fix(deps): update dependency astro to v5 [security] - autoclosed #33

Closed
wants to merge 1 commit into from

@renovate renovate bot commented Dec 21, 2024

This PR contains the following updates:

Package | Change
astro (source) | ^1.0.0-beta.2 -> ^5.0.0

GitHub Vulnerability Alerts

CVE-2024-56140

Summary

A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.

Details

When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)

For example, with the following Astro configuration:

// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';

export default defineConfig({
	output: 'server',
	security: { checkOrigin: true },
	adapter: node({ mode: 'standalone' }),
});

A request like the following would be blocked if made from a different origin:

// fetch API or <form action="https://test.example.com/" method="POST">
fetch('https://test.example.com/', {
	method: 'POST',
	credentials: 'include',
	body: 'a=b',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
});
// => Cross-site POST form submissions are forbidden

However, a vulnerability exists that can bypass this security.

Pattern 1: Requests with a semicolon after the Content-Type

A semicolon-delimited parameter is allowed after the type in Content-Type.

Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.

fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: 'test',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded; abc' },
});
// => Server-side functions are executed (Response Code 200).

Pattern 2: Request without Content-Type header

The Content-Type header is not required for a request. The following examples are sent without a Content-Type header, resulting in CSRF.

// Pattern 2.1 Request without body
fetch('http://test.example.com', { method: 'POST', credentials: 'include' });

// Pattern 2.2 Blob object without type
fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: new Blob(['a=b'], {}),
});

Impact

Bypass CSRF protection implemented with CSRF middleware.

Note

Even with credentials: 'include', browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.

CVE-2024-56159

Summary

A bug in the build process allows any unauthenticated user to read parts of the server source code.

Details

During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder.
https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139

Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website.

While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in src/pages) are predictably named. For example, the sourcemap file for src/pages/index.astro gets named dist/client/pages/index.astro.mjs.map.

PoC

Here is one example of an affected open-source website:
https://creatorsgarten.org/pages/index.astro.mjs.map

The file can be saved and opened using https://evanw.github.io/source-map-visualization/ to reconstruct the source code.

The above accurately mirrors the source code as seen in the repository: https://github.com/creatorsgarten/creatorsgarten.org/blob/main/src/pages/index.astro

The above was found as the 4th result (and the first one on Astro 5.0+) when making the following search query on GitHub.com (search results link):

path:astro.config.mjs @sentry/astro

This vulnerability is the root cause of https://github.com/withastro/astro/issues/12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the dist/client (referred to as config.build.client in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains .map files corresponding to the code that runs on the server.

Impact

All server-output (SSR) projects on Astro 5 versions v5.0.3 through v5.0.6 (inclusive), that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in astro@5.0.7.

Additionally, all static-output (SSG) projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.7 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in astro@5.0.8, and backported to Astro v4 in astro@4.16.18.

The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code.

There is no immediate loss of integrity within the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code.

There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability.

  • Network attack vector.
  • Low attack complexity.
  • No privileges required.
  • No interaction required from an authorized user.
  • Scope is limited to first party, although the source code of closed-source third-party software may also be exposed.

Remediation

The fix for server-output projects was released in astro@5.0.7, and the fix for static-output projects was released in astro@5.0.8 and backported to Astro v4 in astro@4.16.18. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.


Release Notes

withastro/astro (astro)

v5.1.5

Patch Changes
  • #​12934 673a518 Thanks @​ematipico! - Fixes a regression where the Astro Container didn't work during the build, using pnpm

  • #​12955 db447f2 Thanks @​martrapp! - Lets TypeScript know about the "blocking" and "disabled" attributes of the <link> element.

  • #​12922 faf74af Thanks @​adamchal! - Improves performance of static asset generation by fixing a bug that caused image transforms to be performed serially. This fix ensures that processing uses all CPUs when running in a multi-core environment.

  • #​12947 3c2292f Thanks @​ascorbic! - Fixes a bug that caused empty content collections when running dev with NODE_ENV set

v5.1.4

Patch Changes
  • #​12927 ad2a752 Thanks @​ematipico! - Fixes a bug where Astro attempted to decode a request URL multiple times, resulting in an unexpected behaviour when decoding the character %

  • #​12912 0c0c66b Thanks @​florian-lefebvre! - Improves the config error for invalid combinations of context and access properties under env.schema

  • #12935 3d47e6b Thanks @AirBorne04! - Fixes an issue where Astro.locals coming from an adapter weren't available in the 404.astro, when using the astro dev command.

  • #​12925 44841fc Thanks @​ascorbic! - Ensures image styles are not imported unless experimental responsive images are enabled

  • #​12926 8e64bb7 Thanks @​oliverlynch! - Improves remote image cache efficiency by separating image data and metadata into a binary and sidecar JSON file.

  • #​12920 8b9d530 Thanks @​bluwy! - Processes markdown with empty body as remark and rehype plugins may add additional content or frontmatter

  • #​12918 fd12a26 Thanks @​lameuler! - Fixes a bug where the logged output path does not match the actual output path when using build.format: 'preserve'

  • #​12676 2ffc0fc Thanks @​koyopro! - Allows configuring Astro modules TypeScript compilation with the vite.esbuild config

  • #​12938 dbb04f3 Thanks @​ascorbic! - Fixes a bug where content collections would sometimes appear empty when first running astro dev

  • #12937 30edb6d Thanks @ematipico! - Fixes a bug where users could use Astro.request.headers during a rewrite inside prerendered routes. This is an invalid behaviour, and now Astro will show a warning if this happens.

  • #​12937 30edb6d Thanks @​ematipico! - Fixes an issue where the use of Astro.rewrite would trigger the invalid use of Astro.request.headers

v5.1.2

Patch Changes
  • #​12798 7b0cb85 Thanks @​ascorbic! - Improves warning logs for invalid content collection configuration

  • #​12781 96c4b92 Thanks @​ascorbic! - Fixes a regression that caused default() to not work with reference()

  • #​12820 892dd9f Thanks @​ascorbic! - Fixes a bug that caused cookies to not be deleted when destroying a session

  • #​12864 440d8a5 Thanks @​kaytwo! - Fixes a bug where the session ID wasn't correctly regenerated

  • #​12768 524c855 Thanks @​ematipico! - Fixes an issue where Astro didn't print error logs when Astro Islands were used in incorrect cases.

  • #​12814 f12f111 Thanks @​ematipico! - Fixes an issue where Astro didn't log anything in case a file isn't created during the build.

  • #​12875 e109002 Thanks @​ascorbic! - Fixes a bug in emulated legacy collections where the entry passed to the getCollection filter function did not include the legacy entry fields.

  • #​12768 524c855 Thanks @​ematipico! - Fixes an issue where Astro was printing the incorrect output format when running the astro build command

  • #​12810 70a9f0b Thanks @​louisescher! - Fixes server islands failing to check content-type header under certain circumstances

    Sometimes a reverse proxy or similar service might modify the content-type header to include the charset or other parameters in the media type of the response. This previously wasn't handled by the client-side server island script and thus removed the script without actually placing the requested content in the DOM. This fix makes it so the script checks if the header starts with the proper content type instead of exactly matching text/html, so the following will still be considered a valid header: text/html; charset=utf-8

  • #​12816 7fb2184 Thanks @​ematipico! - Fixes an issue where an injected route entrypoint wasn't correctly marked because the resolved file path contained a query parameter.

    This fixes some edge cases where some injected entrypoints were not resolved when using an adapter.

v5.1.0

Minor Changes
  • #​12441 b4fec3c Thanks @​ascorbic! - Adds experimental session support

    Sessions are used to store user state between requests for server-rendered pages, such as login status, shopping cart contents, or other user-specific data.

v5.0.3

Patch Changes
  • #​12645 8704c54 Thanks @​sarah11918! - Updates some reference links in error messages for new v5 docs.

  • #​12641 48ca399 Thanks @​ascorbic! - Fixes a bug where astro info --copy wasn't working correctly on macOS systems.

  • #​12461 62939ad Thanks @​kyr0! - Removes the misleading log message telling that a custom renderer is not recognized while it clearly is and works.

  • #​12642 ff18b9c Thanks @​ematipico! - Provides more information when logging a warning for accessing Astro.request.headers in prerendered pages

  • #​12634 03958d9 Thanks @​delucis! - Improves error message formatting for user config and content collection frontmatter

  • #​12547 6b6e18d Thanks @​mtwilliams-code! - Fixes a bug where URL search parameters weren't passed when using the i18n fallback feature.

  • #​12449 e6b8017 Thanks @​apatel369! - Fixes an issue where the custom assetFileNames configuration caused assets to be incorrectly moved to the server directory instead of the client directory, resulting in 404 errors when accessed from the client side.

  • #​12518 e216250 Thanks @​ematipico! - Fixes an issue where SSR error pages would return duplicated custom headers.

  • #​12625 74bfad0 Thanks @​ematipico! - Fixes an issue where the experimental.svg had incorrect type, resulting in some errors in the editors.

  • #​12631 dec0305 Thanks @​ascorbic! - Fixes a bug where the class attribute was rendered twice on the image component

  • #​12623 0e4fecb Thanks @​ascorbic! - Correctly handles images in content collections with uppercase file extensions

  • #​12633 8a551c1 Thanks @​bluwy! - Cleans up content layer sync during builds and programmatic sync() calls

  • #​12640 22e405a Thanks @​ascorbic! - Fixes a bug that caused content collections to be returned empty when run in a test environment

  • #​12613 306c9f9 Thanks @​matthewp! - Fix use of cloned requests in middleware with clientAddress

    When using context.clientAddress or Astro.clientAddress Astro looks up the address in a hidden property. Cloning a request can cause this hidden property to be lost.

    The fix is to pass the address as an internal property instead, decoupling it from the request.

v5.0.0

Major Changes
  • #​11798 e9e2139 Thanks @​matthewp! - Unflag globalRoutePriority

    The previously experimental feature globalRoutePriority is now the default in Astro 5.

    This was a refactoring of route prioritization in Astro, making it so that injected routes, file-based routes, and redirects are all prioritized using the same logic. This feature has been enabled for all Starlight projects since it was added and should not affect most users.

  • #11864 ee38b3a Thanks @ematipico! - [changed]: entryPoint type inside the hook astro:build:ssr
    In Astro v4.x, the entryPoint type was RouteData.

    In Astro v5.0, the entryPoint type is IntegrationRouteData, which contains a subset of the RouteData type. The fields isIndex and fallbackRoutes were removed.

What should I do?

Update your adapter to change the type of entryPoint from RouteData to IntegrationRouteData.

-import type {RouteData} from 'astro';
+import type {IntegrationRouteData} from "astro"

-function useRoute(route: RouteData) {
+function useRoute(route: IntegrationRouteData) {

}
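Review bot: the replacement import line changes more than the type name: it switches from single to double quotes and drops the trailing semicolon (from "astro" versus from 'astro';), so keeping 'astro'; would limit the change to RouteData -> IntegrationRouteData. The body of useRoute is elided here, so adapters applying this should also check it for reads of isIndex or fallbackRoutes, the two fields the text above says were removed.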
  • #​12524 9f44019 Thanks @​bluwy! - Bumps Vite to ^6.0.1 and handles its breaking changes

  • #​10742 b6fbdaa Thanks @​ematipico! - The lowest version of Node supported by Astro is now Node v18.17.1 and higher.

  • #​11916 46ea29f Thanks @​bluwy! - Updates how the build.client and build.server option values get resolved to match existing documentation. With this fix, the option values will now correctly resolve relative to the outDir option. So if outDir is set to ./dist/nested/, then by default:

    • build.client will resolve to <root>/dist/nested/client/
    • build.server will resolve to <root>/dist/nested/server/

    Previously the values were incorrectly resolved:

    • build.client was resolved to <root>/dist/nested/dist/client/
    • build.server was resolved to <root>/dist/nested/dist/server/

    If you were relying on the previous build paths, make sure that your project code is updated to the new build paths.

  • #​11982 d84e444 Thanks @​Princesseuh! - Adds a default exclude and include value to the tsconfig presets. {projectDir}/dist is now excluded by default, and {projectDir}/.astro/types.d.ts and {projectDir}/**/* are included by default.

    Both of these options can be overridden by setting your own values to the corresponding settings in your tsconfig.json file.

  • #11861 3ab3b4e Thanks @bluwy! - Cleans up Astro-specific metadata attached to vfile.data in Remark and Rehype plugins. Previously, the metadata was attached in different locations with inconsistent names. The metadata is now renamed as below:

    • vfile.data.__astroHeadings -> vfile.data.astro.headings
    • vfile.data.imagePaths -> vfile.data.astro.imagePaths

    The type of imagePaths has also been updated from Set<string> to string[]. The vfile.data.astro.frontmatter metadata is left unchanged.

    While we don't consider these APIs public, they can be accessed by Remark and Rehype plugins that want to re-use Astro's metadata. If you are using these APIs, make sure to access them in the new locations.

  • #​11987 bf90a53 Thanks @​florian-lefebvre! - The locals object can no longer be overridden

    Middleware, API endpoints, and pages can no longer override the locals object in its entirety. You can still append values onto the object, but you can not replace the entire object and delete its existing values.

    If you were previously overwriting like so:

    ctx.locals = {
      one: 1,
      two: 2,
    };

    This can be changed to an assignment on the existing object instead:

    Object.assign(ctx.locals, {
      one: 1,
      two: 2,
    });
  • #11908 518433e Thanks @Princesseuh! - The image.endpoint config now allows customizing the route of the image endpoint in addition to the entrypoint. This can be useful in niche situations where the default route /_image conflicts with an existing route or your local server setup.

    import { defineConfig } from 'astro/config';
    
    defineConfig({
      image: {
        endpoint: {
          route: '/image',
          entrypoint: './src/image_endpoint.ts',
        },
      },
    });
  • #​12008 5608338 Thanks @​Princesseuh! - Welcome to the Astro 5 beta! This release has no changes from the latest alpha of this package, but it does bring us one step closer to the final, stable release.

    Starting from this release, no breaking changes will be introduced unless absolutely necessary.

    To learn how to upgrade, check out the Astro v5.0 upgrade guide in our beta docs site.

  • #​11679 ea71b90 Thanks @​florian-lefebvre! - The astro:env feature introduced behind a flag in v4.10.0 is no longer experimental and is available for general use. If you have been waiting for stabilization before using astro:env, you can now do so.

    This feature lets you configure a type-safe schema for your environment variables, and indicate whether they should be available on the server or the client.

    To configure a schema, add the env option to your Astro config and define your client and server variables. If you were previously using this feature, please remove the experimental flag from your Astro config and move your entire env configuration unchanged to a top-level option.

    import { defineConfig, envField } from 'astro/config';
    
    export default defineConfig({
      env: {
        schema: {
          API_URL: envField.string({ context: 'client', access: 'public', optional: true }),
          PORT: envField.number({ context: 'server', access: 'public', default: 4321 }),
          API_SECRET: envField.string({ context: 'server', access: 'secret' }),
        },
      },
    });

    You can import and use your defined variables from the appropriate /client or /server module:

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
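
The two bypass patterns from the CVE-2024-56140 advisory above, modelled as an added example (not code from this PR or from Astro's middleware). naiveCheck is an assumed weak gate that only compares Origin when Content-Type exactly equals a form type; hardenedCheck compares the media type before any ";" parameters and treats a missing header as form-like. All function names and sample requests are constructed for illustration.

```javascript
// Simplified model of an Origin-based CSRF gate. Requests are plain objects
// with lowercase header names; every sample below is constructed.

// Content types a browser will send cross-origin without a CORS preflight.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// True only when an Origin header is present and equals the request URL's origin.
function sameOrigin(req) {
  const origin = req.headers['origin'];
  return typeof origin === 'string' && origin === new URL(req.url).origin;
}

// Weak variant (assumed for illustration): the Origin comparison only runs
// when the Content-Type header is exactly one of the form types.
function naiveCheck(req) {
  if (SAFE_METHODS.has(req.method)) return true;
  const ct = req.headers['content-type'];
  const formLike = typeof ct === 'string' && FORM_TYPES.includes(ct.toLowerCase());
  return formLike ? sameOrigin(req) : true;
}

// Hardened variant: look only at the media type before any ";" parameter,
// and treat a missing or empty Content-Type as form-like.
function hardenedCheck(req) {
  if (SAFE_METHODS.has(req.method)) return true;
  const ct = req.headers['content-type'];
  const essence = typeof ct === 'string' ? ct.split(';')[0].trim().toLowerCase() : '';
  const formLike = essence === '' || FORM_TYPES.includes(essence);
  return formLike ? sameOrigin(req) : true;
}

const TARGET = 'https://test.example.com/';
const OTHER_ORIGIN = 'https://other-origin.example'; // constructed cross-site origin

const SAMPLES = [
  {
    name: 'exact form type, cross-origin',
    req: { method: 'POST', url: TARGET, headers: {
      origin: OTHER_ORIGIN, 'content-type': 'application/x-www-form-urlencoded' } },
  },
  {
    name: 'Pattern 1: parameter after the type',
    req: { method: 'POST', url: TARGET, headers: {
      origin: OTHER_ORIGIN, 'content-type': 'application/x-www-form-urlencoded; abc' } },
  },
  {
    name: 'Pattern 2: no Content-Type header',
    req: { method: 'POST', url: TARGET, headers: { origin: OTHER_ORIGIN } },
  },
  {
    name: 'same-origin form post',
    req: { method: 'POST', url: TARGET, headers: {
      origin: 'https://test.example.com', 'content-type': 'application/x-www-form-urlencoded' } },
  },
];

// Returns, per sample, whether each variant lets the request through.
function evaluate() {
  return SAMPLES.map(({ name, req }) => ({
    name,
    naive: naiveCheck(req),
    hardened: hardenedCheck(req),
  }));
}

for (const r of evaluate()) {
  console.log(`${r.name}: naive=${r.naive ? 'allow' : 'block'} hardened=${r.hardened ? 'allow' : 'block'}`);
}
```
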

stackblitz bot commented Dec 21, 2024

Run & review this pull request in StackBlitz Codeflow.

@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Dec 22, 2024
@renovate renovate bot closed this Dec 22, 2024
@renovate renovate bot deleted the renovate/npm-astro-vulnerability branch December 22, 2024 02:46
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Dec 24, 2024
@renovate renovate bot reopened this Dec 24, 2024
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Dec 25, 2024
@renovate renovate bot closed this Dec 25, 2024
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Dec 26, 2024
@renovate renovate bot reopened this Dec 26, 2024
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 5c0b668 to d22032e Compare December 26, 2024 17:51
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Dec 27, 2024
@renovate renovate bot closed this Dec 27, 2024
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Dec 28, 2024
@renovate renovate bot reopened this Dec 28, 2024
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 7944bae to d22032e Compare December 28, 2024 14:46
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Dec 29, 2024
@renovate renovate bot closed this Dec 29, 2024
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Dec 30, 2024
@renovate renovate bot reopened this Dec 30, 2024
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from ff1106d to d22032e Compare December 30, 2024 02:35
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Dec 31, 2024
@renovate renovate bot closed this Dec 31, 2024
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Jan 1, 2025
@renovate renovate bot reopened this Jan 1, 2025
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 2834b80 to d22032e Compare January 1, 2025 11:55
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Jan 2, 2025
@renovate renovate bot closed this Jan 2, 2025
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Jan 3, 2025
@renovate renovate bot reopened this Jan 3, 2025
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Jan 4, 2025
@renovate renovate bot closed this Jan 4, 2025
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Jan 5, 2025
@renovate renovate bot reopened this Jan 5, 2025
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Jan 6, 2025
@renovate renovate bot closed this Jan 6, 2025
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Jan 9, 2025
@renovate renovate bot reopened this Jan 9, 2025
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 484120f to d22032e Compare January 9, 2025 03:42
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Jan 11, 2025
@renovate renovate bot closed this Jan 11, 2025
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Jan 12, 2025
@renovate renovate bot reopened this Jan 12, 2025
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Jan 14, 2025
@renovate renovate bot closed this Jan 14, 2025
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Jan 16, 2025
@renovate renovate bot reopened this Jan 16, 2025
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Jan 17, 2025
@renovate renovate bot closed this Jan 17, 2025
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] - autoclosed fix(deps): update dependency astro to v5 [security] Jan 20, 2025
@renovate renovate bot reopened this Jan 20, 2025
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 79776ac to d22032e Compare January 20, 2025 20:20
@renovate renovate bot changed the title fix(deps): update dependency astro to v5 [security] fix(deps): update dependency astro to v5 [security] - autoclosed Jan 25, 2025
@renovate renovate bot closed this Jan 25, 2025