Part of #16241

Part of #16241

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@6.1.8

Patch Changes

• #16348 7d26cd7 Thanks @ocavue! - Fixes a bug where emitted assets during a client build would contain always fresh, new hashes in their name. Now the build should be more stable.

• #16317 d012bfe Thanks @das-peter! - Fixes a bug where allowedDomains weren't correctly propagated when using the development server.

• #16317 d012bfe Thanks @das-peter! - Adds tests to verify settings are properly propagated when using the development server.

• #16282 5b0fdaa Thanks @jmurty! - Fixes build errors on platforms with skew protection enabled (e.g. Vercel, Netlify) for inter-chunk Javascript using dynamic imports

• Updated dependencies [e0b240e]:

  • @astrojs/telemetry@3.3.1

@astrojs/telemetry@3.3.1

Patch Changes

• #16257 e0b240e Thanks @gameroman! - Removed debug dependency

Part of #16241

Part of #16241

Part of #16241

Part of #16241

Part of #16241

This PR shows how to migrate integration tests packages/astro/test/*.js to TypeScript. Only a few tests are migrated. I just want to verify that these TS files are actually picked up by CI for both testing and type checking.

Part of #16241

Changes

Closes #16347

Testing

No new test is added because the issue is non-deterministic and hard to reproduce reliably in a test.

Verified manually by using the repo at #16347.

All existing tests should pass.

Docs

Changeset added.

Summary

• Fixes the TextMate grammar so that the lang attribute on <style> and <script> tags is correctly detected even when it appears on a different line than the opening tag
• Adds a two-phase scanning approach (inspired by Vue's grammar): first scan attributes until lang/type is found on a subsequent line, then enter the correct language scope
• The existing single-line \G lookahead patterns are preserved for same-line cases; the new patterns only activate when lang is not on the opening tag line

Fixes #14657

Test plan

• Added grammar snapshot tests for multi-line lang attribute with SASS, SCSS, and LESS
• All 25 grammar tests pass (22 existing + 3 new)
• Verified snapshots show source.sass, source.css.scss, and source.css.less (not source.css) for multi-line cases
• Verified define:vars with multi-line attributes also works correctly

Summary

Ports all test files in packages/internal-helpers/test/ from JavaScript to TypeScript, as part of the ongoing test migration effort.

• Renamed create-filter.test.js to create-filter.test.ts with type annotations
• Renamed path.test.js to path.test.ts with type annotations for test data arrays
• Renamed request.test.js to request.test.ts with type annotations (e.g., makeRequest helper)
• Added tsconfig.test.json for test typechecking (following the pattern from packages/astro)
• Updated package.json test script to use --strip-types with .test.ts glob, and added typecheck:tests script

All 60 tests pass and tsc --project tsconfig.test.json reports no errors.

Closes #16241 (partial)

Test plan

• pnpm --filter @astrojs/internal-helpers test -- all 60 tests pass
• pnpm --filter @astrojs/internal-helpers typecheck:tests -- no type errors

Changes

This PR creates a new function called loadOrCrateNodeLogger, which is called in every place where we create a logger right before loading the configuration.

It also adds a new --experimental-json (as per RFC) which creates a new JSON logger.

The loading of the logger has been implemented in:

• dev
• build
• sync
• add

Testing

Mostly manual testing. Existing CI should stay green.

Docs

N/A

Changes

• What does this change?
• Be short and concise. Bullet points can help!
• Before/after screenshots can help as well.
• Don't forget a changeset! Run pnpm changeset.
• See https://contribute.docs.astro.build/docs-for-code-changes/changesets/ for more info on writing changesets.

Testing

Docs

Changes

• Updates how svg optimization works
• Instead of having svgo directly in our config types, there's a new SvgOptimizer interface with a built-in svgoOptimizer() implementation. This is partly motivated by the nightmare that was the zod 3 to 4 update
• This makes it easier to make changes to the API and also allows using other services, for example https://github.com/noahbald/oxvg

Testing

• New type test
• Updated test fixture
• Manual check

Docs

• Changeset
• withastro/docs#13732

Changes

• The fetch() call for remote images in the Cloudflare binding image transform (image-binding-transform.ts) now uses { redirect: 'manual' } and rejects 3xx responses with a 404, consistent with every other remote image fetch path in core Astro and the Cloudflare integration.
• Previously this was the only image fetch path that used the default redirect: 'follow' behavior, which meant the worker would follow HTTP redirects to whatever destination the remote server specified, bypassing the isRemoteAllowed() domain check that only validated the initial URL.

Testing

• Added a test that spins up a local HTTP server returning a 302 redirect, requests /_image with that URL (which passes the domain allowlist), and asserts a 404 is returned instead of following the redirect.
• All existing binding image service tests continue to pass.

Docs

• No docs update needed — this is an internal behavior change with no new API surface.

Changes

• Moves the immutable Cache-Control header from send's headers event to the stream event, which only fires on the success path (after precondition checks pass). Previously, conditional request failures (e.g. If-Match mismatch) on hashed /_astro/ assets returned error responses with Cache-Control: public, max-age=31536000, immutable, causing CDNs to cache the error.
• Propagates the real HTTP status code from send's error object (e.g. 412 for precondition failure) instead of always returning 500.

Testing

• Added integration test in test/assets.test.js that sends a request with If-Match: xxx to a hashed asset and asserts it returns 412 without the immutable cache header.
• Existing test for immutable headers on successful asset requests continues to pass.

Docs

• No docs update needed — this is a bugfix with no user-facing API change.

Changes

Part of #16241

Since everyone is working on the unit tests under packages/astro/, let me do something else and migrate the integration tests under packages/integrations/react/.

The React test migration itself is easy and boring: only 3 files to change. However, I want to use it as an example to show that we can migrate integration tests in smaller PRs, contrary to what the original issue suggests:

Once unit tests are ported, we move to integration tests. This might need to require a one-shot PR because our loadFixture utility is used in various packages.

I achieve this by using TypeScript's Project References feature. Basically, it involves splitting the whole monorepo into smaller TypeScript "projects". Each tsconfig.json file with composite: true represents one TypeScript "project".

In this PR, I've added/modified the following TypeScript projects:

New projects:

• .github/scripts/tsconfig.json — for .github/scripts/
• scripts/tsconfig.json — for repo-level scripts/ (replaces the old scripts/jsconfig.json)
• packages/integrations/react/tsconfig.test.json — for React integration tests, and it imports and uses the loadFixture utility from another project.

Modified projects (now composite: true with references):

• packages/astro/tsconfig.json
• packages/astro/tsconfig.test.json (where loadFixture utility is defined)
• packages/astro/test/types/tsconfig.json

The references graph between these projects looks like this:

flowchart BT
    subgraph astro["packages/astro"]
        astroSrc["tsconfig.json<br/><i>(src)</i>"]
        astroTest["tsconfig.test.json<br/><i>(unit tests)</i>"]
        astroTypes["test/types/tsconfig.json<br/><i>(type tests)</i>"]
    end

    subgraph react["packages/integrations/react"]
        reactTest["tsconfig.test.json<br/><i>(integration tests)</i>"]
    end

    subgraph scripts["scripts/"]
        scriptsCfg["tsconfig.json"]
    end

    subgraph ghScripts[".github/scripts/"]
        ghScriptsCfg["tsconfig.json"]
    end

    astroTest -- references --> astroSrc
    astroTest -- references --> scriptsCfg
    reactTest -- references --> astroTest
    scriptsCfg -- references --> ghScriptsCfg

tsc --build instead of tsc --project

I've changed some scripts from tsc --project to tsc --build. This is required by the Project References feature: tsc --project only type-checks the single tsconfig.json you point it at and ignores any references it declares, whereas tsc --build walks the references graph and type-checks each referenced project in dependency order, reusing .tsbuildinfo caches for incremental rebuilds.

I've also added a repo-level typecheck:tests script (pnpm -r typecheck:tests) so that CI runs the type check across all workspace packages that define one, rather than only packages/astro/. For now, only two packages has typecheck:tests.

Testing

CI all green

Docs

No docs needed.

After updating from 5.16.6 to 6.1.5 the CORS handling seems to have changed in dev mode.
Investigation found the following possible changes as origin of the change in behavior:

• #16042
• #15587

Debugging showed that validateForwardedHeaders() didn't get any allowedDomains despite configured, leading to non recognition of forwarded protocol and hence origin mismatch in createOriginCheckMiddleware() triggering errors like

• Cross-site POST form submissions are forbidden

Changes

Adjusted createSerializedManifest() so it forwards the settings.config.security?.allowedDomains in the same way as e.g. settings.config.security?.checkOrigin.

Testing

Manually tested if the from submissions work again as expected as well as verified via debugger breakpoint that the expected allowedDomains value was present in validateForwardedHeaders()

Docs

Changes

This PR fixes a bug where non-SVG images can be converted to SVG output.

Testing

Added various tests

Docs

N/A

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@6.1.7

Patch Changes

• #16027 c62516b Thanks @fkatsuhiro! - Fixes a bug where remote image dimensions were not validated during static builds on Netlify.

• #16311 94048f2 Thanks @Arecsu! - Fixes --port flag being ignored after a Vite-triggered server restart (e.g. when a .env file changes)

• #16316 0fcd04c Thanks @ematipico! - Fixes the /_image endpoint accepting an arbitrary f=svg query parameter and serving non-SVG content as image/svg+xml. The endpoint now validates that the source is actually SVG before honoring f=svg, matching the same guard already enforced on the <Image> component path.

@astrojs/cloudflare@13.1.10

Patch Changes

• #16320 a43eb4b Thanks @matthewp! - Uses redirect: 'manual' for remote image fetches in the Cloudflare binding image transform, consistent with all other image fetch paths

• #16307 a81dd3e Thanks @matthewp! - Surfaces console.log and console.warn output from workerd during prerendering

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.3

@astrojs/netlify@7.0.7

Patch Changes

• #16027 c62516b Thanks @fkatsuhiro! - Fixes a bug where remote image dimensions were not validated during static builds on Netlify.

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.3

@astrojs/node@10.0.5

Patch Changes

• #16319 940afd5 Thanks @matthewp! - Fixes static asset error responses incorrectly including immutable cache headers. Conditional request failures (e.g. If-Match mismatch) now return the correct status code without far-future cache directives.

Closes #16278

Changes

• This fix has been made by @astrobot-houston. I tested it, works great.
• Fix astro dev --port not being preserved after a Vite-triggered server restart (e.g. .env file change)
• port was missing from the destructured server config in packages/astro/src/core/dev/container.ts — all other server properties (host, headers, open, allowedHosts) were already forwarded to createVite(), but port was simply omitted

Testing

Tested manually: started astro dev --port 7000, modified .env, confirmed the server restarts on port 7000 instead of falling back to Vite's default 5173. Same as astro dev default 4321 port. It will restart properly with 4321

No automated test added — this would require an integration test simulating a Vite restart, which is outside the scope of this fix.

Docs

No docs change needed — --port is already documented as working. This restores the expected behavior.

Changes

• Worker console.log/console.warn output during prerendering was silently swallowed because the internal Vite preview server in @astrojs/cloudflare used logLevel: 'error'. Changed to logLevel: 'info' so that console output from workerd is no longer suppressed.

Closes #16200

Testing

• Tested manually

Docs

• N/A, bug fix

Changes

• Style and script tags with lang or type on a different line than the tag name now get correct syntax highlighting. Previously, the TextMate grammar's \G anchor only matched on the first line after the opening tag, causing multiline attributes to fall through to the default language (CSS/JS) instead of the specified one (Sass, SCSS, TypeScript, etc.)
• Adds a begin/while pattern that consumes intermediate attribute lines until the line containing lang/type is reached, then hands off to the existing lang-detection rules without the \G constraint
• Includes explicit rules for application/ld+json → JSON and type="module" → JavaScript to handle cases where backreference capture groups reset after the while rule

Closes #14657

Testing

• Added 4 grammar snapshot fixtures covering multiline lang detection: sass-multiline.astro, scss-multiline.astro, ts-multiline.astro, and sass-multiline-scoped.astro (three-line split with is:global)
• All 26 grammar tests pass, including existing single-line fixtures confirming no regressions

Docs

• No docs update needed — this is a bug fix in the VS Code extension's TextMate grammar with no user-facing API change

Changes

Closes AST-52

This PR starts the implementation of the new logger functionality. As for now, the implementation and usage is solely focused on development.

Docs haven't been written as they should, and I would like to keep it that way for now, I will focus on writing towards the end of the works.

Here's the RFC: withastro/roadmap#1339

Here's what's been done:

• Updated the configuration to accept the new experimental flag
• Created a new logHandlers with
  • json, that returns a JSON logger
  • node, that returns the Node.js logger
  • console, that returns the console logger
  • compose, which allows to have multiple loggers together
  • New relative entrypoints, so that the specifiers can be easily imported
• The logger particular because we need it as early as possible, before we even start the dev server. So I used the same trick we use to import the configuration: we spawn a temporary vite server, specifically for loading the module. I exposed the inner function used by the loading system of the configuration, so that it's reusable for the logger.
• Created a small vite virtual module for the loading of the logger. We need a virtual module to support the compose API. The plugin for now is very minimal, however we will need to expand it for SSR. It will work very much like the middleware does.
• I established some patterns. Throughout the code base we were creating loggers in two ways, now we use only one way, using the create*Logger functions. This means that the destination becomes an implementation detail.
• I moved all the implementation inside the impls/ folder.
• I removed the _format type I created few days ago, because it's not needed anymore, because the architecture took a different course.
• The JSON logger uses a small regex to remove ANSI characters from the message. In another PR I plan to remove them from our logs, because using colours in our messages means that ANSI will be broadcast to downstream loggers too.

Testing

I updated the existing tests to use the new pattern. Green CI.

I tested locally the new compose API and the new json API.

Docs

N/A

Changes

• Consolidates two independent inline <script> escaping implementations into a single shared stringifyForScript utility in escape.ts
• The new utility escapes all < characters to \u003c in JSON-serialized output, which is a simpler and more thorough approach than the previous pattern-specific replacements
• defineScriptVars in render/util.ts and safeJsonStringify in render/server-islands.ts both now use the shared function, removing duplicated logic

Testing

• Updated existing defineScriptVars test to match the new escape sequence (\u003c instead of \x3C)
• Added tests for case-insensitive tag variants (</Script>, </SCRIPT>, </sCrIpT>)
• Added tests for whitespace variants (</script >, </script\t>)
• Added test for self-closing form (</script/>)
• All tests in packages/astro/test/units/render/html-primitives.test.js

Docs

• No docs update needed — this is an internal refactor with no user-facing API change

Changes

• Closes #16139
• Previous attempt: #15327
• Introduces a new experimental_getFontBuffer() utility to allow working with font buffers during prerendering
• The big thing is that it works thanks to HTTP requests. So during prerendering we have to start a temporary node server

Testing

Added a lot of unit tests, as well as few integration tests

Docs

• errors
• withastro/docs#13729
• changeset

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@clack/prompts (source)	^1.1.0 → ^1.2.0
@playwright/test (source)	1.58.2 → 1.59.1
@preact/signals (source)	2.8.2 → 2.9.0
@types/picomatch (source)	^4.0.2 → ^4.0.3
@vitejs/plugin-vue (source)	^6.0.5 → ^6.0.6
devalue	^5.6.3 → ^5.7.1
diff	^8.0.3 → ^8.0.4
p-queue	^9.1.0 → ^9.1.2
picomatch	^4.0.3 → ^4.0.4
postcss (source)	^8.5.8 → ^8.5.9
postcss-preset-env (source)	^11.2.0 → ^11.2.1
preact (source)	^10.29.0 → ^10.29.1
preact (source)	^10.28.2 → ^10.29.1
react (source)	^19.2.4 → ^19.2.5
react (source)	19.2.4 → 19.2.5
react-dom (source)	^19.2.4 → ^19.2.5
react-dom (source)	19.2.4 → 19.2.5
rollup (source)	^4.58.0 → ^4.60.1
sass	^1.98.0 → ^1.99.0
smol-toml	^1.6.0 → ^1.6.1
solid-js (source)	^1.9.11 → ^1.9.12
svelte (source)	^5.54.0 → ^5.55.3
tinyexec	^1.0.4 → ^1.1.1
tinyglobby (source)	^0.2.15 → ^0.2.16
undici (source)	^7.22.0 → ^7.25.0
unstorage (source)	^1.17.4 → ^1.17.5
vitefu	^1.1.2 → ^1.1.3
vitest (source)	^4.1.0 → ^4.1.4
vue (source)	^3.5.30 → ^3.5.32

Release Notes

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

This PR contains the following updates:

Package	Change	Age	Confidence
@preact/signals (source)	^2.8.2 → ^2.9.0
@vitejs/plugin-vue (source)	^6.0.5 → ^6.0.6
@vue/compiler-sfc (source)	^3.5.30 → ^3.5.32
devalue	^5.6.4 → ^5.7.1
preact (source)	^10.29.0 → ^10.29.1
preact-render-to-string	^6.6.6 → ^6.6.7
react (source)	^19.0.0 → ^19.2.5
react-dom (source)	^19.0.0 → ^19.2.5
solid-js (source)	^1.9.11 → ^1.9.12
svelte (source)	^5.54.1 → ^5.55.3
svelte (source)	^5.17.1 → ^5.55.3
svelte2tsx (source)	^0.7.52 → ^0.7.53
vite-plugin-solid	^2.11.11 → ^2.11.12
vite-plugin-vue-devtools (source)	^8.1.0 → ^8.1.1
vitefu	^1.1.2 → ^1.1.3
vue (source)	^3.5.30 → ^3.5.32

Release Notes

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

On Windows, styles go missing when the import path casing doesn't match the actual filename (e.g., import './Styles.css' when the file is styles.css). The CSS collection walk uses module IDs as map/set keys, and different casing creates different keys for the same file.

Normalizes IDs to lowercase for comparison on Windows (process.platform === 'win32'). Original casing is preserved in output — only the dedup keys are normalized. No-op on case-sensitive systems.

Fixes #14013

Changes

Fixes #16291.

The astro:head-metadata dev plugin (configHeadVitePlugin) previously tracked only the ssr Vite environment. Adapters like @astrojs/cloudflare register a dedicated prerender environment for prerendered routes and load page modules there, so containsHead and propagation were never set on those modules. As a result, maybeRenderHead() could fire inside an unrelated component's <template> element, most visibly trapping every hoisted <style data-vite-dev-id> block inside Starlight's <template id="theme-icons">, leaving affected pages completely unstyled during astro dev.

• Track both ssr and prerender environments in configureServer
• Add a findModule helper so buildImporterGraphFromEnvironment can walk importers across either graph
• Iterate every tracked environment (with module-id dedup) when building the virtual:astro:component-metadata virtual module
• Invalidate the virtual module on all tracked environments on HMR-triggered changes

Testing

• pnpm --filter astro run test:unit - 1175 pass, 0 fail, 3 skipped (includes the full test/units/render/head-propagation/ suite of 29 tests and test/units/render/head-injection-app.test.js)
• pnpm --filter astro run test:types — clean
• test/astro-head.test.js integration test passes
• @astrojs/cloudflare's test/prerender-styles.test.js passes — closest existing test covering hoisted styles through the prerender environment
• biome check and biome format --check clean on the modified file
• Verified end-to-end against the reproduction from #16291: a page routed through Starlight's 404 handler goes from a ~99 KB <template id="theme-icons"> with ~40 hoisted <style> blocks trapped inside, to a ~2 KB template containing only the three SVG icons, with every style block emitted outside the template.

No new regression test added because existing dev-mode test infrastructure in packages/astro/test/ does not exercise a custom prerender environment, reproducing the bug at the unit level requires a Vite dev server configured with both ssr and prerender environments, which is adapter-level setup. The bug is fully covered by @astrojs/cloudflare's prerender-styles.test.js, which now exercises the patched code path end-to-end.

Docs

No docs change needed, this is a dev-mode rendering bug, not a user-visible API change.

Changes

This PR fixes issue #16198 where server.allowedHosts (and vite.preview.allowedHosts) were ignored when using astro preview with the @astrojs/cloudflare adapter.

Technical Details:

• Updated PreviewServerParams interface in astro core to include allowedHosts.
• Updated astro core preview logic to pass allowedHosts from the user configuration to the adapter's preview entrypoint.
• Updated @astrojs/cloudflare preview entrypoint to accept allowedHosts and pass it to Vite's preview configuration, replacing the hardcoded empty array.

These changes ensure that requests with non-localhost Host headers are correctly handled according to the user's security configuration when previewing Cloudflare builds locally.

Testing

Verified by building both astro and @astrojs/cloudflare packages and ensuring type compatibility. All unit tests passed locally.

Docs

No documentation changes required as this fixes an inconsistency between core configuration and adapter behavior.

Closes #16198

Changes

Bumps drizzle-orm in packages/db/package.json from ^0.42.0 to ^0.45.2, patching GHSA-gpj5-g38j-94v9 (CVE-2026-39356), a high severity SQL injection in drizzle-orm's identifier escaping. Changeset added at .changeset/late-lamps-attack.md.

Drizzle 0.44+ wraps query errors in a DrizzleQueryError whose .cause is the original LibsqlError, which broke @astrojs/db's error handling. Adds a new getDbError() helper exported from astro:db that walks the .cause chain and returns the underlying LibsqlError. isDbError() is still exported and still returns true for wrapped errors, but its return type is relaxed from the err is LibsqlError type predicate to boolean since the outer object is no longer a LibsqlError at runtime. Internal call sites in migration-queries.ts, integration/index.ts, and cli/commands/execute/index.ts now use getDbError() so .code and .message are read from the unwrapped error.

Testing

No new tests. The SQL injection fix lives in drizzle-orm, so regression coverage belongs upstream. The existing @astrojs/db suite (86 tests) passes locally, including the error-handling and libsql-remote tests that initially failed on CI after the drizzle bump. The fixture at test/fixtures/error-handling/src/pages/foreign-key-constraint.json.ts was updated to use the new getDbError() helper so it can still read .code and .message off the underlying LibsqlError; the test assertions in test/error-handling.test.js are unchanged.

Docs

User-facing change. Error handling docs for astro:db should document the new getDbError() helper and the isDbError() return type change. Any user code that reads e.code or e.message after catching a db.insert() / db.select() error needs to migrate to getDbError(); the changeset walks through the before/after pattern.

Description

This PR adds my latest plugin, Starlight Recipes, to the plugin showcase page.

Changes

We've been running auto-triage for some time now with a fair amount of success, but over time we identified a few things it didn't do too well. This PR tweaks it a little bit based on the feedback received. Most notably:

The message is still a bit messy to scan, big paragraphs. This PR changes two things in that regard:

• Reduce the total amount of sentences suggested (max before was 7 sentences, now 5)
• Add a bullet point summary at the top, moving the priority reasoning to a single line summary
• Added a tone suggestion explanation to try to keep the messages straight to the point over dramatically describing sometimes mundane things

The AI was quite overconfident in fixes, while this is unavoidable, we can tip its behavior in our favor nonetheless:

• There is now a proper "Low-confidence" path, where the AI will instead produce a branch with comments on where it believes the issue is, and a test if it was able to, hopefully providing a good jump start to anyone who wants to work on the issue.
• In general, some of the language has been updated to err more on the side of "exploration" "jumping point" "analysis".

Some misc things:

• It always priority a bit too high, not considering context enough. For instance, typically experimental features are never higher than P3 naturally. It's possible to fix this partially by editing the label descriptions, but there's a quite strict limit of characters so it's not amazing.
• It sometimes suggested insane things like removing adapters or integrations as potential fixes, lol

This PR also adds a new workflow to clean out branches after issues have been fixed. I know Fred historically used those to see the difference between the automated exploration vs the final PR, but in this future world I'd like for us to use the AI PRs are jumping point, so the history would anyway live in the PR.

Testing

Tried it in local as a skill with a few issues and liked the results better, but of course we'll really only know in production.

Docs

N/A

Changes

• Add script-src-elem, script-src-attr, style-src-elem, and style-src-attr to the allowed CSP directives list so they pass config validation
• Add first-class scriptElemDirective and styleElemDirective config sections (with resources and hashes) alongside the existing scriptDirective/styleDirective
• When script-src-elem or style-src-elem are configured, auto-generated script/style hashes are forwarded into the -elem directive alongside any user-specified hashes
• Expose insertScriptElemResource, insertScriptElemHash, insertStyleElemResource, and insertStyleElemHash on the Astro.csp runtime API
• -attr directives (script-src-attr, style-src-attr) are supported as generic directives via the directives config array or insertDirective() API
• Tighten existing CSP rendering tests to use structured directive parsing and assert absence of CSP3 directives when not configured

Closes #16233

Motivation for this issue is to provide CSP support when using Shiki which uses inline style attributes for syntax highlighting.

Testing

Added unit tests across two files:

• test/units/csp/config.test.ts — 8 tests validating CSP Level 3 directive names are accepted/rejected by the config schema
• test/units/csp/rendering.test.js — rewrote existing tests to use structured parseCsp() helper for exact directive matching; added 12 new tests for -elem rendering, auto-generated hash forwarding, -attr passthrough, and runtime API

All existing CSP tests continue to pass (25 JS + 9 TS unit tests).

Docs

This adds new user-facing config options (scriptElemDirective, styleElemDirective) and runtime API methods (insertScriptElemResource, etc.) that should be documented alongside the existing CSP reference.

Changes

Fix build errors in Vercel deployments caused by assetQueryParams being applied incorrectly to inter-chunk JS dynamic imports e.g. const shared = await import('./shared.js');

Build error is: Expected ":" but found ")"

NOTE: this fix should be credited to @leifmarcus because they suggested it in #16258 (comment) – this PR just tests and applies that suggestion.

Testing

Build errors are normally only seen in Vercel deployments, but can be triggered locally by providing the same deployment ID environment variable provided in the Vercel environment when skew protection is enabled:

VERCEL_DEPLOYMENT_ID=testing pnpm run build

Updated test appends assetQueryParams to relative imports inside client JS chunks to include a dynamic import – not just static imports – so it will trigger the build error if run at the commit 4f772eb that precedes the fix commit.

I also confirmed the fix by linking the patched Astro to a project that previously failed to build locally using the command above. However I have not yet tested a real Vercel deployment with the fix applied: I'm not sure how to go about doing that?

Docs

No docs changes needed.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@6.1.6

Patch Changes

• #16202 b5c2fba Thanks @matthewp! - Fixes Actions failing with ActionsWithoutServerOutputError when using output: 'static' with an adapter

• #16303 b06eabf Thanks @matthewp! - Improves handling of special characters in inline <script> content

• #14924 bb4586a Thanks @aralroca! - Fixes SCSS and CSS module file changes triggering a full page reload instead of hot-updating styles in place during development

@astrojs/cloudflare@13.1.9

Patch Changes

• #16210 e030bd0 Thanks @matthewp! - Fixes .svelte files in node_modules failing with Unknown file extension ".svelte" when using the Cloudflare adapter with prerenderEnvironment: 'node'

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.3

@astrojs/partytown@2.1.7

Patch Changes

• #16265 7fe40bc Thanks @ChrisLaRocque! - Updates @qwik.dev/partytown to 0.13.2

@astrojs/svelte@8.0.5

Patch Changes

• #16210 e030bd0 Thanks @matthewp! - Fixes .svelte files in node_modules failing with Unknown file extension ".svelte" when using the Cloudflare adapter with prerenderEnvironment: 'node'

Changes

Part of #16241

This is a big one because all unit tests we had were using utilities, mocks, etc. Since using ts/js when importing stuff would have caused much more distress, I preferred to port all unit tests.

Each commit is the port of a file (plus deletion of the js file), fix of regressions (latest commits), and porting of test-helpers (first commit).

Testing

Green CI

Docs

Changes

• fix #16276

Testing

tests were added

Docs

just a patch to make the cloudflare adapter work in the expected manner

Fixes #16273

Summary

Custom elements in MDX files bypass the renderer pipeline because the JSX runtime (jsx.ts:96) sends all string-typed vnodes directly to renderElement() — pure string concatenation with no renderer check.

The .astro compiler already handles this correctly by treating custom elements (tags with hyphens) as components (print-to-js.go:381).

Change

One condition added to jsx.ts line 96:

// Before:
case typeof vnode.type === 'string' && vnode.type !== ClientOnlyPlaceholder:

// After:
case typeof vnode.type === 'string' && vnode.type !== ClientOnlyPlaceholder && !vnode.type.includes('-'):

Custom elements (string types containing a hyphen) now fall through to the existing renderComponentToString() path at line 147–153, which calls renderFrameworkComponent() → renderer check().

If no renderer claims the element, the existing fallback in renderComponent() renders it as raw HTML — no regression for projects without a matching renderer.

Testing

Tested across a production site with 80+ web components in MDX pages:

Fixes #16203

Problem

The astro-frontmatter-scan esbuild plugin registers its onLoad handler without a namespace filter. In esbuild, an unfiltered onLoad matches all namespaces, including html. When a .ts file default-imports an .astro component, Vite's dep scanner resolves the .astro file into the html namespace. The plugin intercepts it and returns only the extracted frontmatter — which has no export default — causing:

[ERROR] No matching export in "html:/path/to/Component.astro" for import "default"

Fix

Add namespace: 'file' to the onLoad call so the plugin only handles .astro files resolved from the filesystem. Files in the html namespace now fall through to Vite's built-in htmlTypeOnLoadCallback, which already appends export default {} for non-.vue files.

Test plan

• Verified against the reproduction repo from the issue: error no longer occurs
• file namespace behavior is unchanged — same handler, same logic, only the namespace scope is narrowed

Changes

This PR renames the internal types of our logger in preparation of the upcoming custom logger.

Our internal types are a big old naming-wise, I decided to do some house keeping and make their names a bit more consistent.

Additionally, I added the _format option to the logger options. It's been marked as internal and optional. The option isn't exposed to users yet and not even to the current tests (apart from the new ones), so it's safe to merge without repercussions to users and other libraries.

Testing

I added some preliminary new tests for the _format option.

Docs

Not needed at this stage

Summary

Contributes to #16241

• Ports 16 routing unit test files from JavaScript to TypeScript
• Adds minimal type annotations where needed (type casts for test mocks, parameter types for callbacks)
• Files that depend on the untyped mocks.js helper are intentionally left as JS to avoid cascading changes
• No changes to test logic or assertions — purely a type-level migration

Files ported

api-context, dev-routing, dynamic-route-collision, generator, getstaticpaths-cache, params-validation, prerender, preview-routing, resolved-pathname, rewrite, route-manifest, router-match, route-sanitization, routing-priority, trailing-slash, virtual-routes

Test plan

• All 162 ported TS tests pass (node --experimental-strip-types --test test/units/routing/*.test.ts)
• All 73 remaining JS tests pass (node --test test/units/routing/*.test.js)
• tsc --project tsconfig.test.json --noEmit reports zero errors in ported files

Update package.json to require @qwik.dev/partytown ^0.13.2 and refresh pnpm-lock.yaml accordingly. Run pnpm install to apply the updated dependency and regenerate the lockfile.

There are lighthouse test penalties tied to the current version of the partytown integration that are solved by this latest version

Changes

Update package.json for the partytown integration to require @qwik.dev/partytown ^0.13.2 and refresh pnpm-lock.yaml accordingly. Run pnpm install to apply the updated dependency and regenerate the lockfile.

Testing

There weren't any tests in the partytown integration to start with

Docs

Shouldn't need to be any changes to docs

Fix for #16263

Changes

• The fix converts assetFileNames from a static string template to a function that detects and strips the @_@ pattern before it reaches the output filename, producing clean names like post.arA8i2KH.css. This is applied to both the server and client build output configurations in static-build.ts

Testing

• Rebuilt locally and new file names are generated as expected. My last demo file was /_astro/post.arA8i2KH.css

Docs

No need for documentation changes

Changes

Adding tests for #16261

Testing

Adding tests

Docs

N/A

Description

• Updates the comparisons table on our environmental impact page
• Uses latest data from websitecarbon.com
• Direct link: https://deploy-preview-3812--astro-starlight.netlify.app/environmental-impact/#comparisons

Changes

Adds a changeset for #15565 telemetry changes

Testing

N/A

Docs

N/A

Fixes #14013

Styles were missing in dev mode when the import path casing differed from the actual file path (e.g., ./Component vs component.astro). This affected case-insensitive file systems (macOS, Windows).

Normalized path comparison in the style resolution logic to be case-insensitive.

Ports 8 self-contained unit test files from JavaScript to TypeScript as part of #16241.

Files ported:

• app/dev-url-construction.test
• app/headers.test
• app/url-attribute-xss.test
• assets/image-layout.test
• render/escape.test
• render/hydration.test
• routing/origin-pathname.test
• routing/routing-helpers.test

These files were chosen because they don't depend on shared JS test helpers (mocks.js, test-utils.js), so they can be ported independently without creating mixed JS/TS helper conflicts.

Changes beyond the rename:

• Removed // @ts-check directives (redundant in .ts files)
• Converted JSDoc @param/@returns to native TS types in dev-url-construction.test.ts
• Added as assertions on unescapeHTML return values in escape.test.ts (the return type union doesn't expose [Symbol.asyncIterator] directly)
• Typed the err parameter in hydration.test.ts catch callback
• Added a route() factory helper in routing-helpers.test.ts to satisfy the RouteData parameter type

typecheck:tests, test:unit:ts (1019 pass, 0 fail), and test:unit:js (1328 pass, 0 fail) all pass.

Description

• Add a reusable tag filter UI (src/components/tags/*) for desktop (DesktopAside) and mobile (MobileControl)
• Apply tag filtering to ListView and CardView, including filtering for /changelog and /shorts
• Add FEATURES.tag, update related types/schema logic, and show tags in PostMeta
• Split faqs-and-known-issues.md into standalone /shorts/* entries and add the dynamic shorts route
• Refactor TOC-related components so TOC and tag controls can share the new aside/panel UI
• Refer to Tag Filter in List and Card Views for details

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@6.1.5

Patch Changes

• #16171 5bcd03c Thanks @Desel72! - Fixes a build error that occurred when a pre-rendered page used the <Picture> component and another page called render() on content collection entries.

• #16239 7c65c04 Thanks @dataCenter430! - Fixes sync content inside <Fragment> not streaming to the browser until all async sibling expressions have resolved.

• #16242 686c312 Thanks @martrapp! - Revives UnoCSS in dev mode when used with the client router.

  This change partly reverts #16089, which in hindsight turned out to be too general. Instead of automatically persisting all style sheets, we now do this only for styles from Vue components.

• #16192 79d86b8 Thanks @alexanderniebuhr! - Uses today’s date for Cloudflare compatibility_date in astro add cloudflare

  When creating new projects, astro add cloudflare now sets compatibility_date to the current date. Previously, this date was resolved from locally installed packages, which could be unreliable in some package manager environments. Using today’s date is simpler and more reliable across environments, and is supported by workerd.

• #16259 34df955 Thanks @gameroman! - Removed dlv dependency

@astrojs/cloudflare@13.1.8

Patch Changes

• #16225 756e7be Thanks @travisbreaks! - Fixes ERR_MULTIPLE_CONSUMERS error when using Cloudflare Queues with prerendered pages. The prerender worker config callback now excludes queues.consumers from the entry worker config, since the prerender worker only renders static HTML and should not register as a queue consumer. Queue producers (bindings) are preserved.

• #16192 79d86b8 Thanks @alexanderniebuhr! - Removes an unused function re-export from the /info package path

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.3

Changes

Part of #16241

Testing

Gree CI

Docs

Changes

This change partly reverts #16089, which in hindsight turned out to be too general. Instead of automatically persisting all style sheets, we now do this only for styles from Vue components.

Fixes #16204

Testing

See newly added test for #16809

Docs

n.a., bug fix

Description

I created a theme for Starlight (starlight-theme-nord), and would like to add it into documentation.

Changes

• renderFragmentComponent was calling renderSlotToString, which eagerly awaited the entire slot content into a string before returning a RenderInstance. This caused sync siblings inside a <Fragment> to block until all async children resolved, unlike <div> and bare template expressions which streamed immediately.
• Fix: replace renderSlotToString with renderSlot, so Fragment children go through the same renderChild -> buffered async pipeline every other element uses.
• Fixes #13283

Testing

• Added unit test in test/units/render/html-primitives.test.js verifying sync content flushes to the destination before a deferred Promise resolves.
• Added integration tests in test/streaming.test.js using a fixture page that mirrors the issue's exact reproduction — asserts sync content arrives in an earlier stream chunk than the async child.
• All 99 existing + new tests pass.

Docs

No docs change needed

On case-insensitive filesystems (Windows, macOS), running npm run dev from a path with different casing than the canonical filesystem path caused inline <style> blocks to be silently dropped.

Root cause

The HMR handler in vite-plugin-astro/hmr.ts compared file paths using strict equality. When the casing of ctx.file (provided by Vite's watcher using the actual filesystem casing) differed from the key stored in the compile metadata map, lookups failed and CSS was never returned.

Changes

• Normalize path casing for comparison when looking up compile metadata on win32 and darwin.
• Normalize CSS dependency paths using the same approach when checking if an updated file is a CSS dependency.
• Add a changeset for the astro package.

Testing

Existing HMR tests continue to pass. The fix is scoped to case-insensitive platforms so Linux behavior is unaffected.

Fixes #14013

Changes

Added position prop to Astro Image with safe style merging to preserve existing user styles.

• issue : #16215

Testing

After implementation:

Docs

Changes

• Added allowedHosts to the PreviewServerParams interface so adapter preview entrypoints can receive the user's server.allowedHosts configuration
• Pass settings.config.server.allowedHosts from the core preview entrypoint (packages/astro/src/core/preview/index.ts) to adapter preview modules
• Update the Cloudflare adapter's preview entrypoint to use the passed allowedHosts value (allowedHosts ?? []) instead of hardcoding an empty array

Before: astro preview with @astrojs/cloudflare always returns 403 for non-localhost Host headers, regardless of server.allowedHosts config.

After: server.allowedHosts is respected, matching the behavior of astro dev and the static preview server.

Fixes #16198

Testing

• Existing tests in test/astro-preview-allowed-hosts.test.js pass (5/5 tests, 3 suites)
• TypeScript compilation passes for both astro and @astrojs/cloudflare with 0 errors
• Both packages build cleanly (0 errors, 0 warnings)
• Biome lint passes on all changed files
• Manual verification: the static preview server already handles allowedHosts correctly via the same pattern (see static-preview-server.ts); this fix extends that to adapter preview entrypoints

Docs

No docs changes needed. server.allowedHosts is already documented — this fix makes it work correctly with adapter preview entrypoints as users would expect.

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vite-plugin (source)	^1.25.6 → ^1.32.1
@cloudflare/workers-types	^4.20260228.0 → ^4.20260413.1
@fastify/middie	^9.1.0 → ^9.3.1
@fastify/static	^9.0.0 → ^9.1.0
@netlify/blobs (source)	^10.7.0 → ^10.7.4
@netlify/functions (source)	^5.1.2 → ^5.2.0
@netlify/vite-plugin (source)	^2.10.3 → ^2.11.3
@tailwindcss/vite (source)	^4.2.1 → ^4.2.2
@vercel/nft	^1.3.2 → ^1.5.0
@vitejs/plugin-vue (source)	^6.0.4 → ^6.0.6
devalue	^5.6.3 → ^5.7.1
react (source)	^19.2.4 → ^19.2.5
react-dom (source)	^19.2.4 → ^19.2.5
solid-js (source)	^1.9.11 → ^1.9.12
svelte (source)	^5.53.5 → ^5.55.3
svelte (source)	^5.0.0 → ^5.55.3
tailwindcss (source)	^4.2.1 → ^4.2.2
tinyglobby (source)	^0.2.15 → ^0.2.16
vue (source)	^3.5.29 → ^3.5.32
wrangler (source)	^4.69.0 → ^4.82.1

Release Notes

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

This PR contains the following updates:

Package	Change	Age	Confidence
ovsx (source)	^0.10.9 → ^0.10.10
prettier (source)	^3.8.1 → ^3.8.2
svelte (source)	^5.54.1 → ^5.55.3
tinyglobby (source)	^0.2.15 → ^0.2.16

Release Notes

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Summary

Fixes #16199. The @astrojs/cloudflare adapter's prerender worker config callback spreads the entire entryWorkerConfig into the prerender worker, including queues.consumers. When Miniflare sees two workers both registered as consumers of the same queue, it rejects with ERR_MULTIPLE_CONSUMERS. The prerender worker only renders static HTML and has no need for queue consumer registrations.

Changes

• Destructure queues from entryWorkerConfig in the prerender worker config() callback
• Spread restWorkerConfig (without queues) instead of the full config
• Preserve queues.producers (bindings) when present, since producers are just bindings and don't cause conflicts
• Drop queues.consumers entirely from the prerender worker
• Add test fixture with a hybrid site (prerendered page + SSR endpoint) that defines both queues.consumers and queues.producers in wrangler.jsonc
• Add test verifying the build succeeds and both routes work in preview

Test plan

• New test prerender-queue-consumers.test.js passes (2/2 assertions)
• Existing wrangler-preview-platform.test.js still passes (4/4 assertions)
• Changeset included

Changes

Fix React 19 "Float" mechanism injecting into Astro islands instead of the . This PR adds a filter to @astrojs/react to strip these auto-generated resource from the island's HTML output, ensuring valid HTML structure.

• issue : #16212

Testing

Before Implemented:

After Implemented:

Docs

Changes

• adds a cloudflare cdn cache provider for route caching

Testing

• not sure yet

Docs

• tbd

Changes

• Adds astro-og-canvas@0.11.0 to minimumReleaseAgeExclude in pnpm-workspace.yaml so the smoke test pnpm install step no longer fails
• The docs site (withastro/docs) depends on astro-og-canvas, and version 0.11.0 was published less than 3 days ago, hitting the minimumReleaseAge: 4320 constraint

Testing

• CI smoke tests should pass once this lands; no other test changes needed

Docs

• No docs update needed — this is a CI configuration change only

Changes

• Packages that ship .svelte files (e.g. bits-ui) now work with the Cloudflare adapter's prerenderEnvironment: 'node' option. Previously they failed with Unknown file extension ".svelte" because the prerender environment's resolve.noExternal was missing these packages, so they were loaded via Node's native import() instead of Vite's transform pipeline.
• @astrojs/cloudflare: Removed top-level ssr.noExternal = true from the cf-externals plugin. This was poisoning vitefu's crawlFrameworkPkgs into returning an empty list, since it assumed all packages were already noExternal. The ssr environment still gets resolve.noExternal: true from @cloudflare/vite-plugin directly. Also removed the configEnvironment hook that disabled dep optimization for the prerender environment.
• @astrojs/svelte: Uses crawlFrameworkPkgs to discover packages that peerDepend on svelte and adds them to resolve.noExternal for all server environments (including prerender) via configEnvironment.

Testing

• Added a test to the existing prerenderEnvironment: 'node' test suite that renders a svelte component importing a .svelte file from a fake node_modules package.
• All 6 existing tests continue to pass, including workerd SSR, server islands, and Node.js API access.

Docs

• No docs update needed — this fixes a bug, no new API surface.

Closes #15906

Description

• Fixes #3785
• When adding our draft feature, we added a notice to alert people during dev that page had draft status, but missed adding this same alert if the page used the hero component.
• This PR fixes that by also including the notice in the hero component

Here’s an example of what this looks like if you set draft: true on the homepage of the Starlight docs:

Small viewport	Large viewport

This also required a couple of minor CSS changes:

• We previously did not set grid-template-columns on the hero component for small viewports, but this is risky when components can overflow the viewport width (like the draft notice) as the grid simply adapts to accommodate them. The hero is now explicitly a single, 100%-wide column for small viewports so it contains the notice.
• The hero component uses centre-aligned text on small viewports, but the notice looks quite odd with centred text due to the icon lock-up. So this PR explicitly adds start-alignment to the notice.

I think both of these changes are minor and should be safe enough to release in a patch.

Fixes #16196

This seems likely connected to #16110, which introduced inter-chunk import rewriting for adapter asset query params.

Deployment Failure on Netlify

[ERROR] [vite] ✗ Build failed in 360ms
Syntax error "c"
  Location:
    _astro/page.BsrPi06Q.js:17:50

Changes

• Fix plugin-chunk-imports rewrite logic to preserve valid JS import syntax when appending assetQueryParams.
• Rewrite only the module specifier content (inside quotes) using es-module-lexer offsets, instead of inserting blindly at the previous end offset.
• Merge adapter-provided query params with existing ?query and #hash in relative inter-chunk JS imports.
• Add clarifying inline comments around specifier offsets and param snapshot behavior.
• This addresses cloud-only build failures (e.g. Netlify/Vercel) where generated _astro/*.js could become syntactically invalid in downstream bundling.

Testing

• Reproduced the issue on Netlify before this fix (deployment build failed with syntax errors in generated _astro/*.js chunks).
• After applying this fix, redeployed the same project on Netlify and confirmed the build now succeeds.

Changes

• Adds Semgrep OSS security scanning workflow
• Runs on pull requests and weekly on Saturdays (cron schedule)
• Uses pinned Semgrep container image for reproducibility
• No tokens required - uses OSS version with auto config

Testing

• Workflow file syntax validated locally
• Uses official semgrep/semgrep container with pinned SHA
• OSS scan with --config=auto for comprehensive rule coverage

Docs

• No docs update needed, this is an internal CI improvement that does not affect user-facing behavior

Changes

• Skips the ActionsWithoutServerOutputError validation when an adapter is present. PR #15890 moved this check from astro:config:done to astro:routes:resolved but lost adapter-awareness — the old check was naturally bypassed because adapters override buildOutput to 'server'. The new check only inspects resolved routes, so output: 'static' with all pages prerendered + an adapter (Netlify, Cloudflare, etc.) incorrectly throws.

Testing

• Added a test that starts a dev server with the actions fixture, output: 'static', and testAdapter(), confirming the action endpoint responds successfully.
• Full actions.test.js suite passes (26/26).

Docs

• No docs change needed — this restores previously documented Astro 5 behavior.

Closes #16103

Changes

• Removes four unused re-exports (matchHostname, matchPathname, matchPort, matchProtocol) from packages/astro/src/assets/utils/index.ts
• Updates the sole internal consumer in packages/astro/src/core/app/base.ts to import matchPattern directly from @astrojs/internal-helpers/remote instead of through the barrel file
• Fixes Vite build warning about unused imports that reappeared after the v6 merge (#15036) partially reverted the original fix from #15034

Fixes #16188

Testing

No tests added — this is a cosmetic build warning fix with no runtime behavior change. Verified by running astro build and confirming the warning no longer appears (both static and server output modes).

Docs

No docs update needed — this change has no user-facing behavior impact.

Summary

Bumps @qwik.dev/partytown from ^0.11.2 to ^0.13.2.

This update includes fixes for deprecated Chromium APIs (SharedStorage and AttributionReporting) that were causing Lighthouse warnings in sites using Partytown.

Related: QwikDev/partytown#697
Related: #15494

Changes

• Bumps @qwik.dev/partytown dependency from ^0.11.2 to ^0.13.2
• Resolves Lighthouse deprecation warnings for SharedStorage and AttributionReporting APIs in the Partytown sandbox service worker

Testing

Tested locally by overriding @qwik.dev/partytown to 0.13.2 in a production Astro 6 project. Full build completes successfully and Partytown functions as expected.

Docs

No docs needed, this is a dependency version bump with no documented API changes.

The default cloudflare-binding image service relied on the IMAGES binding for transforms, but this binding is unavailable during the Node-side build pipeline. Prerendered pages were left with un-optimized images. Expand the Sharp fallback to cover both compile and cloudflare-binding build services so that static images are optimized at build time.

Fixes #16035

Changes

• Added needsBuildTimeOptimization flag that covers both compile and cloudflare-binding build services
• compileImageConfig is now passed to the workerd prerender handler for cloudflare-binding, enabling installAddStaticImage to track images during prerendering
• collectStaticImages is now defined for cloudflare-binding, allowing Sharp to process tracked images on the Node side during build
• Added changeset for @astrojs/cloudflare patch

Before: Default cloudflare-binding mode skipped build-time image optimization entirely — prerendered/static pages contained un-optimized images.

After: Sharp processes images at build time for both compile and cloudflare-binding modes, producing optimized output.

Testing

All 136 existing Cloudflare adapter tests pass with 0 failures, including:

• compile-image-service.test.js (5/5 pass)
• binding-image-service.test.js (6/6 pass)
• external-image-service.test.js (2/2 pass)
• dev-image-endpoint.test.js (6/6 pass)
• prerenderer-errors.test.js (1/1 pass)
• static.test.js (1/1 pass)

Reproduction repo: https://github.com/alexanderniebuhr/astro-v6-repro

Docs

No docs changes needed. This fix aligns the default cloudflare-binding behavior with what users already expect — image optimization should work out of the box. The existing Cloudflare adapter docs describe cloudflare-binding as the default image service; this change ensures it actually optimizes images at build time.

Changes

• Extensionless endpoints (e.g. src/pages/demo.ts) with trailingSlash: "always" now produce their actual response instead of redirect HTML during astro build. The bug was in getUrlForPath() in generate.ts, which skipped trailing slash handling for all endpoints. The route manifest correctly applied trailingSlash to extensionless endpoints, but the prerender request URL did not, causing BaseApp.render() to emit a 301 redirect instead of calling the endpoint.
• Endpoints with file extensions (e.g. /feed.xml, /data.json) remain exempt from trailing slash enforcement, matching the documented v6 behavior.

Testing

• Added a unit test in generate.test.js that verifies the prerender request URL includes a trailing slash for extensionless endpoints when trailingSlash: "always" is configured. The test intercepts the URL passed to the prerenderer and asserts it ends with /.
• All existing generate.test.js and trailing-slash.test.js tests continue to pass.

Docs

• No docs update needed — this restores the behavior that the docs already describe.

Closes #16185

closes: #15986
(The error mentioned in the issue title has been confirmed fixed in Astro@6.1.3, but since this warning log was also reported in the same issue, I'm including this fix here as well.)

Changes

When using the @tailwindcss/vite plugin, a Failed to load url astro:server-app.js (resolved id: astro:server-app.js). Does the file exist? warning could appear under certain conditions.

Steps to reproduce

(see also: https://stackblitz.com/edit/github-zxlwk9jg?file=src%2Fpages%2Ftest.astro,src%2Fstyles%2Fglobal.css,src%2Fpages%2Findex.astro)

1. Start the dev server and open a page that loads a CSS file containing Tailwind styles
2. Edit a file on a different page
3. The warning appears in the console

The root cause is that the virtual module ID astro:server-app does not start with virtual:, causing Vite to mistake it for a regular JS file. The fix prefixes the ID with virtual: to ensure Vite handles it correctly.

Testing

Added an e2e test that monitors console output to verify the warning no longer appears.

Docs

N/A, bug fix

Changes

This PR increases the testing coverage of the following parts:

• integration hooks utilities: no changes involved to the source code other than exporting the functions to test.
• image assets utilities: no changes involved to the source code other than exporting the functions to test.
• dev server rewrites and redirects: done a small refactor by creating a "decision" type that decides what to do. Then a self contained function has been created, exported and tested. This was done for redirects and rewrites of the dev server.
• astro config validation: the superRefine function had various number of validation functions. They were extracted into smaller functions so that they could be tested

Testing

Green CI

Docs

Closes #16145

Changes

• Add optional waitUntil to the CacheProvider.onRequest() context type.
• Thread waitUntil through BaseApp.render() so adapters can pass it to runtime cache providers.
• Forward Cloudflare ExecutionContext.waitUntil from the adapter handler into app.render().
• Add a regression test covering a custom cache provider on Cloudflare.
• Added a changeset for astro and @astrojs/cloudflare.

Testing

• pnpm run build
• node --test packages/integrations/cloudflare/test/cache-provider-wait-until.test.js

Docs

• No docs update added. This fixes the implementation to match the existing documented CacheProvider.onRequest() signature.

Changes

• A sync commit accidentally introduced an unused import {createLoggerFromFlags} from "../../../../../src/cli/flags.ts" into the client-side PostComment.tsx test fixture. This Node.js-only import broke React hydration, preventing the onSubmit handler from attaching. The "Comment action - success" and "Logout action redirects" E2E tests failed as a result.

Testing

• Ran the full actions-blog.test.js suite with --repeat-each=10 (76/76 passed) to confirm the fix is stable and not flaky.

Docs

• No docs update needed — this is a test fixture change only.

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@6.1.4

Patch Changes

• #16197 21f9fe2 Thanks @SchahinRohani! - Remove unused re-exports from assets/utils barrel file to fix Vite build warning

• #16059 6d5469e Thanks @matthewp! - Fixes Expected 'miniflare' to be defined errors and 404 responses in dev mode when using the Cloudflare adapter and the config file changes. Instead of creating a brand new Vite server on config changes, Astro now performs a Vite in-place restart, allowing the Cloudflare adapter to reuse its existing miniflare instance across restarts.

• #16154 7610ba4 Thanks @Desel72! - Fixes pages with dots in their filenames (e.g. hello.world.astro) returning 404 when accessed with a trailing slash in the dev server. The trailingSlashForPath function now only forces trailingSlash: 'never' for endpoints with file extensions, allowing pages to correctly respect the user's trailingSlash config.

• #16193 23425e2 Thanks @matthewp! - Fixes trailingSlash: "always" producing redirect HTML instead of the actual response for extensionless endpoints during static builds

@astrojs/react@5.0.3

Patch Changes

• #16224 a2b9eeb Thanks @fkatsuhiro! - Fix React 19 "Float" mechanism injecting into Astro islands instead of the . This PR adds a filter to @astrojs/react to strip these auto-generated resource from the island's HTML output, ensuring valid HTML structure.

Updated Czech translations only

Changes

• Adds preact/hooks and @preact/signals to the Preact integration's client optimizeDeps.include so Vite pre-bundles them upfront instead of discovering them late after the first page load
• Without this, Vite discovers @preact/signals on first request, re-optimizes, and sends a full page reload that races with test interactions

Testing

• Ran e2e/namespaced-component.test.js 10 times with cache cleared before each run: 10/10 passed. Previously failed ~3/5 on main.

Docs

• No docs needed — internal dep optimization change with no user-facing API

Changes

• SSR builds with only injected routes (no src/pages/ directory) were failing at runtime with No matching renderer found.
• The renderer plugin's build optimization strips renderers from the SSR bundle when it determines no SSR pages need them. The way it determines this was not accounting for injected routes. This fixes it.

Testing

• Added unit tests for hasNonPrerenderedRoute covering: project pages, prerendered pages, endpoint exclusion, and the new includeExternal option with injected routes.
• Verified end-to-end against HiDeoo's reproduction

Docs

• N/A, bug fix

Changes

Our unit tests are hanging because runInContainer and createContainer broke in some of the latest changes.

The reason why they break is because internally they use fs-fixture, which create fixtures without node_modules. Our apps now rely on node_modules because we use virtual modules, which are available via node_modules (via vite).

This system doesn't work anymore, so we need to abandon it.

The fix:

• make some tests unit tests
• use real fixtures (they aren't unit tests anymore, but I didn't want to change their location too)

The test frontmatter.test.js was skipped because it keeps crashing.

Testing

Green CI, no timeouts.
I verified that locally tests don't hang anymore.

Docs

Description

• Closes #
• What does this PR change? Give us a brief description.
• Did you change something visual? A before/after screenshot can be helpful.