You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
#17035197e50e Thanks @astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured
Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.
The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.
#170662f4d92a Thanks @matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation
#168928d753b0 Thanks @astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime
When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.
#16957544ee76 Thanks @thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev
When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.
The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.
#170442220d22 Thanks @astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Obfuscated code: npm astro is 90.0% likely obfuscated
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/astro@6.4.8. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
Bot
changed the title
This PR contains the following updates:
6.4.6→6.4.8Release Notes
withastro/astro (astro)
v6.4.8Compare Source
Patch Changes
27c80eaThanks @ematipico! - Harden the limits on the number of decoding on the URL.v6.4.7Compare Source
Patch Changes
#17035
197e50eThanks @astrobot-houston! - FixesgetRelativeLocaleUrl,getAbsoluteLocaleUrl, andgetAbsoluteLocaleUrlListto strip trailing slashes whentrailingSlash: 'never'is configured#16967
3719765Thanks @astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routesPreviously, any URL containing a double-encoded character (like
%255B, which is[encoded twice) was unconditionally rejected with a400 Bad Requestbefore middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example,
/api/%2561dminis decoded to/api/admin, which middleware can correctly block.#17066
2f4d92aThanks @matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation#16882
621beb7Thanks @jettwayio! - fix(render): honour compressHTML when joining head elements#16892
8d753b0Thanks @astrobot-houston! - Fixes custom elements in MDX having their children'sslotattribute stripped by the JSX runtimeWhen custom elements (tags with hyphens like
<my-element>) are used in MDX files, theslotHTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treatslotas an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.#16957
544ee76Thanks @thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during devWhen editing a CSS file (
.css,.scss, etc.) during development, the inline<style>tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.
#17044
2220d22Thanks @astrobot-houston! - Fixes CSS fromclient:onlyislands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules#17040
7c4763dThanks @astrobot-houston! - Fixes HMR not triggering for files inside thesrc/middleware/directory during dev#16672
52fc862Thanks @martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references#16762
9de80aeThanks @alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when runningastro add cloudflare#17046
ef771ecThanks @ematipico! - Improves the diagnostics emitted when Astro parses incorrect.astrofiles.Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.