Bump astro and @astrojs/cloudflare

[dependabot]

Bumps astro and @astrojs/cloudflare. These dependencies needed to be updated together.
Updates astro from 5.18.0 to 6.3.3

Release notes

Sourced from astro's releases.

astro@6.3.3

Patch Changes

• #16737 bd84f33 Thanks @​matthewp! - Fixes a reflected XSS vulnerability where slot names on hydrated components were not HTML-escaped in SSR output

astro@6.3.2

Patch Changes

• #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

  The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

• #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

• #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

• #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

• #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

• #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

• #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

• #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

• #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &[#38](https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/38);) in <meta> tags when viewed in link previews or raw HTML.

• Updated dependencies [d365c97, 9256345]:

  • @​astrojs/internal-helpers@​0.9.1
  • @​astrojs/markdown-remark@​7.1.2

astro@6.3.1

Patch Changes

• #16646 15fbc41 Thanks @​matthewp! - Fixes local images returning 404 on non-prerendered pages when using the generic image endpoint

astro@6.3.0

Minor Changes

• #16366 d69f858 Thanks @​matthewp! - Adds a new experimental.advancedRouting option that lets you take full control of Astro's request handling pipeline by creating a src/app.ts file in your project.

  Today, Astro handles every incoming request through a fixed internal pipeline: trailing slash normalization, redirects, actions, middleware, page rendering, i18n, and so on. That pipeline works great for most sites, but as projects grow you often want to run your own logic between those steps — an auth check before rendering, a rate limiter before actions, custom logging around the whole stack. Advanced routing gives you that control.

  When enabled, Astro looks for a src/app.ts file in your project. If it finds one, that file becomes the entrypoint for all server-rendered requests. You compose the pipeline yourself using the handlers Astro provides, and you can slot your own logic anywhere in the chain.

  Enabling advanced routing

  // astro.config.mjs

... (truncated)

Changelog

Sourced from astro's changelog.

6.3.3

Patch Changes

• #16737 bd84f33 Thanks @​matthewp! - Fixes a reflected XSS vulnerability where slot names on hydrated components were not HTML-escaped in SSR output

6.3.2

Patch Changes

• #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

  The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

• #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

• #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

• #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

• #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

• #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

• #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

• #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

• #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &[#38](https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/38);) in <meta> tags when viewed in link previews or raw HTML.

• Updated dependencies [d365c97, 9256345]:

  • @​astrojs/internal-helpers@​0.9.1
  • @​astrojs/markdown-remark@​7.1.2

6.3.1

Patch Changes

• #16646 15fbc41 Thanks @​matthewp! - Fixes local images returning 404 on non-prerendered pages when using the generic image endpoint

6.3.0

Minor Changes

• #16366 d69f858 Thanks @​matthewp! - Adds a new experimental.advancedRouting option that lets you take full control of Astro's request handling pipeline by creating a src/app.ts file in your project.

  Today, Astro handles every incoming request through a fixed internal pipeline: trailing slash normalization, redirects, actions, middleware, page rendering, i18n, and so on. That pipeline works great for most sites, but as projects grow you often want to run your own logic between those steps — an auth check before rendering, a rate limiter before actions, custom logging around the whole stack. Advanced routing gives you that control.

  When enabled, Astro looks for a src/app.ts file in your project. If it finds one, that file becomes the entrypoint for all server-rendered requests. You compose the pipeline yourself using the handlers Astro provides, and you can slot your own logic anywhere in the chain.

... (truncated)

Commits

• 5ec95d0 [ci] release (#16736)
• bce5c34 [ci] format
• bd84f33 fix(security): escape slot names in hydration template attributes to prevent ...
• 42e7eec refactor: fix flaky view-transitions e2e test (#16735)
• 33b54c4 [ci] format
• 0f868b0 chore: remove redundant server assertions (#16721)
• e345bcd [ci] release (#16653)
• 04fdbb2 Update pnpm to v11 (#16716)
• 772f13a fix(astro): correctly export build.assetsPrefix from astro:config/server ...
• d1c258a test: isolate fixture cache dirs for shared fixtures (#16689)
• Additional commits viewable in compare view

Updates @astrojs/cloudflare from 12.6.12 to 13.5.1

Release notes

Sourced from @​astrojs/cloudflare's releases.

@​astrojs/cloudflare@​13.5.1

Patch Changes

• #16707 2ff3f8f Thanks @​helio-cf! - Fixes remoteBindings: false being ignored during astro build. The Cloudflare prerenderer's internal Vite preview server now receives the user's adapter options, so remote-flagged bindings (e.g. a D1 database with remote: true in wrangler.toml) are emulated locally during build, matching the existing astro dev behavior.

• #16652 98c32cc Thanks @​greatjourney589! - Fixes user-declared KV namespace bindings being duplicated in the generated dist/server/wrangler.json, which caused wrangler validation to fail with " assigned to multiple KV Namespace bindings." The Astro Cloudflare config customizer now returns only the auto-injected SESSION binding and lets @cloudflare/vite-plugin merge it with the user's wrangler config, instead of pre-merging the user's bindings into the output.

• #16272 4f9521e Thanks @​barry3406! - Fixes .astro files failing with No matching export in "html:..." for import "default" when default-imported from a .ts file

• #15723 9256345 Thanks @​rururux! - Fixes an issue where the <Prism /> component failed to work in Cloudflare Workers.

• Updated dependencies [d365c97]:

  • @​astrojs/internal-helpers@​0.9.1
  • @​astrojs/underscore-redirects@​1.0.3

@​astrojs/cloudflare@​13.5.0

Minor Changes

• #16639 4d72482 Thanks @​ematipico! - The adapter now depends on Astro 6.3.0.

@​astrojs/cloudflare@​13.4.0

Minor Changes

• #16519 1b1c218 Thanks @​louisescher! - Adds support for redirecting URLs in remote image optimization.

  Previously, when a remote image URL meant to be optimized by Astro led to a redirect, Astro would fail silently and ignore the redirect. Now, Astro tracks up to 10 redirects for these images. If any of the redirects are not covered by a pattern in image.remotePatterns or a domain in image.domains, Astro will fail with a helpful error message.

  In the following example, the first image would be loaded successfully, while the second would lead to Astro throwing an error:

  export default defineConfig({
    image: {
      domains: ['example.com', 'cdn.example.com'],
    },
  });

  {
    /* Redirects to https://cdn.example.com/assets/image.png: */
  }
  <Image
    src="https://example.com/assets/image.png"
    width="1920"
    height="1080"
    alt="An example image."
  />;
  {
  /* Redirects to https://malicious.com/image.png: */

... (truncated)

Changelog

Sourced from @​astrojs/cloudflare's changelog.

13.5.1

Patch Changes

• #16707 2ff3f8f Thanks @​helio-cf! - Fixes remoteBindings: false being ignored during astro build. The Cloudflare prerenderer's internal Vite preview server now receives the user's adapter options, so remote-flagged bindings (e.g. a D1 database with remote: true in wrangler.toml) are emulated locally during build, matching the existing astro dev behavior.

• #16652 98c32cc Thanks @​greatjourney589! - Fixes user-declared KV namespace bindings being duplicated in the generated dist/server/wrangler.json, which caused wrangler validation to fail with " assigned to multiple KV Namespace bindings." The Astro Cloudflare config customizer now returns only the auto-injected SESSION binding and lets @cloudflare/vite-plugin merge it with the user's wrangler config, instead of pre-merging the user's bindings into the output.

• #16272 4f9521e Thanks @​barry3406! - Fixes .astro files failing with No matching export in "html:..." for import "default" when default-imported from a .ts file

• #15723 9256345 Thanks @​rururux! - Fixes an issue where the <Prism /> component failed to work in Cloudflare Workers.

• Updated dependencies [d365c97]:

  • @​astrojs/internal-helpers@​0.9.1
  • @​astrojs/underscore-redirects@​1.0.3

13.5.0

Minor Changes

• #16639 4d72482 Thanks @​ematipico! - The adapter now depends on Astro 6.3.0.

13.4.0

Minor Changes

• #16519 1b1c218 Thanks @​louisescher! - Adds support for redirecting URLs in remote image optimization.

  Previously, when a remote image URL meant to be optimized by Astro led to a redirect, Astro would fail silently and ignore the redirect. Now, Astro tracks up to 10 redirects for these images. If any of the redirects are not covered by a pattern in image.remotePatterns or a domain in image.domains, Astro will fail with a helpful error message.

  In the following example, the first image would be loaded successfully, while the second would lead to Astro throwing an error:

  export default defineConfig({
    image: {
      domains: ['example.com', 'cdn.example.com'],
    },
  });

  {
    /* Redirects to https://cdn.example.com/assets/image.png: */
  }
  <Image
    src="https://example.com/assets/image.png"
    width="1920"
    height="1080"
    alt="An example image."
  />;

... (truncated)

Commits

• e345bcd [ci] release (#16653)
• 04fdbb2 Update pnpm to v11 (#16716)
• 2ff3f8f fix(cloudflare): respect remoteBindings during prerender build (#16707)
• c0db63d Fix lint errors in CI (#16696)
• 4f9521e fix(cloudflare): add namespace filter to astro-frontmatter-scan esbuild plugi...
• 07529ec Fix SSR routes broken by dynamic prerendered routes with Node prerender envir...
• 9256345 fix: fix error with \<Prism /> component in Cloudflare Workers (#15723)
• 98c32cc fix(cloudflare): avoid duplicating user KV namespaces when injecting SESSION ...
• 45e50e4 [ci] release (#16641)
• 4d72482 fix: bump adapters after changes from advanced routing (#16639)
• Additional commits viewable in compare view

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	jackhsu978	c558fb2	May 24 2026, 06:27 AM