docs(csp): improve validation messages for directives#16685
Merged
Conversation
🦋 Changeset detectedLatest commit: d5ddea3 The changes in this PR will be included in the next version bump. This PR includes changesets to release 421 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
ematipico
reviewed
May 11, 2026
| return value.startsWith(allowedValue); | ||
| }); | ||
| }); | ||
| export const allowedDirectivesSchema: z.ZodType<CspDirective> = z.string().superRefine( |
Member
There was a problem hiding this comment.
The reason why custom was chosen is because it also provides good auto complete in the editors. Is there a way to provide a good error message without losing the editor capabilities?
Contributor
Author
There was a problem hiding this comment.
Thanks for the feedback! You're right, autocomplete is important here.
I've refactored the schema to use z.custom(...) as the base, which restores the editor's ability to suggest directives based on the template literal type. I then chained .superRefine() to it to keep the helpful error messages for script-src and style-src misconfigurations.
Contributor
Author
|
Added a unit test in config-validate.test.ts to verify the new help message surfaces correctly for script-src misconfigurations. |
Merged
dadezzz
pushed a commit
to dadezzz/university_notes
that referenced
this pull request
May 17, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [astro](https://astro.build) ([source](https://github.com/withastro/astro/tree/HEAD/packages/astro)) | [`6.3.1` → `6.3.2`](https://renovatebot.com/diffs/npm/astro/6.3.1/6.3.2) |  |  | --- ### Release Notes <details> <summary>withastro/astro (astro)</summary> ### [`v6.3.2`](https://github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#632) [Compare Source](https://github.com/withastro/astro/compare/astro@6.3.1...astro@6.3.2) ##### Patch Changes - [#​16675](withastro/astro#16675) [`11d4592`](withastro/astro@11d4592) Thanks [@​ascorbic](https://github.com/ascorbic)! - Fixes a regression where `Astro.cache` was `undefined` when `experimental.cache` was not configured. The previous documented behavior is for `Astro.cache` to always be defined as a no-op shim: `cache.set()` warns once, `cache.invalidate()` throws and `cache.enabled` can be used to gate. This allows library and user code can call cache methods without conditional checks. The cache provider registration was being gated at the call site on `experimental.cache` being configured, which meant the disabled shim branch inside the provider was unreachable and the `Astro.cache` getter was never attached to the context. - [#​16691](withastro/astro#16691) [`0f0a4ce`](withastro/astro@0f0a4ce) Thanks [@​matthewp](https://github.com/matthewp)! - Fixes `HTMLElement is not defined` error during HMR when using components with client-side scripts (e.g. Starlight `<Tabs>`) and the Cloudflare adapter - [#​16562](withastro/astro#16562) [`07529ec`](withastro/astro@07529ec) Thanks [@​matthewp](https://github.com/matthewp)! - Fixes non-prerendered routes failing when a dynamic prerendered route exists in the same project with `prerenderEnvironment: 'node'` - [#​16638](withastro/astro#16638) [`272185b`](withastro/astro@272185b) Thanks [@​ematipico](https://github.com/ematipico)! - Fixes a bug where the Astro compiler wasn't freed at the end of the build. After the fix, the memory used by the compiler is now correctly freed at the end of the build. - [#​16544](withastro/astro#16544) [`d365c97`](withastro/astro@d365c97) Thanks [@​matthewp](https://github.com/matthewp)! - Tightens `isRemotePath()` to reject control characters after a leading slash and fixes the dev image endpoint origin check - [#​16685](withastro/astro#16685) [`889e748`](withastro/astro@889e748) Thanks [@​farrosfr](https://github.com/farrosfr)! - Improve validation messages for `security.csp.directives` when `script-src` or `style-src` are incorrectly placed in the `directives` array. - [#​16605](withastro/astro#16605) [`772f13a`](withastro/astro@772f13a) Thanks [@​rururux](https://github.com/rururux)! - Fixes `assetsPrefix` not being available on `build` from `astro:config/server`. - [#​16556](withastro/astro#16556) [`f38dec7`](withastro/astro@f38dec7) Thanks [@​matthewp](https://github.com/matthewp)! - Rejects double-encoded URL paths with a 400 response instead of silently falling back to partial decoding - [#​16659](withastro/astro#16659) [`38bcb25`](withastro/astro@38bcb25) Thanks [@​jsparkdev](https://github.com/jsparkdev)! - Fixes `&` characters appearing as raw entity strings (e.g. `&#​38;`) in `<meta>` tags when viewed in link previews or raw HTML. - Updated dependencies \[[`d365c97`](withastro/astro@d365c97), [`9256345`](withastro/astro@9256345)]: - [@​astrojs/internal-helpers](https://github.com/astrojs/internal-helpers)@​0.9.1 - [@​astrojs/markdown-remark](https://github.com/astrojs/markdown-remark)@​7.1.2 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzAuMjAiLCJ1cGRhdGVkSW5WZXIiOiI0My4xNzAuMjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
Closes #16663
script-srcorstyle-srcinside thesecurity.csp.directivesarray.security.csp.scriptDirectiveorsecurity.csp.styleDirectiveinstead.zod-error-map.tsto ensure these specific custom messages are surfaced to the terminal.Testing
I tested this by creating a local reproduction project with the following configuration:
I verified that the terminal now outputs the specific help message instead of the generic Zod union error.
Docs
No documentation changes needed as this only improves an existing error message to match the documented behavior.