Releases: withastro/astro

astro@5.9.4

17 Jun 08:39
a08c7e8

Patch Changes

  • #13951 7eb88f1 Thanks @ascorbic! - Fixes an issue that caused errors when using an adapter-provided session driver with custom options

  • #13953 448bddc Thanks @zaitovalisher! - Fixes a bug where quotes were not added to the 'strict-dynamic' CSP directive

@astrojs/underscore-redirects@1.0.0

17 Jun 08:39
a08c7e8

Major Changes

  • #13952 de82ef2 Thanks @ematipico! -

    • The type Redirects has been renamed to HostRoutes.
    • RouteDefinition.target is now optional
    • RouteDefinition.weight is now optional
    • Redirects.print has been removed. Now you need to pass Redirects type to the print function
    - redirects.print()
    + import { printAsRedirects } from "@astrojs/underscore-redirects"
    + printAsRedirects(redirects)

Minor Changes

  • #13952 de82ef2 Thanks @ematipico! - Adds a new method called createHostedRouteDefinition, which returns a HostRoute type from an IntegrationResolvedRoute.

  • #13952 de82ef2 Thanks @ematipico! - Adds a new method called printAsRedirects to print HostRoutes as redirects for the _redirects file.

@astrojs/netlify@6.4.0

17 Jun 08:39
a08c7e8

Minor Changes

  • #13952 de82ef2 Thanks @ematipico! - Adds support for the experimental static headers Astro feature.

    When the feature is enabled via option experimentalStaticHeaders, and experimental Content Security Policy is enabled, the adapter will generate Response headers for static pages, which allows support for CSP directives that are not supported inside a <meta> tag (e.g. frame-ancestors).

    import { defineConfig } from 'astro/config';
    import netlify from '@astrojs/netlify';
    
    export default defineConfig({
      adapter: netlify({
        experimentalStaticHeaders: true,
      }),
      experimental: {
        csp: true,
      },
    });

Patch Changes

@astrojs/cloudflare@12.5.5

17 Jun 08:39
a08c7e8

Patch Changes

astro@5.9.3

13 Jun 11:32
0644b40

Patch Changes

  • #13923 a9ac5ed Thanks @ematipico! - BREAKING CHANGE to the experimental Content Security Policy (CSP) only

    Changes the behavior of experimental Content Security Policy (CSP) to now serve hashes differently depending on whether or not a page is prerendered:

    • Via the <meta> element for static pages.
    • Via the Response header content-security-policy for on-demand rendered pages.

    This new strategy allows you to add CSP content that is not supported in a <meta> element (e.g. report-uri, frame-ancestors, and sandbox directives) to on-demand rendered pages.

    No change to your project code is required as this is an implementation detail. However, this will result in a different HTML output for pages that are rendered on demand. Please check your production site to verify that CSP is working as intended.

    To keep up to date with this developing feature, or to leave feedback, visit the CSP Roadmap proposal.
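
To check what the delivery split above means for a given policy, the following added example (not Astro's code) parses a policy string and reports which directives a browser would ignore if the page is prerendered and the policy arrives in a <meta> element. The function names and the sample policy are constructed for illustration; duplicate directives are reported because only the first occurrence of a directive is enforced.

```javascript
// Directives named in this release note as unsupported inside <meta>.
const IGNORED_IN_META = new Set(['report-uri', 'frame-ancestors', 'sandbox']);

// Split a serialized policy into directives. The first occurrence of a
// directive wins; later duplicates are ignored by browsers, so record them.
function parsePolicy(policy) {
  const directives = new Map();
  const duplicates = [];
  for (const chunk of policy.split(';')) {
    const [rawName, ...values] = chunk.trim().split(/\s+/);
    if (!rawName) continue; // empty segment, e.g. a trailing ';'
    const name = rawName.toLowerCase();
    if (directives.has(name)) duplicates.push(name);
    else directives.set(name, values);
  }
  return { directives, duplicates };
}

// Static pages get the policy via <meta>, on-demand pages via the
// content-security-policy response header (the 5.9.3 behaviour).
function auditDelivery(policy, isPrerendered) {
  const { directives, duplicates } = parsePolicy(policy);
  const delivery = isPrerendered ? 'meta' : 'header';
  const dropped = [];
  const kept = [];
  for (const [name, values] of directives) {
    if (delivery === 'meta' && IGNORED_IN_META.has(name)) dropped.push(name);
    else kept.push([name, ...values].join(' '));
  }
  return { delivery, dropped, duplicates, effective: kept.join('; ') };
}

// Constructed sample policy.
const samplePolicy =
  "default-src 'self'; frame-ancestors 'none'; report-uri /csp; script-src 'self'; script-src *";
console.log(auditDelivery(samplePolicy, true));
console.log(auditDelivery(samplePolicy, false));
```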

  • #13926 953a249 Thanks @ematipico! - Adds a new Astro Adapter Feature called experimentalStaticHeaders to allow your adapter to receive the Headers for rendered static pages.

    Adapters that enable support for this feature can access header values directly, affecting their handling of some Astro features such as Content Security Policy (CSP). For example, Astro will no longer serve the CSP <meta http-equiv="content-security-policy"> element in static pages to adapters with this support.

    Astro will serve the value of the header inside a map that can be retrieved from the hook astro:build:generated. Adapters can read this mapping and use their hosting headers capabilities to create a configuration file.

    A new field called experimentalRouteToHeaders will contain a map of Map<IntegrationResolvedRoute, Headers> where the Headers type contains the headers emitted by the rendered static route.

    To enable support for this experimental Astro Adapter Feature, add it to your adapterFeatures in your adapter config:

    // my-adapter.mjs
    export default function createIntegration() {
      return {
        name: '@example/my-adapter',
        hooks: {
          'astro:config:done': ({ setAdapter }) => {
            setAdapter({
              name: '@example/my-adapter',
              serverEntrypoint: '@example/my-adapter/server.js',
              adapterFeatures: {
                experimentalStaticHeaders: true,
              },
            });
          },
        },
      };
    }

    See the Adapter API docs for more information about providing adapter features.
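
An added example (not code from Astro or from any official adapter) of what an adapter could do with the map described above: turn each static route's headers into the text of a host headers file. It assumes each route key exposes a `pattern` string such as "/blog/[slug]" and that the host reads a Netlify-style `_headers` layout; `patternToHostPath`, `assertSingleLine` and `buildHeadersFile` are hypothetical helper names.

```javascript
// Convert a route pattern to a host path glob: "/blog/[slug]" -> "/blog/*".
// Assumption: dynamic segments are written in square brackets.
function patternToHostPath(pattern) {
  const path = pattern
    .split('/')
    .map((segment) => (/^\[.*\]$/.test(segment) ? '*' : segment))
    .join('/');
  return path === '' ? '/' : path;
}

// The output file is line-based, so a CR or LF inside a name or value
// could add an extra header or path rule. Reject instead of writing it.
function assertSingleLine(name, value) {
  if (/[\r\n]/.test(name) || /[\r\n]/.test(value)) {
    throw new Error(`Refusing header with a line break: ${JSON.stringify(name)}`);
  }
}

// routeToHeaders: iterable of [route, headers] pairs, the shape of
// Map<IntegrationResolvedRoute, Headers> described above.
function buildHeadersFile(routeToHeaders) {
  const blocks = [];
  for (const [route, headers] of routeToHeaders) {
    const lines = [];
    for (const [name, value] of headers) {
      assertSingleLine(name, value);
      lines.push(`  ${name}: ${value}`);
    }
    // Routes that emitted no headers get no entry.
    if (lines.length > 0) {
      blocks.push([patternToHostPath(route.pattern), ...lines].join('\n'));
    }
  }
  return blocks.join('\n\n') + '\n';
}

// Constructed sample standing in for experimentalRouteToHeaders.
const sample = new Map([
  [{ pattern: '/' }, new Headers({ 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" })],
  [{ pattern: '/blog/[slug]' }, new Headers({ 'content-security-policy': "script-src 'self'" })],
]);
console.log(buildHeadersFile(sample));
```

Inside an adapter, the returned string would be written to the build output from the astro:build:generated hook, using the experimentalRouteToHeaders field as input.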

  • #13697 af83b85 Thanks @benosmac! - Fixes issues with fallback route pattern matching when i18n.routing.fallbackType is rewrite.

    • Adds conditions for route matching in generatePath when building fallback routes and checking for existing translated pages

    Now for a route to be matched it needs to be inside a named [locale] folder. This fixes an issue where route.pattern.test() incorrectly matched dynamic routes, causing the page to be skipped.

    • Adds conditions for route matching in findRouteToRewrite

    Now the requested pathname must exist in route.distURL for a dynamic route to match. This fixes an issue where route.pattern.test() incorrectly matched dynamic routes, causing the build to fail.

  • #13924 1cd8c3b Thanks @qw-in! - Fixes an edge case where isPrerendered was incorrectly set to false for static redirects.

  • #13926 953a249 Thanks @ematipico! - Fixes an issue where the experimental CSP meta element wasn't placed in the <head> element as early as possible, causing these policies to not apply to styles and scripts that came before the meta element.

astro@5.9.2

09 Jun 15:32
4d96bda

Patch Changes

  • #13919 423fe60 Thanks @ematipico! - Fixes a bug where Astro added quotes to the CSP resources.

    Only certain resources require quotes (e.g. 'self' but not https://cdn.example.com), so Astro no longer adds quotes to any resources. You must now provide the quotes yourself for resources such as 'self' when necessary:

    export default defineConfig({
      experimental: {
        csp: {
          styleDirective: {
            resources: [
    -          "self",
    +          "'self'",
              "https://cdn.example.com"
            ]
          }
        }
      }
    })
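
Because Astro no longer adds quotes, an unquoted keyword such as self is now emitted as written and the browser reads it as a host name rather than as the 'self' keyword. The added example below (not part of Astro) lints a resources array for that mistake and for the reverse one, a quoted URL; it also covers the 'strict-dynamic' case from the astro@5.9.4 fix. `lintResources` and the sample array are constructed for illustration.

```javascript
// Keyword sources that must be written with single quotes in a CSP.
const KEYWORDS = new Set([
  'self', 'none', 'unsafe-inline', 'unsafe-eval', 'unsafe-hashes',
  'strict-dynamic', 'report-sample', 'wasm-unsafe-eval',
]);
// Nonce and hash sources are quoted as well: 'nonce-...', 'sha256-...'.
const NONCE_OR_HASH = /^(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_=-]+$/;

function lintResources(resources) {
  const findings = [];
  for (const resource of resources) {
    const quoted = /^'.*'$/.test(resource);
    const inner = quoted ? resource.slice(1, -1) : resource;
    const needsQuotes =
      KEYWORDS.has(inner.toLowerCase()) || NONCE_OR_HASH.test(inner);
    if (!quoted && needsQuotes) {
      // Parsed as a host called e.g. "self": the intended rule never applies.
      findings.push({ resource, problem: 'missing-quotes', fix: `'${inner}'` });
    } else if (quoted && !needsQuotes) {
      // Quoted hosts, URLs and schemes are not valid source expressions.
      findings.push({ resource, problem: 'quoted-non-keyword', fix: inner });
    }
  }
  return findings;
}

// Constructed sample resembling a styleDirective/scriptDirective resources list.
const sampleResources = [
  'self',
  "'self'",
  'https://cdn.example.com',
  "'https://cdn.example.com'",
  'strict-dynamic',
  'sha256-abc123=',
];
console.log(lintResources(sampleResources));
```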

  • #13914 76c5480 Thanks @ematipico! - BREAKING CHANGE to the experimental Content Security Policy feature only

    Removes support for experimental Content Security Policy (CSP) when using the <ClientRouter /> component for view transitions.

    It is no longer possible to enable experimental CSP while using Astro's view transitions. Support was already unstable with the <ClientRouter /> because CSP required making its underlying implementation asynchronous. This caused breaking changes for several users and therefore, this PR removes support completely.

    If you are currently using the component for view transitions, please remove the experimental CSP flag as they cannot be used together.

    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      experimental: {
    -   csp: true
       }
    });

    Alternatively, to continue using experimental CSP in your project, you can consider migrating to the browser native View Transition API and remove the <ClientRouter /> from your project. You may be able to achieve similar results if you are not using Astro's enhancements to the native View Transitions and Navigation APIs.

    Support might be reintroduced in future releases. You can follow this experimental feature's development in the CSP RFC.

astro@5.9.1

07 Jun 08:54
c46210d

Patch Changes

astro@5.9.0

05 Jun 12:45
0947a69

Minor Changes

  • #13802 0eafe14 Thanks @ematipico! - Adds experimental Content Security Policy (CSP) support

    CSP is an important feature to provide fine-grained control over resources that can or cannot be downloaded and executed by a document. In particular, it can help protect against cross-site scripting (XSS) attacks.

    Enabling this feature adds additional security to Astro's handling of processed and bundled scripts and styles by default, and allows you to further configure these, and additional, content types. This new experimental feature has been designed to work in every Astro rendering environment (static pages, dynamic pages and single page applications), while giving you maximum flexibility and with type-safety in mind.

    It is compatible with most of Astro's features, such as client islands and server islands, although Astro's view transitions using the <ClientRouter /> are not yet fully supported. Inline scripts are not supported out of the box, but you can provide your own hashes for external and inline scripts.

    To enable this feature, add the experimental flag in your Astro config:

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      experimental: {
        csp: true,
      },
    });

    For more information on enabling and using this feature in your project, see the Experimental CSP docs.

    For a complete overview, and to give feedback on this experimental API, see the Content Security Policy RFC.

  • #13850 1766d22 Thanks @ascorbic! - Provides a Markdown renderer to content loaders

    When creating a content loader, you will now have access to a renderMarkdown function that allows you to render Markdown content directly within your loaders. It uses the same settings and plugins as the renderer used for Markdown files in Astro, and follows any Markdown settings you have configured in your Astro project.

    This allows you to render Markdown content from various sources, such as a CMS or other data sources, directly in your loaders without needing to preprocess the Markdown content separately.

    import type { Loader } from 'astro/loaders';
    import { loadFromCMS } from './cms';
    
    export function myLoader(settings): Loader {
      return {
        name: 'my-loader',
        async load({ renderMarkdown, store }) {
          const entries = await loadFromCMS();
    
          store.clear();
    
          for (const entry of entries) {
            // Assume each entry has a 'content' field with markdown content
            store.set(entry.id, {
              id: entry.id,
              data: entry,
              rendered: await renderMarkdown(entry.content),
            });
          }
        },
      };
    }

    The return value of renderMarkdown is an object with two properties: html and metadata. These match the rendered property of content entries in content collections, so you can use them to render the content in your components or pages.

    ---
    import { getEntry, render } from 'astro:content';
    const entry = await getEntry('my-collection', Astro.params.id);
    const { Content } = await render(entry);
    ---
    
    <Content />

    For more information, see the Content Loader API docs.

  • #13887 62f0668 Thanks @yanthomasdev! - Adds an option for integration authors to suppress adapter warnings/errors in supportedAstroFeatures. This is useful when either a warning/error isn't applicable in a specific context or the default one might conflict and confuse users.

    To do so, you can add suppress: "all" (to suppress both the default and custom message) or suppress: "default" (to only suppress the default one):

    setAdapter({
      name: 'my-astro-integration',
      supportedAstroFeatures: {
        staticOutput: 'stable',
        hybridOutput: 'stable',
        sharpImageService: {
          support: 'limited',
          message:
            "The sharp image service isn't available in the deploy environment, but will be used by prerendered pages on build.",
          suppress: 'default',
        },
      },
    });

    For more information, see the Adapter API reference docs.

@astrojs/cloudflare@12.5.4

05 Jun 12:45
0947a69

Patch Changes

  • #13817 b7258f1 Thanks @yanthomasdev! - Clarifies and reduces a few logs when starting the dev server with @astrojs/cloudflare.

    Warnings about sharp support will now be suppressed when you have explicitly set an imageService option.

  • Updated dependencies []:

    • @astrojs/underscore-redirects@0.6.1

astro@5.8.2

04 Jun 09:33
1d628d5

Patch Changes