Skip to content

Bump astro, @astrojs/cloudflare and @astrojs/mdx#20

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-b9077217d7
Open

Bump astro, @astrojs/cloudflare and @astrojs/mdx#20
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-b9077217d7

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 13, 2026

Bumps astro, @astrojs/cloudflare and @astrojs/mdx. These dependencies needed to be updated together.
Updates astro from 5.16.8 to 6.3.2

Release notes

Sourced from astro's releases.

astro@6.3.2

Patch Changes

  • #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

    The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

  • #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

  • #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

  • #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

  • #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

  • #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

  • #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

  • #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

  • #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &[#38](https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/38);) in <meta> tags when viewed in link previews or raw HTML.

  • Updated dependencies [d365c97, 9256345]:

    • @​astrojs/internal-helpers@​0.9.1
    • @​astrojs/markdown-remark@​7.1.2

astro@6.3.1

Patch Changes

  • #16646 15fbc41 Thanks @​matthewp! - Fixes local images returning 404 on non-prerendered pages when using the generic image endpoint

astro@6.3.0

Minor Changes

  • #16366 d69f858 Thanks @​matthewp! - Adds a new experimental.advancedRouting option that lets you take full control of Astro's request handling pipeline by creating a src/app.ts file in your project.

    Today, Astro handles every incoming request through a fixed internal pipeline: trailing slash normalization, redirects, actions, middleware, page rendering, i18n, and so on. That pipeline works great for most sites, but as projects grow you often want to run your own logic between those steps — an auth check before rendering, a rate limiter before actions, custom logging around the whole stack. Advanced routing gives you that control.

    When enabled, Astro looks for a src/app.ts file in your project. If it finds one, that file becomes the entrypoint for all server-rendered requests. You compose the pipeline yourself using the handlers Astro provides, and you can slot your own logic anywhere in the chain.

    Enabling advanced routing

    // astro.config.mjs
import { defineConfig } from 'astro/config';
export default defineConfig({
experimental: {
advancedRouting: true,

... (truncated)

Changelog

Sourced from astro's changelog.

6.3.2

Patch Changes

  • #16675 11d4592 Thanks @​ascorbic! - Fixes a regression where Astro.cache was undefined when experimental.cache was not configured.

    The previous documented behavior is for Astro.cache to always be defined as a no-op shim: cache.set() warns once, cache.invalidate() throws and cache.enabled can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on experimental.cache being configured, which meant the disabled shim branch inside the provider was unreachable and the Astro.cache getter was never attached to the context.

  • #16691 0f0a4ce Thanks @​matthewp! - Fixes HTMLElement is not defined error during HMR when using components with client-side scripts (e.g. Starlight <Tabs>) and the Cloudflare adapter

  • #16562 07529ec Thanks @​matthewp! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with prerenderEnvironment: 'node'

  • #16638 272185b Thanks @​ematipico! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build.

  • #16544 d365c97 Thanks @​matthewp! - Tightens isRemotePath() to reject control characters after a leading slash and fixes the dev image endpoint origin check

  • #16685 889e748 Thanks @​farrosfr! - Improve validation messages for security.csp.directives when script-src or style-src are incorrectly placed in the directives array.

  • #16605 772f13a Thanks @​rururux! - Fixes assetsPrefix not being available on build from astro:config/server.

  • #16556 f38dec7 Thanks @​matthewp! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding

  • #16659 38bcb25 Thanks @​jsparkdev! - Fixes & characters appearing as raw entity strings (e.g. &[#38](https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/38);) in <meta> tags when viewed in link previews or raw HTML.

  • Updated dependencies [d365c97, 9256345]:

    • @​astrojs/internal-helpers@​0.9.1
    • @​astrojs/markdown-remark@​7.1.2

6.3.1

Patch Changes

  • #16646 15fbc41 Thanks @​matthewp! - Fixes local images returning 404 on non-prerendered pages when using the generic image endpoint

6.3.0

Minor Changes

  • #16366 d69f858 Thanks @​matthewp! - Adds a new experimental.advancedRouting option that lets you take full control of Astro's request handling pipeline by creating a src/app.ts file in your project.

    Today, Astro handles every incoming request through a fixed internal pipeline: trailing slash normalization, redirects, actions, middleware, page rendering, i18n, and so on. That pipeline works great for most sites, but as projects grow you often want to run your own logic between those steps — an auth check before rendering, a rate limiter before actions, custom logging around the whole stack. Advanced routing gives you that control.

    When enabled, Astro looks for a src/app.ts file in your project. If it finds one, that file becomes the entrypoint for all server-rendered requests. You compose the pipeline yourself using the handlers Astro provides, and you can slot your own logic anywhere in the chain.

    Enabling advanced routing

    // astro.config.mjs
import { defineConfig } from 'astro/config';

... (truncated)

Commits

Updates @astrojs/cloudflare from 12.6.12 to 13.5.1

Release notes

Sourced from @​astrojs/cloudflare's releases.

@​astrojs/cloudflare@​13.5.1

Patch Changes

  • #16707 2ff3f8f Thanks @​helio-cf! - Fixes remoteBindings: false being ignored during astro build. The Cloudflare prerenderer's internal Vite preview server now receives the user's adapter options, so remote-flagged bindings (e.g. a D1 database with remote: true in wrangler.toml) are emulated locally during build, matching the existing astro dev behavior.

  • #16652 98c32cc Thanks @​greatjourney589! - Fixes user-declared KV namespace bindings being duplicated in the generated dist/server/wrangler.json, which caused wrangler validation to fail with " assigned to multiple KV Namespace bindings." The Astro Cloudflare config customizer now returns only the auto-injected SESSION binding and lets @cloudflare/vite-plugin merge it with the user's wrangler config, instead of pre-merging the user's bindings into the output.

  • #16272 4f9521e Thanks @​barry3406! - Fixes .astro files failing with No matching export in "html:..." for import "default" when default-imported from a .ts file

  • #15723 9256345 Thanks @​rururux! - Fixes an issue where the <Prism /> component failed to work in Cloudflare Workers.

  • Updated dependencies [d365c97]:

    • @​astrojs/internal-helpers@​0.9.1
    • @​astrojs/underscore-redirects@​1.0.3

@​astrojs/cloudflare@​13.5.0

Minor Changes

@​astrojs/cloudflare@​13.4.0

Minor Changes

  • #16519 1b1c218 Thanks @​louisescher! - Adds support for redirecting URLs in remote image optimization.

    Previously, when a remote image URL meant to be optimized by Astro led to a redirect, Astro would fail silently and ignore the redirect. Now, Astro tracks up to 10 redirects for these images. If any of the redirects are not covered by a pattern in image.remotePatterns or a domain in image.domains, Astro will fail with a helpful error message.

    In the following example, the first image would be loaded successfully, while the second would lead to Astro throwing an error:

    export default defineConfig({
  image: {
    domains: ['example.com', 'cdn.example.com'],
  },
});
    {
  /* Redirects to https://cdn.example.com/assets/image.png: */
}
<Image
  src="https://example.com/assets/image.png"
  width="1920"
  height="1080"
  alt="An example image."
/>;
{
/* Redirects to https://malicious.com/image.png: */

... (truncated)

Changelog

Sourced from @​astrojs/cloudflare's changelog.

13.5.1

Patch Changes

  • #16707 2ff3f8f Thanks @​helio-cf! - Fixes remoteBindings: false being ignored during astro build. The Cloudflare prerenderer's internal Vite preview server now receives the user's adapter options, so remote-flagged bindings (e.g. a D1 database with remote: true in wrangler.toml) are emulated locally during build, matching the existing astro dev behavior.

  • #16652 98c32cc Thanks @​greatjourney589! - Fixes user-declared KV namespace bindings being duplicated in the generated dist/server/wrangler.json, which caused wrangler validation to fail with " assigned to multiple KV Namespace bindings." The Astro Cloudflare config customizer now returns only the auto-injected SESSION binding and lets @cloudflare/vite-plugin merge it with the user's wrangler config, instead of pre-merging the user's bindings into the output.

  • #16272 4f9521e Thanks @​barry3406! - Fixes .astro files failing with No matching export in "html:..." for import "default" when default-imported from a .ts file

  • #15723 9256345 Thanks @​rururux! - Fixes an issue where the <Prism /> component failed to work in Cloudflare Workers.

  • Updated dependencies [d365c97]:

    • @​astrojs/internal-helpers@​0.9.1
    • @​astrojs/underscore-redirects@​1.0.3

13.5.0

Minor Changes

13.4.0

Minor Changes

  • #16519 1b1c218 Thanks @​louisescher! - Adds support for redirecting URLs in remote image optimization.

    Previously, when a remote image URL meant to be optimized by Astro led to a redirect, Astro would fail silently and ignore the redirect. Now, Astro tracks up to 10 redirects for these images. If any of the redirects are not covered by a pattern in image.remotePatterns or a domain in image.domains, Astro will fail with a helpful error message.

    In the following example, the first image would be loaded successfully, while the second would lead to Astro throwing an error:

    export default defineConfig({
  image: {
    domains: ['example.com', 'cdn.example.com'],
  },
});
    {
  /* Redirects to https://cdn.example.com/assets/image.png: */
}
<Image
  src="https://example.com/assets/image.png"
  width="1920"
  height="1080"
  alt="An example image."
/>;

... (truncated)

Commits
  • e345bcd [ci] release (#16653)
  • 04fdbb2 Update pnpm to v11 (#16716)
  • 2ff3f8f fix(cloudflare): respect remoteBindings during prerender build (#16707)
  • c0db63d Fix lint errors in CI (#16696)
  • 4f9521e fix(cloudflare): add namespace filter to astro-frontmatter-scan esbuild plugi...
  • 07529ec Fix SSR routes broken by dynamic prerendered routes with Node prerender envir...
  • 9256345 fix: fix error with \<Prism /> component in Cloudflare Workers (#15723)
  • 98c32cc fix(cloudflare): avoid duplicating user KV namespaces when injecting SESSION ...
  • 45e50e4 [ci] release (#16641)
  • 4d72482 fix: bump adapters after changes from advanced routing (#16639)
  • Additional commits viewable in compare view

Updates @astrojs/mdx from 4.3.13 to 5.0.5

Release notes

Sourced from @​astrojs/mdx's releases.

@​astrojs/mdx@​5.0.5

Patch Changes

  • Updated dependencies [9256345]:
    • @​astrojs/markdown-remark@​7.1.2

@​astrojs/mdx@​5.0.4

Patch Changes

  • Updated dependencies [f3485c3]:
    • @​astrojs/markdown-remark@​7.1.1
Changelog

Sourced from @​astrojs/mdx's changelog.

5.0.5

Patch Changes

  • Updated dependencies [9256345]:
    • @​astrojs/markdown-remark@​7.1.2

5.0.4

Patch Changes

  • Updated dependencies [f3485c3]:
    • @​astrojs/markdown-remark@​7.1.1

5.0.3

Patch Changes

  • Updated dependencies [10a1a5a]:
    • @​astrojs/markdown-remark@​7.1.0

5.0.2

Patch Changes

  • #15864 d3c7de9 Thanks @​florian-lefebvre! - Removes temporary support for Node >=20.19.1 because Stackblitz now uses Node 22 by default

  • Updated dependencies []:

    • @​astrojs/markdown-remark@​7.0.1

5.0.1

Patch Changes

5.0.0

Major Changes

Patch Changes

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump astro, @astrojs/cloudflare and @astrojs/mdx
1edb495 
Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro), [@astrojs/cloudflare](https://github.com/withastro/astro/tree/HEAD/packages/integrations/cloudflare) and [@astrojs/mdx](https://github.com/withastro/astro/tree/HEAD/packages/integrations/mdx). These dependencies needed to be updated together.

Updates `astro` from 5.16.8 to 6.3.2
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.3.2/packages/astro)

Updates `@astrojs/cloudflare` from 12.6.12 to 13.5.1
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/integrations/cloudflare/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/@astrojs/cloudflare@13.5.1/packages/integrations/cloudflare)

Updates `@astrojs/mdx` from 4.3.13 to 5.0.5
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/integrations/mdx/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/@astrojs/mdx@5.0.5/packages/integrations/mdx)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.3.2
  dependency-type: direct:production
- dependency-name: "@astrojs/cloudflare"
  dependency-version: 13.5.1
  dependency-type: direct:production
- dependency-name: "@astrojs/mdx"
  dependency-version: 5.0.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 13, 2026
@dependabot dependabot Bot mentioned this pull request May 13, 2026
Closed
@cloudflare-workers-and-pages
Copy link
Copy Markdown
Contributor

cloudflare-workers-and-pages Bot commented May 13, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
❌ Deployment failed
View logs		 mock 1edb495 May 13 2026, 07:13 PM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants