Skip to content

fix(deps): update astro monorepo (major)#10

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/major-astro-monorepo
Open

fix(deps): update astro monorepo (major)#10
renovate[bot] wants to merge 1 commit intomainfrom
renovate/major-astro-monorepo

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 10, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@astrojs/node (source) ^9.5.4^10.0.0 age confidence
@astrojs/vercel (source) ^9.0.4^10.0.0 age confidence
astro (source) ^5.18.0^6.0.0 age confidence

Release Notes

withastro/astro (@​astrojs/node)

v10.0.3

Compare Source

Patch Changes

  • #​15735 9685e2d Thanks @​fa-sharp! - Fixes an EventEmitter memory leak when serving static pages from Node.js middleware.

    When using the middleware handler, requests that were being passed on to Express / Fastify (e.g. static files / pre-rendered pages / etc.) weren't cleaning up socket listeners before calling next(), causing a memory leak warning. This fix makes sure to run the cleanup before calling next().

v10.0.2

Compare Source

Patch Changes

v10.0.1

Compare Source

Patch Changes

v10.0.0

Compare Source

Major Changes

  • #​15654 a32aee6 Thanks @​florian-lefebvre! - Removes the experimentalErrorPageHost option

    This option allowed fetching a prerendered error page from a different host than the server is currently running on.

    However, there can be security implications with prefetching from other hosts, and often more customization was required to do this safely. This has now been removed as a built-in option so that you can implement your own secure solution as needed and appropriate for your project via middleware.

What should I do?

If you were previously using this feature, you must remove the option from your adapter configuration as it no longer exists:

// astro.config.mjs
import { defineConfig } from 'astro/config'
import node from '@​astrojs/node'

export default defineConfig({
  adapter: node({
    mode: 'standalone',
-    experimentalErrorPageHost: 'http://localhost:4321'
  })
})

You can replicate the previous behavior by checking the response status in a middleware and fetching the prerendered page yourself:

// src/middleware.ts
import { defineMiddleware } from 'astro:middleware';

export const onRequest = defineMiddleware(async (ctx, next) => {
  const response = await next();
  if (response.status === 404 || response.status === 500) {
    return fetch(`http://localhost:4321/${response.status}.html`);
  }
  return response;
});
Minor Changes

  • #​15258 d339a18 Thanks @​ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

    export default defineConfig({
  adapter: netlify({
-    experimentalStaticHeaders: true
+    staticHeaders: true
  })
})

  • #​15759 39ff2a5 Thanks @​matthewp! - Adds a new bodySizeLimit option to the @astrojs/node adapter

    You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass 0 to disable the limit entirely:

    import node from '@​astrojs/node';
import { defineConfig } from 'astro/config';

export default defineConfig({
  adapter: node({
    mode: 'standalone',
    bodySizeLimit: 1024 * 1024 * 100, // 100 MB
  }),
});

  • #​15006 f361730 Thanks @​florian-lefebvre! - Adds new session driver object shape

    For greater flexibility and improved consistency with other Astro code, session drivers are now specified as an object:

    -import { defineConfig } from 'astro/config'
+import { defineConfig, sessionDrivers } from 'astro/config'

export default defineConfig({
  session: {
-    driver: 'redis',
-    options: {
-      url: process.env.REDIS_URL
-    },
+    driver: sessionDrivers.redis({
+      url: process.env.REDIS_URL
+    }),
  }
})

    Specifying the session driver as a string has been deprecated, but will continue to work until this feature is removed completely in a future major version. The object shape is the current recommended and documented way to configure a session driver.

  • #​14946 95c40f7 Thanks @​ematipico! - Removes the experimental.csp flag and replaces it with a new configuration option security.csp - (v6 upgrade guidance)

Patch Changes

  • #​15473 d653b86 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

  • #​15562 e14a51d Thanks @​florian-lefebvre! - Updates to new Adapter API introduced in v6

  • #​15585 98ea30c Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

  • #​15777 02e24d9 Thanks @​matthewp! - Fixes CSRF origin check mismatch by passing the actual server listening port to createRequest, ensuring the constructed URL origin includes the correct port (e.g., http://localhost:4321 instead of http://localhost). Also restricts X-Forwarded-Proto to only be trusted when allowedDomains is configured.

  • #​15714 9a2c949 Thanks @​ematipico! - Fixes an issue where static headers weren't correctly applied when the website uses base.

  • #​15763 1567e8c Thanks @​matthewp! - Normalizes static file paths before evaluating dotfile access rules for improved consistency

  • #​15164 54dc11d Thanks @​HiDeoo! - Fixes an issue where the Node.js adapter could fail to serve a 404 page matching a pre-rendered dynamic route pattern.

  • #​15745 20b05c0 Thanks @​matthewp! - Hardens static file handler path resolution to ensure resolved paths stay within the client directory

  • #​15495 5b99e90 Thanks @​leekeh! - Refactors to use middlewareMode adapter feature (set to classic)

  • #​15657 cb625b6 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

    This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

    If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

    // astro.config.mjs
export default defineConfig({
  security: {
    actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
  },
});

  • Updated dependencies [4ebc1e3, 4e7f3e8, a164c77, cf6ea6b, a18d727, 240c317, 745e632]:

withastro/astro (@​astrojs/vercel)

v10.0.2

Compare Source

Patch Changes
  • #​15959 335a204 Thanks @​matthewp! - Fix Vercel serverless path override handling so override values are only applied when the trusted middleware secret is present.

v10.0.1

Compare Source

Patch Changes

v10.0.0

Compare Source

Major Changes
Minor Changes

  • #​15258 d339a18 Thanks @​ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

    export default defineConfig({
  adapter: netlify({
-    experimentalStaticHeaders: true
+    staticHeaders: true
  })
})

  • #​15413 736216b Thanks @​florian-lefebvre! - Updates the implementation to use the new Adapter API

  • #​15495 5b99e90 Thanks @​leekeh! - Adds new middlewareMode adapter feature and deprecates edgeMiddleware option

    The edgeMiddleware option is now deprecated and will be removed in a future release, so users should transition to using the new middlewareMode feature as soon as possible.

    export default defineConfig({
  adapter: vercel({
-    edgeMiddleware: true
+    middlewareMode: 'edge'
  })
})

  • #​14946 95c40f7 Thanks @​ematipico! - Removes the experimental.csp flag and replaces it with a new configuration option security.csp - (v6 upgrade guidance)

Patch Changes

  • #​15781 2de969d Thanks @​ematipico! - Adds a new clientAddress option to the createContext() function

    Providing this value gives adapter and middleware authors explicit control over the client IP address. When not provided, accessing clientAddress throws an error consistent with other contexts where it is not set by the adapter.

    Additionally, both of the official Netlify and Vercel adapters have been updated to provide this information in their edge middleware.

    import { createContext } from 'astro/middleware';

createContext({
  clientAddress: context.headers.get('x-real-ip'),
});

  • #​15778 4ebc1e3 Thanks @​ematipico! - Fixes an issue where the computed clientAddress was incorrect in cases of a Request header with multiple values. The clientAddress is now also validated to contain only characters valid in IP addresses, rejecting injection payloads.

  • #​15460 ee7e53f Thanks @​florian-lefebvre! - Updates to use the new Adapter API

  • #​15450 50c9129 Thanks @​florian-lefebvre! - Fixes a case where build.serverEntry would not be respected when using the new Adapter API

  • #​15461 9f21b24 Thanks @​florian-lefebvre! - Updates to new Adapter API introduced in v6

  • #​15125 6feb0d7 Thanks @​florian-lefebvre! - Updates Node versions data to account for v24 as the default

  • Updated dependencies [4ebc1e3, 4e7f3e8, a164c77, cf6ea6b, a18d727, 240c317, 745e632]:

withastro/astro (astro)

v6.0.8

Compare Source

Patch Changes

  • #​15978 6d182fe Thanks @​seroperson! - Fixes a bug where Astro Actions didn't properly support nested object properties, causing problems when users used zod functions such as superRefine or discriminatedUnion.

  • #​16011 e752170 Thanks @​matthewp! - Fixes a dev server hang on the first request when using the Cloudflare adapter

  • #​15997 1fddff7 Thanks @​ematipico! - Fixes Astro.rewrite() failing when the target path contains duplicate slashes (e.g. //about). The duplicate slashes are now collapsed before URL parsing, preventing them from being interpreted as a protocol-relative URL.

v6.0.7

Compare Source

Patch Changes

  • #​15950 acce5e8 Thanks @​matthewp! - Fixes a build regression in projects with multiple frontend integrations where server:defer server islands could fail at runtime when all pages are prerendered.

  • #​15988 c93b4a0 Thanks @​ossaidqadri! - Fix styles from dynamically imported components not being injected on first dev server load.

  • #​15968 3e7a9d5 Thanks @​chasemccoy! - Fixes renderMarkdown in custom content loaders not resolving images in markdown content. Images referenced in markdown processed by renderMarkdown are now correctly optimized, matching the behavior of the built-in glob() loader.

  • #​15990 1e6017f Thanks @​ematipico! - Fixes an issue where Astro.currentLocale would always be the default locale instead of the actual one when using a dynamic route like [locale].astro or [locale]/index.astro. It now resolves to the correct locale from the URL.

  • #​15990 1e6017f Thanks @​ematipico! - Fixes an issue where visiting an invalid locale URL (e.g. /asdf/) would show the content of a dynamic [locale] page with a 404 status code, instead of showing your custom 404 page. Now, the correct 404 page is rendered when the locale in the URL doesn't match any configured locale.

  • #​15960 1d84020 Thanks @​matthewp! - Fixes Cloudflare dev server islands with prerenderEnvironment: 'node' by sharing the serialized manifest encryption key across dev environments and routing server island requests through the SSR runtime.

  • #​15735 9685e2d Thanks @​fa-sharp! - Fixes an EventEmitter memory leak when serving static pages from Node.js middleware.

    When using the middleware handler, requests that were being passed on to Express / Fastify (e.g. static files / pre-rendered pages / etc.) weren't cleaning up socket listeners before calling next(), causing a memory leak warning. This fix makes sure to run the cleanup before calling next().

v6.0.6

Compare Source

Patch Changes

  • #​15965 2dca307 Thanks @​matthewp! - Fixes client hydration for components imported through Node.js subpath imports (package.json#imports, e.g. #components/*), for example when using the Cloudflare adapter in development.

  • #​15770 6102ca2 Thanks @​jpc-ae! - Updates the create astro welcome message to highlight the graceful dev/preview server quit command rather than the kill process shortcut

  • #​15953 7eddf22 Thanks @​Desel72! - fix(hmr): eagerly recompile on style-only change to prevent stale slots render

  • #​15916 5201ed4 Thanks @​trueberryless! - Fixes InferLoaderSchema type inference for content collections defined with a loader that includes a schema

  • #​15864 d3c7de9 Thanks @​florian-lefebvre! - Removes temporary support for Node >=20.19.1 because Stackblitz now uses Node 22 by default

  • #​15944 a5e1acd Thanks @​fkatsuhiro! - Fixes SSR dynamic routes with .html extension (e.g. [slug].html.astro) not working

  • #​15937 d236245 Thanks @​ematipico! - Fixes an issue where HMR didn't correctly work on Windows when adding/changing/deleting routes in pages/.

  • #​15931 98dfb61 Thanks @​Strernd! - Fix skew protection query params not being applied to island hydration component-url and renderer-url, and ensure query params are appended safely for asset URLs with existing search/hash parts.

  • Updated dependencies []:

v6.0.5

Compare Source

Patch Changes

  • #​15891 b889231 Thanks @​matthewp! - Fix dev routing for server:defer islands when adapters opt into handling prerendered routes in Astro core. Server island requests are now treated as prerender-handler eligible so prerendered pages using prerenderEnvironment: 'node' can load island content without 400 errors.

  • #​15890 765a887 Thanks @​matthewp! - Fixes astro:actions validation to check resolved routes, so projects using default static output with at least one prerender = false page or endpoint no longer fail during startup.

  • #​15884 dcd2c8e Thanks @​matthewp! - Avoid a MaxListenersExceededWarning during astro dev startup by increasing the shared Vite watcher listener limit when attaching content server listeners.

  • #​15904 23d5244 Thanks @​jlukic! - Emit the before-hydration script chunk for the client Vite environment. The chunk was only emitted for prerender and ssr environments, causing a 404 when browsers tried to load it. This broke hydration for any integration using injectScript('before-hydration', ...), including Lit SSR.

  • #​15933 325901e Thanks @​ematipico! - Fixes an issue where <style> tags inside SVG components weren't correctly tracked when enabling CSP.

  • #​15875 c43ef8a Thanks @​matthewp! - Ensure custom prerenderers are always torn down during build, even when getStaticPaths() throws.

  • #​15887 1861fed Thanks @​ematipico! - Fixes an issue where the build incorrectly leaked server entrypoint into the client environment, causing adapters to emit warnings during the build.

  • #​15888 925252e Thanks @​matthewp! - Fix a bug where server:defer could fail at runtime in prerendered pages for some adapters (including Cloudflare), causing errors like serverIslandMap?.get is not a function.

  • #​15901 07c1002 Thanks @​delucis! - Fixes JSON schema generation for content collection schemas that have differences between their input and output shapes.

  • #​15882 759f946 Thanks @​matthewp! - Fix Astro.url.pathname for the root page when using build.format: "file" so it resolves to /index.html instead of /.html during builds.

v6.0.4

Compare Source

Patch Changes

  • #​15870 920f10b Thanks @​matthewp! - Prebundle astro/toolbar in dev when custom dev toolbar apps are registered, preventing re-optimization reloads that can hide or break the toolbar.

  • #​15876 f47ac53 Thanks @​ematipico! - Fixes redirectToDefaultLocale producing a protocol-relative URL (//locale) instead of an absolute path (/locale) when base is '/'.

  • #​15767 e0042f7 Thanks @​matthewp! - Fixes server islands (server:defer) not working when only used in prerendered pages with output: 'server'.

  • #​15873 35841ed Thanks @​matthewp! - Fix a dev server bug where newly created pages could miss layout-imported CSS until restart.

  • #​15874 ce0669d Thanks @​ematipico! - Fixes a warning when using prefetchAll

  • #​15754 58f1d63 Thanks @​rururux! - Fixes a bug where a directory at the project root sharing the same name as a page route would cause the dev server to return a 404 instead of serving the page.

  • #​15869 76b3a5e Thanks @​matthewp! - Update the unknown file extension error hint to recommend vite.resolve.noExternal, which is the correct Vite 7 config key.

v6.0.3

Compare Source

Patch Changes

  • #​15711 b2bd27b Thanks @​OliverSpeir! - Improves Astro core's dev environment handling for prerendered routes by ensuring route/CSS updates and prerender middleware behavior work correctly across both SSR and prerender environments.

    This enables integrations that use Astro's prerender dev environment (such as Cloudflare with prerenderEnvironment: 'node') to get consistent route matching and HMR behavior during development.

  • #​15852 1cdaf9f Thanks @​ematipico! - Fixes a regression where the the routes emitted by the astro:build:done hook didn't have the distURL array correctly populated.

  • #​15765 ca76ff1 Thanks @​matthewp! - Hardens server island POST endpoint validation to use own-property checks for improved consistency

v6.0.2

Compare Source

Patch Changes

v6.0.1

Compare Source

Patch Changes

v6.0.0

Compare Source

Major Changes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@vercel
Copy link

vercel bot commented Mar 10, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
patchwork Ready Ready Preview, Comment Mar 20, 2026 10:15pm

@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from 85ea1da to 405eb1b Compare March 10, 2026 18:08
@renovate renovate bot changed the title fix(deps): update astro monorepo (major) fix(deps): update dependency astro to v6 Mar 10, 2026
@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from 405eb1b to 2f3266c Compare March 10, 2026 21:32
@renovate renovate bot changed the title fix(deps): update dependency astro to v6 fix(deps): update astro monorepo (major) Mar 10, 2026
@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from 2f3266c to 39479d4 Compare March 11, 2026 22:03
@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from 39479d4 to 8ef514f Compare March 12, 2026 04:57
@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from 8ef514f to 686e0f6 Compare March 12, 2026 14:06
@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from 686e0f6 to 3ea6fe5 Compare March 12, 2026 17:06
@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from 3ea6fe5 to 7cc9a6e Compare March 12, 2026 21:59
@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from 7cc9a6e to ea52eb7 Compare March 16, 2026 15:02
@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from ea52eb7 to 4b5d974 Compare March 18, 2026 17:10
@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from 4b5d974 to fb89a0a Compare March 19, 2026 21:55
@renovate renovate bot force-pushed the renovate/major-astro-monorepo branch from fb89a0a to 91fe3a9 Compare March 20, 2026 22:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants