chore(deps): update dependency astro to v6 [security]#10554
chore(deps): update dependency astro to v6 [security]#10554renovate[bot] wants to merge 1 commit intomainfrom
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughUpdated the Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
| Command | Status | Duration | Result |
|---|---|---|---|
nx affected --targets=test:sherif,test:knip,tes... |
❌ Failed | 4m 29s | View ↗ |
nx run-many --target=build --exclude=examples/*... |
✅ Succeeded | 1s | View ↗ |
☁️ Nx Cloud last updated this comment at 2026-04-23 15:05:38 UTC
🚀 Changeset Version PreviewNo changeset entries found. Merging this PR will not cause a version bump for any packages. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@examples/solid/astro/package.json`:
- Line 20: The project currently pins "astro": "^6.0.0" in package.json but
still depends on "@astrojs/tailwind" which only supports Astro ^3/4/5; either
upgrade the "@astrojs/tailwind" dependency to a release that declares support
for Astro 6 or revert "astro" to a compatible major (e.g., "^5.0.0") in
package.json; update the dependency string for "@astrojs/tailwind" or "astro"
accordingly, run your package install (npm/yarn/pnpm) and verify the build/tests
to ensure compatibility.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 7fea1c4e-52cd-45ba-892b-772ca04be383
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (1)
examples/solid/astro/package.json
| "@tanstack/solid-query": "^5.99.2", | ||
| "@tanstack/solid-query-devtools": "^5.99.2", | ||
| "astro": "^5.5.6", | ||
| "astro": "^6.0.0", |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Read current versions declared in the reviewed package.json
cat examples/solid/astro/package.json | jq '.dependencies | {
astro,
"@astrojs/check",
"@astrojs/node",
"@astrojs/solid-js",
"@astrojs/tailwind",
"@astrojs/vercel"
}'
echo
echo "Checking npm peerDependencies for Astro compatibility..."
for pkg in `@astrojs/check` `@astrojs/node` `@astrojs/solid-js` `@astrojs/tailwind` `@astrojs/vercel`; do
echo "---- $pkg ----"
npm view "$pkg" version peerDependencies --json
echo
done
echo "Expected result:"
echo "- Each `@astrojs/`* package version used by this example should list a peerDependency range that includes astro@^6."Repository: TanStack/query
Length of output: 1035
@astrojs/tailwind incompatibility with Astro 6 must be resolved.
Astro 6 is incompatible with @astrojs/tailwind@^6.0.2—its peerDependency declares support only for astro: ^3.0.0 || ^4.0.0 || ^5.0.0. Either upgrade @astrojs/tailwind to a version supporting Astro 6, or revert Astro to a compatible major version before merge.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@examples/solid/astro/package.json` at line 20, The project currently pins
"astro": "^6.0.0" in package.json but still depends on "@astrojs/tailwind" which
only supports Astro ^3/4/5; either upgrade the "@astrojs/tailwind" dependency to
a release that declares support for Astro 6 or revert "astro" to a compatible
major (e.g., "^5.0.0") in package.json; update the dependency string for
"@astrojs/tailwind" or "astro" accordingly, run your package install
(npm/yarn/pnpm) and verify the build/tests to ensure compatibility.
size-limit report 📦
|
renovate
Bot
force-pushed
the
renovate/npm-astro-vulnerability
branch
from
d114842 to
b89b2b6
Compare
renovate
Bot
force-pushed
the
renovate/npm-astro-vulnerability
branch
from
b89b2b6 to
9f44be8
Compare
This PR contains the following updates:
^5.5.6→^6.0.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Astro: XSS in define:vars via incomplete </script> tag sanitization
CVE-2026-41067 / GHSA-j687-52p2-xcff
More information
Details
Summary
The
defineScriptVarsfunction in Astro's server-side rendering pipeline uses a case-sensitive regex/<\/script>/gto sanitize values injected into inline<script>tags via thedefine:varsdirective. HTML parsers close<script>elements case-insensitively and also accept whitespace or/before the closing>, allowing an attacker to bypass the sanitization with payloads like</Script>,</script >, or</script/>and inject arbitrary HTML/JavaScript.Details
The vulnerable function is
defineScriptVarsatpackages/astro/src/runtime/server/render/util.ts:42-53:This function is called from
renderElementatutil.ts:172-174when a<script>element hasdefine:vars:The regex
/<\/script>/gfails to match three classes of closing script tags that HTML parsers accept per the HTML specification §13.2.6.4:</Script>,</SCRIPT>,</sCrIpT>— HTML tag names are case-insensitive but the regex has noiflag.>:</script >,</script\t>,</script\n>— after the tag name, the HTML tokenizer enters the "before attribute name" state on ASCII whitespace.</script/>— the tokenizer enters "self-closing start tag" state on/.JSON.stringify()does not escape<,>, or/characters, so all these payloads pass through serialization unchanged.Execution flow: User-controlled input (e.g.,
Astro.url.searchParams) → assigned to a variable → passed viadefine:varson a<script>tag →renderElement→defineScriptVars→ incomplete sanitization → injected into<script>block in HTML response → browser closes the script element early → attacker-controlled HTML parsed and executed.PoC
Step 1: Create an SSR Astro page (
src/pages/index.astro):Step 2: Ensure SSR is enabled in
astro.config.mjs:Step 3: Start the dev server and visit:
Step 4: View the HTML source. The output contains:
The browser's HTML parser matches
</Script>case-insensitively, closing the script block. The<img onerror=alert(document.cookie)>is then parsed as HTML and the JavaScript inonerrorexecutes.Alternative bypass payloads:
Impact
An attacker can execute arbitrary JavaScript in the context of a victim's browser session on any SSR Astro application that passes request-derived data to
define:varson a<script>tag. This is a documented and expected usage pattern in Astro.Exploitation enables:
document.cookie)The vulnerability affects all Astro versions that support
define:varsand is exploitable in any SSR deployment where user input reaches adefine:varsscript variable.Recommended Fix
Replace the case-sensitive exact-match regex with a comprehensive escape that covers all HTML parser edge cases. The simplest correct fix is to escape all
<characters in the JSON output:This is the standard approach used by frameworks like Next.js and Rails. Replacing every
<with\u003cis safe inside JSON string contexts (JavaScript treats\u003cas<at runtime) and eliminates all possible</script>variants including case variations, whitespace, and self-closing forms.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
withastro/astro (astro)
v6.1.6Compare Source
Patch Changes
#16202
b5c2fbaThanks @matthewp! - Fixes Actions failing withActionsWithoutServerOutputErrorwhen usingoutput: 'static'with an adapter#16303
b06eabfThanks @matthewp! - Improves handling of special characters in inline<script>content#14924
bb4586aThanks @aralroca! - Fixes SCSS and CSS module file changes triggering a full page reload instead of hot-updating styles in place during developmentv6.1.5Compare Source
Patch Changes
#16171
5bcd03cThanks @Desel72! - Fixes a build error that occurred when a pre-rendered page used the<Picture>component and another page calledrender()on content collection entries.#16239
7c65c04Thanks @dataCenter430! - Fixes sync content inside<Fragment>not streaming to the browser until all async sibling expressions have resolved.#16242
686c312Thanks @martrapp! - Revives UnoCSS in dev mode when used with the client router.This change partly reverts #16089, which in hindsight turned out to be too general. Instead of automatically persisting all style sheets, we now do this only for styles from Vue components.
#16192
79d86b8Thanks @alexanderniebuhr! - Uses today’s date for Cloudflarecompatibility_dateinastro add cloudflareWhen creating new projects,
astro add cloudflarenow setscompatibility_dateto the current date. Previously, this date was resolved from locally installed packages, which could be unreliable in some package manager environments. Using today’s date is simpler and more reliable across environments, and is supported byworkerd.#16259
34df955Thanks @gameroman! - Removeddlvdependencyv6.1.4Compare Source
Patch Changes
#16197
21f9fe2Thanks @SchahinRohani! - Remove unused re-exports from assets/utils barrel file to fix Vite build warning#16059
6d5469eThanks @matthewp! - FixesExpected 'miniflare' to be definederrors and 404 responses in dev mode when using the Cloudflare adapter and the config file changes. Instead of creating a brand new Vite server on config changes, Astro now performs a Vite in-place restart, allowing the Cloudflare adapter to reuse its existing miniflare instance across restarts.#16154
7610ba4Thanks @Desel72! - Fixes pages with dots in their filenames (e.g.hello.world.astro) returning 404 when accessed with a trailing slash in the dev server. ThetrailingSlashForPathfunction now only forcestrailingSlash: 'never'for endpoints with file extensions, allowing pages to correctly respect the user'strailingSlashconfig.#16193
23425e2Thanks @matthewp! - FixestrailingSlash: "always"producing redirect HTML instead of the actual response for extensionless endpoints during static buildsv6.1.3Compare Source
Patch Changes
#16161
b51f297Thanks @matthewp! - Fixes a dev rendering issue with the Cloudflare adapter where head metadata could be missing and dev CSS/scripts could be injected in the wrong place#16110
de669f0Thanks @tmimmanuel! - Fixes skew protection query parameters not being appended to inter-chunk JavaScript imports in client bundles, which could cause version mismatches during rolling deployments on Vercel#16162
a0a49e9Thanks @rururux! - Fixes an issue where HMR would not trigger when modifying files while using @astrojs/cloudflare with prerenderEnvironment: 'node' enabled.#16142
7454854Thanks @rururux! - Fixes HTML content being incorrectly escaped as plain text when rendering a MDX component using theAstroContainerAPIs.#16116
12602a9Thanks @riderx! - Fixes a bug where page-level CSS could leak between unrelated pages when traversing style parents across top-level route boundaries#16178
a7e7567Thanks @matthewp! - Fixes SSR builds failing with "No matching renderer found" when a project only has injected routes and nosrc/pages/directoryv6.1.2Compare Source
Patch Changes
#16104
47a394dThanks @matthewp! - Fixesastro previewignoringvite.preview.allowedHostsset inastro.config.mjs#16047
711f837Thanks @matthewp! - Fixes catch-all routes incorrectly intercepting requests for static assets when using the@astrojs/nodeadapter in middleware mode.#15981
a60cbb6Thanks @moktamd! - Fix Zod v4 validation error formatting to show human-readable messages instead of raw JSONv6.1.1Compare Source
Patch Changes
#16105
23d60deThanks @matthewp! - Fix dev toolbar audit crash when encountering theimageARIA role#16089
999c875Thanks @martrapp! - Fixes an issue with the client router where Vue's:deep()notation was ignored in dev mode.v6.1.0Compare Source
Minor Changes
#15804
a5e7232Thanks @merlinnot! - Allows setting codec-specific defaults for Astro's built-in Sharp image service viaimage.service.config.You can now configure encoder-level options such as
jpeg.mozjpeg,webp.effort,webp.alphaQuality,avif.effort,avif.chromaSubsampling, andpng.compressionLevelwhen usingastro/assets/services/sharpfor compile-time image generation.These settings apply as defaults for the built-in Sharp pipeline, while per-image
qualitystill takes precedence when set on<Image />,<Picture />, orgetImage().#15455
babf57fThanks @AhmadYasser1! - AddsfallbackRoutesto theIntegrationResolvedRoutetype, exposing i18n fallback routes to integrations via theastro:routes:resolvedhook for projects usingfallbackType: 'rewrite'.This allows integrations such as the sitemap integration to properly include generated fallback routes in their output.
#15340
10a1a5aThanks @trueberryless! - Adds support for advanced configuration of SmartyPants in Markdown.You can now pass an options object to
markdown.smartypantsin your Astro configuration to fine-tune how punctuation, dashes, and quotes are transformed.This is helpful for projects that require specific typographic standards, such as "oldschool" dash handling or localized quotation marks.
See the
retext-smartypantsoptions for more information.Patch Changes
#16025
a09f319Thanks @koji-1009! - Instructs the client router to skip view transition animations when the browser is already providing its own visual transition, such as a swipe gesture.#16055
ccecb8fThanks @Gautam-Bharadwaj! - Fixes an issue whereclient:onlycomponents could have duplicateclient:component-pathattributes added in MDX in rare cases#16081
44fc340Thanks @crazylogic03! - Fixes theemitFile() is not supported in serve modewarning that appears duringastro devwhen using integrations that inject before-hydration scripts (e.g.@astrojs/react)#16068
31d733bThanks @Karthikeya1500! - Fixes the dev toolbar a11y audit incorrectly classifyingmenuitemradioas a non-interactive ARIA role.#16080
e80ac73Thanks @ematipico! - Fixesexperimental.queuedRenderingincorrectly escaping the HTML output of.htmlpage files, causing the page content to render as plain text instead of HTML in the browser.#16048
13b9d56Thanks @matthewp! - Fixes a dev server crash (serverIslandNameMap.get is not a function) that occurred when navigating to a page withserver:deferafter first visiting a page without one, when using@astrojs/cloudflare#16093
336e086Thanks @Snugug! - Fixes Zod meta not correctly being rendered on top-level schema when converted into JSON Schema#16043
d402485Thanks @ematipico! - FixescheckOriginCSRF protection inastro devbehind a TLS-terminating reverse proxy. The dev server now readsX-Forwarded-Proto(gated onsecurity.allowedDomains, matching production behaviour) so the constructed request origin matches thehttps://origin the browser sends. Also ensuressecurity.allowedDomainsandsecurity.checkOriginare respected in dev.#16064
ba58e0dThanks @ematipico! - Updates the dependencysvgoto the latest, to fix a security issue.#16007
2dcd8d5Thanks @florian-lefebvre! - Fixes a case where fonts files would unecessarily be copied several times during the build#16017
b089b90Thanks @felmonon! - Fix theastro syncerror message whengetImage()is called while loading content collections.#16014
fa73fbbThanks @matthewp! - Fixes a build error where usingastro:config/clientinside a<script>tag would cause Rollup to fail with "failed to resolve importvirtual:astro:routesfromvirtual:astro:manifest"#16054
f74465aThanks @seroperson! - Fixes an issue with the development server, where changes to the middleware weren't picked, and it required a full restart of the server.#16033
198d31bThanks @adampage! - Fixes a bug where the the roleimagewas incorrectly reported by audit tool bar.#15935
278828cThanks @oliverlynch! - Fixes cached assets failing to revalidate due to redirect check mishandling Not Modified responses.#16075
2c1ae85Thanks @florian-lefebvre! - Fixes a case where invalid URLs would be generated in development when using font families with an obliquestyleand angles#16062
87fd6a4Thanks @matthewp! - Warns on dev server startup when Vite 8 is detected at the top level of the user's project, and automatically adds a"overrides": { "vite": "^7" }entry topackage.jsonwhen runningastro add cloudflare. This prevents arequire_dist is not a functioncrash caused by a Vite version split between Astro (requires Vite 7) and packages like@tailwindcss/vitethat hoist Vite 8.Updated dependencies [
10a1a5a]:v6.0.8Compare Source
Patch Changes
#15978
6d182feThanks @seroperson! - Fixes a bug where Astro Actions didn't properly support nested object properties, causing problems when users used zod functions such assuperRefineordiscriminatedUnion.#16011
e752170Thanks @matthewp! - Fixes a dev server hang on the first request when using the Cloudflare adapter#15997
1fddff7Thanks @ematipico! - FixesAstro.rewrite()failing when the target path contains duplicate slashes (e.g.//about). The duplicate slashes are now collapsed before URL parsing, preventing them from being interpreted as a protocol-relative URL.v6.0.7Compare Source
Patch Changes
#15950
acce5e8Thanks @matthewp! - Fixes a build regression in projects with multiple frontend integrations whereserver:deferserver islands could fail at runtime when all pages are prerendered.#15988
c93b4a0Thanks @ossaidqadri! - Fix styles from dynamically imported components not being injected on first dev server load.#15968
3e7a9d5Thanks @chasemccoy! - FixesrenderMarkdownin custom content loaders not resolving images in markdown content. Images referenced in markdown processed byrenderMarkdownare now correctly optimized, matching the behavior of the built-inglob()loader.#15990
1e6017fThanks @ematipico! - Fixes an issue whereAstro.currentLocalewould always be the default locale instead of the actual one when using a dynamic route like[locale].astroor[locale]/index.astro. It now resolves to the correct locale from the URL.#15990
1e6017fThanks @ematipico! - Fixes an issue where visiting an invalid locale URL (e.g./asdf/) would show the content of a dynamic[locale]page with a 404 status code, instead of showing your custom 404 page. Now, the correct 404 page is rendered when the locale in the URL doesn't match any configured locale.#15960
1d84020Thanks @matthewp! - Fixes Cloudflare dev server islands withprerenderEnvironment: 'node'by sharing the serialized manifest encryption key across dev environments and routing server island requests through the SSR runtime.#15735
9685e2dThanks @fa-sharp! - Fixes an EventEmitter memory leak when serving static pages from Node.js middleware.When using the middleware handler, requests that were being passed on to Express / Fastify (e.g. static files / pre-rendered pages / etc.) weren't cleaning up socket listeners before calling
next(), causing a memory leak warning. This fix makes sure to run the cleanup before callingnext().v6.0.6Compare Source
Patch Changes
#15965
2dca307Thanks @matthewp! - Fixes client hydration for components imported through Node.js subpath imports (package.json#imports, e.g.#components/*), for example when using the Cloudflare adapter in development.#15770
6102ca2Thanks @jpc-ae! - Updates thecreate astrowelcome message to highlight the graceful dev/preview server quit command rather than the kill process shortcut#15953
7eddf22Thanks @Desel72! - fix(hmr): eagerly recompile on style-only change to prevent stale slots render#15916
5201ed4Thanks @trueberryless! - FixesInferLoaderSchematype inference for content collections defined with a loader that includes aschema#15864
d3c7de9Thanks @florian-lefebvre! - Removes temporary support for Node >=20.19.1 because Stackblitz now uses Node 22 by default#15944
a5e1acdThanks @fkatsuhiro! - Fixes SSR dynamic routes with.htmlextension (e.g.[slug].html.astro) not working#15937
d236245Thanks @ematipico! - Fixes an issue where HMR didn't correctly work on Windows when adding/changing/deleting routes inpages/.#15931
98dfb61Thanks @Strernd! - Fix skew protection query params not being applied to island hydrationcomponent-urlandrenderer-url, and ensure query params are appended safely for asset URLs with existing search/hash parts.Updated dependencies []:
v6.0.5Compare Source
Patch Changes
#15891
b889231Thanks @matthewp! - Fix dev routing forserver:deferislands when adapters opt into handling prerendered routes in Astro core. Server island requests are now treated as prerender-handler eligible so prerendered pages usingprerenderEnvironment: 'node'can load island content without400errors.#15890
765a887Thanks @matthewp! - Fixesastro:actionsvalidation to check resolved routes, so projects using default static output with at least oneprerender = falsepage or endpoint no longer fail during startup.#15884
dcd2c8eThanks @matthewp! - Avoid aMaxListenersExceededWarningduringastro devstartup by increasing the shared Vite watcher listener limit when attaching content server listeners.#15904
23d5244Thanks @jlukic! - Emit thebefore-hydrationscript chunk for theclientVite environment. The chunk was only emitted forprerenderandssrenvironments, causing a 404 when browsers tried to load it. This broke hydration for any integration usinginjectScript('before-hydration', ...), including Lit SSR.#15933
325901eThanks @ematipico! - Fixes an issue where<style>tags inside SVG components weren't correctly tracked when enabling CSP.#15875
c43ef8aThanks @matthewp! - Ensure custom prerenderers are always torn down during build, even whengetStaticPaths()throws.#15887
1861fedThanks @ematipico! - Fixes an issue where the build incorrectly leaked server entrypoint into the client environment, causing adapters to emit warnings during the build.#15888
925252eThanks @matthewp! - Fix a bug whereserver:defercould fail at runtime in prerendered pages for some adapters (including Cloudflare), causing errors likeserverIslandMap?.get is not a function.#15901
07c1002Thanks @delucis! - Fixes JSON schema generation for content collection schemas that have differences between their input and output shapes.#15882
759f946Thanks @matthewp! - FixAstro.url.pathnamefor the root page when usingbuild.format: "file"so it resolves to/index.htmlinstead of/.htmlduring builds.v6.0.4Compare Source
Patch Changes
#15870
920f10bThanks @matthewp! - Prebundleastro/toolbarin dev when custom dev toolbar apps are registered, preventing re-optimization reloads that can hide or break the toolbar.#15876
f47ac53Thanks @ematipico! - FixesredirectToDefaultLocaleproducing a protocol-relative URL (//locale) instead of an absolute path (/locale) whenbaseis'/'.#15767
e0042f7Thanks @matthewp! - Fixes server islands (server:defer) not working when only used in prerendered pages withoutput: 'server'.#15873
35841edThanks @matthewp! - Fix a dev server bug where newly created pages could miss layout-imported CSS until restart.#15874
ce0669dThanks @ematipico! - Fixes a warning when usingprefetchAll#15754
58f1d63Thanks @rururux! - Fixes a bug where a directory at the project root sharing the same name as a page route would cause the dev server to return a 404 instead of serving the page.#15869
76b3a5eThanks @matthewp! - Update the unknown file extension error hint to recommendvite.resolve.noExternal, which is the correct Vite 7 config key.v6.0.3Compare Source
Patch Changes
#15711
b2bd27bThanks @OliverSpeir! - Improves Astro core's dev environment handling for prerendered routes by ensuring route/CSS updates and prerender middleware behavior work correctly across both SSR and prerender environments.This enables integrations that use Astro's prerender dev environment (such as Cloudflare with
prerenderEnvironment: 'node') to get consistent route matching and HMR behavior during development.#15852
1cdaf9fThanks @ematipico! - Fixes a regression where the the routes emitted by theastro:build:donehook didn't have thedistURLarray correctly populated.#15765
ca76ff1Thanks @matthewp! - Hardens server island POST endpoint validation to use own-property checks for improved consistencyv6.0.2Compare Source
Patch Changes
95e12a2Thanks @Princesseuh! - Fixesreturn;syntax not working in the frontmatter correctly in certain contextsv6.0.1Compare Source
Patch Changes
a4c0d0bThanks @matthewp! - Fixesastro addso the tsconfig preview shows the actual pending changes before confirmationv6.0.0Compare Source
Major Changes
#14446
ece667aThanks @florian-lefebvre! - RemovesentryPointsonastro:build:ssrhook (Integration API) - (v6 upgrade guidance)#15535
dfe2e22Thanks @florian-lefebvre! - DeprecatesloadManifest()andloadApp()fromastro/app/node(Adapter API) - (v6 upgrade guidance)#15006
f361730Thanks @florian-lefebvre! - Removes sessiontestdriver - (v6 upgrade guidance)#15461
9f21b24Thanks @florian-lefebvre! - BREAKING CHANGE to the v6 beta Adapter API only: renamesentryTypetoentrypointResolutionand updates possible valuesAstro 6 introduced a way to let adapters have more control over the entrypoint by passing
entryType: 'self'tosetAdapter(). However during beta development, the name was unclear and confusing.entryTypeis now renamed toentrypointResolutionand its possible values are updated:legacy-dynamicbecomesexplicit.selfbecomesauto.If you are building an adapter with v6 beta and specifying
entryType, update it:setAdapter({ // ... - entryType: 'legacy-dynamic' + entrypointResolution: 'explicit' }) setAdapter({ // ... - entryType: 'self' + entrypointResolution: 'auto' })#14426
861b9ccThanks @florian-lefebvre! - Removes the deprecatedemitESMImage()function - (v6 upgrade guidance)#15006
f361730Thanks @florian-lefebvre! - Deprecates session driver string signature - (v6 upgrade guidance)#15180
8780ff2Thanks @Princesseuh! - Adds support for converting SVGs to raster images (PNGs, WebP, etc) to the default Sharp image service - (v6 upgrade guidance)#14446
ece667aThanks @florian-lefebvre! - Removesroutesonastro:build:donehook (Integration API) - (v6 upgrade guidance)#15424
33d6146Thanks @Princesseuh! - Throws an error whengetImage()fromastro:assetsis called on the client - (v6 upgrade guidance)#14462
9fdfd4cThanks @florian-lefebvre! - Removes the oldapp.render()signature (Adapter API) - (v6 upgrade guidance)#14956
0ff51dfThanks @matthewp! - Astro v6.0 upgrades to Zod v4 for schema validation - (v6 upgrade guidance)#14759
d7889f7Thanks @florian-lefebvre! - Updates how schema types are inferred for content loaders with schemas (Loader API) - (v6 upgrade guidance)#15192
ada2808Thanks @gameroman! - Removes support for CommonJS config files - (v6 upgrade guidance)#14462
9fdfd4cThanks @florian-lefebvre! - Removesprefetch()withoption - (v6 upgrade guidance)#14306
141c4a2Thanks @ematipico! - Removes support for routes with percent-encoded percent signs (e.g.%25) - (v6 upgrade guidance)#14432
b1d87ecThanks @florian-lefebvre! - DeprecatesAstroingetStaticPaths()- (v6 upgrade guidance)#14759
d7889f7Thanks @florian-lefebvre! - Removes the option to define dynamic schemas in content loaders as functions and adds a new equivalentcreateSchema()property (Loader API) - (v6 upgrade guidance)#14457
049da87Thanks @florian-lefebvre! - Updates trailing slash behavior of endpoint URLs - (v6 upgrade guidance)#14494
727b0a2Thanks @florian-lefebvre! - Updates Markdown heading ID generation - (v6 upgrade guidance)#14461
55a1a91Thanks @florian-lefebvre! - Deprecatesimport.meta.env.ASSETS_PREFIX- (v6 upgrade guidance)#14586
669ca5bThanks @ocavue! - Changes the values allowed inparamsreturned bygetStaticPaths()- (v6 upgrade guidance)#15668
1118ac4Thanks @florian-lefebvre! - Changes TypeScript configuration - (v6 upgrade guidance)#14421
df6d2d7Thanks @florian-lefebvre! - Removes the previously deprecatedAstro.glob()- (v6 upgrade guidance)#15049
beddfebThanks @Ntale3! - Removes the ability to render Astro components in Vitest client environments - ([v6 upgrade guidance](https://docs.astro.build/en/Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
Summary by CodeRabbit