search

sanity-io / sanity-template-astro-clean

Clean starter template with Astro
https://template-astro-clean.sanity.build/
119 stars 39 forks source link

chore(deps): update dependency astro to v4.16.1 [security] #57

Open renovate[bot] opened 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
astro (source) 4.11.3 -> 4.16.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-47885

Summary

A DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e., iframe tags with unsanitized name attributes) on the destination pages.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Astro

We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the <ViewTransitions /> component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an <a> link):

https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156

However, this implementation is vulnerable to a DOM Clobbering attack. The document.scripts lookup can be shadowed by an attacker injected non-script HTML elements (e.g., <img name="scripts"><img name="scripts">) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements.

The condition script.dataset.astroExec === '' on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require a type attribute.

Finally, the innerHTML of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the .innerHTML of an script element that leads to XSS.

PoC

Consider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g., form or iframe). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

For PoC website, please refer to: https://stackblitz.com/edit/github-4xgj2d. Clicking the "about" button in the menu will trigger an alert(1) from an attacker-injected form element.

---
import Header from "../components/Header.astro";
import Footer from "../components/Footer.astro";
import { ViewTransitions } from "astro:transitions";
import "../styles/global.css";
const { pageTitle } = Astro.props;
---
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <meta name="viewport" content="width=device-width" />
    <meta name="generator" content={Astro.generator} />
    <title>{pageTitle}</title>
    <ViewTransitions />
  </head>
  <body>
    <!--USER INPUT-->
    <iframe name="scripts">alert(1)</iframe>
    <iframe name="scripts">alert(1)</iframe>
    <!--USER INPUT-->

    <Header />
    <h1>{pageTitle}</h1>
    <slot />
    <Footer />
    <script>
      import "../scripts/menu.js";
    </script>
  </body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with ViewTransitions and store the user-inserted scriptless HTML tags without properly sanitizing the name attributes on the page.

Patch

We recommend replacing document.scripts with document.getElementsByTagName('script') for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging the name attribute.

Reference

Similar issues for reference:

Release Notes

withastro/astro (astro) ### [`v4.16.1`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4161) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.16.0...astro@4.16.1) ##### Patch Changes - [#​12177](https://redirect.github.com/withastro/astro/pull/12177) [`a4ffbfa`](https://redirect.github.com/withastro/astro/commit/a4ffbfaa5cb460c12bd486fd75e36147f51d3e5e) Thanks [@​matthewp](https://redirect.github.com/matthewp)! - Ensure we target scripts for execution in the router Using `document.scripts` is unsafe because if the application has a `name="scripts"` this will shadow the built-in `document.scripts`. Fix is to use `getElementsByTagName` to ensure we're only grabbing real scripts. - [#​12173](https://redirect.github.com/withastro/astro/pull/12173) [`2d10de5`](https://redirect.github.com/withastro/astro/commit/2d10de5f212323e6e19c7ea379826dcc18fe739c) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Fixes a bug where Astro Actions couldn't redirect to the correct pathname when there was a rewrite involved. ### [`v4.16.0`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4160) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.12...astro@4.16.0) ##### Minor Changes - [#​12039](https://redirect.github.com/withastro/astro/pull/12039) [`710a1a1`](https://redirect.github.com/withastro/astro/commit/710a1a11f488ff6ed3da6d3e0723b2322ccfe27b) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Adds a `markdown.shikiConfig.langAlias` option that allows [aliasing a non-supported code language to a known language](https://shiki.style/guide/load-lang#custom-language-aliases). This is useful when the language of your code samples is not [a built-in Shiki language](https://shiki.style/languages), but you want your Markdown source to contain an accurate language while also displaying syntax highlighting. The following example configures Shiki to highlight `cjs` code blocks using the `javascript` syntax highlighter: ```js import { defineConfig } from 'astro/config'; export default defineConfig({ markdown: { shikiConfig: { langAlias: { cjs: 'javascript', }, }, }, }); ``` Then in your Markdown, you can use the alias as the language for a code block for syntax highlighting: ````md ```cjs 'use strict'; function commonJs() { return 'I am a commonjs file'; } ``` ```` - [#​11984](https://redirect.github.com/withastro/astro/pull/11984) [`3ac2263`](https://redirect.github.com/withastro/astro/commit/3ac2263ff6070136bec9cffb863c38bcc31ccdfe) Thanks [@​chaegumi](https://redirect.github.com/chaegumi)! - Adds a new `build.concurreny` configuration option to specify the number of pages to build in parallel **In most cases, you should not change the default value of `1`.** Use this option only when other attempts to reduce the overall rendering time (e.g. batch or cache long running tasks like fetch calls or data access) are not possible or are insufficient. Use this option only if the refactors are not possible. If the number is set too high, the page rendering may slow down due to insufficient memory resources and because JS is single-threaded. > \[!WARNING] > This feature is stable and is not considered experimental. However, this feature is only intended to address difficult performance issues, and breaking changes may occur in a [minor release](https://docs.astro.build/en/upgrade-astro/#semantic-versioning) to keep this option as performant as possible. ```js // astro.config.mjs import { defineConfig } from 'astro'; export default defineConfig({ build: { concurrency: 2, }, }); ``` ##### Patch Changes - [#​12160](https://redirect.github.com/withastro/astro/pull/12160) [`c6fd1df`](https://redirect.github.com/withastro/astro/commit/c6fd1df695d0f2a24bb49e6954064f92664ccf67) Thanks [@​louisescher](https://redirect.github.com/louisescher)! - Fixes a bug where `astro.config.mts` and `astro.config.cts` weren't reloading the dev server upon modifications. - [#​12130](https://redirect.github.com/withastro/astro/pull/12130) [`e96bcae`](https://redirect.github.com/withastro/astro/commit/e96bcae535ef2f0661f539c1d49690c531df2d4e) Thanks [@​thehansys](https://redirect.github.com/thehansys)! - Fixes a bug in the parsing of `x-forwarded-\*` `Request` headers, where multiple values assigned to those headers were not correctly parsed. Now, headers like `x-forwarded-proto: https,http` are correctly parsed. - [#​12147](https://redirect.github.com/withastro/astro/pull/12147) [`9db755a`](https://redirect.github.com/withastro/astro/commit/9db755ab7cfe658ec426387e297bdcd32c4bc8de) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Skips setting statusMessage header for HTTP/2 response HTTP/2 doesn't support status message, so setting this was logging a warning. - [#​12151](https://redirect.github.com/withastro/astro/pull/12151) [`bb6d37f`](https://redirect.github.com/withastro/astro/commit/bb6d37f94a283433994f9243189cb4386df0e11a) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Fixes an issue where `Astro.currentLocale` wasn't incorrectly computed when the `defaultLocale` belonged to a custom locale path. - Updated dependencies \[[`710a1a1`](https://redirect.github.com/withastro/astro/commit/710a1a11f488ff6ed3da6d3e0723b2322ccfe27b)]: - [@​astrojs/markdown-remark](https://redirect.github.com/astrojs/markdown-remark)[@​5](https://redirect.github.com/5).3.0 ### [`v4.15.12`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#41512) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.11...astro@4.15.12) ##### Patch Changes - [#​12121](https://redirect.github.com/withastro/astro/pull/12121) [`2490ceb`](https://redirect.github.com/withastro/astro/commit/2490cebdb93f13ee552cffa72b2e274d64e6b4a7) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Support passing the values `Infinity` and `-Infinity` as island props. - [#​12118](https://redirect.github.com/withastro/astro/pull/12118) [`f47b347`](https://redirect.github.com/withastro/astro/commit/f47b347da899c6e1dcd0b2e7887f7fce6ec8e270) Thanks [@​Namchee](https://redirect.github.com/Namchee)! - Removes the `strip-ansi` dependency in favor of the native Node API - [#​12126](https://redirect.github.com/withastro/astro/pull/12126) [`6e1dfeb`](https://redirect.github.com/withastro/astro/commit/6e1dfeb76bec09d24928bab798c6ad3280f42e84) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Clear content layer cache when astro version changes - [#​12117](https://redirect.github.com/withastro/astro/pull/12117) [`a46839a`](https://redirect.github.com/withastro/astro/commit/a46839a5c818b7de63c36d0c7e27f1a8f3b773dc) Thanks [@​ArmandPhilippot](https://redirect.github.com/ArmandPhilippot)! - Updates Vite links to use their new domain - [#​12124](https://redirect.github.com/withastro/astro/pull/12124) [`499fbc9`](https://redirect.github.com/withastro/astro/commit/499fbc91a6bdad8c86ff13a8caf1fa09433796b9) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Allows special characters in Action names - [#​12123](https://redirect.github.com/withastro/astro/pull/12123) [`b8673df`](https://redirect.github.com/withastro/astro/commit/b8673df51c6cc4ce6a288f8eb609b7a438a07d82) Thanks [@​Princesseuh](https://redirect.github.com/Princesseuh)! - Fixes missing `body` property on CollectionEntry types for content layer entries - [#​12132](https://redirect.github.com/withastro/astro/pull/12132) [`de35daa`](https://redirect.github.com/withastro/astro/commit/de35daa8517555c1b9c72bc7fe9cc955c4997a83) Thanks [@​jcayzac](https://redirect.github.com/jcayzac)! - Updates the [`cookie`](https://npmjs.com/package/cookie) dependency to avoid the [CVE 2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764) vulnerability. - [#​12113](https://redirect.github.com/withastro/astro/pull/12113) [`a54e520`](https://redirect.github.com/withastro/astro/commit/a54e520d3c139fa123e7029c5933951b5c7f5a39) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Adds a helpful error when attempting to render an undefined collection entry ### [`v4.15.11`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#41511) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.10...astro@4.15.11) ##### Patch Changes - [#​12097](https://redirect.github.com/withastro/astro/pull/12097) [`11d447f`](https://redirect.github.com/withastro/astro/commit/11d447f66b1a0f39489c2600139ebfb565336ce7) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Fixes error where references in content layer schemas sometimes incorrectly report as missing - [#​12108](https://redirect.github.com/withastro/astro/pull/12108) [`918953b`](https://redirect.github.com/withastro/astro/commit/918953bd09f057131dfe029e810019c0909345cf) Thanks [@​lameuler](https://redirect.github.com/lameuler)! - Fixes a bug where [data URL images](https://developer.mozilla.org/en-US/docs/Web/URI/Schemes/data) were not correctly handled. The bug resulted in an `ENAMETOOLONG` error. - [#​12105](https://redirect.github.com/withastro/astro/pull/12105) [`42037f3`](https://redirect.github.com/withastro/astro/commit/42037f33e644d5a2bfba71377697fc7336ecb15b) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Returns custom statusText that has been set in a Response - [#​12109](https://redirect.github.com/withastro/astro/pull/12109) [`ea22558`](https://redirect.github.com/withastro/astro/commit/ea225585fd12d27006434266163512ca66ad572b) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Fixes a regression that was introduced by an internal refactor of how the middleware is loaded by the Astro application. The regression was introduced by [#​11550](https://redirect.github.com/withastro/astro/pull/11550). When the edge middleware feature is opted in, Astro removes the middleware function from the SSR manifest, and this wasn't taken into account during the refactor. - [#​12106](https://redirect.github.com/withastro/astro/pull/12106) [`d3a74da`](https://redirect.github.com/withastro/astro/commit/d3a74da19644477ffc81acf2a3efb26ad3335a5e) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Handles case where an immutable Response object is returned from an endpoint - [#​12090](https://redirect.github.com/withastro/astro/pull/12090) [`d49a537`](https://redirect.github.com/withastro/astro/commit/d49a537f2aaccd132154a15f1da4db471272ee90) Thanks [@​markjaquith](https://redirect.github.com/markjaquith)! - Server islands: changes the server island HTML placeholder comment so that it is much less likely to get removed by HTML minifiers. ### [`v4.15.10`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#41510) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.9...astro@4.15.10) ##### Patch Changes - [#​12084](https://redirect.github.com/withastro/astro/pull/12084) [`12dae50`](https://redirect.github.com/withastro/astro/commit/12dae50c776474748a80cb65c8bf1c67f0825cb0) Thanks [@​Princesseuh](https://redirect.github.com/Princesseuh)! - Adds missing filePath property on content layer entries - [#​12046](https://redirect.github.com/withastro/astro/pull/12046) [`d7779df`](https://redirect.github.com/withastro/astro/commit/d7779dfae7bc00ff94b1e4596ff5b4897f65aabe) Thanks [@​martrapp](https://redirect.github.com/martrapp)! - View transitions: Fixes Astro's fade animation to prevent flashing during morph transitions. - [#​12043](https://redirect.github.com/withastro/astro/pull/12043) [`1720c5b`](https://redirect.github.com/withastro/astro/commit/1720c5b1d2bfd106ad065833823aed622bee09bc) Thanks [@​bluwy](https://redirect.github.com/bluwy)! - Fixes injected endpoint `prerender` option detection - [#​12095](https://redirect.github.com/withastro/astro/pull/12095) [`76c5fbd`](https://redirect.github.com/withastro/astro/commit/76c5fbd6f3a8d41367f1d7033278d133d518213b) Thanks [@​TheOtterlord](https://redirect.github.com/TheOtterlord)! - Fix installing non-stable versions of integrations with `astro add` ### [`v4.15.9`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4159) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.8...astro@4.15.9) ##### Patch Changes - [#​12034](https://redirect.github.com/withastro/astro/pull/12034) [`5b3ddfa`](https://redirect.github.com/withastro/astro/commit/5b3ddfadcb2d09b6cbd9cd42641f30ca565d0f58) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Fixes an issue where the middleware wasn't called when a project uses `404.astro`. - [#​12042](https://redirect.github.com/withastro/astro/pull/12042) [`243ecb6`](https://redirect.github.com/withastro/astro/commit/243ecb6d6146dc483b4726d0e76142fb25e56243) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Fixes a problem in the Container API, where a polyfill wasn't correctly applied. This caused an issue in some environments where `crypto` isn't supported. - [#​12038](https://redirect.github.com/withastro/astro/pull/12038) [`26ea5e8`](https://redirect.github.com/withastro/astro/commit/26ea5e814ab8c973e683fff62389fda28c180940) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Resolves image paths in content layer with initial slash as project-relative When using the `image()` schema helper, previously paths with an initial slash were treated as public URLs. This was to match the behavior of markdown images. However this is a change from before, where paths with an initial slash were treated as project-relative. This change restores the previous behavior, so that paths with an initial slash are treated as project-relative. ### [`v4.15.8`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4158) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.7...astro@4.15.8) ##### Patch Changes - [#​12014](https://redirect.github.com/withastro/astro/pull/12014) [`53cb41e`](https://redirect.github.com/withastro/astro/commit/53cb41e30ea5768bf33d9f6be608fb57d31b7b9e) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Fixes an issue where component styles were not correctly included in rendered MDX - [#​12031](https://redirect.github.com/withastro/astro/pull/12031) [`8c0cae6`](https://redirect.github.com/withastro/astro/commit/8c0cae6d1bd70b332286d83d0f01cfce5272fbbe) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Fixes a bug where the rewrite via `next(/*..*/)` inside a middleware didn't compute the new `APIContext.params` - [#​12026](https://redirect.github.com/withastro/astro/pull/12026) [`40e7a1b`](https://redirect.github.com/withastro/astro/commit/40e7a1b05d9e5ea3fcda176c9663bbcff86edb63) Thanks [@​bluwy](https://redirect.github.com/bluwy)! - Initializes the Markdown processor only when there's `.md` files - [#​12028](https://redirect.github.com/withastro/astro/pull/12028) [`d3bd673`](https://redirect.github.com/withastro/astro/commit/d3bd673392e63720e241d6a002a131a3564c169c) Thanks [@​bluwy](https://redirect.github.com/bluwy)! - Handles route collision detection only if it matches `getStaticPaths` - [#​12027](https://redirect.github.com/withastro/astro/pull/12027) [`dd3b753`](https://redirect.github.com/withastro/astro/commit/dd3b753aba6400558671d85214e27b8e4fb1654b) Thanks [@​fviolette](https://redirect.github.com/fviolette)! - Add `selected` to the list of boolean attributes - [#​12001](https://redirect.github.com/withastro/astro/pull/12001) [`9be3e1b`](https://redirect.github.com/withastro/astro/commit/9be3e1bba789af96d8b21d9c8eca8542cfb4ff77) Thanks [@​uwej711](https://redirect.github.com/uwej711)! - Remove dependency on path-to-regexp ### [`v4.15.7`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4157) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.6...astro@4.15.7) ##### Patch Changes - [#​12000](https://redirect.github.com/withastro/astro/pull/12000) [`a2f8c5d`](https://redirect.github.com/withastro/astro/commit/a2f8c5d85ff15803f5cedf9148cd70ffc138ddef) Thanks [@​ArmandPhilippot](https://redirect.github.com/ArmandPhilippot)! - Fixes an outdated link used to document Content Layer API - [#​11915](https://redirect.github.com/withastro/astro/pull/11915) [`0b59fe7`](https://redirect.github.com/withastro/astro/commit/0b59fe74d5922c572007572ddca8d11482e2fb5c) Thanks [@​azhirov](https://redirect.github.com/azhirov)! - Fix: prevent island from re-rendering when using transition:persist ([#​11854](https://redirect.github.com/withastro/astro/issues/11854)) ### [`v4.15.6`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4156) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.5...astro@4.15.6) ##### Patch Changes - [#​11993](https://redirect.github.com/withastro/astro/pull/11993) [`ffba5d7`](https://redirect.github.com/withastro/astro/commit/ffba5d716edcdfc42899afaa4188b7a4cd0c91eb) Thanks [@​matthewp](https://redirect.github.com/matthewp)! - Fix getStaticPaths regression This reverts a previous change meant to remove a dependency, to fix a regression with multiple nested spread routes. - [#​11964](https://redirect.github.com/withastro/astro/pull/11964) [`06eff60`](https://redirect.github.com/withastro/astro/commit/06eff60cabb55d91fe4075421b1693b1ab33225c) Thanks [@​TheOtterlord](https://redirect.github.com/TheOtterlord)! - Add wayland (wl-copy) support to `astro info` ### [`v4.15.5`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4155) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.4...astro@4.15.5) ##### Patch Changes - [#​11939](https://redirect.github.com/withastro/astro/pull/11939) [`7b09c62`](https://redirect.github.com/withastro/astro/commit/7b09c62b565cd7b50c35fb68d390729f936a43fb) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Adds support for Zod discriminated unions on Action form inputs. This allows forms with different inputs to be submitted to the same action, using a given input to decide which object should be used for validation. This example accepts either a `create` or `update` form submission, and uses the `type` field to determine which object to validate against. ```ts import { defineAction } from 'astro:actions'; import { z } from 'astro:schema'; export const server = { changeUser: defineAction({ accept: 'form', input: z.discriminatedUnion('type', [ z.object({ type: z.literal('create'), name: z.string(), email: z.string().email(), }), z.object({ type: z.literal('update'), id: z.number(), name: z.string(), email: z.string().email(), }), ]), async handler(input) { if (input.type === 'create') { // input is { type: 'create', name: string, email: string } } else { // input is { type: 'update', id: number, name: string, email: string } } }, }), }; ``` The corresponding `create` and `update` forms may look like this: ### [`v4.15.4`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4154) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.3...astro@4.15.4) ##### Patch Changes - [#​11879](https://redirect.github.com/withastro/astro/pull/11879) [`bd1d4aa`](https://redirect.github.com/withastro/astro/commit/bd1d4aaf8262187b4f132d7fe0365902131ddf1a) Thanks [@​matthewp](https://redirect.github.com/matthewp)! - Allow passing a cryptography key via ASTRO_KEY For Server islands Astro creates a cryptography key in order to hash props for the islands, preventing accidental leakage of secrets. If you deploy to an environment with rolling updates then there could be multiple instances of your app with different keys, causing potential key mismatches. To fix this you can now pass the `ASTRO_KEY` environment variable to your build in order to reuse the same key. To generate a key use: astro create-key This will print out an environment variable to set like: ASTRO_KEY=PIAuyPNn2aKU/bviapEuc/nVzdzZPizKNo3OqF/5PmQ= - [#​11935](https://redirect.github.com/withastro/astro/pull/11935) [`c58193a`](https://redirect.github.com/withastro/astro/commit/c58193a691775af5c568e461c63040a42e2471f7) Thanks [@​Princesseuh](https://redirect.github.com/Princesseuh)! - Fixes `astro add` not using the proper export point when adding certain adapters ### [`v4.15.3`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4153) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.2...astro@4.15.3) ##### Patch Changes - [#​11902](https://redirect.github.com/withastro/astro/pull/11902) [`d63bc50`](https://redirect.github.com/withastro/astro/commit/d63bc50d9940c1107e0fee7687e5c332549a0eff) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Fixes case where content layer did not update during clean dev builds on Linux and Windows - [#​11886](https://redirect.github.com/withastro/astro/pull/11886) [`7ff7134`](https://redirect.github.com/withastro/astro/commit/7ff7134b8038a3b798293b2218bbf6dd02d2ac32) Thanks [@​matthewp](https://redirect.github.com/matthewp)! - Fixes a missing error message when actions throws during `astro sync` - [#​11904](https://redirect.github.com/withastro/astro/pull/11904) [`ca54e3f`](https://redirect.github.com/withastro/astro/commit/ca54e3f819fad009ac3c3c8b57a26014a2652a73) Thanks [@​wtchnm](https://redirect.github.com/wtchnm)! - perf(assets): avoid downloading original image when using cache ### [`v4.15.2`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4152) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.1...astro@4.15.2) ##### Patch Changes - [#​11870](https://redirect.github.com/withastro/astro/pull/11870) [`8e5257a`](https://redirect.github.com/withastro/astro/commit/8e5257addaeff809ed6f0c47ac0ed4ded755320e) Thanks [@​ArmandPhilippot](https://redirect.github.com/ArmandPhilippot)! - Fixes typo in documenting the `fallbackType` property in i18n routing - [#​11884](https://redirect.github.com/withastro/astro/pull/11884) [`e450704`](https://redirect.github.com/withastro/astro/commit/e45070459f18976400fc8939812e172781eba351) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Correctly handles content layer data where the transformed value does not match the input schema - [#​11900](https://redirect.github.com/withastro/astro/pull/11900) [`80b4a18`](https://redirect.github.com/withastro/astro/commit/80b4a181a077266c44065a737e61cc7cff6bc6d7) Thanks [@​delucis](https://redirect.github.com/delucis)! - Fixes the user-facing type of the new `i18n.routing.fallbackType` option to be optional ### [`v4.15.1`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4151) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.0...astro@4.15.1) ##### Patch Changes - [#​11872](https://redirect.github.com/withastro/astro/pull/11872) [`9327d56`](https://redirect.github.com/withastro/astro/commit/9327d56755404b481993b058bbfc4aa7880b2304) Thanks [@​bluwy](https://redirect.github.com/bluwy)! - Fixes `astro add` importing adapters and integrations - [#​11767](https://redirect.github.com/withastro/astro/pull/11767) [`d1bd1a1`](https://redirect.github.com/withastro/astro/commit/d1bd1a11f7aca4d2141d1c4665f2db0440393d03) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Refactors content layer sync to use a queue ### [`v4.15.0`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4150) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.14.6...astro@4.15.0) ##### Minor Changes - [#​11729](https://redirect.github.com/withastro/astro/pull/11729) [`1c54e63`](https://redirect.github.com/withastro/astro/commit/1c54e633274ad47f6c83c9a16f375f0caa983fbe) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Adds a new variant `sync` for the `astro:config:setup` hook's `command` property. This value is set when calling the command `astro sync`. If your integration previously relied on knowing how many variants existed for the `command` property, you must update your logic to account for this new option. - [#​11743](https://redirect.github.com/withastro/astro/pull/11743) [`cce0894`](https://redirect.github.com/withastro/astro/commit/cce08945340312776a0480fc9ffe43929257639a) Thanks [@​ph1p](https://redirect.github.com/ph1p)! - Adds a new, optional property `timeout` for the `client:idle` directive. This value allows you to specify a maximum time to wait, in milliseconds, before hydrating a UI framework component, even if the page is not yet done with its initial load. This means you can delay hydration for lower-priority UI elements with more control to ensure your element is interactive within a specified time frame. ```astro ``` - [#​11677](https://redirect.github.com/withastro/astro/pull/11677) [`cb356a5`](https://redirect.github.com/withastro/astro/commit/cb356a5db6b1ec2799790a603f931a961883ab31) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Adds a new option `fallbackType` to `i18n.routing` configuration that allows you to control how fallback pages are handled. When `i18n.fallback` is configured, this new routing option controls whether to [redirect](https://docs.astro.build/en/guides/routing/#redirects) to the fallback page, or to [rewrite](https://docs.astro.build/en/guides/routing/#rewrites) the fallback page's content in place. The `"redirect"` option is the default value and matches the current behavior of the existing fallback system. The option `"rewrite"` uses the new [rewriting system](https://docs.astro.build/en/guides/routing/#rewrites) to create fallback pages that render content on the original, requested URL without a browser refresh. For example, the following configuration will generate a page `/fr/index.html` that will contain the same HTML rendered by the page `/en/index.html` when `src/pages/fr/index.astro` does not exist. ```js // astro.config.mjs export default defineConfig({ i18n: { locals: ['en', 'fr'], defaultLocale: 'en', routing: { prefixDefaultLocale: true, fallbackType: 'rewrite', }, fallback: { fr: 'en', }, }, }); ``` - [#​11708](https://redirect.github.com/withastro/astro/pull/11708) [`62b0d20`](https://redirect.github.com/withastro/astro/commit/62b0d20b974dc932769221d210b751627fb4bbc6) Thanks [@​martrapp](https://redirect.github.com/martrapp)! - Adds a new object `swapFunctions` to expose the necessary utility functions on `astro:transitions/client` that allow you to build custom swap functions to be used with view transitions. The example below uses these functions to replace Astro's built-in default `swap` function with one that only swaps the `
` part of the page: ```html ``` See the [view transitions guide](https://docs.astro.build/en/guides/view-transitions/#astrobefore-swap) for more information about hooking into the `astro:before-swap` lifecycle event and adding a custom swap implementation. - [#​11843](https://redirect.github.com/withastro/astro/pull/11843) [`5b4070e`](https://redirect.github.com/withastro/astro/commit/5b4070efef877a77247bb05a4806b75f22e557c8) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Exposes `z` from the new `astro:schema` module. This is the new recommended import source for all Zod utilities when using Astro Actions. ### [`v4.14.6`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4146) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.14.5...astro@4.14.6) ##### Patch Changes - [#​11847](https://redirect.github.com/withastro/astro/pull/11847) [`45b599c`](https://redirect.github.com/withastro/astro/commit/45b599c4d40ded6a3e03881181b441ae494cbfcf) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Fixes a case where Vite would be imported by the SSR runtime, causing bundling errors and bloat. - [#​11822](https://redirect.github.com/withastro/astro/pull/11822) [`6fcaab8`](https://redirect.github.com/withastro/astro/commit/6fcaab84de1044ff4d186b2dfa5831964460062d) Thanks [@​bluwy](https://redirect.github.com/bluwy)! - Marks internal `vite-plugin-fileurl` plugin with `enforce: 'pre'` - [#​11713](https://redirect.github.com/withastro/astro/pull/11713) [`497324c`](https://redirect.github.com/withastro/astro/commit/497324c4e87538dc1dc13aea3ced9bd3642d9ba6) Thanks [@​voidfill](https://redirect.github.com/voidfill)! - Prevents prefetching of the same urls with different hashes. - [#​11814](https://redirect.github.com/withastro/astro/pull/11814) [`2bb72c6`](https://redirect.github.com/withastro/astro/commit/2bb72c63969f8f21dd279fa927c32f192ff79a3f) Thanks [@​eduardocereto](https://redirect.github.com/eduardocereto)! - Updates the documentation for experimental Content Layer API with a corrected code example - [#​11842](https://redirect.github.com/withastro/astro/pull/11842) [`1ffaae0`](https://redirect.github.com/withastro/astro/commit/1ffaae04cf790390f730bf900b9722b99642adc1) Thanks [@​stephan281094](https://redirect.github.com/stephan281094)! - Fixes a typo in the `MissingImageDimension` error message - [#​11828](https://redirect.github.com/withastro/astro/pull/11828) [`20d47aa`](https://redirect.github.com/withastro/astro/commit/20d47aa85a3a0d7ac3390f749715d92de830cf3e) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Improves error message when invalid data is returned by an Action. ### [`v4.14.5`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4145) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.14.4...astro@4.14.5) ##### Patch Changes - [#​11809](https://redirect.github.com/withastro/astro/pull/11809) [`62e97a2`](https://redirect.github.com/withastro/astro/commit/62e97a20f72bacb017c633ddcb776abc89167660) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Fixes usage of `.transform()`, `.refine()`, `.passthrough()`, and other effects on Action form inputs. - [#​11812](https://redirect.github.com/withastro/astro/pull/11812) [`260c4be`](https://redirect.github.com/withastro/astro/commit/260c4be050f91353bc5ba6af073e7bc17429d552) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Exposes `ActionAPIContext` type from the `astro:actions` module. - [#​11813](https://redirect.github.com/withastro/astro/pull/11813) [`3f7630a`](https://redirect.github.com/withastro/astro/commit/3f7630afd697809b1d4fbac6edd18153983c70ac) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Fixes unexpected `undefined` value when calling an action from the client without a return value. ### [`v4.14.4`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4144) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.14.3...astro@4.14.4) ##### Patch Changes - [#​11794](https://redirect.github.com/withastro/astro/pull/11794) [`3691a62`](https://redirect.github.com/withastro/astro/commit/3691a626fb67d617e5f8bd057443cd2ff6caa054) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Fixes unexpected warning log when using Actions on "hybrid" rendered projects. - [#​11801](https://redirect.github.com/withastro/astro/pull/11801) [`9f943c1`](https://redirect.github.com/withastro/astro/commit/9f943c1344671b569a0d1ddba683b3cca0068adc) Thanks [@​delucis](https://redirect.github.com/delucis)! - Fixes a bug where the `filePath` property was not available on content collection entries when using the content layer `file()` loader with a JSON file that contained an object instead of an array. This was breaking use of the `image()` schema utility among other things. ### [`v4.14.3`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4143) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.14.2...astro@4.14.3) ##### Patch Changes - [#​11780](https://redirect.github.com/withastro/astro/pull/11780) [`c6622ad`](https://redirect.github.com/withastro/astro/commit/c6622adaeb405e961b12c91f0e5d02c7333d01cf) Thanks [@​Princesseuh](https://redirect.github.com/Princesseuh)! - Deprecates the Squoosh image service, to be removed in Astro 5.0. We recommend migrating to the default Sharp service. - [#​11790](https://redirect.github.com/withastro/astro/pull/11790) [`41c3fcb`](https://redirect.github.com/withastro/astro/commit/41c3fcb6189709450a67ea8f726071d5f3cdc80e) Thanks [@​sarah11918](https://redirect.github.com/sarah11918)! - Updates the documentation for experimental `astro:env` with a corrected link to the RFC proposal - [#​11773](https://redirect.github.com/withastro/astro/pull/11773) [`86a3391`](https://redirect.github.com/withastro/astro/commit/86a33915ff41b23ff6b35bcfb1805fefc0760ca7) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Changes messages logged when using unsupported, deprecated, or experimental adapter features for clarity - [#​11745](https://redirect.github.com/withastro/astro/pull/11745) [`89bab1e`](https://redirect.github.com/withastro/astro/commit/89bab1e70786123fbe933a9d7a1b80c9334dcc5f) Thanks [@​bluwy](https://redirect.github.com/bluwy)! - Prints prerender dynamic value usage warning only if it's used - [#​11774](https://redirect.github.com/withastro/astro/pull/11774) [`c6400ab`](https://redirect.github.com/withastro/astro/commit/c6400ab99c5e5f4477bc6ef7e801b7869b0aa9ab) Thanks [@​florian-lefebvre](https://redirect.github.com/florian-lefebvre)! - Fixes the path returned by `injectTypes` - [#​11730](https://redirect.github.com/withastro/astro/pull/11730) [`2df49a6`](https://redirect.github.com/withastro/astro/commit/2df49a6fb4f6d92fe45f7429430abe63defeacd6) Thanks [@​florian-lefebvre](https://redirect.github.com/florian-lefebvre)! - Simplifies path operations of `astro sync` - [#​11771](https://redirect.github.com/withastro/astro/pull/11771) [`49650a4`](https://redirect.github.com/withastro/astro/commit/49650a45550af46c70c6cf3f848b7b529103a649) Thanks [@​florian-lefebvre](https://redirect.github.com/florian-lefebvre)! - Fixes an error thrown by `astro sync` when an `astro:env` virtual module is imported inside the Content Collections config - [#​11744](https://redirect.github.com/withastro/astro/pull/11744) [`b677429`](https://redirect.github.com/withastro/astro/commit/b67742961a384c10e5cd04cf5b02d0f014ea7362) Thanks [@​bluwy](https://redirect.github.com/bluwy)! - Disables the WebSocket server when creating a Vite server for loading config files ### [`v4.14.2`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4142) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.14.1...astro@4.14.2) ##### Patch Changes - [#​11733](https://redirect.github.com/withastro/astro/pull/11733) [`391324d`](https://redirect.github.com/withastro/astro/commit/391324df969db71d1c7ca25c2ed14c9eb6eea5ee) Thanks [@​bluwy](https://redirect.github.com/bluwy)! - Reverts back to `yargs-parser` package for CLI argument parsing ### [`v4.14.1`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4141) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.14.0...astro@4.14.1) ##### Patch Changes - [#​11725](https://redirect.github.com/withastro/astro/pull/11725) [`6c1560f`](https://redirect.github.com/withastro/astro/commit/6c1560fb0d19ce659bc9f9090f8050254d5c03f3) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Prevents content layer importing node builtins in runtime - [#​11692](https://redirect.github.com/withastro/astro/pull/11692) [`35af73a`](https://redirect.github.com/withastro/astro/commit/35af73aace97a7cc898b9aa5040db8bc2ac62687) Thanks [@​matthewp](https://redirect.github.com/matthewp)! - Prevent errant HTML from crashing server islands When an HTML minifier strips away the server island comment, the script can't correctly know where the end of the fallback content is. This makes it so that it simply doesn't remove any DOM in that scenario. This means the fallback isn't removed, but it also doesn't crash the browser. - [#​11727](https://redirect.github.com/withastro/astro/pull/11727) [`3c2f93b`](https://redirect.github.com/withastro/astro/commit/3c2f93b66c6b8e9d2ab58e2cbe941c14ffab89b5) Thanks [@​florian-lefebvre](https://redirect.github.com/florian-lefebvre)! - Fixes a type issue when using the Content Layer in dev ### [`v4.14.0`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4140) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.13.4...astro@4.14.0) ##### Minor Changes - [#​11657](https://redirect.github.com/withastro/astro/pull/11657) [`a23c69d`](https://redirect.github.com/withastro/astro/commit/a23c69d0d0bed229bee52a32e61f135f9ebf9122) Thanks [@​bluwy](https://redirect.github.com/bluwy)! - Deprecates the option for route-generating files to export a dynamic value for `prerender`. Only static values are now supported (e.g. `export const prerender = true` or `= false`). This allows for better treeshaking and bundling configuration in the future. Adds a new [`"astro:route:setup"` hook](https://docs.astro.build/en/reference/integrations-reference/#astroroutesetup) to the Integrations API to allow you to dynamically set options for a route at build or request time through an integration, such as enabling [on-demand server rendering](https://docs.astro.build/en/guides/server-side-rendering/#opting-in-to-pre-rendering-in-server-mode). To migrate from a dynamic export to the new hook, update or remove any dynamic `prerender` exports from individual routing files: ```diff // src/pages/blog/[slug].astro - export const prerender = import.meta.env.PRERENDER ``` Instead, create an integration with the `"astro:route:setup"` hook and update the route's `prerender` option: ```js // astro.config.mjs import { defineConfig } from 'astro/config'; import { loadEnv } from 'vite'; export default defineConfig({ integrations: [setPrerender()], }); function setPrerender() { const { PRERENDER } = loadEnv(process.env.NODE_ENV, process.cwd(), ''); return { name: 'set-prerender', hooks: { 'astro:route:setup': ({ route }) => { if (route.component.endsWith('/blog/[slug].astro')) { route.prerender = PRERENDER; } }, }, }; } ``` - [#​11360](https://redirect.github.com/withastro/astro/pull/11360) [`a79a8b0`](https://redirect.github.com/withastro/astro/commit/a79a8b0230b06ed32ce1802f2a5f84a6cf92dbe7) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Adds a new [`injectTypes()` utility](https://docs.astro.build/en/reference/integrations-reference/#injecttypes-options) to the Integration API and refactors how type generation works Use `injectTypes()` in the `astro:config:done` hook to inject types into your user's project by adding a new a `*.d.ts` file. The `filename` property will be used to generate a file at `/.astro/integrations//.d.ts` and must end with `".d.ts"`. The `content` property will create the body of the file, and must be valid TypeScript. Additionally, `injectTypes()` returns a URL to the normalized path so you can overwrite its content later on, or manipulate it in any way you want. ```js // my-integration/index.js export default { name: 'my-integration', 'astro:config:done': ({ injectTypes }) => { injectTypes({ filename: 'types.d.ts', content: "declare module 'virtual:my-integration' {}", }); }, }; ``` Codegen has been refactored. Although `src/env.d.ts` will continue to work as is, we recommend you update it: ```diff - /// + /// - /// - /// ``` - [#​11605](https://redirect.github.com/withastro/astro/pull/11605) [`d3d99fb`](https://redirect.github.com/withastro/astro/commit/d3d99fba269da9e812e748539a11dfed785ef8a4) Thanks [@​jcayzac](https://redirect.github.com/jcayzac)! - Adds a new property `meta` to Astro's [built-in `` component](https://docs.astro.build/en/reference/api-reference/#code-). This allows you to provide a value for [Shiki's `meta` attribute](https://shiki.style/guide/transformers#meta) to pass options to transformers. The following example passes an option to highlight lines 1 and 3 to Shiki's `tranformerMetaHighlight`: ### [`v4.13.4`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4134) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.13.3...astro@4.13.4) ##### Patch Changes - [#​11678](https://redirect.github.com/withastro/astro/pull/11678) [`34da907`](https://redirect.github.com/withastro/astro/commit/34da907f3b4fb411024e6d28fdb291fa78116950) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Fixes a case where omitting a semicolon and line ending with carriage return - CRLF - in the `prerender` option could throw an error. - [#​11535](https://redirect.github.com/withastro/astro/pull/11535) [`932bd2e`](https://redirect.github.com/withastro/astro/commit/932bd2eb07f1d7cb2c91e7e7d31fe84c919e302b) Thanks [@​matthewp](https://redirect.github.com/matthewp)! - Encrypt server island props Server island props are now encrypted with a key generated at build-time. This is intended to prevent accidentally leaking secrets caused by exposing secrets through prop-passing. This is not intended to allow a server island to be trusted to skip authentication, or to protect against any other vulnerabilities other than secret leakage. See the RFC for an explanation: https://github.com/withastro/roadmap/blob/server-islands/proposals/server-islands.md#props-serialization - [#​11655](https://redirect.github.com/withastro/astro/pull/11655) [`dc0a297`](https://redirect.github.com/withastro/astro/commit/dc0a297e2a4bea3db8310cc98c51b2f94ede5fde) Thanks [@​billy-le](https://redirect.github.com/billy-le)! - Fixes Astro Actions `input` validation when using `default` values with a form input. - [#​11689](https://redirect.github.com/withastro/astro/pull/11689) [`c7bda4c`](https://redirect.github.com/withastro/astro/commit/c7bda4cd672864babc3cebd19a2dd2e1af85c087) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Fixes an issue in the Astro actions, where the size of the generated cookie was exceeding the size permitted by the `Set-Cookie` header. ### [`v4.13.3`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4133) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.13.2...astro@4.13.3) ##### Patch Changes - [#​11653](https://redirect.github.com/withastro/astro/pull/11653) [`32be549`](https://redirect.github.com/withastro/astro/commit/32be5494f6d33dbe32208704405162c95a64f0bc) Thanks [@​florian-lefebvre](https://redirect.github.com/florian-lefebvre)! - Updates `astro:env` docs to reflect current developments and usage guidance - [#​11658](https://redirect.github.com/withastro/astro/pull/11658) [`13b912a`](https://redirect.github.com/withastro/astro/commit/13b912a8702afb96e2d0bc20dcc1b4135ae58147) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Fixes `orThrow()` type when calling an Action without an `input` validator. - [#​11603](https://redirect.github.com/withastro/astro/pull/11603) [`f31d466`](https://redirect.github.com/withastro/astro/commit/f31d4665c1cbb0918b9e00ba1431fb6f264025f7) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Improves user experience when render an Action result from a form POST request: - Removes "Confirm post resubmission?" dialog when refreshing a result. - Removes the `?_astroAction=NAME` flag when a result is rendered. Also improves the DX of directing to a new route on success. Actions will now redirect to the route specified in your `action` string on success, and redirect back to the previous page on error. This follows the routing convention of established backend frameworks like Laravel. For example, say you want to redirect to a `/success` route when `actions.signup` succeeds. You can add `/success` to your `action` string like so: ```astro
``` - On success, Astro will redirect to `/success`. - On error, Astro will redirect back to the current page. You can retrieve the action result from either page using the `Astro.getActionResult()` function. ##### Note on security This uses a temporary cookie to forward the action result to the next page. The cookie will be deleted when that page is rendered. ⚠ **The action result is not encrypted.** In general, we recommend returning minimal data from an action handler to a) avoid leaking sensitive information, and b) avoid unexpected render issues once the temporary cookie is deleted. For example, a `login` function may return a user's session id to retrieve from your Astro frontmatter, rather than the entire user object. ### [`v4.13.2`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4132) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.13.1...astro@4.13.2) ##### Patch Changes - [#​11648](https://redirect.github.com/withastro/astro/pull/11648) [`589d351`](https://redirect.github.com/withastro/astro/commit/589d35158da1a2136387d0ad76609f5c8535c03a) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Fixes unexpected error when refreshing a POST request from a form using Actions. - [#​11600](https://redirect.github.com/withastro/astro/pull/11600) [`09ec2ca`](https://redirect.github.com/withastro/astro/commit/09ec2cadce01a9a1f9c54ac433f137348907aa56) Thanks [@​ArmandPhilippot](https://redirect.github.com/ArmandPhilippot)! - Deprecates `getEntryBySlug` and `getDataEntryById` functions exported by `astro:content` in favor of `getEntry`. - [#​11593](https://redirect.github.com/withastro/astro/pull/11593) [`81d7150`](https://redirect.github.com/withastro/astro/commit/81d7150e02472430eab555dfc4f053738bf99bb6) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Adds support for `Date()`, `Map()`, and `Set()` from action results. See [devalue](https://redirect.github.com/Rich-Harris/devalue) for a complete list of supported values. Also fixes serialization exceptions when deploying Actions with edge middleware on Netlify and Vercel. - [#​11617](https://redirect.github.com/withastro/astro/pull/11617) [`196092a`](https://redirect.github.com/withastro/astro/commit/196092ae69eb1249206846ddfc162049b03f42b4) Thanks [@​abubakriz](https://redirect.github.com/abubakriz)! - Fix toolbar audit incorrectly flagging images as above the fold. - [#​11634](https://redirect.github.com/withastro/astro/pull/11634) [`2716f52`](https://redirect.github.com/withastro/astro/commit/2716f52aae7194439ebb2336849ddd9e8226658a) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Fixes internal server error when calling an Astro Action without arguments on Vercel. - [#​11628](https://redirect.github.com/withastro/astro/pull/11628) [`9aaf58c`](https://redirect.github.com/withastro/astro/commit/9aaf58c1339b54f2c1394e718a0f6f609f0b6342) Thanks [@​madbook](https://redirect.github.com/madbook)! - Ensures consistent CSS chunk hashes across different environments ### [`v4.13.1`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4131) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.13.0...astro@4.13.1) ##### Patch Changes - [#​11584](https://redirect.github.com/withastro/astro/pull/11584) [`a65ffe3`](https://redirect.github.com/withastro/astro/commit/a65ffe314b112213421def26c7cc5b7e7b93558c) Thanks [@​bholmesdev](https://redirect.github.com/bholmesdev)! - Removes async local storage dependency from Astro Actions. This allows Actions to run in Cloudflare and Stackblitz without opt-in flags or other configuration. This also introduces a new convention for calling actions from server code. Instead of calling actions directly, you must wrap function calls with the new `Astro.callAction()` utility. > `callAction()` is meant to *trigger* an action from server code. `getActionResult()` usage with form submissions remains unchanged. ### [`v4.13.0`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4130) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.12.3...astro@4.13.0) ##### Minor Changes - [#​11507](https://redirect.github.com/withastro/astro/pull/11507) [`a62345f`](https://redirect.github.com/withastro/astro/commit/a62345fd182ae4886d586c8406ed8f3e5f942730) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Adds color-coding to the console output during the build to highlight slow pages. Pages that take more than 500 milliseconds to render will have their build time logged in red. This change can help you discover pages of your site that are not performant and may need attention. - [#​11379](https://redirect.github.com/withastro/astro/pull/11379) [`e5e2d3e`](https://redirect.github.com/withastro/astro/commit/e5e2d3ed3076f10b4645f011b13888d5fa16e92e) Thanks [@​alexanderniebuhr](https://redirect.github.com/alexanderniebuhr)! - The `experimental.contentCollectionJsonSchema` feature introduced behind a flag in [v4.5.0](https://redirect.github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md#450) is no longer experimental and is available for general use. If you are working with

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

vercel[bot] commented 1 month ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
template-astro-clean ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 14, 2024 10:17pm
socket-security[bot] commented 1 month ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/astro@4.16.1 Transitive: environment, eval, filesystem, network, shell +359 468 MB fredkschott, matthewp, natemoo-re
npm/vite@5.4.9 Transitive: environment, filesystem, network, shell +64 282 MB antfu, patak, soda, ...2 more

🚮 Removed packages: npm/astro@4.11.3, npm/vite@5.3.2

View full report↗︎