Merged
Conversation
🦋 Changeset detectedLatest commit: 82015de The changes in this PR will be included in the next version bump. Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
matthewp
approved these changes
Mar 24, 2026
Merged
dadezzz
pushed a commit
to dadezzz/ice-notes
that referenced
this pull request
Mar 30, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [astro](https://astro.build) ([source](https://github.com/withastro/astro/tree/HEAD/packages/astro)) | [`6.0.8` → `6.1.1`](https://renovatebot.com/diffs/npm/astro/6.0.8/6.1.1) |  |  | --- ### Release Notes <details> <summary>withastro/astro (astro)</summary> ### [`v6.1.1`](https://github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#611) [Compare Source](https://github.com/withastro/astro/compare/astro@6.1.0...astro@6.1.1) ##### Patch Changes - [#​16105](withastro/astro#16105) [`23d60de`](withastro/astro@23d60de) Thanks [@​matthewp](https://github.com/matthewp)! - Fix dev toolbar audit crash when encountering the `image` ARIA role - [#​16089](withastro/astro#16089) [`999c875`](withastro/astro@999c875) Thanks [@​martrapp](https://github.com/martrapp)! - Fixes an issue with the client router where Vue's `:deep()` notation was ignored in dev mode. ### [`v6.1.0`](https://github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#610) [Compare Source](https://github.com/withastro/astro/compare/astro@6.0.8...astro@6.1.0) ##### Minor Changes - [#​15804](withastro/astro#15804) [`a5e7232`](withastro/astro@a5e7232) Thanks [@​merlinnot](https://github.com/merlinnot)! - Allows setting codec-specific defaults for Astro's built-in Sharp image service via `image.service.config`. You can now configure encoder-level options such as `jpeg.mozjpeg`, `webp.effort`, `webp.alphaQuality`, `avif.effort`, `avif.chromaSubsampling`, and `png.compressionLevel` when using `astro/assets/services/sharp` for compile-time image generation. These settings apply as defaults for the built-in Sharp pipeline, while per-image `quality` still takes precedence when set on `<Image />`, `<Picture />`, or `getImage()`. - [#​15455](withastro/astro#15455) [`babf57f`](withastro/astro@babf57f) Thanks [@​AhmadYasser1](https://github.com/AhmadYasser1)! - Adds `fallbackRoutes` to the `IntegrationResolvedRoute` type, exposing i18n fallback routes to integrations via the `astro:routes:resolved` hook for projects using `fallbackType: 'rewrite'`. This allows integrations such as the sitemap integration to properly include generated fallback routes in their output. ```js { 'astro:routes:resolved': ({ routes }) => { for (const route of routes) { for (const fallback of route.fallbackRoutes) { console.log(fallback.pathname) // e.g. /fr/about/ } } } } ``` - [#​15340](withastro/astro#15340) [`10a1a5a`](withastro/astro@10a1a5a) Thanks [@​trueberryless](https://github.com/trueberryless)! - Adds support for advanced configuration of SmartyPants in Markdown. You can now pass an options object to `markdown.smartypants` in your Astro configuration to fine-tune how punctuation, dashes, and quotes are transformed. This is helpful for projects that require specific typographic standards, such as "oldschool" dash handling or localized quotation marks. ```js // astro.config.mjs export default defineConfig({ markdown: { smartypants: { backticks: 'all', dashes: 'oldschool', ellipses: 'unspaced', openingQuotes: { double: '«', single: '‹' }, closingQuotes: { double: '»', single: '›' }, quotes: false, }, }, }); ``` See [the `retext-smartypants` options](https://github.com/retextjs/retext-smartypants?tab=readme-ov-file#fields) for more information. ##### Patch Changes - [#​16025](withastro/astro#16025) [`a09f319`](withastro/astro@a09f319) Thanks [@​koji-1009](https://github.com/koji-1009)! - Instructs the client router to skip view transition animations when the browser is already providing its own visual transition, such as a swipe gesture. - [#​16055](withastro/astro#16055) [`ccecb8f`](withastro/astro@ccecb8f) Thanks [@​Gautam-Bharadwaj](https://github.com/Gautam-Bharadwaj)! - Fixes an issue where `client:only` components could have duplicate `client:component-path` attributes added in MDX in rare cases - [#​16081](withastro/astro#16081) [`44fc340`](withastro/astro@44fc340) Thanks [@​crazylogic03](https://github.com/crazylogic03)! - Fixes the `emitFile() is not supported in serve mode` warning that appears during `astro dev` when using integrations that inject before-hydration scripts (e.g. `@astrojs/react`) - [#​16068](withastro/astro#16068) [`31d733b`](withastro/astro@31d733b) Thanks [@​Karthikeya1500](https://github.com/Karthikeya1500)! - Fixes the dev toolbar a11y audit incorrectly classifying `menuitemradio` as a non-interactive ARIA role. - [#​16080](withastro/astro#16080) [`e80ac73`](withastro/astro@e80ac73) Thanks [@​ematipico](https://github.com/ematipico)! - Fixes `experimental.queuedRendering` incorrectly escaping the HTML output of `.html` page files, causing the page content to render as plain text instead of HTML in the browser. - [#​16048](withastro/astro#16048) [`13b9d56`](withastro/astro@13b9d56) Thanks [@​matthewp](https://github.com/matthewp)! - Fixes a dev server crash (`serverIslandNameMap.get is not a function`) that occurred when navigating to a page with `server:defer` after first visiting a page without one, when using `@astrojs/cloudflare` - [#​16093](withastro/astro#16093) [`336e086`](withastro/astro@336e086) Thanks [@​Snugug](https://github.com/Snugug)! - Fixes Zod meta not correctly being rendered on top-level schema when converted into JSON Schema - [#​16043](withastro/astro#16043) [`d402485`](withastro/astro@d402485) Thanks [@​ematipico](https://github.com/ematipico)! - Fixes `checkOrigin` CSRF protection in `astro dev` behind a TLS-terminating reverse proxy. The dev server now reads `X-Forwarded-Proto` (gated on `security.allowedDomains`, matching production behaviour) so the constructed request origin matches the `https://` origin the browser sends. Also ensures `security.allowedDomains` and `security.checkOrigin` are respected in dev. - [#​16064](withastro/astro#16064) [`ba58e0d`](withastro/astro@ba58e0d) Thanks [@​ematipico](https://github.com/ematipico)! - Updates the dependency `svgo` to the latest, to fix a security issue. - [#​16007](withastro/astro#16007) [`2dcd8d5`](withastro/astro@2dcd8d5) Thanks [@​florian-lefebvre](https://github.com/florian-lefebvre)! - Fixes a case where fonts files would unecessarily be copied several times during the build - [#​16017](withastro/astro#16017) [`b089b90`](withastro/astro@b089b90) Thanks [@​felmonon](https://github.com/felmonon)! - Fix the `astro sync` error message when `getImage()` is called while loading content collections. - [#​16014](withastro/astro#16014) [`fa73fbb`](withastro/astro@fa73fbb) Thanks [@​matthewp](https://github.com/matthewp)! - Fixes a build error where using `astro:config/client` inside a `<script>` tag would cause Rollup to fail with "failed to resolve import `virtual:astro:routes` from `virtual:astro:manifest`" - [#​16054](withastro/astro#16054) [`f74465a`](withastro/astro@f74465a) Thanks [@​seroperson](https://github.com/seroperson)! - Fixes an issue with the development server, where changes to the middleware weren't picked, and it required a full restart of the server. - [#​16033](withastro/astro#16033) [`198d31b`](withastro/astro@198d31b) Thanks [@​adampage](https://github.com/adampage)! - Fixes a bug where the the role `image` was incorrectly reported by audit tool bar. - [#​15935](withastro/astro#15935) [`278828c`](withastro/astro@278828c) Thanks [@​oliverlynch](https://github.com/oliverlynch)! - Fixes cached assets failing to revalidate due to redirect check mishandling Not Modified responses. - [#​16075](withastro/astro#16075) [`2c1ae85`](withastro/astro@2c1ae85) Thanks [@​florian-lefebvre](https://github.com/florian-lefebvre)! - Fixes a case where invalid URLs would be generated in development when using font families with an oblique `style` and angles - [#​16062](withastro/astro#16062) [`87fd6a4`](withastro/astro@87fd6a4) Thanks [@​matthewp](https://github.com/matthewp)! - Warns on dev server startup when Vite 8 is detected at the top level of the user's project, and automatically adds a `"overrides": { "vite": "^7" }` entry to `package.json` when running `astro add cloudflare`. This prevents a `require_dist is not a function` crash caused by a Vite version split between Astro (requires Vite 7) and packages like `@tailwindcss/vite` that hoist Vite 8. - Updated dependencies \[[`10a1a5a`](withastro/astro@10a1a5a)]: - [@​astrojs/markdown-remark](https://github.com/astrojs/markdown-remark)@​7.1.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuODYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: Renovate Bot <renovate@zarantonello.dev> Co-committed-by: Renovate Bot <renovate@zarantonello.dev>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
Note
Summary generated via AI
Closes #16042
astro devruns behind a TLS-terminating reverse proxy (Caddy, nginx, Traefik, etc.), the proxy connects to Vite over plain HTTP while the browser communicates over HTTPS. The dev server was always constructing the request URL withhttp://because it only checked whether Vite itself was configured with TLS (vite.server.https). The CSRF origin check then comparedhttp://host(server-side URL) againstOrigin: https://host(browser header) and returned 403 for every non-GET form submission.validateForwardedHeadersto derive the protocol fromX-Forwarded-Proto, gated onsecurity.allowedDomainsbeing non-empty — the same security guard used in production (core/app/node.ts). WithoutallowedDomainsthe header is untrusted and behaviour is identical to before.security.allowedDomainsis now propagated into the dev manifest. It was previously absent, meaning the forwarded-header validation would always short-circuit even if the user had configured it.security.checkOriginis now respected in dev unconditionally. The previousbuildOutput === 'server'gate suppressed CSRF protection in dev regardless of the user's config.getFirstForwardedValue(previously an inline closure innode.ts) is extracted and exported fromvalidate-headers.ts, the natural home for forwarded-header utilities, and reused in bothnode.tsand the dev server.Testing
test/units/app/dev-url-construction.test.jscover the URL construction logic in isolation: noallowedDomains(header ignored), matchingallowedDomains(header trusted), wildcard hostname patterns, multi-value comma-separated headers, malicious injection attempts (javascript:, URL-injection),isHttpsfallback, and the end-to-end CSRF implication (constructedurl.originmatches the browserOriginheader iff and only ifallowedDomainsis configured).node.test.jstests and 35csrf.test.jstests continue to pass with no changes.Docs
N/A