[pull] main from withastro:main

.github/workflows/issue-needs-repro.yml

@@ -1,35 +1,21 @@
-# Action taken down due to https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials
-#name: "Issue: Needs Repro"
-#
-#on:
-#  issues:
-#    types: [labeled]
-#  schedule:
-#    - cron: "0 0 * * *"
-#
-#jobs:
-#  on-labeled:
-#    if: github.event_name == 'issues' && github.event.label.name == 'needs repro'
-#    runs-on: ubuntu-latest
-#    permissions:
-#      issues: write
-#    steps:
-#      - uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
-#        with:
-#          actions: "create-comment, remove-labels"
-#          token: ${{ secrets.GITHUB_TOKEN }}
-#          issue-number: ${{ github.event.issue.number }}
-#          body: |
-#            Hello @${{ github.event.issue.user.login }}. Please provide a [minimal reproduction](https://stackoverflow.com/help/minimal-reproducible-example) using a GitHub repository or [StackBlitz](https://astro.new/repro). Issues marked with `needs repro` will be closed if they have no activity within 3 days.
-#          labels: "needs triage"
-#
-#  close-stale:
-#    if: github.event_name == 'schedule' && github.repository == 'withastro/astro'
-#    runs-on: ubuntu-latest
-#    steps:
-#      - uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
-#        with:
-#          actions: "close-issues"
-#          token: ${{ secrets.GITHUB_TOKEN }}
-#          labels: "needs repro"
-#          inactive-day: 3
+name: "Issue: Needs Repro"
+
+on:
+  issues:
+    types: [ labeled ]
+
+jobs:
+  reply-labeled:
+    if: github.repository == 'withastro/astro'
+    runs-on: depot-ubuntu-24.04-arm-small
+    steps:
+      - name: Remove triaging label
+        if: github.event_name == 'issues' && contains(github.event.issue.labels.*.name, 'needs repro')
+        env:
+          GH_TOKEN: ${{ secrets.FREDKBOT_GITHUB_TOKEN }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          REPO: ${{ github.repository }}
+        run: |
+          gh issue comment "$ISSUE_NUMBER" --repo "$REPO" --body "Hello @${{ github.event.issue.user.login }}. Please provide a [minimal reproduction](https://stackoverflow.com/help/minimal-reproducible-example) using a GitHub repository or [StackBlitz](https://astro.new/repro). Issues marked with `needs repro` will be closed if they have no activity within 3 days."
+
+          gh issue edit "$ISSUE_NUMBER" --repo "$REPO" --remove-label "needs triage"

.github/workflows/issue-triage.yml

@@ -58,6 +58,13 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          # Do not persist the default GITHUB_TOKEN as a git credential.
+          # checkout sets an http.extraheader that overrides any credentials
+          # embedded in push URLs, including the FREDKBOT_GITHUB_TOKEN used
+          # by gitPush(). With persist-credentials enabled, git always
+          # authenticates as github-actions[bot] (read-only), causing pushes
+          # to fail with 403.
+          persist-credentials: false
 
       - name: Configure Git identity
         run: |

examples/advanced-routing/package.json

@@ -14,7 +14,7 @@
   },
   "dependencies": {
     "@astrojs/node": "^10.1.4",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "hono": "^4.12.14"
   }
 }

examples/basics/package.json

@@ -13,6 +13,6 @@
     "astro": "astro"
   },
   "dependencies": {
-    "astro": "^6.4.5"
+    "astro": "^6.4.6"
   }
 }

examples/blog/package.json

@@ -16,7 +16,7 @@
     "@astrojs/mdx": "^6.0.3",
     "@astrojs/rss": "^4.0.18",
     "@astrojs/sitemap": "^3.7.3",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "sharp": "^0.34.3"
   }
 }

examples/component/package.json

@@ -18,7 +18,7 @@
   ],
   "scripts": {},
   "devDependencies": {
-    "astro": "^6.4.5"
+    "astro": "^6.4.6"
   },
   "peerDependencies": {
     "astro": "^5.0.0 || ^6.0.0"

examples/container-with-vitest/package.json

@@ -15,7 +15,7 @@
   },
   "dependencies": {
     "@astrojs/react": "^5.0.7",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "vitest": "^4.1.0"

examples/framework-alpine/package.json

@@ -16,6 +16,6 @@
     "@astrojs/alpinejs": "^0.5.0",
     "@types/alpinejs": "^3.13.11",
     "alpinejs": "^3.15.8",
-    "astro": "^6.4.5"
+    "astro": "^6.4.6"
   }
 }

examples/framework-multiple/package.json

@@ -20,7 +20,7 @@
     "@astrojs/vue": "^6.0.1",
     "@types/react": "^18.3.28",
     "@types/react-dom": "^18.3.7",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "preact": "^10.28.4",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",

examples/framework-preact/package.json

@@ -15,7 +15,7 @@
   "dependencies": {
     "@astrojs/preact": "^5.1.5",
     "@preact/signals": "^2.8.1",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "preact": "^10.28.4"
   }
 }

examples/framework-react/package.json

@@ -16,7 +16,7 @@
     "@astrojs/react": "^5.0.7",
     "@types/react": "^18.3.28",
     "@types/react-dom": "^18.3.7",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "react": "^18.3.1",
     "react-dom": "^18.3.1"
   }

examples/framework-solid/package.json

@@ -14,7 +14,7 @@
   },
   "dependencies": {
     "@astrojs/solid-js": "^6.0.1",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "solid-js": "^1.9.11"
   }
 }

examples/framework-svelte/package.json

@@ -14,7 +14,7 @@
   },
   "dependencies": {
     "@astrojs/svelte": "^8.1.2",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "svelte": "^5.53.5"
   }
 }

examples/framework-vue/package.json

@@ -14,7 +14,7 @@
   },
   "dependencies": {
     "@astrojs/vue": "^6.0.1",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "vue": "^3.5.29"
   }
 }

examples/hackernews/package.json

@@ -14,6 +14,6 @@
   },
   "dependencies": {
     "@astrojs/node": "^10.1.4",
-    "astro": "^6.4.5"
+    "astro": "^6.4.6"
   }
 }

examples/integration/package.json

@@ -18,7 +18,7 @@
   ],
   "scripts": {},
   "devDependencies": {
-    "astro": "^6.4.5"
+    "astro": "^6.4.6"
   },
   "peerDependencies": {
     "astro": "^4.0.0"

examples/minimal/package.json

@@ -13,6 +13,6 @@
     "astro": "astro"
   },
   "dependencies": {
-    "astro": "^6.4.5"
+    "astro": "^6.4.6"
   }
 }

examples/portfolio/package.json

@@ -13,6 +13,6 @@
     "astro": "astro"
   },
   "dependencies": {
-    "astro": "^6.4.5"
+    "astro": "^6.4.6"
   }
 }

examples/ssr/package.json

@@ -16,7 +16,7 @@
   "dependencies": {
     "@astrojs/node": "^10.1.4",
     "@astrojs/svelte": "^8.1.2",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "svelte": "^5.53.5"
   }
 }

examples/starlog/package.json

@@ -9,7 +9,7 @@
     "astro": "astro"
   },
   "dependencies": {
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "sass": "^1.97.3",
     "sharp": "^0.34.3"
   },

examples/toolbar-app/package.json

@@ -16,7 +16,7 @@
   },
   "devDependencies": {
     "@types/node": "^22.10.6",
-    "astro": "^6.4.5"
+    "astro": "^6.4.6"
   },
   "engines": {
     "node": ">=22.12.0"

examples/with-markdoc/package.json

@@ -14,6 +14,6 @@
   },
   "dependencies": {
     "@astrojs/markdoc": "^1.0.6",
-    "astro": "^6.4.5"
+    "astro": "^6.4.6"
   }
 }

examples/with-mdx/package.json

@@ -15,7 +15,7 @@
   "dependencies": {
     "@astrojs/mdx": "^6.0.3",
     "@astrojs/preact": "^5.1.5",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "preact": "^10.28.4"
   }
 }

examples/with-nanostores/package.json

@@ -15,7 +15,7 @@
   "dependencies": {
     "@astrojs/preact": "^5.1.5",
     "@nanostores/preact": "^1.0.0",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "nanostores": "^1.1.1",
     "preact": "^10.28.4"
   }

examples/with-tailwindcss/package.json

@@ -16,7 +16,7 @@
     "@astrojs/mdx": "^6.0.3",
     "@tailwindcss/vite": "^4.2.1",
     "@types/canvas-confetti": "^1.9.0",
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "canvas-confetti": "^1.9.4",
     "tailwindcss": "^4.2.1",
     "vite": "^7.3.2"

examples/with-vitest/package.json

@@ -14,7 +14,7 @@
     "test": "vitest"
   },
   "dependencies": {
-    "astro": "^6.4.5",
+    "astro": "^6.4.6",
     "vitest": "^4.1.0"
   }
 }

packages/astro/CHANGELOG.md

@@ -1,5 +1,15 @@
 # astro
 
+## 6.4.6
+
+### Patch Changes
+
+- [#16765](https://github.com/withastro/astro/pull/16765) [`b10e86e`](https://github.com/withastro/astro/commit/b10e86e6dbaf04678127c86366befc0b78a164f6) Thanks [@fkatsuhiro](https://github.com/fkatsuhiro)! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.
+
+- [#17026](https://github.com/withastro/astro/pull/17026) [`add3df1`](https://github.com/withastro/astro/commit/add3df10fdaff469ae0228f09d99290de170029a) Thanks [@matthewp](https://github.com/matthewp)! - Hardens `addAttribute` to drop attribute names containing characters that are invalid per the HTML spec (`"`, `'`, `>`, `/`, `=`, whitespace)
+
+- [#17033](https://github.com/withastro/astro/pull/17033) [`ffda27b`](https://github.com/withastro/astro/commit/ffda27b7c8697d4b7ed530e93385a420e1fc4acd) Thanks [@matthewp](https://github.com/matthewp)! - Validates the request origin against `allowedDomains` before fetching prerendered error pages. When `allowedDomains` is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to `localhost`.
+
 ## 6.4.5
 
 ### Patch Changes

packages/astro/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "6.4.5",
+  "version": "6.4.6",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",

packages/astro/src/core/errors/default-handler.ts

@@ -8,6 +8,7 @@ import { AstroMiddleware } from '../middleware/astro-middleware.js';
 import { PagesHandler } from '../pages/handler.js';
 import { matchRoute } from '../routing/match.js';
 import { provideSession } from '../session/handler.js';
+import { validateHost } from '../app/validate-headers.js';
 import type { ErrorHandler } from './handler.js';
 
 type ErrorPagePath =
@@ -54,30 +55,47 @@ export class DefaultErrorHandler implements ErrorHandler {
 		if (errorRouteData) {
 			if (errorRouteData.prerender) {
 				const maybeDotHtml = errorRouteData.route.endsWith(`/${status}`) ? '.html' : '';
-				const statusURL = new URL(`${app.baseWithoutTrailingSlash}/${status}${maybeDotHtml}`, url);
+				// Validate the request URL origin before using it for the error page fetch.
+				// Without this, an attacker-controlled Host header flows into statusURL,
+				// causing the server to fetch from an arbitrary origin (SSRF).
+				const allowedDomains = app.manifest.allowedDomains;
+				const validatedHost = validateHost(url.host, url.protocol.replace(':', ''), allowedDomains);
+				const safeOrigin = validatedHost ? url.origin : `${url.protocol}//localhost`;
+				const statusURL = new URL(
+					`${app.baseWithoutTrailingSlash}/${status}${maybeDotHtml}`,
+					safeOrigin,
+				);
 				if (
 					statusURL.toString() !== request.url &&
 					resolvedRenderOptions.prerenderedErrorPageFetch
 				) {
-					const response = await resolvedRenderOptions.prerenderedErrorPageFetch(
-						statusURL.toString() as ErrorPagePath,
-					);
+					try {
+						const response = await resolvedRenderOptions.prerenderedErrorPageFetch(
+							statusURL.toString() as ErrorPagePath,
+						);
 
-					// In order for the response of the remote to be usable as a response
-					// for this request, it needs to have our status code in the response
-					// instead of the likely successful 200 code it returned when fetching
-					// the error page.
-					//
-					// Furthermore, remote may have returned a compressed page
-					// (the Content-Encoding header was set to e.g. `gzip`). The fetch
-					// implementation in the `mergeResponses` method will make a decoded
-					// response available, so Content-Length and Content-Encoding will
-					// not match the body we provide and need to be removed.
-					const override = { status, removeContentEncodingHeaders: true };
+						// In order for the response of the remote to be usable as a response
+						// for this request, it needs to have our status code in the response
+						// instead of the likely successful 200 code it returned when fetching
+						// the error page.
+						//
+						// Furthermore, remote may have returned a compressed page
+						// (the Content-Encoding header was set to e.g. `gzip`). The fetch
+						// implementation in the `mergeResponses` method will make a decoded
+						// response available, so Content-Length and Content-Encoding will
+						// not match the body we provide and need to be removed.
+						const override = { status, removeContentEncodingHeaders: true };
 
-					const newResponse = mergeResponses(response, originalResponse, override);
-					prepareResponse(newResponse, resolvedRenderOptions);
-					return newResponse;
+						const newResponse = mergeResponses(response, originalResponse, override);
+						prepareResponse(newResponse, resolvedRenderOptions);
+						return newResponse;
+					} catch {
+						// If the error page fetch fails (e.g. connection refused), fall
+						// through to the plain error response below.
+						const response = mergeResponses(new Response(null, { status }), originalResponse);
+						prepareResponse(response, resolvedRenderOptions);
+						return response;
+					}
 				}
 			}
 			const mod = await app.pipeline.getComponentByRoute(errorRouteData);