AstroEco is Contributing…

Changes

Automatically injects Cache-Control: public, max-age=31536000, immutable into Cloudflare's _headers file for hashed Astro assets (/_astro/*), skipping when build.assetsPrefix is set or when the user already has a matching Cache-Control rule.

Testing

Unit tests.

Docs

/cc @withastro/maintainers-docs for feedback!

Changes

astro dev with @astrojs/cloudflare currently responds with HTTP 500 on every page request:

[ERROR] [vite] Internal server error: module is not defined
    at runInRunnerObject (workers/runner-worker/index.js:106:3)
    at _NonRunnablePipeline.getComponentByRoute (.vite/deps_ssr/astro_app_entrypoint_dev.js:196:20)
    at matchRoute (.vite/deps_ssr/astro_app_entrypoint_dev.js:266:14)
    at DevApp.devMatch (.vite/deps_ssr/astro_app_entrypoint_dev.js:375:26)
    at Object.handle [as fetch] (.vite/deps_ssr/@astrojs_cloudflare_entrypoints_server.js:165:20)
    at maybeCaptureError (workers/runner-worker/index.js:50:10)

The cause is the CJS debug package. Its entrypoint (node_modules/debug/src/index.js) reads module.exports at the top level, and module is not a global in the workerd runner that @cloudflare/vite-plugin uses for astro dev, SSR and prerender environments, so evaluation throws ReferenceError: module is not defined.

#15565 already addressed this for astro core by replacing its own debug usage with obug (an ESM fork) and documented adding a Vite alias for the rehype/remark rabbit hole. In practice though, debug is pulled by a much broader set of transitive dependencies — e.g. micromark (via @astrojs/markdown-remark → remark-parse → mdast-util-from-markdown), stylus (via Vite's peer dep), and many others — so any Astro 6 project that uses markdown content or stylus transitively still crashes on every request.

This PR extends the fix to user dependency graphs by aliasing debug to an adapter-owned ESM shim in the Vite config the adapter installs. The shim forwards to obug and also re-exposes a default export, because consumers do import debug from "debug" or require("debug") and obug only ships named exports.

What the shim looks like

// packages/integrations/cloudflare/src/shims/debug.ts
import { createDebug, disable, enable, enabled, namespaces } from 'obug';

export default createDebug;
export { createDebug, disable, enable, enabled, namespaces };

Where the alias is applied

Top-level vite.resolve.alias inside the adapter's astro:config:setup hook, so it propagates to every Vite environment created by the adapter (astro, ssr, prerender):

const debugShim = fileURLToPath(new URL('./shims/debug.js', import.meta.url));

updateConfig({
  // ...
  vite: {
    resolve: {
      alias: { debug: debugShim },
    },
    plugins: [ /* ... */ ],
  },
});

obug is added as a direct dependency of @astrojs/cloudflare so the shim resolves inside the adapter's own package scope regardless of hoisting.

Reproduction

Minimal reproduction — any Astro 6 project using @astrojs/cloudflare@13 with Markdown content or stylus in its dep tree will hit this. Starting from npm create astro@latest with the Cloudflare adapter and one markdown page under src/content/ is enough.

Testing

• Manually verified against a real production blog (Astro 5 → 6 migration in progress, adapter @astrojs/cloudflare@13.3.0, Node 22.22.2). Before the patch: /, /blog/, /posts/:slug/, /about/, /archive/, /projects/ all return HTTP 500 with the module is not defined trace above. With the built adapter dropped into node_modules and no other workaround: all the same routes return HTTP 200 with full content.
• Verified pnpm --filter @astrojs/cloudflare build:ci produces the expected dist/shims/debug.js alongside the patched dist/index.js.
• A dedicated unit test is tricky here because the failure only manifests when the workerd runner attempts to evaluate a module whose dep graph reaches debug; happy to add an integration test under packages/integrations/cloudflare/test/fixtures/ modelled after astro-dev-platform/code-test.astro if maintainers want one — just point me at the preferred shape.

Related

• #15284 — original "Astro v6 with cloudflare adapter does not work with <Code> components" issue (closed)
• #15565 — original logging overhaul that replaced astro core's debug with obug
• #15906 — same workerd-runner class of failure, Svelte path
• expressive-code/expressive-code#439 — same error reported against expressive-code; upstream cause is the same.

Docs

N/A — internal adapter behavior change, transparent to users.

Changes

• Invalidates the astro:data-layer-content virtual module in the SSR module runner's evaluatedModules cache when the data store changes, not just in the server-side module graph. The existing invalidateModule call only clears the server's transformResult, but a subsequent transformRequest (triggered during module resolution) re-populates it before the runner's fetchModule check, causing a false cache hit that returns stale data.

Closes #16561

Testing

• No new tests added. Manually verified with a content collection setup: deleting entries correctly updates getCollection() results on the next page load in dev.

Docs

• No docs update needed; this is a bug fix with no API change.

Changes

• Fixes #16564 — data-astro-prefetch="tap" silently failing when the user clicks a nested child element (e.g. <span>, <img>, <svg>, Astro <Image />) inside an anchor
• e.target on touchstart/mousedown is the deepest element under the pointer, not necessarily the <a> — use closest('a') to walk up to the anchor before checking the strategy
• Particularly impactful on slow connections / data-saver mode, where all strategies collapse to tap — meaning zero prefetching was happening for any link with nested content for the users who would benefit most

Testing

• Added e2e fixture link <a data-astro-prefetch="tap"><span>tap nested</span></a> and a corresponding page
• Added e2e test in prefetch.test.ts that clicks the inner <span> and asserts the prefetch request fires

Docs

No docs change needed — this is a bug fix restoring already-documented behavior, not a new feature or API change.

Closes #16563

Summary

Calling session.delete(key) as the first mutation in a request (no prior get, set, has, keys, etc.) did not write back to session storage. The session stayed dirty in memory, but [PERSIST_SYMBOL]() skipped the save path because #data was still undefined, so the backing store kept the old value and the next request could still read the “deleted” key.

Root cause

• set() initializes the in-memory map with this.#data ??= new Map(); delete() only did this.#data?.delete(key), so #data could remain undefined.
• Persistence gated saves on if (this.#dirty && this.#data), so delete-only flows never called setItem and #toDelete was never applied to storage.

Fix

• Initialize the map in delete() the same way as in set(): this.#data ??= new Map() before removing the key, so the persist path runs and #ensureData() can merge, apply deletions, and serialize to the driver.

Testing

• Added a unit test that pre-seeds backing storage, calls only delete() then persist, and asserts a new AstroSession with the same storage/session id no longer returns the deleted key.
• Adjusted an existing persistence test so the follow-up session’s storage get returns parsed JSON (matching real unstorage behavior) after setItem writes a devalue JSON string.

Docs

No documentation change required; behavior now matches what the session API already promises.

Contributor checklist (see CONTRIBUTING.md)

• pnpm exec changeset for the astro package (user-facing bugfix)
• Tests: pnpm -C packages/astro exec astro-scripts test "test/units/sessions/astro-session.test.ts"

Fixes #16553

Changes

• Fixes non-prerendered routes (e.g. SSR endpoints using cloudflare:workers) failing when a dynamic prerendered route like [page].astro exists in the same project with prerenderEnvironment: 'node'.
• The dev prerender middleware was using matchAllRoutes(), which returns every route matching a pathname. A request to /ssr would match both ssr.astro (non-prerendered) and [page].astro (prerendered), and since one match was prerendered, the request was incorrectly routed to the Node handler. Replaced with matchRoute(), which returns only the highest-priority match.

Testing

• Added a dynamic prerendered route ([page].astro with getStaticPaths) to the existing prerender-node-env fixture. The existing "renders SSR page through workerd" test now exercises this scenario.

Docs

• No docs needed.

This PR contains the following updates:

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

• Updates ./test-utils.js imports to ./test-utils.ts in three .test.js files that were missed when #16492 renamed test-utils.js → test-utils.ts.

Testing

• No new tests. This fixes the existing test:integration:js suite which fails immediately with ERR_MODULE_NOT_FOUND.

Docs

• No docs needed — test-only change.

Changes

Simplify db's tsconfig by removing tsconfig.virtual.json.

Its only purpose is to prevent incorrect auto-imports from editor hints and doesn’t affect the runtime output, so it should be relatively safe to remove it.

This file makes it tricky for the TypeScript project references refactor.

Testing

Green CI

Docs

N/A

Changes

• Fixes a bug in @astrojs/cloudflare where custom KV namespace bindings (e.g. MY_KV, CACHE) were silently removed when Astro's session functionality was enabled.
• The root cause was in packages/integrations/cloudflare/src/wrangler.ts: when injecting the SESSION KV binding, the code returned a fresh single-item array instead of merging with the user's existing kv_namespaces.
• Extracted a withSessionKVBinding helper that copies existing namespaces and appends the SESSION binding, preserving all user-defined bindings.
• Fix applies to both the top-level config and the previews config (same code path).
• Updated the existing test that was asserting the broken behavior, and added a new test covering the previews case.

Closes #16554

Testing

• Updated packages/integrations/cloudflare/test/wrangler.test.ts: fixed the assertion in "adds SESSION binding when other KV bindings exist but not the session one" to verify OTHER_KV is preserved alongside SESSION.
• Added a new test "preserves existing previews KV bindings when adding SESSION binding" covering the same scenario in the previews config.
• No integration test needed: the bug and fix are fully exercised by the unit test suite for cloudflareConfigCustomizer.

Docs

No docs change needed. This is a bug fix restoring behavior that users already rely on — their existing kv_namespaces entries in wrangler.toml now survive when sessions are enabled.

Changes

• Fixes a regex bug where return was incorrectly rewritten inside string literals, template literals, and comments during esbuild's dep-scan / frontmatter error-check phase
• Replaces the two-pass \breturn\b regex with a single-pass state-machine regex that skips over all string/comment tokens before rewriting bare return statements
• Fixes the primary report case: gen.return(value) → was producing gen.throw (value) (syntax error); now preserved correctly
• Extracts a shared replaceTopLevelReturns() helper into utils.ts to deduplicate logic between the cloudflare esbuild plugin and compile.ts

Affected files:

• packages/integrations/cloudflare/src/esbuild-plugin-astro-frontmatter.ts
• packages/astro/src/vite-plugin-astro/utils.ts
• packages/astro/src/vite-plugin-astro/compile.ts

Closes #16551

Testing

The fix is a pure regex change with no new dependencies. Verified manually against the cases from the issue:

No new tests added — the two affected code paths are internal-only (esbuild dep scan and compile-error enhancement), exercised by the existing integration test suite.

Docs

No user-facing behavior change — this only affects internal dep scanning and error reporting during compilation. No docs update needed.

This PR contains the following updates:

Package	Change	Age	Confidence
@netlify/blobs (source)	^10.7.0 → ^10.7.4
@netlify/functions (source)	^5.1.2 → ^5.2.0
@netlify/vite-plugin (source)	^2.10.3 → ^2.12.1
@vercel/nft	^1.3.2 → ^1.5.0
devalue	^5.6.3 → ^5.7.1
tinyglobby (source)	^0.2.15 → ^0.2.16

Release Notes

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Changes

fixes #16524.

with vite.css.transformer: 'lightningcss', scoped styles using a nested & selector inside :where(...) silently produce css where the scope attribute lands on the matched child instead of the intended parent. tailwind v4's space-x-*, space-y-*, and divide-* all expand to this shape and tailwind v4 ships with lightningcss in the loop, so any astro 6 + tailwind v4 project using these utilities in scoped <style> blocks targeting children from another component gets broken spacing in production while the css rule still looks present in the bundle.

what's happening: lightningcss runs inside vite's preprocessCSS() and lowers nesting before @astrojs/compiler injects scope attributes. by the time the compiler sees the css, .parent is buried inside :where(...) and isn't a top-level compound anymore, so the injector prepends [data-astro-cid-X] as a new leading compound — which constrains the wrong element.

fix in packages/astro/src/core/compile/style.ts: when the user has css.transformer: 'lightningcss', call preprocessCSS() with a shallow-cloned vite config whose css.lightningcss.exclude ORs in Features.Nesting, so lightningcss skips its nesting-lowering pass for this preprocess call. vite's final pipeline still lowers nesting for the bundle so output stays compatible with the user's targets. clone is non-mutating per call so it's safe under parallel .astro compiles. lightningcss is resolved from the user's project root via createRequire — same instance vite uses, no new dep added to packages/astro. falls back to the original config if lightningcss can't be resolved.

i think a better fix would live in @astrojs/compiler itself, teach the scope injector to recognize :where(<simple-compound>, ...) as a leading-compound wrapper and attach the cid to the inner compound instead of prepending a new one. similar in spirit to withastro/compiler#1153 but extended to cover the :where(...) case, and it'd cover any future css transform that produces a similarly shaped selector not just lightningcss.

Testing

added a regression fixture under packages/astro/test/:

• lightningcss-scoped-nesting.test.ts — compiles the reporter's exact shape with vite.css.transformer: 'lightningcss' and asserts the scope id binds to .parent, not as a leading compound on the matched child.
• fixture under packages/astro/test/fixtures/lightningcss-scoped-nesting/ — single page using the reporter's :where(& > :not(:last-child)) selector inside a scoped <style> block.

reporter's reproduction repo: https://github.com/rklos/astro-css-bug-repro

Docs

no docs changes. silent regression in css output; behavior after the fix matches what the docs already describe for scoped styles + nested selectors.

Changes

upgrade/package.json has "build": "astro-scripts build \"src/index.ts\" --bundle && tsc". The output dist/index.js should be emitted by astro-scripts, while tsc should only emit .d.ts files.

In #16493, tsc emits both .js and .d.ts files, which overrides the bundled dist/index.js file that was just emitted by astro-scripts.

This PR updates upgrade/tsconfig.json to ensure that tsc won't emit any .js files.

Testing

Before this PR:

$ pnpm -w build
$ tree ./packages/upgrade/dist/
./packages/upgrade/dist/
├── actions
│   ├── context.d.ts
│   ├── context.js
│   ├── help.d.ts
│   ├── help.js
│   ├── install.d.ts
│   ├── install.js
│   ├── verify.d.ts
│   └── verify.js
├── index.d.ts
├── index.js
├── messages.d.ts
├── messages.js
├── shell.d.ts
└── shell.js

2 directories, 14 files

After this PR:

$ pnpm -w build
$ tree ./packages/upgrade/dist/
./packages/upgrade/dist/
├── actions
│   ├── context.d.ts
│   ├── help.d.ts
│   ├── install.d.ts
│   └── verify.d.ts
├── index.d.ts
├── index.js
├── messages.d.ts
└── shell.d.ts

2 directories, 8 files

After this PR, only one bundled dist/index.js file is emitted in dist/.

Docs

The previous and afterward outputs can both work, so there is no behavior change. No docs are needed.