From 90ddda856b4f99dde5d27745fac96b4028d096d1 Mon Sep 17 00:00:00 2001 From: Matthew Phillips Date: Wed, 10 Jun 2026 11:11:17 -0400 Subject: [PATCH 1/5] Fix triage bot push failures after flue 0.8 upgrade (#17013) --- .github/workflows/issue-triage.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml index 531a180d69b1..f358d783c494 100644 --- a/.github/workflows/issue-triage.yml +++ b/.github/workflows/issue-triage.yml @@ -58,6 +58,13 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + # Do not persist the default GITHUB_TOKEN as a git credential. + # checkout sets an http.extraheader that overrides any credentials + # embedded in push URLs, including the FREDKBOT_GITHUB_TOKEN used + # by gitPush(). With persist-credentials enabled, git always + # authenticates as github-actions[bot] (read-only), causing pushes + # to fail with 403. + persist-credentials: false - name: Configure Git identity run: | From d332178118eb8914b30be6b54a0c0d78f04ffec2 Mon Sep 17 00:00:00 2001 From: Emanuele Stoppa Date: Wed, 10 Jun 2026 17:04:57 +0100 Subject: [PATCH 2/5] ci: restore "needs repro" workflow (#17029) --- .github/workflows/issue-needs-repro.yml | 56 ++++++++++--------------- 1 file changed, 21 insertions(+), 35 deletions(-) diff --git a/.github/workflows/issue-needs-repro.yml b/.github/workflows/issue-needs-repro.yml index ec6bc28373f1..9f592bbde626 100644 --- a/.github/workflows/issue-needs-repro.yml +++ b/.github/workflows/issue-needs-repro.yml 
@@ -1,35 +1,21 @@
-# Action taken down due to https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials
-#name: "Issue: Needs Repro"
-#
-#on:
-# issues:
-# types: [labeled]
-# schedule:
-# - cron: "0 0 * * *"
-#
-#jobs:
-# on-labeled:
-# if: github.event_name == 'issues' && github.event.label.name == 'needs repro'
-# runs-on: ubuntu-latest
-# permissions:
-# issues: write
-# steps:
-# - uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
-# with:
-# actions: "create-comment, remove-labels"
-# token: ${{ secrets.GITHUB_TOKEN }}
-# issue-number: ${{ github.event.issue.number }}
-# body: |
-# Hello @${{ github.event.issue.user.login }}. Please provide a [minimal reproduction](https://stackoverflow.com/help/minimal-reproducible-example) using a GitHub repository or [StackBlitz](https://astro.new/repro). Issues marked with `needs repro` will be closed if they have no activity within 3 days.
-# labels: "needs triage"
-#
-# close-stale:
-# if: github.event_name == 'schedule' && github.repository == 'withastro/astro'
-# runs-on: ubuntu-latest
-# steps:
-# - uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
-# with:
-# actions: "close-issues"
-# token: ${{ secrets.GITHUB_TOKEN }}
-# labels: "needs repro"
-# inactive-day: 3
+name: "Issue: Needs Repro"
+
+on:
+ issues:
+ types: [ labeled ]
+
+jobs:
+ reply-labeled:
+ if: github.repository == 'withastro/astro'
+ runs-on: depot-ubuntu-24.04-arm-small
+ steps:
+ - name: Remove triaging label
+ if: github.event_name == 'issues' && contains(github.event.issue.labels.*.name, 'needs repro')
+ env:
+ GH_TOKEN: ${{ secrets.FREDKBOT_GITHUB_TOKEN }}
+ ISSUE_NUMBER: ${{ github.event.issue.number }}
+ REPO: ${{ github.repository }}
+ run: |
+ gh issue comment "$ISSUE_NUMBER" --repo "$REPO" --body "Hello @${{ github.event.issue.user.login }}. 
Please provide a [minimal reproduction](https://stackoverflow.com/help/minimal-reproducible-example) using a GitHub repository or [StackBlitz](https://astro.new/repro). Issues marked with `needs repro` will be closed if they have no activity within 3 days." + + gh issue edit "$ISSUE_NUMBER" --repo "$REPO" --remove-label "needs triage" From ffda27b7c8697d4b7ed530e93385a420e1fc4acd Mon Sep 17 00:00:00 2001 From: Matthew Phillips Date: Wed, 10 Jun 2026 13:16:14 -0400 Subject: [PATCH 3/5] Validate origin in prerendered error page fetch against allowedDomains (#17033) * Validate origin in prerendered error page fetch against allowedDomains * Gracefully handle error page fetch failures and update test --- .changeset/quick-sides-beg.md | 5 + .../astro/src/core/errors/default-handler.ts | 51 +++--- .../test/custom-fetch-error-pages.test.ts | 9 +- .../astro/test/units/app/error-pages.test.ts | 152 ++++++++++++++++++ 4 files changed, 194 insertions(+), 23 deletions(-) create mode 100644 .changeset/quick-sides-beg.md diff --git a/.changeset/quick-sides-beg.md b/.changeset/quick-sides-beg.md new file mode 100644 index 000000000000..2fb48933860c --- /dev/null +++ b/.changeset/quick-sides-beg.md @@ -0,0 +1,5 @@ +--- +'astro': patch +--- + +Validates the request origin against `allowedDomains` before fetching prerendered error pages. When `allowedDomains` is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to `localhost`. diff --git a/packages/astro/src/core/errors/default-handler.ts b/packages/astro/src/core/errors/default-handler.ts index 1560a026a0ca..9a556df1a5b5 100644 --- a/packages/astro/src/core/errors/default-handler.ts +++ b/packages/astro/src/core/errors/default-handler.ts 
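Review bot: The `--body` argument in the `run:` script is a double-quoted shell string that contains backticks around the words needs repro, so bash treats that phrase as a command substitution and the posted comment loses the label name, with a command-not-found line left in the job log. The same string expands `${{ github.event.issue.user.login }}` directly into the script text, unlike the issue number and repository, which are passed through `env:`. Pass the login the same way, for example `ISSUE_AUTHOR: ${{ github.event.issue.user.login }}` under `env:` and `@$ISSUE_AUTHOR` in the body, and either escape the backticks or build the body in a single-quoted or heredoc string. Separately, the step condition tests whether the issue carries the label rather than `github.event.label.name == 'needs repro'` as the removed version did, so any later label added to such an issue would appear to post the comment again.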
@@ -8,6 +8,7 @@ import { AstroMiddleware } from '../middleware/astro-middleware.js'; import { PagesHandler } from '../pages/handler.js'; import { matchRoute } from '../routing/match.js'; import { provideSession } from '../session/handler.js'; +import { validateHost } from '../app/validate-headers.js'; import type { ErrorHandler } from './handler.js'; type ErrorPagePath = 
@@ -54,30 +55,44 @@ export class DefaultErrorHandler implements ErrorHandler { if (errorRouteData) { if (errorRouteData.prerender) { const maybeDotHtml = errorRouteData.route.endsWith(`/${status}`) ? '.html' : ''; - const statusURL = new URL(`${app.baseWithoutTrailingSlash}/${status}${maybeDotHtml}`, url); + // Validate the request URL origin before using it for the error page fetch. + // Without this, an attacker-controlled Host header flows into statusURL, + // causing the server to fetch from an arbitrary origin (SSRF). + const allowedDomains = app.manifest.allowedDomains; + const validatedHost = validateHost(url.host, url.protocol.replace(':', ''), allowedDomains); + const safeOrigin = validatedHost ? url.origin : `${url.protocol}//localhost`; + const statusURL = new URL(`${app.baseWithoutTrailingSlash}/${status}${maybeDotHtml}`, safeOrigin); if ( statusURL.toString() !== request.url && resolvedRenderOptions.prerenderedErrorPageFetch ) { - const response = await resolvedRenderOptions.prerenderedErrorPageFetch( - statusURL.toString() as ErrorPagePath, - ); + try { + const response = await resolvedRenderOptions.prerenderedErrorPageFetch( + statusURL.toString() as ErrorPagePath, + ); - // In order for the response of the remote to be usable as a response - // for this request, it needs to have our status code in the response - // instead of the likely successful 200 code it returned when fetching - // the error page. - // - // Furthermore, remote may have returned a compressed page - // (the Content-Encoding header was set to e.g. `gzip`). The fetch - // implementation in the `mergeResponses` method will make a decoded - // response available, so Content-Length and Content-Encoding will - // not match the body we provide and need to be removed. 
- const override = { status, removeContentEncodingHeaders: true }; + // In order for the response of the remote to be usable as a response + // for this request, it needs to have our status code in the response + // instead of the likely successful 200 code it returned when fetching + // the error page. + // + // Furthermore, remote may have returned a compressed page + // (the Content-Encoding header was set to e.g. `gzip`). The fetch + // implementation in the `mergeResponses` method will make a decoded + // response available, so Content-Length and Content-Encoding will + // not match the body we provide and need to be removed. + const override = { status, removeContentEncodingHeaders: true }; - const newResponse = mergeResponses(response, originalResponse, override); - prepareResponse(newResponse, resolvedRenderOptions); - return newResponse; + const newResponse = mergeResponses(response, originalResponse, override); + prepareResponse(newResponse, resolvedRenderOptions); + return newResponse; + } catch { + // If the error page fetch fails (e.g. connection refused), fall + // through to the plain error response below. + const response = mergeResponses(new Response(null, { status }), originalResponse); + prepareResponse(response, resolvedRenderOptions); + return response; + } } } const mod = await app.pipeline.getComponentByRoute(errorRouteData); diff --git a/packages/astro/test/custom-fetch-error-pages.test.ts b/packages/astro/test/custom-fetch-error-pages.test.ts index 9c220974d0ef..77e9c0f6d2c2 100644 --- a/packages/astro/test/custom-fetch-error-pages.test.ts +++ b/packages/astro/test/custom-fetch-error-pages.test.ts 
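Review bot: The bare `catch` added around the prerendered error page fetch also encloses `mergeResponses` and `prepareResponse`, and it discards the exception without logging, so a refused connection and a bug in response merging both end as the same silent empty error body. Narrow the `try` to the `await resolvedRenderOptions.prerenderedErrorPageFetch(...)` call and record the failure, with the status URL, through whatever logger this handler has available. The fallback origin `${url.protocol}//localhost` carries no port, so with `allowedDomains` unset the request goes to the default port on loopback and whatever service listens there would supply the error page body; a comment above `safeOrigin` saying that `allowedDomains` must be configured for prerendered error pages to be fetched from the real origin would make that explicit. `validateHost` is defined outside this diff, so its handling of a `url.host` value that includes a port is worth confirming. The enclosing method starts and ends outside the hunk.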
@@ -74,18 +74,17 @@ describe('Custom Fetch for Error Pages', () => { assert.equal($('h1').text(), 'Custom Fetch Response'); }); - it('falls back to global fetch when preRenderedFetch is not provided', async () => { + it('falls back to global fetch with localhost origin when preRenderedFetch is not provided', async () => { const request = new Request('http://example.com/not-found'); const response = await app.render(request); // Verify our custom fetch was NOT called assert.equal(fetchCalls.length, 0); - // Response should be the default 404 page + // Without allowedDomains, the error page fetch origin is rewritten + // to localhost (not the request's Host header), so global fetch will + // fail to connect and the response falls back to a plain 404. assert.equal(response.status, 404); - const html = await response.text(); - const $ = cheerio.load(html); - assert.equal($('h1').text(), 'Example Domain'); // actual fetch requesting example.com and gets that. }); }); }); diff --git a/packages/astro/test/units/app/error-pages.test.ts b/packages/astro/test/units/app/error-pages.test.ts index 6adb8358dba0..75641887ec16 100644 --- a/packages/astro/test/units/app/error-pages.test.ts +++ b/packages/astro/test/units/app/error-pages.test.ts 
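Review bot: After this change the test asserts only `response.status === 404`, which it already asserted before the fix, so it no longer checks which origin the global fetch is sent to even though its title says localhost. As written it also depends on nothing answering on the default loopback port of the test machine. Stub `globalThis.fetch` for the duration of the test, record the requested URL, and assert `new URL(recorded).hostname === 'localhost'`, so the test fails if the Host-derived origin is ever used again.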
@@ -464,6 +464,158 @@ describe('App render error pages', () => { assert.match(await response.text(), /Something went horribly wrong!/); }); + it('does not use an untrusted Host header origin for prerendered error page fetch', async () => { + const errorRouteData = makeRouteData({ + route: '/causes-error', + component: 'src/pages/causes-error.astro', + params: [], + pathname: '/causes-error', + distURL: [], + pattern: /^\/causes-error\/?$/, + segments: [[{ content: 'causes-error', dynamic: false, spread: false }]], + type: 'page', + prerender: false, + fallbackRoutes: [], + isIndex: false, + origin: 'project', + }); + + const prerenderedErrorRouteData = makeRouteData({ + route: '/500', + component: 'src/pages/500.astro', + params: [], + pathname: '/500', + distURL: [], + pattern: /^\/500\/?$/, + segments: [[{ content: '500', dynamic: false, spread: false }]], + type: 'page', + prerender: true, + fallbackRoutes: [], + isIndex: false, + origin: 'project', + }); + + const pageMap = new Map([ + [ + errorRouteData.component, + async () => ({ + page: async () => ({ + default: createComponent(() => { + throw new Error('boom'); + }), + }), + }), + ], + ]); + + const app = makeApp({ + routes: [{ routeData: errorRouteData }, { routeData: prerenderedErrorRouteData }], + pageMap, + }); + + // Track what URL prerenderedErrorPageFetch is called with + const fetchedUrls: string[] = []; + const prerenderedErrorPageFetch = async (url: string) => { + fetchedUrls.push(url); + return new Response('

Error

', { + headers: { 'Content-Type': 'text/html' }, + }); + }; + + // Simulate an attacker-controlled Host header by using an evil origin in request.url + const request = new Request('http://evil.attacker:9999/causes-error'); + const response = await app.render(request, { + routeData: errorRouteData, + prerenderedErrorPageFetch, + }); + + assert.equal(response.status, 500); + assert.equal(fetchedUrls.length, 1); + // The fetch URL must NOT contain the attacker-controlled host + assert.ok( + !fetchedUrls[0].includes('evil.attacker'), + `prerenderedErrorPageFetch was called with attacker origin: ${fetchedUrls[0]}`, + ); + assert.ok( + fetchedUrls[0].includes('localhost'), + `prerenderedErrorPageFetch should use localhost, got: ${fetchedUrls[0]}`, + ); + }); + + it('uses validated Host header origin for prerendered error page fetch when allowedDomains matches', async () => { + const errorRouteData = makeRouteData({ + route: '/causes-error', + component: 'src/pages/causes-error.astro', + params: [], + pathname: '/causes-error', + distURL: [], + pattern: /^\/causes-error\/?$/, + segments: [[{ content: 'causes-error', dynamic: false, spread: false }]], + type: 'page', + prerender: false, + fallbackRoutes: [], + isIndex: false, + origin: 'project', + }); + + const prerenderedErrorRouteData = makeRouteData({ + route: '/500', + component: 'src/pages/500.astro', + params: [], + pathname: '/500', + distURL: [], + pattern: /^\/500\/?$/, + segments: [[{ content: '500', dynamic: false, spread: false }]], + type: 'page', + prerender: true, + fallbackRoutes: [], + isIndex: false, + origin: 'project', + }); + + const pageMap = new Map([ + [ + errorRouteData.component, + async () => ({ + page: async () => ({ + default: createComponent(() => { + throw new Error('boom'); + }), + }), + }), + ], + ]); + + const app = makeApp({ + routes: [{ routeData: errorRouteData }, { routeData: prerenderedErrorRouteData }], + pageMap, + allowedDomains: [{ hostname: 'myapp.com' }], + }); + + const 
fetchedUrls: string[] = []; + const prerenderedErrorPageFetch = async (url: string) => { + fetchedUrls.push(url); + return new Response('

Error

', { + headers: { 'Content-Type': 'text/html' }, + }); + }; + + // Legitimate host that matches allowedDomains + const request = new Request('http://myapp.com/causes-error'); + const response = await app.render(request, { + routeData: errorRouteData, + prerenderedErrorPageFetch, + }); + + assert.equal(response.status, 500); + assert.equal(fetchedUrls.length, 1); + // The fetch URL should use the validated host + assert.ok( + fetchedUrls[0].includes('myapp.com'), + `prerenderedErrorPageFetch should use validated host, got: ${fetchedUrls[0]}`, + ); + }); + it('renders the 404 page when a route does not match with trailingSlash always and routeData', async () => { const notFoundRouteData = makeRouteData({ route: '/404', From f1baeea1923518aead11db128c773cd844499aaa Mon Sep 17 00:00:00 2001 From: Matthew Phillips Date: Wed, 10 Jun 2026 17:18:05 +0000 Subject: [PATCH 4/5] [ci] format --- packages/astro/src/core/errors/default-handler.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/packages/astro/src/core/errors/default-handler.ts b/packages/astro/src/core/errors/default-handler.ts index 9a556df1a5b5..be7f2e57c86d 100644 --- a/packages/astro/src/core/errors/default-handler.ts +++ b/packages/astro/src/core/errors/default-handler.ts @@ -61,7 +61,10 @@ export class DefaultErrorHandler implements ErrorHandler { const allowedDomains = app.manifest.allowedDomains; const validatedHost = validateHost(url.host, url.protocol.replace(':', ''), allowedDomains); const safeOrigin = validatedHost ? url.origin : `${url.protocol}//localhost`; - const statusURL = new URL(`${app.baseWithoutTrailingSlash}/${status}${maybeDotHtml}`, safeOrigin); + const statusURL = new URL( + `${app.baseWithoutTrailingSlash}/${status}${maybeDotHtml}`, + safeOrigin, + ); if ( statusURL.toString() !== request.url && resolvedRenderOptions.prerenderedErrorPageFetch From 19ad1b4159ad8109b831437b0a782d30f5bebb49 Mon Sep 17 00:00:00 2001 
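Review bot: The two new tests cover an unset `allowedDomains` and a matching host, but not the case the validation exists for in configured deployments: `allowedDomains: [{ hostname: 'myapp.com' }]` with a request whose host does not match. Add a third test for that case and assert the fetch goes to localhost. The assertions use `fetchedUrls[0].includes(...)`, which would also pass for a hostname such as `myapp.com.evil.attacker` or a path that contains the string; comparing `new URL(fetchedUrls[0]).hostname` with the expected value is stricter. Both tests repeat the same route and page-map setup, which could move into a small helper.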
From: "Houston (Bot)" <108291165+astrobot-houston@users.noreply.github.com> Date: Wed, 10 Jun 2026 10:25:56 -0700 Subject: [PATCH 5/5] [ci] release (#17023) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .changeset/busy-trains-see.md | 5 --- .changeset/hot-walls-grin.md | 5 --- .changeset/quick-sides-beg.md | 5 --- .changeset/yummy-hoops-grin.md | 5 --- examples/advanced-routing/package.json | 2 +- examples/basics/package.json | 2 +- examples/blog/package.json | 2 +- examples/component/package.json | 2 +- examples/container-with-vitest/package.json | 2 +- examples/framework-alpine/package.json | 2 +- examples/framework-multiple/package.json | 2 +- examples/framework-preact/package.json | 2 +- examples/framework-react/package.json | 2 +- examples/framework-solid/package.json | 2 +- examples/framework-svelte/package.json | 2 +- examples/framework-vue/package.json | 2 +- examples/hackernews/package.json | 2 +- examples/integration/package.json | 2 +- examples/minimal/package.json | 2 +- examples/portfolio/package.json | 2 +- examples/ssr/package.json | 2 +- examples/starlog/package.json | 2 +- examples/toolbar-app/package.json | 2 +- examples/with-markdoc/package.json | 2 +- examples/with-mdx/package.json | 2 +- examples/with-nanostores/package.json | 2 +- examples/with-tailwindcss/package.json | 2 +- examples/with-vitest/package.json | 2 +- packages/astro/CHANGELOG.md | 10 +++++ packages/astro/package.json | 2 +- packages/integrations/netlify/CHANGELOG.md | 9 ++++ packages/integrations/netlify/package.json | 2 +- pnpm-lock.yaml | 48 ++++++++++----------- 33 files changed, 69 insertions(+), 70 deletions(-) delete mode 100644 .changeset/busy-trains-see.md delete mode 100644 .changeset/hot-walls-grin.md delete mode 100644 .changeset/quick-sides-beg.md delete mode 100644 .changeset/yummy-hoops-grin.md 
diff --git a/.changeset/busy-trains-see.md b/.changeset/busy-trains-see.md deleted file mode 100644 index 462a05e16489..000000000000 --- a/.changeset/busy-trains-see.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'astro': patch ---- - -Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing. diff --git a/.changeset/hot-walls-grin.md b/.changeset/hot-walls-grin.md deleted file mode 100644 index 48605813dc1d..000000000000 --- a/.changeset/hot-walls-grin.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'astro': patch ---- - -Hardens `addAttribute` to drop attribute names containing characters that are invalid per the HTML spec (`"`, `'`, `>`, `/`, `=`, whitespace) diff --git a/.changeset/quick-sides-beg.md b/.changeset/quick-sides-beg.md deleted file mode 100644 index 2fb48933860c..000000000000 --- a/.changeset/quick-sides-beg.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'astro': patch ---- - -Validates the request origin against `allowedDomains` before fetching prerendered error pages. When `allowedDomains` is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to `localhost`. diff --git a/.changeset/yummy-hoops-grin.md b/.changeset/yummy-hoops-grin.md deleted file mode 100644 index f6c98acc48bf..000000000000 --- a/.changeset/yummy-hoops-grin.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@astrojs/netlify': patch ---- - -Hardens `remotePatterns` regex generation to match canonical wildcard semantics more strictly diff --git a/examples/advanced-routing/package.json b/examples/advanced-routing/package.json index 6577b3c904ab..2c40e3ef4e2e 100644 --- a/examples/advanced-routing/package.json +++ b/examples/advanced-routing/package.json @@ -14,7 +14,7 @@ }, "dependencies": { "@astrojs/node": "^10.1.4", - "astro": "^6.4.5", + "astro": "^6.4.6", "hono": "^4.12.14" } } 
diff --git a/examples/basics/package.json b/examples/basics/package.json index cef9143e5e45..c60e324a3712 100644 --- a/examples/basics/package.json +++ b/examples/basics/package.json @@ -13,6 +13,6 @@ "astro": "astro" }, "dependencies": { - "astro": "^6.4.5" + "astro": "^6.4.6" } } diff --git a/examples/blog/package.json b/examples/blog/package.json index 23371a34f928..b989c06d7b49 100644 --- a/examples/blog/package.json +++ b/examples/blog/package.json @@ -16,7 +16,7 @@ "@astrojs/mdx": "^6.0.3", "@astrojs/rss": "^4.0.18", "@astrojs/sitemap": "^3.7.3", - "astro": "^6.4.5", + "astro": "^6.4.6", "sharp": "^0.34.3" } } diff --git a/examples/component/package.json b/examples/component/package.json index 8ffe345c50a3..14c5fb7fe70b 100644 --- a/examples/component/package.json +++ b/examples/component/package.json @@ -18,7 +18,7 @@ ], "scripts": {}, "devDependencies": { - "astro": "^6.4.5" + "astro": "^6.4.6" }, "peerDependencies": { "astro": "^5.0.0 || ^6.0.0" diff --git a/examples/container-with-vitest/package.json b/examples/container-with-vitest/package.json index ab3c758b10bc..c893b7947949 100644 --- a/examples/container-with-vitest/package.json +++ b/examples/container-with-vitest/package.json @@ -15,7 +15,7 @@ }, "dependencies": { "@astrojs/react": "^5.0.7", - "astro": "^6.4.5", + "astro": "^6.4.6", "react": "^18.3.1", "react-dom": "^18.3.1", "vitest": "^4.1.0" diff --git a/examples/framework-alpine/package.json b/examples/framework-alpine/package.json index acb6a5da2aaf..b63a9c758fd7 100644 --- a/examples/framework-alpine/package.json +++ b/examples/framework-alpine/package.json @@ -16,6 +16,6 @@ "@astrojs/alpinejs": "^0.5.0", "@types/alpinejs": "^3.13.11", "alpinejs": "^3.15.8", - "astro": "^6.4.5" + "astro": "^6.4.6" } } diff --git a/examples/framework-multiple/package.json b/examples/framework-multiple/package.json index b0a7f2a51359..79c4b07b8578 100644 --- a/examples/framework-multiple/package.json +++ b/examples/framework-multiple/package.json 
@@ -20,7 +20,7 @@ "@astrojs/vue": "^6.0.1", "@types/react": "^18.3.28", "@types/react-dom": "^18.3.7", - "astro": "^6.4.5", + "astro": "^6.4.6", "preact": "^10.28.4", "react": "^18.3.1", "react-dom": "^18.3.1", diff --git a/examples/framework-preact/package.json b/examples/framework-preact/package.json index 63d1c9f9fe04..b97fefd000ff 100644 --- a/examples/framework-preact/package.json +++ b/examples/framework-preact/package.json @@ -15,7 +15,7 @@ "dependencies": { "@astrojs/preact": "^5.1.5", "@preact/signals": "^2.8.1", - "astro": "^6.4.5", + "astro": "^6.4.6", "preact": "^10.28.4" } } diff --git a/examples/framework-react/package.json b/examples/framework-react/package.json index e2ac29f2f306..760bd04168d9 100644 --- a/examples/framework-react/package.json +++ b/examples/framework-react/package.json @@ -16,7 +16,7 @@ "@astrojs/react": "^5.0.7", "@types/react": "^18.3.28", "@types/react-dom": "^18.3.7", - "astro": "^6.4.5", + "astro": "^6.4.6", "react": "^18.3.1", "react-dom": "^18.3.1" } diff --git a/examples/framework-solid/package.json b/examples/framework-solid/package.json index 845708001c53..caa26df7dc91 100644 --- a/examples/framework-solid/package.json +++ b/examples/framework-solid/package.json @@ -14,7 +14,7 @@ }, "dependencies": { "@astrojs/solid-js": "^6.0.1", - "astro": "^6.4.5", + "astro": "^6.4.6", "solid-js": "^1.9.11" } } diff --git a/examples/framework-svelte/package.json b/examples/framework-svelte/package.json index 8109360f107b..8079ec4df502 100644 --- a/examples/framework-svelte/package.json +++ b/examples/framework-svelte/package.json @@ -14,7 +14,7 @@ }, "dependencies": { "@astrojs/svelte": "^8.1.2", - "astro": "^6.4.5", + "astro": "^6.4.6", "svelte": "^5.53.5" } } diff --git a/examples/framework-vue/package.json b/examples/framework-vue/package.json index 1125d08b2f9e..c15360010fa5 100644 --- a/examples/framework-vue/package.json +++ b/examples/framework-vue/package.json 
@@ -14,7 +14,7 @@ }, "dependencies": { "@astrojs/vue": "^6.0.1", - "astro": "^6.4.5", + "astro": "^6.4.6", "vue": "^3.5.29" } } diff --git a/examples/hackernews/package.json b/examples/hackernews/package.json index cbc76d6e474b..bac1fdd958ed 100644 --- a/examples/hackernews/package.json +++ b/examples/hackernews/package.json @@ -14,6 +14,6 @@ }, "dependencies": { "@astrojs/node": "^10.1.4", - "astro": "^6.4.5" + "astro": "^6.4.6" } } diff --git a/examples/integration/package.json b/examples/integration/package.json index bbc95daea684..a568390a18ab 100644 --- a/examples/integration/package.json +++ b/examples/integration/package.json @@ -18,7 +18,7 @@ ], "scripts": {}, "devDependencies": { - "astro": "^6.4.5" + "astro": "^6.4.6" }, "peerDependencies": { "astro": "^4.0.0" diff --git a/examples/minimal/package.json b/examples/minimal/package.json index 279dda5f0865..01c7faecc14d 100644 --- a/examples/minimal/package.json +++ b/examples/minimal/package.json @@ -13,6 +13,6 @@ "astro": "astro" }, "dependencies": { - "astro": "^6.4.5" + "astro": "^6.4.6" } } diff --git a/examples/portfolio/package.json b/examples/portfolio/package.json index ba0670960a34..72be8d642f09 100644 --- a/examples/portfolio/package.json +++ b/examples/portfolio/package.json @@ -13,6 +13,6 @@ "astro": "astro" }, "dependencies": { - "astro": "^6.4.5" + "astro": "^6.4.6" } } diff --git a/examples/ssr/package.json b/examples/ssr/package.json index addf418d653d..ccf367b727b7 100644 --- a/examples/ssr/package.json +++ b/examples/ssr/package.json @@ -16,7 +16,7 @@ "dependencies": { "@astrojs/node": "^10.1.4", "@astrojs/svelte": "^8.1.2", - "astro": "^6.4.5", + "astro": "^6.4.6", "svelte": "^5.53.5" } } diff --git a/examples/starlog/package.json b/examples/starlog/package.json index df8f64d4a465..833eaf767e6f 100644 --- a/examples/starlog/package.json +++ b/examples/starlog/package.json 
@@ -9,7 +9,7 @@ "astro": "astro" }, "dependencies": { - "astro": "^6.4.5", + "astro": "^6.4.6", "sass": "^1.97.3", "sharp": "^0.34.3" }, diff --git a/examples/toolbar-app/package.json b/examples/toolbar-app/package.json index aca47b79eb83..e76c57701c18 100644 --- a/examples/toolbar-app/package.json +++ b/examples/toolbar-app/package.json @@ -16,7 +16,7 @@ }, "devDependencies": { "@types/node": "^22.10.6", - "astro": "^6.4.5" + "astro": "^6.4.6" }, "engines": { "node": ">=22.12.0" diff --git a/examples/with-markdoc/package.json b/examples/with-markdoc/package.json index 4cccb7a80232..86c77730319d 100644 --- a/examples/with-markdoc/package.json +++ b/examples/with-markdoc/package.json @@ -14,6 +14,6 @@ }, "dependencies": { "@astrojs/markdoc": "^1.0.6", - "astro": "^6.4.5" + "astro": "^6.4.6" } } diff --git a/examples/with-mdx/package.json b/examples/with-mdx/package.json index b579fa202906..e1d2705aba28 100644 --- a/examples/with-mdx/package.json +++ b/examples/with-mdx/package.json @@ -15,7 +15,7 @@ "dependencies": { "@astrojs/mdx": "^6.0.3", "@astrojs/preact": "^5.1.5", - "astro": "^6.4.5", + "astro": "^6.4.6", "preact": "^10.28.4" } } diff --git a/examples/with-nanostores/package.json b/examples/with-nanostores/package.json index 655bd4350d6f..4239645b245a 100644 --- a/examples/with-nanostores/package.json +++ b/examples/with-nanostores/package.json @@ -15,7 +15,7 @@ "dependencies": { "@astrojs/preact": "^5.1.5", "@nanostores/preact": "^1.0.0", - "astro": "^6.4.5", + "astro": "^6.4.6", "nanostores": "^1.1.1", "preact": "^10.28.4" } diff --git a/examples/with-tailwindcss/package.json b/examples/with-tailwindcss/package.json index 4a70693eb126..1a0cb2157612 100644 --- a/examples/with-tailwindcss/package.json +++ b/examples/with-tailwindcss/package.json 
@@ -16,7 +16,7 @@ "@astrojs/mdx": "^6.0.3", "@tailwindcss/vite": "^4.2.1", "@types/canvas-confetti": "^1.9.0", - "astro": "^6.4.5", + "astro": "^6.4.6", "canvas-confetti": "^1.9.4", "tailwindcss": "^4.2.1", "vite": "^7.3.2" diff --git a/examples/with-vitest/package.json b/examples/with-vitest/package.json index 8fa543241312..c88ae91475fb 100644 --- a/examples/with-vitest/package.json +++ b/examples/with-vitest/package.json @@ -14,7 +14,7 @@ "test": "vitest" }, "dependencies": { - "astro": "^6.4.5", + "astro": "^6.4.6", "vitest": "^4.1.0" } } diff --git a/packages/astro/CHANGELOG.md b/packages/astro/CHANGELOG.md index 4f81be17c32c..1e1c4cab9b6e 100644 --- a/packages/astro/CHANGELOG.md +++ b/packages/astro/CHANGELOG.md @@ -1,5 +1,15 @@ # astro +## 6.4.6 + +### Patch Changes + +- [#16765](https://github.com/withastro/astro/pull/16765) [`b10e86e`](https://github.com/withastro/astro/commit/b10e86e6dbaf04678127c86366befc0b78a164f6) Thanks [@fkatsuhiro](https://github.com/fkatsuhiro)! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing. + +- [#17026](https://github.com/withastro/astro/pull/17026) [`add3df1`](https://github.com/withastro/astro/commit/add3df10fdaff469ae0228f09d99290de170029a) Thanks [@matthewp](https://github.com/matthewp)! - Hardens `addAttribute` to drop attribute names containing characters that are invalid per the HTML spec (`"`, `'`, `>`, `/`, `=`, whitespace) + +- [#17033](https://github.com/withastro/astro/pull/17033) [`ffda27b`](https://github.com/withastro/astro/commit/ffda27b7c8697d4b7ed530e93385a420e1fc4acd) Thanks [@matthewp](https://github.com/matthewp)! - Validates the request origin against `allowedDomains` before fetching prerendered error pages. When `allowedDomains` is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to `localhost`. + ## 6.4.5 ### Patch Changes 
diff --git a/packages/astro/package.json b/packages/astro/package.json index 2aed8dd5aefb..a775c367ff40 100644 --- a/packages/astro/package.json +++ b/packages/astro/package.json @@ -1,6 +1,6 @@ { "name": "astro", - "version": "6.4.5", + "version": "6.4.6", "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.", "type": "module", "author": "withastro", diff --git a/packages/integrations/netlify/CHANGELOG.md b/packages/integrations/netlify/CHANGELOG.md index 3624fb9ad8b4..190abfee1581 100644 --- a/packages/integrations/netlify/CHANGELOG.md +++ b/packages/integrations/netlify/CHANGELOG.md @@ -1,5 +1,14 @@ # @astrojs/netlify +## 7.0.13 + +### Patch Changes + +- [#17018](https://github.com/withastro/astro/pull/17018) [`1310277`](https://github.com/withastro/astro/commit/1310277db33cd93aa99e87492650c633af0fe257) Thanks [@matthewp](https://github.com/matthewp)! - Hardens `remotePatterns` regex generation to match canonical wildcard semantics more strictly + +- Updated dependencies []: + - @astrojs/underscore-redirects@1.0.3 + ## 7.0.12 ### Patch Changes diff --git a/packages/integrations/netlify/package.json b/packages/integrations/netlify/package.json index 96b753086af5..20e9bc6019ab 100644 --- a/packages/integrations/netlify/package.json +++ b/packages/integrations/netlify/package.json @@ -1,7 +1,7 @@ { "name": "@astrojs/netlify", "description": "Deploy your site to Netlify", - "version": "7.0.12", + "version": "7.0.13", "type": "module", "types": "./dist/index.d.ts", "author": "withastro", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index de12e247b5fb..2ac5b4394611 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -197,7 +197,7 @@ importers: specifier: ^10.1.4 version: link:../../packages/integrations/node astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro hono: specifier: ^4.12.14 
@@ -206,7 +206,7 @@ importers: examples/basics: dependencies: astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro examples/blog: @@ -221,7 +221,7 @@ importers: specifier: ^3.7.3 version: link:../../packages/integrations/sitemap astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro sharp: specifier: ^0.34.3 @@ -230,7 +230,7 @@ importers: examples/component: devDependencies: astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro examples/container-with-vitest: @@ -239,7 +239,7 @@ importers: specifier: ^5.0.7 version: link:../../packages/integrations/react astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro react: specifier: ^18.3.1 @@ -270,7 +270,7 @@ importers: specifier: ^3.15.8 version: 3.15.8 astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro examples/framework-multiple: @@ -297,7 +297,7 @@ importers: specifier: ^18.3.7 version: 18.3.7(@types/react@18.3.28) astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro preact: specifier: ^10.28.4 @@ -327,7 +327,7 @@ importers: specifier: ^2.8.1 version: 2.8.2(preact@10.29.0) astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro preact: specifier: ^10.28.4 @@ -345,7 +345,7 @@ importers: specifier: ^18.3.7 version: 18.3.7(@types/react@18.3.28) astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro react: specifier: ^18.3.1 @@ -360,7 +360,7 @@ importers: specifier: ^6.0.1 version: link:../../packages/integrations/solid astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro solid-js: specifier: ^1.9.11 @@ -372,7 +372,7 @@ importers: specifier: ^8.1.2 version: link:../../packages/integrations/svelte astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro svelte: specifier: ^5.53.5 
@@ -384,7 +384,7 @@ importers: specifier: ^6.0.1 version: link:../../packages/integrations/vue astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro vue: specifier: ^3.5.29 @@ -396,25 +396,25 @@ importers: specifier: ^10.1.4 version: link:../../packages/integrations/node astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro examples/integration: devDependencies: astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro examples/minimal: dependencies: astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro examples/portfolio: dependencies: astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro examples/ssr: @@ -426,7 +426,7 @@ importers: specifier: ^8.1.2 version: link:../../packages/integrations/svelte astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro svelte: specifier: ^5.53.5 @@ -435,7 +435,7 @@ importers: examples/starlog: dependencies: astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro sass: specifier: ^1.97.3 @@ -450,7 +450,7 @@ importers: specifier: ^22.19.0 version: 22.19.19 astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro examples/with-markdoc: @@ -459,7 +459,7 @@ importers: specifier: ^1.0.6 version: link:../../packages/integrations/markdoc astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro examples/with-mdx: @@ -471,7 +471,7 @@ importers: specifier: ^5.1.5 version: link:../../packages/integrations/preact astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro preact: specifier: ^10.28.4 @@ -486,7 +486,7 @@ importers: specifier: ^1.0.0 version: 1.0.0(nanostores@1.1.1)(preact@10.29.0) astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro nanostores: specifier: ^1.1.1 
@@ -507,7 +507,7 @@ importers: specifier: ^1.9.0 version: 1.9.0 astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro canvas-confetti: specifier: ^1.9.4 @@ -522,7 +522,7 @@ importers: examples/with-vitest: dependencies: astro: - specifier: ^6.4.5 + specifier: ^6.4.6 version: link:../../packages/astro vitest: specifier: ^4.1.0