent reactivity (#​17486)

v5.47.0

Compare Source

Minor Changes
  • feat: customizable <select> elements (#​17429)
Patch Changes

  • fix: mark subtree of svelte boundary as dynamic (#​17468)

  • fix: don't reset static elements with debug/snippets (#​17477)

Configuration

📅 Schedule: Branch creation - "before 4am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

withastro/astro
fix(deps): lock file maintenance astro adapters
withastro/astro
#15403

This PR contains the following updates:

Package Type Update Change Pending Age Confidence
lockFileMaintenance All locks refreshed
@vercel/functions (source) dependencies patch ^3.3.6^3.4.0 3.4.1 age confidence
cheerio (source) devDependencies minor 1.1.21.2.0 age confidence
fastify (source) devDependencies patch ^5.7.0^5.7.2 5.7.4 (+1) age confidence
@astrojs/mdx (source) dependencies patch ^4.3.5^4.3.13 age confidence
@netlify/vite-plugin (source) dependencies patch ^2.7.19^2.8.0 age confidence
@types/react (source) dependencies patch ^18.3.24^18.3.27 age confidence
vite (source) dependencies patch ^7.1.7^7.3.1 age confidence
@vitejs/plugin-vue (source) dependencies patch ^6.0.2^6.0.3 6.0.4 age confidence
svelte (source) dependencies patch ^5.46.1^5.49.1 age confidence
vue (source) dependencies patch ^3.5.26^3.5.27 age confidence
solid-js (source) dependencies patch ^1.9.10^1.9.11 age confidence
svelte (source) dependencies patch ^5.46.3^5.49.1 age confidence
vue (source) dependencies patch ^3.5.25^3.5.27 age confidence
@cloudflare/workers-types devDependencies patch ^4.20260124.0^4.20260131.0 4.20260203.0 age confidence
rollup (source) devDependencies patch ^4.55.1^4.57.1 age confidence

🔧 This Pull Request updates lock files to use the latest dependency versions.

Release Notes

cheeriojs/cheerio (cheerio)

v1.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: cheeriojs/cheerio@v1.1.2...v1.2.0

Configuration

📅 Schedule: Branch creation - "before 4am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

withastro/astro
[ci] release (beta)
withastro/astro
#15401

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

astro@6.0.0-beta.8

Minor Changes

  • #15258 d339a18 Thanks @ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

    export default defineConfig({
  adapter: netlify({
-    experimentalStaticHeaders: true
+    staticHeaders: true
  })
})

Patch Changes

  • #15167 4fca170 Thanks @HiDeoo! - Fixes an issue where CSS from unused components, when using content collections, could be incorrectly included between page navigations in development mode.

  • #15268 54e5cc4 Thanks @rururux! - fix: avoid creating unused images during build in Picture component

  • #15133 53b125b Thanks @HiDeoo! - Fixes an issue where adding or removing <style> tags in Astro components would not visually update styles during development without restarting the development server.

  • Updated dependencies [80f0225]:

    • @astrojs/markdown-remark@7.0.0-beta.5

@astrojs/netlify@7.0.0-beta.7

Minor Changes

  • #15258 d339a18 Thanks @ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

    export default defineConfig({
  adapter: netlify({
-    experimentalStaticHeaders: true
+    staticHeaders: true
  })
})

Patch Changes

  • Updated dependencies []:
    • @astrojs/underscore-redirects@1.0.0

@astrojs/node@10.0.0-beta.2

Minor Changes

  • #15258 d339a18 Thanks @ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

    export default defineConfig({
  adapter: netlify({
-    experimentalStaticHeaders: true
+    staticHeaders: true
  })
})

@astrojs/vercel@10.0.0-beta.2

Minor Changes

  • #15258 d339a18 Thanks @ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

    export default defineConfig({
  adapter: netlify({
-    experimentalStaticHeaders: true
+    staticHeaders: true
  })
})

@astrojs/markdoc@1.0.0-beta.8

Patch Changes

  • Updated dependencies [80f0225]:
    • @astrojs/markdown-remark@7.0.0-beta.5

@astrojs/mdx@5.0.0-beta.5

Patch Changes

  • Updated dependencies [80f0225]:
    • @astrojs/markdown-remark@7.0.0-beta.5

@astrojs/markdown-remark@7.0.0-beta.5

Patch Changes

  • #15297 80f0225 Thanks @rururux! - Fixes a case where code blocks generated by prism would include the is:raw attribute in the final output
withastro/astro
fix(deps): update all non-major dependencies
withastro/astro
#15396

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
@astrojs/rss (source) ^4.0.15-beta.3^4.0.15 age confidence dependencies patch
@astrojs/sitemap (source) ^3.6.1-beta.3^3.7.0 age confidence dependencies minor
@playwright/test (source) 1.58.01.58.1 age confidence devDependencies patch
@preact/signals (source) ^2.6.1^2.6.2 age confidence dependencies patch 2.7.0
alpinejs (source) ^3.15.5^3.15.6 age confidence dependencies patch 3.15.8 (+1)
node (source) 22.20.022.22.0 age confidence minor
node 22-bullseye22.21.1-bullseye age confidence final minor 22.22.0
open-props ^1.7.17^1.7.23 age confidence dependencies patch
pnpm (source) 10.28.010.28.2 age confidence packageManager patch
preact (source) ^10.28.2^10.28.3 age confidence dependencies patch
shiki (source) ^3.21.0^3.22.0 age confidence dependencies minor
turbo (source) ^2.8.0^2.8.1 age confidence devDependencies patch 2.8.3 (+1)

Release Notes

withastro/astro (@​astrojs/rss)

v4.0.15

Patch Changes
withastro/astro (@​astrojs/sitemap)

v3.7.0

Compare Source

Minor Changes

  • #​14471 4296373 Thanks @​Slackluky! - Adds the ability to split sitemap generation into chunks based on customizable logic. This allows for better management of large sitemaps and improved performance. The new chunks option in the sitemap configuration allows users to define functions that categorize sitemap items into different chunks. Each chunk is then written to a separate sitemap file.

    integrations: [
  sitemap({
    serialize(item) { th
      return item
    },
    chunks: { // this property will be treated last on the configuration
      'blog': (item) => {  // will produce a sitemap file with `blog` name (sitemap-blog-0.xml)
        if (/blog/.test(item.url)) { // filter path that will be included in this specific sitemap file
          item.changefreq = 'weekly';
          item.lastmod = new Date();
          item.priority = 0.9; // define specific properties for this filtered path
          return item;
        }
      },
      'glossary': (item) => {
        if (/glossary/.test(item.url)) {
          item.changefreq = 'weekly';
          item.lastmod = new Date();
          item.priority = 0.7;
          return item;
        }
      }

      // the rest of the path will be stored in `sitemap-pages.0.xml`
    },
  }),
],
microsoft/playwright (@​playwright/test)

v1.58.1

Compare Source

Highlights

#​39036 fix(msedge): fix local network permissions
#​39037 chore: update cft download location
#​38995 chore(webkit): disable frame sessions on fronzen builds

Browser Versions
  • Chromium 145.0.7632.6
  • Mozilla Firefox 146.0.1
  • WebKit 26.0
nodejs/node (node)

v22.22.0: 2026-01-13, Version 22.22.0 'Jod' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

  • (CVE-2025-59465) add TLSSocket default error handler
  • (CVE-2025-55132) disable futimes when permission model is enabled
    lib,permission:
  • (CVE-2025-55130) require full read and write to symlink APIs
    src:
  • (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks
    src,lib:
  • (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle
    tls:
  • (CVE-2026-21637) route callback exceptions through error handlers
Commits

v22.21.1: 2025-10-28, Version 22.21.1 'Jod' (LTS), @​aduh95

Compare Source

Commits

v22.21.0: 2025-10-20, Version 22.21.0 'Jod' (LTS), @​aduh95

Compare Source

Notable Changes
  • [1486fedea1] - (SEMVER-MINOR) cli: add --use-env-proxy (Joyee Cheung) #​59151
  • [bedaaa11fc] - (SEMVER-MINOR) http: support http proxy for fetch under NODE_USE_ENV_PROXY (Joyee Cheung) #​57165
  • [af8b5fa29d] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #​59824
  • [42102594b1] - (SEMVER-MINOR) http,https: add built-in proxy support in http/https.request and Agent (Joyee Cheung) #​58980
  • [686ac49b82] - (SEMVER-MINOR) src: add percentage support to --max-old-space-size (Asaf Federman) #​59082
Commits
argyleink/open-props (open-props)

v1.7.23

Compare Source

31 January 2026

  • Add commit message input to version-bump workflow #585
  • ✂️ 1.7.23 74515a5

v1.7.22

Compare Source

31 January 2026

  • Add id-token permission to version-bump workflow #584
  • Add TypeScript types to submodule exports #582
  • [WIP] Fix issue with npm_publish workflow not triggering #583
  • ✂️ 1.7.22 ef7acc0

v1.7.21

Compare Source

31 January 2026

  • Add non-adaptive shadows.light.min.css and shadows.dark.min.css exports #580
  • Inject docsite version from package.json at build time #578
  • ✂️ 1.7.21 1368169

v1.7.20

Compare Source

31 January 2026

v1.7.19

Compare Source

31 January 2026

  • Add workflow_dispatch action for version bumping #577
  • Update NPM Publish workflow to latest action versions #576
  • chore: bump version to 1.7.19 1f63fef
pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

  • Security fix: prevent path traversal in directories.bin field.

  • When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

    This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

    Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

  • Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.28.1

Compare Source

preactjs/preact (preact)

v10.28.3

Compare Source

Fixes
Maintenance
shikijs/shiki (shiki)

v3.22.0

Compare Source

   🚀 Features
    View changes on GitHub

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

withastro/astro
fix(fonts): handle query params in dev middleware
withastro/astro
#15394

Changes

  • Fixes #15151
  • Updates the dev middleware to ignore query params

Testing

Manually

Docs

Changeset

withastro/starlight
add Formware to Showcase
withastro/starlight
#3692

Add Formware help center site to the showcase.

Site: https://formware.io/help/

withastro/astro
fix(cloudflare): workers types
withastro/astro
#15391

Changes

  • Closes #15363
  • I tried a few things and it turns out because we have references to @cloudflare/workers-types when building etc, we can avoid doing weird things with types
  • It also allowed removing the Request type augmentation we were doing as part of astro sync, because wrangler types already handles it

Testing

Manually in repro, manually in the custom-entryfile fixture, preview release tested with user's repro

Docs

Changeset

withastro/astro
in `astro add cloudflare` use cloudflare/vite-plugin's function to get latest compatibility date for wrangler.jsonc scaffolding
withastro/astro
#15386

Updates astro add cloudflare to use workerd's compatibility date when scaffolding wrangler.jsonc, instead of the current date.

Adds a /info export to @astrojs/cloudflare that re-exports getLocalWorkerdCompatibilityDate from the vite plugin

Tested manually by adding cloudflare to examples/minimal with this little hack

// Line 794 packages/astro/src/cli/add/index.ts
async function resolveRangeToInstallSpecifier(name: string, range: string): Promise<string> {
+    if (name === '@astrojs/cloudflare') return '@astrojs/cloudflare@workspace:*';
     const versions = await fetchPackageVersions(name);
withastro/astro
fix: content layer loaders can use dynamic imports
withastro/astro
#15385

Changes

  • Fixes content collection loaders that use dynamic imports (await import(), import.meta.glob()) failing during build with "Vite module runner has been closed"
  • Refactors sync to keep the Vite server alive through both content config loading and content layer sync phases
  • Adds regression test for dynamic imports in loaders

Fixes #12689

Testing

Added a test case to content-layer.test.js that creates a collection loader using await import() to load data. This test failed before the fix and passes after.

Docs

N/A, bug fix

withastro/astro
fix(preact): include server.js in SSR optimizeDeps for Cloudflare
withastro/astro
#15383

Changes

  • Fix Preact components failing to render in Cloudflare dev mode
  • Include @astrojs/preact/server.js in Vite's optimizeDeps
  • Previously, server.js was explicitly excluded, causing preact-render-to-string to load a separate Preact instance from user components, breaking hooks
  • Fixes #15361

Testing

  • Added e2e test for Preact component with useEffect and client:load in the Cloudflare fixture

Docs

No docs changes needed - this is a bug fix for existing functionality.

withastro/astro
fix(ci): use simulation mode for codspeed
withastro/astro
#15382

Changes

What the title says

Testing

CI

Docs

N/A

withastro/starlight
[ci] release
withastro/starlight
#3686

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@astrojs/starlight@0.37.6

Patch Changes

withastro/astro
fix: remove font buffer error
withastro/astro
#15380

Changes

Testing

Docs

withastro/astro
fix(react): Fix empty conditional slots hydration issues
withastro/astro
#15378

Changes

  • Fix React slot rendering to skip empty SlotString values and avoid emitting empty <astro-slot> nodes (prevents React hydration mismatches for conditional slots).
  • Add a regression fixture (slots.astro + ConditionalSlot.jsx) and test to validate empty slots don’t render <astro-slot> while filled slots still do.

Minimal example that was causing hydration error:

  <ReactComponent client:load>
    {show ? <span slot="my-slot-name">Visible</span> : null}
  </ReactComponent>

Testing

New test case added.

Docs

  • No docs updates needed (internal integration fix + tests only).
withastro/astro
fix: codspeed action mode
withastro/astro
#15376

Changes

Testing

N/A

Docs

N/A

withastro/astro
fix(deps): update dependency zod to v4
withastro/astro
#15373

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
zod (source) ^3.25.76^4.3.6 age confidence

Release Notes

colinhacks/zod (zod)

v4.3.6

Compare Source

Commits:

v4.3.5

Compare Source

Commits:

v4.3.4

Compare Source

Commits:

v4.3.3

Compare Source

v4.3.2

Compare Source

v4.3.1

Compare Source

Commits:

  • 0fe8840 allow non-overwriting extends with refinements. 4.3.1

v4.3.0

Compare Source

This is Zod's biggest release since 4.0. It addresses several of Zod's longest-standing feature requests.

z.fromJSONSchema()

Convert JSON Schema to Zod (#​5534, #​5586)

You can now convert JSON Schema definitions directly into Zod schemas. This function supports JSON Schema "draft-2020-12", "draft-7", "draft-4", and OpenAPI 3.0.

import * as z from "zod";

const schema = z.fromJSONSchema({
  type: "object",
  properties: {
    name: { type: "string", minLength: 1 },
    age: { type: "integer", minimum: 0 },
  },
  required: ["name"],
});

schema.parse({ name: "Alice", age: 30 }); // ✅

The API should be considered experimental. There are no guarantees of 1:1 "round-trip soundness": MySchema > z.toJSONSchema() > z.fromJSONSchema(). There are several features of Zod that don't exist in JSON Schema and vice versa, which makes this virtually impossible.

Features supported:

  • All primitive types (string, number, integer, boolean, null, object, array)
  • String formats (email, uri, uuid, date-time, date, time, ipv4, ipv6, and more)
  • Composition (anyOf, oneOf, allOf)
  • Object constraints (additionalProperties, patternProperties, propertyNames)
  • Array constraints (prefixItems, items, minItems, maxItems)
  • $ref for local references and circular schemas
  • Custom metadata is preserved

z.xor() — exclusive union (#​5534)

A new exclusive union type that requires exactly one option to match. Unlike z.union() which passes if any option matches, z.xor() fails if zero or more than one option matches.

const schema = z.xor([z.string(), z.number()]);

schema.parse("hello"); // ✅
schema.parse(42);      // ✅
schema.parse(true);    // ❌ zero matches

When converted to JSON Schema, z.xor() produces oneOf instead of anyOf.

z.looseRecord() — partial record validation (#​5534)

A new record variant that only validates keys matching the key schema, passing through non-matching keys unchanged. This is used to represent patternProperties in JSON Schema.

const schema = z.looseRecord(z.string().regex(/^S_/), z.string());

schema.parse({ S_name: "John", other: 123 });
// ✅ { S_name: "John", other: 123 }
// only S_name is validated, "other" passes through

.exactOptional() — strict optional properties (#​5589)

A new wrapper that makes a property key-optional (can be omitted) but does not accept undefined as an explicit value.

const schema = z.object({
  a: z.string().optional(),      // accepts `undefined`
  b: z.string().exactOptional(), // does not accept `undefined`
});

schema.parse({});                  // ✅
schema.parse({ a: undefined });    // ✅
schema.parse({ b: undefined });    // ❌

This makes it possible to accurately represent the full spectrum of optionality expressible using exactOptionalPropertyTypes.

.apply()

A utility method for applying arbitrary transformations to a schema, enabling cleaner schema composition. (#​5463)

const setCommonChecks = <T extends z.ZodNumber>(schema: T) => {
  return schema.min(0).max(100);
};

const schema = z.number().apply(setCommonChecks).nullable();

.brand() cardinality

The .brand() method now accepts a second argument to control whether the brand applies to input, output, or both. Closes #​4764, #​4836.

// output only (default)
z.string().brand<"UserId">();           // output is branded (default)
z.string().brand<"UserId", "out">();    // output is branded
z.string().brand<"UserId", "in">();     // input is branded
z.string().brand<"UserId", "inout">();  // both are branded

Type predicates on .refine() (#​5575)

The .refine() method now supports type predicates to narrow the output type:

const schema = z.string().refine((s): s is "a" => s === "a");

type Input = z.input<typeof schema>;   // string
type Output = z.output<typeof schema>; // "a"

ZodMap methods: min, max, nonempty, size (#​5316)

ZodMap now has parity with ZodSet and ZodArray:

const schema = z.map(z.string(), z.number())
  .min(1)
  .max(10)
  .nonempty();

schema.size; // access the size constraint

.with() alias for .check() (359c0db)

A new .with() method has been added as a more readable alias for .check(). Over time, more APIs have been added that don't qualify as "checks". The new method provides a readable alternative that doesn't muddy semantics.

z.string().with(
  z.minLength(5),
  z.toLowerCase()
);

// equivalent to:
z.string().check(
  z.minLength(5),
  z.trim(),
  z.toLowerCase()
);
z.slugify() transform

Transform strings into URL-friendly slugs. Works great with .with():

// Zod
z.string().slugify().parse("Hello World");           // "hello-world"

// Zod Mini
// using .with() for explicit check composition
z.string().with(z.slugify()).parse("Hello World");   // "hello-world"

z.meta() and z.describe() in Zod Mini (947b4eb)

Zod Mini now exports z.meta() and z.describe() as top-level functions for adding metadata to schemas:

import * as z from "zod/mini";

// add description
const schema = z.string().with(
  z.describe("A user's name"),
);

// add arbitrary metadata
const schema2 = z.number().with(
  z.meta({ deprecated: true })
);

New locales

import * as z from "zod";
import { uz } from "zod/locales";

z.config(uz());





Bug fixes

All of these changes fix soundness issues in Zod. As with any bug fix there's some chance of breakage if you were intentionally or unintentionally relying on this unsound behavior.

⚠️ .pick() and .omit() disallowed on object schemas containing refinements (#​5317)

Using .pick() or .omit() on object schemas with refinements now throws an error. Previously, this would silently drop the refinements, leading to unexpected behavior.

const schema = z.object({
  password: z.string(),
  confirmPassword: z.string(),
}).refine(data => data.password === data.confirmPassword);

schema.pick({ password: true });
// 4.2: refinement silently dropped ⚠️
// 4.3: throws error ❌

Migration: The easiest way to migrate is to create a new schema using the shape of the old one.

const newSchema = z.object(schema.shape).pick({ ... })
⚠️ .extend() disallowed on refined schemas (#​5317)

Similarly, .extend() now throws on schemas with refinements. Use .safeExtend() if you need to extend refined schemas.

const schema = z.object({ a: z.string() }).refine(/* ... */);

// 4.2: refinement silently dropped ⚠️
// 4.3: throws error ✅
schema.extend({ b: z.number() });
// error: object schemas containing refinements cannot be extended. use `.safeExtend()` instead.
⚠️ Stricter object masking methods (#​5581)

Object masking methods (.pick(), .omit()) now validate that the keys provided actually exist in the schema:

const schema = z.object({ a: z.string() });

// 4.3: throws error for unrecognized keys
schema.pick({ nonexistent: true });
// error: unrecognized key: "nonexistent"

Additional changes

  • Fixed JSON Schema generation for z.iso.time with minute precision (#​5557)
  • Fixed error details for tuples with extraneous elements (#​5555)
  • Fixed includes method params typing to accept string | $ZodCheckIncludesParams (#​5556)
  • Fixed numeric formats error messages to be inclusive (#​5485)
  • Fixed implementAsync inferred type to always be a promise (#​5476)
  • Tightened E.164 regex to require a non-zero leading digit and 7–15 digits total (#​5524)
  • Fixed Dutch (nl) error strings (#​5529)
  • Convert Date instances to numbers in minimum/maximum checks (#​5351)
  • Improved numeric keys handling in z.record() (#​5585)
  • Lazy initialization of ~standard schema property (#​5363)
  • Functions marked as @__NO_SIDE_EFFECTS__ for better tree-shaking (#​5475)
  • Improved metadata tracking across child-parent relationships (#​5578)
  • Improved locale translation approach (#​5584)
  • Dropped id uniqueness enforcement at registry level (#​5574)

v4.2.1

Compare Source

v4.2.0

Compare Source

Features

Implement Standard JSON Schema

standard-schema/standard-schema#134

Implement z.fromJSONSchema()
const jsonSchema = {
  type: "object",
  properties: {
    name: { type: "string" },
    age: { type: "number" }
  },
  required: ["name"]
};

const schema = z.fromJSONSchema(jsonSchema);
Implement z.xor()
const schema = z.xor(
  z.object({ type: "user", name: z.string() }),
  z.object({ type: "admin", role: z.string() })
);
// Exactly one of the schemas must match
Implement z.looseRecord()
const schema = z.looseRecord(z.string(), z.number());
// Allows additional properties beyond those defined

Commits:

v4.1.13

Compare Source

v4.1.12

Compare Source

Commits:

v4.1.11

Compare Source

Commits:

v4.1.10

Compare Source

Commits:

v4.1.9

Compare Source

Commits:

v4.1.8

Compare Source

Commits:

v4.1.7

Compare Source

Commits:

v4.1.6

Compare Source

v4.1.5

Compare Source

Commits:

v4.1.4

Compare Source

Commits:

  • 3291c61 fix(v4): toJSONSchema - wrong tuple with null output when targeting openapi-3.0 (#​5156)
  • 23f41c7 test(v4): toJSONSchema - use validateOpenAPI30Schema in all relevant scenarios (#​5163)
  • 0a09fd2 Update installation instructions
  • 4ea5fec 4.1.4

v4.1.3

Compare Source

Commits:

  • 98ff675 Drop stringToBoolean
  • a410616 Fix typo
  • 0cf4589 fix(v4): toJSONSchema - add missing oneOf inside items in tuple conversion (#​5146)
  • 8bf0c16 fix(v4): toJSONSchema tuple path handling for draft-7 with metadata IDs (#​5152)
  • 5c5fa90 fix(v4): toJSONSchema - wrong record output when targeting openapi-3.0 (#​5141)
  • 87b97cc docs(codecs): update example to use payloadSchema (#​5150)
  • 309f358 fix(v4): toJSONSchema - output numbers with exclusive range correctly when targeting openapi-3.0 (#​5139)
  • 1e71ca9 docs: fix refine fn to encode works properly (#​5148)
  • a85ec3c fix(docs): correct example to use LooseDog instead of Dog (#​5136)
  • 3e98274 4.1.3

v4.1.2

Compare Source

Commits:

v4.1.1

Compare Source

Commits:

v4.1.0

Compare Source

The first minor version since the introduction of Zod 4 back in May. This version contains a number of features that barely missed the cut for the 4.0 release. With Zod 4 stable and widely adopted, there's more time to resume feature development.

Codecs

This is the flagship feature of this release. Codecs are a new API & schema type that encapsulates a bi-directional transformation. It's a huge missing piece in Zod that's finally filled, and it unlocks some totally new ways to use Zod.

const stringToDate = z.codec(
  z.iso.datetime(),  // input schema: ISO date string
  z.date(),          // output schema: Date object
  {
    decode: (isoString) => new Date(isoString), 
    encode: (date) => date.toISOString(),
  }
);

New top-level functions are added for processing inputs in the forward direction ("decoding") and backward direction ("encoding").

stringToDate.decode("2025-08-21T20:59:45.500Z")
// => Date

stringToDate.encode(new Date())
// => "2025-08-21T20:59:45.500Z"

Note — For bundle size reasons, these new methods have not added to Zod Mini schemas. Instead, this functionality is available via equivalent top-level functions.

// equivalent at runtime
z.decode(stringToDate, "2024-01-15T10:30:00.000Z");
z.encode(stringToDate, new Date());
.parse() vs .decode()

Both .parse() and decode() process data in the "forward" direction. They behave identically at runtime.

stringToDate.parse("2025-08-21T20:59:45.500Z");
stringToDate.decode("2025-08-21T20:59:45.500Z");

There is an important difference however. While .parse() accepts any input, .decode() expects a strongly typed input. That is, it expects an input of type string, whereas .parse() accepts unknown.

stringToDate.parse(Symbol('not-a-string'));
// => fails at runtime, but no TypeScript error

stringToDate.decode(Symbol("not-a-string"));
//                     ^ ❌ Argument of type 'symbol' is not assignable to parameter of type 'Date'. ts(2345)

This is a highly requested feature unto itself:

Encoding

You can use any Zod schema with .encode(). The vast majority of Zod schemas are non-transforming (the input and output types are identical) so .decode() and .encode() behave identically. Only certain schema types change their behavior:

  • Codecs — runs from B->A and executes the encode transform during encoding
  • Pipes — these execute B->A instead of A->B
  • Defaults and prefaults — Only applied in the forward direction
  • Catch — Only applied in the forward direction

Note — To avoid increasing bundle size unnecessarily, these new methods are not available on Zod Mini schemas. For those schemas, equivalent top-level functions are provided.

The usual async and safe variants exist as well:

// decode methods
stringToDate.decode("2024-01-15T10:30:00.000Z")
await stringToDate.decodeAsync("2024-01-15T10:30:00.000Z")
stringToDate.safeDecode("2024-01-15T10:30:00.000Z")
await stringToDate.safeDecodeAsync("2024-01-15T10:30:00.000Z")

// encode methods
stringToDate.encode(new Date())
await stringToDate.encodeAsync(new Date())
stringToDate.safeEncode(new Date())
await stringToDate.safeEncodeAsync(new Date())
Example codecs

Below are some "worked examples" for some commonly-needed codecs. These examples are all tested internally for correctness. Just copy/paste them into your project as needed. There is a more comprehensive set available at zod.dev/codecs.

stringToBigInt

Converts bigint into a serializable form.

const stringToBigInt = z.codec(z.string(), z.bigint(), {
  decode: (str) => BigInt(str),
  encode: (bigint) => bigint.toString(),
});

stringToBigInt.decode("12345");  // => 12345n
stringToBigInt.encode(12345n);   // => "12345"
json

Parses/stringifies JSON data.

const jsonCodec = z.codec(z.string(), z.json(), {
  decode: (jsonString, ctx) => {
    try {
      return JSON.parse(jsonString);
    } catch (err: any) {
      ctx.issues.push({
        code: "invalid_format",
        format: "json_string",
        input: jsonString,
        message: err.message,
      });
      return z.NEVER;
    }
  },
  encode: (value) => JSON.stringify(value),
});

To further validate the data, .pipe() the result of this codec into another schema.

const Params = z.object({ name: z.string(), age: z.number() });
const JsonToParams = jsonCodec.pipe(Params);

JsonToParams.decode('{"name":"Alice","age":30}');  // => { name: "Alice", age: 30 }
JsonToParams.encode({ name: "Bob", age: 25 });     // => '{"name":"Bob","age":25}'
Further reading

For more examples and a technical breakdown of how encoding works, reads theannouncement blog post and new Codecs docs page. The docs page contains implementations for several other commonly-needed codecs:

.safeExtend()

The existing way to add additional fields to an object is to use .extend().

const A = z.object({ a: z.string() })
const B = A.extend({ b: z.string() })

Unfortunately this is a bit of a misnomer, as it allows you to overwrite existing fields. This means the result of .extend() may not literally extend the original type (in the TypeScript sense).

const A = z.object({ a: z.string() }) // { a: string }
const B = A.extend({ a: z.number() }) // { a: number }

To enforce true extends logic, Zod 4.1 introduces a new .safeExtend() method. This statically enforces that the newly added properties conform to the existing ones.

z.object({ a: z.string() }).safeExtend({ a: z.number().min(5) }); // ✅
z.object({ a: z.string() }).safeExtend({ a: z.any() }); // ✅
z.object({ a: z.string() }).safeExtend({ a: z.number() });
//                                       ^  ❌ ZodNumber is not assignable

Importantly, this new API allows you to safely extend objects containing refinements.

const AB = z.object({ a: z.string(), b: z.string() }).refine(val => val.a === val.b);
const ABC = AB.safeExtend({ c: z.string() });
// ABC includes the refinements defined on AB

Previously (in Zod 4.x) any refinements attached to the base schema were dropped in the extended result. This was too unexpected. It now throws an error. (Zod 3 did not support extension of refined objects either.)

z.hash()

A new top-level string format for validating hashes produced using various common algorithms & encodings.

const md5Schema = z.hash("md5");          
// => ZodCustomStringFormat<"md5_hex">

const sha256Base64 = z.hash("sha256", { enc: "base64" }); 
// => ZodCustomStringFormat<"sha256_base64">

The following hash algorithms and encodings are supported. Each cell provides information about the expected number of characters/padding.

Algorithm / Encoding "hex" "base64" "base64url"
"md5" 32 24 (22 + "==") 22
"sha1" 40 28 (27 + "=") 27
"sha256" 64 44 (43 + "=") 43
"sha384" 96 64 (no padding) 64
"sha512" 128 88 (86 + "==") 86

z.hex()

To validate hexadecimal strings of any length.

const hexSchema = z.hex();

hexSchema.parse("123abc");    // ✅ "123abc"
hexSchema.parse("DEADBEEF");  // ✅ "DEADBEEF" 
hexSchema.parse("xyz");       // ❌ ZodError

Additional changes

  1. z.uuid() now supports the "Max UUID" (FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF) per the RFC
  2. $ZodFunction is now a subtype of $ZodType

Commits

v4.0.17

Compare Source

Commits:

v4.0.16

Compare Source

Commits:

v4.0.15

Compare Source

Commits:

v4.0.14

Compare Source

Commits:

v4.0.13

Compare Source

Commits:

v4.0.12

Compare Source

Commits:

v4.0.11

Compare Source

Commits:

v4.0.10

Compare Source

Commits:

v4.0.9

Compare Source

Commits:

v4.0.8

Compare Source

Commits:

v4.0.7

Compare Source

Commits:

v4.0.6

Compare Source

Commits:

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

withastro/starlight
Add Actionbase to showcase
withastro/starlight
#3685

Add Actionbase documentation site to the showcase.

withastro/astro
fix(internal-helpers): remove unused exports
withastro/astro
#15369

Changes

  • Closes #15311
  • I was looking at writing tests then updating the implementation of collapseDuplicateSlashes() when I realized...we don't even use this function anymore!
  • So I went through all the exports of the path submodule and removed any unused one

Testing

Should pass

Docs

Changeset

withastro/astro
Add `appEntrypoint` to `@astrojs/react` to enable users to wrap every React island with a custom component
withastro/astro
#15368

Changes

  • I added a new option to @astrojs/react, appEntrypoint. It looks a whole lot like the Vue integration’s appEntrypoint option and it functions nearly identically. Specify a path to a file that has a default-exported component and that component will be used to wrap every React island.
  • I added Astro.locals to the render context and am passing Astro.locals through to appEntrypoint’s component as a prop called locals. The prop is only set in a server environment; clientside it’s just undefined. Removed for now but you can see the change here (it’s pretty minimal)

Testing

New tests added that cover appEntrypoint in general as well as the locals prop.

Docs

PR with docs update is here: withastro/docs#13208

withastro/astro
fix(deps): update astro adapters to v19 (major)
withastro/astro
#15367

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@types/react (source) ^18.3.27^19.2.10 age confidence
@types/react-dom (source) ^18.3.7^19.2.3 age confidence
react (source) ^18.3.1^19.2.4 age confidence
react-dom (source) ^18.3.1^19.2.4 age confidence

Release Notes

facebook/react (react)

v19.2.4: 19.2.4 (January 26th, 2026)

Compare Source

React Server Components

v19.2.3: 19.2.3 (December 11th, 2025)

Compare Source

React Server Components

v19.2.2: 19.2.2 (December 11th, 2025)

Compare Source

React Server Components

v19.2.1: 19.2.1 (December 3rd, 2025)

Compare Source

React Server Components

v19.2.0

Compare Source

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features
  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools
New React DOM Features
  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.
Notable changes
  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId
All Changes
React
React DOM
React Server Components
React Reconciler

v19.1.5: 19.1.5 (January 26th, 2026)

Compare Source

React Server Components

v19.1.4: 19.1.4 (December 11th, 2025)

Compare Source

React Server Components

v19.1.3: 19.1.3 (December 11th, 2025)

Compare Source

React Server Components

v19.1.2: 19.1.2 (December 3rd, 2025)

Compare Source

React Server Components

v19.1.1

Compare Source

React

v19.1.0

Compare Source

Owner Stack

An Owner Stack is a string representing the components that are directly responsible for rendering a particular component. You can log Owner Stacks when debugging or use Owner Stacks to enhance error overlays or other development tools. Owner Stacks are only available in development builds. Component Stacks in production are unchanged.

  • An Owner Stack is a development-only stack trace that helps identify which components are responsible for rendering a particular component. An Owner Stack is distinct from a Component Stacks, which shows the hierarchy of components leading to an error.
  • The captureOwnerStack API is only available in development mode and returns a Owner Stack, if available. The API can be used to enhance error overlays or log component relationships when debugging. #​29923, #​32353, #​30306,
    #​32538, #​32529, #​32538
React
  • Enhanced support for Suspense boundaries to be used anywhere, including the client, server, and during hydration. #​32069, #​32163, #​32224, #​32252
  • Reduced unnecessary client rendering through improved hydration scheduling #​31751
  • Increased priority of client rendered Suspense boundaries #​31776
  • Fixed frozen fallback states by rendering unfinished Suspense boundaries on the client. #​31620
  • Reduced garbage collection pressure by improving Suspense boundary retries. #​31667
  • Fixed erroneous “Waiting for Paint” log when the passive effect phase was not delayed #​31526
  • Fixed a regression causing key warnings for flattened positional children in development mode. #​32117
  • Updated useId to use valid CSS selectors, changing format from :r123: to «r123». #​32001
  • Added a dev-only warning for null/undefined created in useEffect, useInsertionEffect, and useLayoutEffect. #​32355
  • Fixed a bug where dev-only methods were exported in production builds. React.act is no longer available in production builds. #​32200
  • Improved consistency across prod and dev to improve compatibility with Google Closure Compiler and bindings #​31808
  • Improve passive effect scheduling for consistent task yielding. #​31785
  • Fixed asserts in React Native when passChildrenWhenCloningPersistedNodes is enabled for OffscreenComponent rendering. #​32528
  • Fixed component name resolution for Portal #​32640
  • Added support for beforetoggle and toggle events on the dialog element. #​32479
React DOM
  • Fixed double warning when the href attribute is an empty string #​31783
  • Fixed an edge case where getHoistableRoot() didn’t work properly when the container was a Document #​32321
  • Removed support for using HTML comments (e.g. <!-- -->) as a DOM container. #​32250
  • Added support for <script> and <template> tags to be nested within <select> tags. #​31837
  • Fixed responsive images to be preloaded as HTML instead of headers #​32445
use-sync-external-store
  • Added exports field to package.json for use-sync-external-store to support various entrypoints. #​25231
React Server Components
  • Added unstable_prerender, a new experimental API for prerendering React Server Components on the server #​31724
  • Fixed an issue where streams would hang when receiving new chunks after a global error #​31840, #​31851
  • Fixed an issue where pending chunks were counted twice. #​31833
  • Added support for streaming in edge environments #​31852
  • Added support for sending custom error names from a server so that they are available in the client for console replaying. #​32116
  • Updated the server component wire format to remove IDs for hints and console.log because they have no return value #​31671
  • Exposed registerServerReference in client builds to handle server references in different environments. #​32534
  • Added react-server-dom-parcel package which integrates Server Components with the Parcel bundler #​31725, #​32132, #​31799, #​32294, #​31741

v19.0.4: 19.0.4 (January 26th, 2026)

Compare Source

React Server Components

v19.0.3: 19.0.3 (December 11th, 2025)

Compare Source

React Server Components

v19.0.2: 19.0.2 (December 11th, 2025)

Compare Source

React Server Components

v19.0.1: 19.0.1 (December 3rd, 2025)

Compare Source

React Server Components

v19.0.0

Compare Source

Below is a list of all new features, APIs, deprecations, and breaking changes. Read React 19 release post and React 19 upgrade guide for more information.

Note: To help make the upgrade to React 19 easier, we’ve published a react@​18.3 release that is identical to 18.2 but adds warnings for deprecated APIs and other changes that are needed for React 19. We recommend upgrading to React 18.3.1 first to help identify any issues before upgrading to React 19.

New Features
React
  • Actions: startTransition can now accept async functions. Functions passed to startTransition are called “Actions”. A given Transition can include one or more Actions which update state in the background and update the UI with one commit. In addition to updating state, Actions can now perform side effects including async requests, and the Action will wait for the work to finish before finishing the Transition. This feature allows Transitions to include side effects like fetch() in the pending state, and provides support for error handling, and optimistic updates.
  • useActionState: is a new hook to order Actions inside of a Transition with access to the state of the action, and the pending state. It accepts a reducer that can call Actions, and the initial state used for first render. It also accepts an optional string that is used if the action is passed to a form action prop to support progressive enhancement in forms.
  • useOptimistic: is a new hook to update state while a Transition is in progress. It returns the state, and a set function that can be called inside a transition to “optimistically” update the state to expected final value immediately while the Transition completes in the background. When the transition finishes, the state is updated to the new value.
  • use: is a new API that allows reading resources in render. In React 19, use accepts a promise or Context. If provided a promise, use will suspend until a value is resolved. use can only be used in render but can be called conditionally.
  • ref as a prop: Refs can now be used as props, removing the need for forwardRef.
  • Suspense sibling pre-warming: When a component suspends, React will immediately commit the fallback of the nearest Suspense boundary, without waiting for the entire sibling tree to render. After the fallback commits, React will schedule another render for the suspended siblings to “pre-warm” lazy requests.
React DOM Client
  • <form> action prop: Form Actions allow you to manage forms automatically and integrate with useFormStatus. When a <form> action succeeds, React will automatically reset the form for uncontrolled components. The form can be reset manually with the new requestFormReset API.
  • <button> and <input> formAction prop: Actions can be passed to the formAction prop to configure form submission behavior. This allows using different Actions depending on the input.
  • useFormStatus: is a new hook that provides the status of the parent <form> action, as if the form was a Context provider. The hook returns the values: pending, data, method, and action.
  • Support for Document Metadata: We’ve added support for rendering document metadata tags in components natively. React will automatically hoist them into the <head> section of the document.
  • Support for Stylesheets: React 19 will ensure stylesheets are inserted into the <head> on the client before revealing the content of a Suspense boundary that depends on that stylesheet.
  • Support for async scripts: Async scripts can be rendered anywhere in the component tree and React will handle ordering and deduplication.
  • Support for preloading resources: React 19 ships with preinit, preload, prefetchDNS, and preconnect APIs to optimize initial page loads by moving discovery of additional resources like fonts out of stylesheet loading. They can also be used to prefetch resources used by an anticipated navigation.
React DOM Server
  • Added prerender and prerenderToNodeStream APIs for static site generation. They are designed to work with streaming environments like Node.js Streams and Web Streams. Unlike renderToString, they wait for data to load for HTML generation.
React Server Components
  • RSC features such as directives, server components, and server functions are now stable. This means libraries that ship with Server Components can now target React 19 as a peer dependency with a react-server export condition for use in frameworks that support the Full-stack React Architecture. The underlying APIs used to implement a React Server Components bundler or framework do not follow semver and may break between minors in React 19.x. See docs for how to support React Server Components.
Deprecations
  • Deprecated: element.ref access: React 19 supports ref as a prop, so we’re deprecating element.ref in favor of element.props.ref. Accessing will result in a warning.
  • react-test-renderer: In React 19, react-test-renderer logs a deprecation warning and has switched to concurrent rendering for web usage. We recommend migrating your tests to @​testing-library/react or @​testing-library/react-native
Breaking Changes

React 19 brings in a number of breaking changes, including the removals of long-deprecated APIs. We recommend first upgrading to 18.3.1, where we've added additional deprecation warnings. Check out the upgrade guide for more details and guidance on codemodding.

React
  • New JSX Transform is now required: We introduced a new JSX transform in 2020 to improve bundle size and use JSX without importing React. In React 19, we’re adding additional improvements like using ref as a prop and JSX speed improvements that require the new transform.
  • Errors in render are not re-thrown: Errors that are not caught by an Error Boundary are now reported to window.reportError. Errors that are caught by an Error Boundary are reported to console.error. We’ve introduced onUncaughtError and onCaughtError methods to createRoot and hydrateRoot to customize this error handling.
  • Removed: propTypes: Using propTypes will now be silently ignored. If required, we recommend migrating to TypeScript or another type-checking solution.
  • Removed: defaultProps for functions: ES6 default parameters can be used in place. Class components continue to support defaultProps since there is no ES6 alternative.
  • Removed: contextTypes and getChildContext: Legacy Context for class components has been removed in favor of the contextType API.
  • Removed: string refs: Any usage of string refs need to be migrated to ref callbacks.
  • Removed: Module pattern factories: A rarely used pattern that can be migrated to regular functions.
  • Removed: React.createFactory: Now that JSX is broadly supported, all createFactory usage can be migrated to JSX components.
  • Removed: react-test-renderer/shallow: This has been a re-export of react-shallow-renderer since React 18. If needed, you can continue to use the third-party package directly. We recommend using @​testing-library/react or @​testing-library/react-native instead.
React DOM
  • Removed: react-dom/test-utils: We’ve moved act from react-dom/test-utils to react. All other utilities have been removed.
  • Removed: ReactDOM.render, ReactDOM.hydrate: These have been removed in favor of the concurrent equivalents: ReactDOM.createRoot and ReactDOM.hydrateRoot.
  • Removed: unmountComponentAtNode: Removed in favor of root.unmount().
  • Removed: ReactDOM.findDOMNode: You can replace ReactDOM.findDOMNode with DOM Refs.
Notable Changes
React
  • <Context> as a provider: You can now render <Context> as a provider instead of <Context.Provider>.
  • Cleanup functions for refs: When the component unmounts, React will call the cleanup function returned from the ref callback.
  • useDeferredValue initial value argument: When provided, useDeferredValue will return the initial value for the initial render of a component, then schedule a re-render in the background with the deferredValue returned.
  • Support for Custom Elements: React 19 now passes all tests on Custom Elements Everywhere.
  • StrictMode changes: useMemo and useCallback will now reuse the memoized results from the first render, during the second render. Additionally, StrictMode will now double-invoke ref callback functions on initial mount.
  • UMD builds removed: To load React 19 with a script tag, we recommend using an ESM-based CDN such as esm.sh.
React DOM
  • Diffs for hydration errors: In the case of a mismatch, React 19 logs a single error with a diff of the mismatched content.
  • Compatibility with third-party scripts and extensions: React will now force a client re-render to fix up any mismatched content caused by elements inserted by third-party JS.
TypeScript Changes

The most common changes can be codemodded with npx types-react-codemod@latest preset-19 ./path-to-your-react-ts-files.

  • Removed deprecated TypeScript types:
    • ReactChild (replacement: React.ReactElement | number | string)
    • ReactFragment (replacement: Iterable<React.ReactNode>)
    • ReactNodeArray (replacement: ReadonlyArray<React.ReactNode>)
    • ReactText (replacement: number | string)
    • VoidFunctionComponent (replacement: FunctionComponent)
    • VFC (replacement: FC)
    • Moved to prop-types: Requireable, ValidationMap, Validator, WeakValidationMap
    • Moved to create-react-class: ClassicComponentClass, ClassicComponent, ClassicElement, ComponentSpec, Mixin, ReactChildren, ReactHTML, ReactSVG, SFCFactory
  • Disallow implicit return in refs: refs can now accept cleanup functions. When you return something else, we can’t tell if you intentionally returned something not meant to clean up or returned the wrong value. Implicit returns of anything but functions will now error.
  • Require initial argument to useRef: The initial argument is now required to match useState, createContext etc
  • Refs are mutable by default: Ref objects returned from useRef() are now always mutable instead of sometimes being immutable. This feature was too confusing for users and conflicted with legit cases where refs were managed by React and manually written to.
  • Strict ReactElement typing: The props of React elements now default to unknown instead of any if the element is typed as ReactElement
  • JSX namespace in TypeScript: The global JSX namespace is removed to improve interoperability with other libraries using JSX. Instead, the JSX namespace is available from the React package: import { JSX } from 'react'
  • Better useReducer typings: Most useReducer usage should not require explicit type arguments.
    For example, 
    -useReducer<React.Reducer<State, Action>>(reducer)
+useReducer(reducer)
    or 
    -useReducer<React.Reducer<State, Action>>(reducer)
+useReducer<State, Action>(reducer)
All Changes
React
React DOM

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

withastro/astro
fixes inferSize pollution in <img> tags
withastro/astro
#15362

Changes

This fixes a bug in the image service where inferSize was not correctly deleted when the image was not remote.

Testing

There was no existing test related to inferSize. This PR doesn't add any.

Docs

There is no impact on docs. This only fixes undocumented behavior that also had no effect apart from emitting useless HTML attributes.

Last fetched:  |  Scheduled refresh: Every Saturday

See Customizing GitHub Activity Pages to configure your own

Inspired by prs.atinux.com