Skip to content

[ci] release#14466

Merged
matthewp merged 2 commits intomainfrom
changeset-release/main
Oct 8, 2025
Merged

[ci] release#14466
matthewp merged 2 commits intomainfrom
changeset-release/main

Conversation

@astrobot-houston
Copy link
Copy Markdown
Contributor

@astrobot-houston astrobot-houston commented Oct 1, 2025
edited
Loading

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

astro@5.14.2

Patch Changes

  • #14459 916f9c2 Thanks @florian-lefebvre! - Improves font files URLs in development when using the experimental fonts API by showing the subset if present

  • b8ca69b Thanks @ascorbic! - Aligns dev image server file base with Vite rules

  • #14469 1c090b0 Thanks @delucis! - Updates tinyexec dependency

  • #14460 008dc75 Thanks @florian-lefebvre! - Fixes a case where astro:config/server values typed as URLs would be serialized as strings

  • #13730 7260367 Thanks @razonyang! - Fixes a bug in i18n, where Astro caused an infinite loop when a locale that doesn't have an index, and Astro falls back to the index of the default locale.

  • 6ee63bf Thanks @matthewp! - Adds security.allowedDomains configuration to validate X-Forwarded-Host headers in SSR

    The X-Forwarded-Host header will now only be trusted if it matches one of the configured allowed host patterns. This prevents host header injection attacks that can lead to cache poisoning and other security vulnerabilities.

    Configure allowed host patterns to enable X-Forwarded-Host support:

    // astro.config.mjs
export default defineConfig({
  output: 'server',
  adapter: node(),
  security: {
    allowedDomains: [
      { hostname: 'example.com' },
      { hostname: '*.example.com' },
      { hostname: 'cdn.example.com', port: '443' },
    ],
  },
});

    The patterns support wildcards (* and **) for flexible hostname matching and can optionally specify protocol and port.

    Breaking change

    Previously, Astro.url would reflect the value of the X-Forwarded-Host header. While this header is commonly used by reverse proxies like Nginx to communicate the original host, it can be sent by any client, potentially allowing malicious actors to poison caches with incorrect URLs.

    If you were relying on X-Forwarded-Host support, add security.allowedDomains to your configuration to restore this functionality securely. When allowedDomains is not configured, X-Forwarded-Host headers are now ignored by default.

  • #14488 badc929 Thanks @olcanebrem! - Fixes a case where styles on the custom 500 error page would not be included

  • #14487 1e5b72c Thanks @florian-lefebvre! - Fixes a case where the URLs generated by the experimental Fonts API would be incorrect in dev

  • #14475 ae034ae Thanks @florian-lefebvre! - Warns if the font family name is not supported by the provider when using the experimental fonts API

  • b8ca69b Thanks @ascorbic! - Refactor remote path detection

  • #14468 2f2a5da Thanks @delucis! - Updates @capsizecss/unpack dependency

  • Updated dependencies [b8ca69b]:

    • @astrojs/internal-helpers@0.7.4
    • @astrojs/markdown-remark@6.3.8

@astrojs/cloudflare@12.6.10

Patch Changes

  • b8ca69b Thanks @ascorbic! - Refactor remote path detection

  • Updated dependencies [b8ca69b]:

    • @astrojs/internal-helpers@0.7.4
    • @astrojs/underscore-redirects@1.0.0

@astrojs/markdoc@0.15.8

Patch Changes

  • Updated dependencies [b8ca69b]:
    • @astrojs/internal-helpers@0.7.4
    • @astrojs/markdown-remark@6.3.8

@astrojs/mdx@4.3.7

Patch Changes

  • Updated dependencies []:
    • @astrojs/markdown-remark@6.3.8

@astrojs/netlify@6.5.12

Patch Changes

  • #14473 d9634d3 Thanks @florian-lefebvre! - Fixes a bug that caused too many files to be bundled in SSR

  • Updated dependencies [b8ca69b]:

    • @astrojs/internal-helpers@0.7.4
    • @astrojs/underscore-redirects@1.0.0

@astrojs/node@9.4.5

Patch Changes

  • Updated dependencies [b8ca69b]:
    • @astrojs/internal-helpers@0.7.4

@astrojs/vercel@8.2.9

Patch Changes

@astrojs/internal-helpers@0.7.4

Patch Changes

@astrojs/markdown-remark@6.3.8

Patch Changes

  • Updated dependencies [b8ca69b]:
    • @astrojs/internal-helpers@0.7.4

@github-actions github-actions bot added pkg: example Related to an example package (scope) pkg: astro Related to the core `astro` package (scope) labels Oct 1, 2025
@github-actions github-actions bot force-pushed the changeset-release/main branch from c116c1d to 287957b Compare October 1, 2025 09:02
@codspeed-hq
Copy link
Copy Markdown

codspeed-hq bot commented Oct 1, 2025

CodSpeed Performance Report

Merging #14466 will not alter performance

Comparing changeset-release/main (c116c1d) with main (008dc75)1

Summary

✅ 6 untouched

Footnotes

  1. No successful run was found on main (33aad75) during the generation of this report, so 008dc75 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@github-actions github-actions bot force-pushed the changeset-release/main branch 11 times, most recently from 1f3f08c to 8548d4b Compare October 6, 2025 19:13
@florian-lefebvre florian-lefebvre mentioned this pull request Oct 7, 2025
Closed
@github-actions github-actions bot force-pushed the changeset-release/main branch 5 times, most recently from e1bbe75 to 4665a4f Compare October 8, 2025 13:00
@matthewp matthewp force-pushed the changeset-release/main branch from 4665a4f to 2539e30 Compare October 8, 2025 17:03
@github-actions github-actions bot added feat: markdown Related to Markdown (scope) pkg: integration Related to any renderer integration (scope) labels Oct 8, 2025
@matthewp
Skip yarn test that fails with unpublished dependencies
967983f 
The yarn test packs astro and attempts to install it, which fails when
workspace dependencies like @astrojs/internal-helpers have been bumped
but not yet published to npm. Skip this test to allow the release to proceed.
@matthewp matthewp merged commit 3bb14b7 into main Oct 8, 2025
52 of 55 checks passed
@ArmandPhilippot ArmandPhilippot mentioned this pull request Oct 9, 2025
Merged
@ArmandPhilippot ArmandPhilippot mentioned this pull request Dec 12, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matthewp matthewp matthewp approved these changes

Assignees

No one assigned

Labels

feat: markdown Related to Markdown (scope) pkg: astro Related to the core `astro` package (scope) pkg: example Related to an example package (scope) pkg: integration Related to any renderer integration (scope)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@astrobot-houston @matthewp