Update dependency astro to v5.13.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
astro (source)	5.7.10 -> 5.13.2

GitHub Vulnerability Alerts

CVE-2025-54793

Summary

There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks.

This affects Astro >=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.

Background

Astro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the trailingSlash configuration option. It follows the following rules:

• If trailingSlash is set to "never", https://example.com/page/ will redirect to https://example.com/page
• If trailingSlash is set to "always", https://example.com/page will redirect to https://example.com/page/

It also collapses multiple trailing slashes, according to the following rules:

• If trailingSlash is set to "always" or "ignore" (the default), https://example.com/page// will redirect to https://example.com/page/
• If trailingSlash is set to "never", https://example.com/page// will redirect to https://example.com/page

It does this by returning a 301 redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from https://example.com/page to https://example.com/page/, it sending a 301 response with the header Location: /page/. The browser resolves this URL relative to the original page URL and redirects to https://example.com/page/

Details

The vulnerability occurs if the target path starts with //. A request for https://example.com//page will send the header Location: //page/. The browser interprets this as a protocol-relative URL, so instead of redirecting to https://example.com//page/, it will attempt to redirect to https://page/. This is unlikely to resolve, but by crafting a URL in the form https://example.com//target.domain/subpath, it will send the header Location: //target.domain/subpath/, which the browser translates as a redirect to https://target.domain/subpath/. The subpath part is required because otherwise Astro will interpret /target.domain as a file download, which skips trailing slash handling.

This leads to an Open Redirect vulnerability.

The URL needed to trigger the vulnerability varies according to the trailingSlash setting.

• If trailingSlash is set to "never", a URL in the form https://example.com//target.domain/subpath/
• If trailingSlash is set to "always", a URL in the form https://example.com//target.domain/subpath
• For any config value, a URL in the form https://example.com//target.domain/subpath//

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Mitigation

You can test if your site is affected by visiting https://yoursite.com//docs.astro.build/en//. If you are redirected to the Astro docs then your site is affected and must be updated.

Upgrade your site to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a Location header value that starts with //.

CVE-2025-55303

Summary

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png.

Proof of Concept

1. Create a new minimal Astro project ([email protected]).

2. Configure it to use the Node adapter (@astrojs/[email protected] — newer versions are not impacted):

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@​astrojs/node';
   
   export default defineConfig({
   	adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.

4. Run the server, e.g. with astro preview.

5. Append /_image?href=//placehold.co/600x400 to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400

6. The site will serve the image from the unauthorized placehold.co origin.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.

---

Astros's duplicate trailing slash feature leads to an open redirection security issue

CVE-2025-54793 / GHSA-cq8c-xv66-36gw

More information

Details

Summary

There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks.

This affects Astro >=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.

Background

Astro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the trailingSlash configuration option. It follows the following rules:

• If trailingSlash is set to "never", https://example.com/page/ will redirect to https://example.com/page
• If trailingSlash is set to "always", https://example.com/page will redirect to https://example.com/page/

It also collapses multiple trailing slashes, according to the following rules:

• If trailingSlash is set to "always" or "ignore" (the default), https://example.com/page// will redirect to https://example.com/page/
• If trailingSlash is set to "never", https://example.com/page// will redirect to https://example.com/page

It does this by returning a 301 redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from https://example.com/page to https://example.com/page/, it sending a 301 response with the header Location: /page/. The browser resolves this URL relative to the original page URL and redirects to https://example.com/page/

Details

The vulnerability occurs if the target path starts with //. A request for https://example.com//page will send the header Location: //page/. The browser interprets this as a protocol-relative URL, so instead of redirecting to https://example.com//page/, it will attempt to redirect to https://page/. This is unlikely to resolve, but by crafting a URL in the form https://example.com//target.domain/subpath, it will send the header Location: //target.domain/subpath/, which the browser translates as a redirect to https://target.domain/subpath/. The subpath part is required because otherwise Astro will interpret /target.domain as a file download, which skips trailing slash handling.

This leads to an Open Redirect vulnerability.

The URL needed to trigger the vulnerability varies according to the trailingSlash setting.

• If trailingSlash is set to "never", a URL in the form https://example.com//target.domain/subpath/
• If trailingSlash is set to "always", a URL in the form https://example.com//target.domain/subpath
• For any config value, a URL in the form https://example.com//target.domain/subpath//

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Mitigation

You can test if your site is affected by visiting https://yoursite.com//docs.astro.build/en//. If you are redirected to the Astro docs then your site is affected and must be updated.

Upgrade your site to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a Location header value that starts with //.

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

References

• https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw
• https://nvd.nist.gov/vuln/detail/CVE-2025-54793
• https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f
• https://github.com/withastro/astro

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Astro allows unauthorized third-party images in _image endpoint

CVE-2025-55303 / GHSA-xf8x-j4p2-f749

More information

Details

Summary

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png.

Proof of Concept

1. Create a new minimal Astro project ([email protected]).

2. Configure it to use the Node adapter (@astrojs/[email protected] — newer versions are not impacted):

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@​astrojs/node';
   
   export default defineConfig({
   	adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.

4. Run the server, e.g. with astro preview.

5. Append /_image?href=//placehold.co/600x400 to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400

6. The site will serve the image from the unauthorized placehold.co origin.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References

• https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749
• https://nvd.nist.gov/vuln/detail/CVE-2025-55303
• https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820
• https://github.com/withastro/astro

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

withastro/astro (astro)

v5.13.2

Compare Source

Patch Changes

• 4d16de7 Thanks @​ematipico! - Improves the detection of remote paths in the _image endpoint. Now href parameters that start with // are considered remote paths.

• Updated dependencies [4d16de7]:

  • @​astrojs/internal-helpers@​0.7.2
  • @​astrojs/markdown-remark@​6.3.6

v5.13.1

Compare Source

Patch Changes

• #​14225 f2490ab Thanks @​delucis! - Fixes the experimental.chromeDevtoolsWorkspace feature.

v5.13.0

Compare Source

Minor Changes

• #​14173 39911b8 Thanks @​florian-lefebvre! - Adds an experimental flag staticImportMetaEnv to disable the replacement of import.meta.env values with process.env calls and their coercion of environment variable values. This supersedes the rawEnvValues experimental flag, which is now removed.

  Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via astro:env into the expected type. This is the recommended way to use environment variables in Astro, as it allows you to easily see and manage whether your variables are public or secret, available on the client or only on the server at build time, and the data type of your values.

  However, you can still access environment variables through process.env and import.meta.env directly when needed. This was the only way to use environment variables in Astro before astro:env was added in Astro 5.0, and Astro's default handling of import.meta.env includes some logic that was only needed for earlier versions of Astro.

  The experimental.staticImportMetaEnv flag updates the behavior of import.meta.env to align with Vite's handling of environment variables and for better ease of use with Astro's current implementations and features. This will become the default behavior in Astro 6.0, and this early preview is introduced as an experimental feature.

  Currently, non-public import.meta.env environment variables are replaced by a reference to process.env. Additionally, Astro may also convert the value type of your environment variables used through import.meta.env, which can prevent access to some values such as the strings "true" (which is converted to a boolean value), and "1" (which is converted to a number).

  The experimental.staticImportMetaEnv flag simplifies Astro's default behavior, making it easier to understand and use. Astro will no longer replace any import.meta.env environment variables with a process.env call, nor will it coerce values.

  To enable this feature, add the experimental flag in your Astro config and remove rawEnvValues if it was enabled:

  // astro.config.mjs
  import { defineConfig } from "astro/config";
  
  export default defineConfig({
  +  experimental: {
  +    staticImportMetaEnv: true
  -    rawEnvValues: false
  +  }
  });

Updating your project

If you were relying on Astro's default coercion, you may need to update your project code to apply it manually:

// src/components/MyComponent.astro
- const enabled: boolean = import.meta.env.ENABLED;
+ const enabled: boolean = import.meta.env.ENABLED === "true";

If you were relying on the transformation into process.env calls, you may need to update your project code to apply it manually:

// src/components/MyComponent.astro
- const enabled: boolean = import.meta.env.DB_PASSWORD;
+ const enabled: boolean = process.env.DB_PASSWORD;

You may also need to update types:

// src/env.d.ts
interface ImportMetaEnv {
  readonly PUBLIC_POKEAPI: string;
-  readonly DB_PASSWORD: string;
-  readonly ENABLED: boolean;
+  readonly ENABLED: string;
}

interface ImportMeta {
  readonly env: ImportMetaEnv;
}

+ namespace NodeJS {
+  interface ProcessEnv {
+    DB_PASSWORD: string;
+  }
+ }

See the experimental static import.meta.env documentation for more information about this feature. You can learn more about using environment variables in Astro, including astro:env, in the environment variables documentation.

• #​14122 41ed3ac Thanks @​ascorbic! - Adds experimental support for automatic Chrome DevTools workspace folders

  This feature allows you to edit files directly in the browser and have those changes reflected in your local file system via a connected workspace folder. This allows you to apply edits such as CSS tweaks without leaving your browser tab!

  With this feature enabled, the Astro dev server will automatically configure a Chrome DevTools workspace for your project. Your project will then appear as a workspace source, ready to connect. Then, changes that you make in the "Sources" panel are automatically saved to your project source code.

  To enable this feature, add the experimental flag chromeDevtoolsWorkspace to your Astro config:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      chromeDevtoolsWorkspace: true,
    },
  });

  See the experimental Chrome DevTools workspace feature documentation for more information.

v5.12.9

Compare Source

Patch Changes

• #​14020 9518975 Thanks @​jp-knj and @​asieradzk! - Prevent double-prefixed redirect paths when using fallback and redirectToDefaultLocale together

  Fixes an issue where i18n fallback routes would generate double-prefixed paths (e.g., /es/es/test/item1/) when fallback and redirectToDefaultLocale configurations were used together. The fix adds proper checks to prevent double prefixing in route generation.

• #​14199 3e4cb8e Thanks @​ascorbic! - Fixes a bug that prevented HMR from working with inline styles

v5.12.8

Compare Source

Patch Changes

• 0567fb7 Thanks @​ascorbic! - Adds // to list of internal path prefixes that do not have automated trailing slash handling

• #​13894 b36e72f Thanks @​florian-lefebvre! - Removes Astro Studio commands from the CLI help

• Updated dependencies [0567fb7]:

  • @​astrojs/internal-helpers@​0.7.1
  • @​astrojs/markdown-remark@​6.3.5

v5.12.7

Compare Source

Patch Changes

• #​14169 f4e8889 Thanks @​ascorbic! - Skips trailing slash handling for paths that start with /..

• #​14170 34e6b3a Thanks @​ematipico! - Fixes an issue where static redirects couldn't correctly generate a redirect when the destination is a prerendered route, and the output is set to "server".

• #​14169 f4e8889 Thanks @​ascorbic! - Fixes a bug that prevented images from being displayed in dev when using the Netlify adapter with trailingSlash set to always

• Updated dependencies [f4e8889]:

  • @​astrojs/internal-helpers@​0.7.0
  • @​astrojs/markdown-remark@​6.3.4

v5.12.6

Compare Source

Patch Changes

• #​14153 29e9283 Thanks @​jp-knj! - Fixes a regression introduced by a recent optimisation of how SVG images are emitted during the build.

• #​14156 592f08d Thanks @​TheOtterlord! - Fix the client router not submitting forms if the active URL contained a hash

• #​14160 d2e25c6 Thanks @​ascorbic! - Fixes a bug that meant some remote image URLs could cause invalid filenames to be used for processed images

• #​14167 62bd071 Thanks @​ascorbic! - Fixes a bug that prevented destroyed sessions from being deleted from storage unless the session had been loaded

v5.12.5

Compare Source

Patch Changes

• #​14059 19f53eb Thanks @​benosmac! - Fixes a bug in i18n implementation, where Astro didn't emit the correct pages when fallback is enabled, and a locale uses a catch-all route, e.g. src/pages/es/[...catchAll].astro

• #​14155 31822c3 Thanks @​ascorbic! - Fixes a bug that caused an error "serverEntrypointModule[_start] is not a function" in some adapters

v5.12.4

Compare Source

Patch Changes

• #​14031 e9206c1 Thanks @​jp-knj! - Optimized the build pipeline for SVG images. Now, Astro doesn't reprocess images that have already been processed.

• #​14132 976879a Thanks @​ematipico! - Fixes a bug where the property Astro.routePattern/context.routePattern wasn't updated when using a rewrite via middleware.

• #​14131 aafc4d7 Thanks @​florian-lefebvre! - Fixes a case where an error occurring in a middleware would show the dev overlay instead of the custom 500.astro page

• #​14127 2309ada Thanks @​florian-lefebvre! - Upgrades zod

• #​14134 186c201 Thanks @​ascorbic! - Throws a more helpful error in dev if trying to use a server island without an adapter

• #​14129 3572d85 Thanks @​ematipico! - Fixes a bug where the CSP headers was incorrectly added to a page when using an adapter.

v5.12.3

Compare Source

Patch Changes

• #​14119 14807a4 Thanks @​ascorbic! - Fixes a bug that caused builds to fail if a client directive was mistakenly added to an Astro component

• #​14001 4b03d9c Thanks @​dnek! - Fixes an issue where getImage() assigned the resized base URL to the srcset URL of ImageTransform, which matched the width, height, and format of the original image.

v5.12.2

Compare Source

Patch Changes

• #​14071 d2cb35d Thanks @​Grisoly! - Exposes the Code component lang prop type:

  import type { CodeLanguage } from 'astro';

• #​14111 5452ee6 Thanks @​ascorbic! - Fixes a bug that prevented "key" from being used as a prop for Astro components in MDX

• #​14106 b5b39e4 Thanks @​ascorbic! - Exits with non-zero exit code when config has an error

• #​14112 37458b3 Thanks @​ascorbic! - Fixes a bug that meant that SVG components could no longer be serialized with JSON.stringify

• #​14061 c7a7dd5 Thanks @​jonasgeiler! - Add module declaration for ?no-inline asset imports

• #​14109 5a08fa2 Thanks @​ascorbic! - Throw a more helpful error if defineLiveCollection is used outside of a live.config file

• #​14110 e7dd4e1 Thanks @​ascorbic! - Warn if duplicate IDs are found by file loader

v5.12.1

Compare Source

Patch Changes

• #​14094 22e9087 Thanks @​ascorbic! - Correct types to allow priority on all images

• #​14091 26c6b6d Thanks @​ascorbic! - Fixes a bug that caused a type error when defining session options without a driver

• #​14082 93322cb Thanks @​louisescher! - Fixes an issue where Astro's default 404 route would incorrectly match routes containing "/404" in dev

• #​14089 687d253 Thanks @​florian-lefebvre! - Fixes a case where astro:env would not load the right environments variables in dev

• #​14092 6692c71 Thanks @​ascorbic! - Improves error handling in live collections

• #​14074 144a950 Thanks @​abcfy2! - Fixes a bug that caused some image service builds to fail

• #​14092 6692c71 Thanks @​ascorbic! - Fixes a case where zod could not be imported from astro:content virtual module in live collection config

v5.12.0

Compare Source

Minor Changes

• #​13971 fe35ee2 Thanks @​adamhl8! - Adds an experimental flag rawEnvValues to disable coercion of import.meta.env values (e.g. converting strings to other data types) that are populated from process.env

  Astro allows you to configure a type-safe schema for your environment variables, and converts variables imported via astro:env into the expected type.

  However, Astro also converts your environment variables used through import.meta.env in some cases, and this can prevent access to some values such as the strings "true" (which is converted to a boolean value), and "1" (which is converted to a number).

  The experimental.rawEnvValues flag disables coercion of import.meta.env values that are populated from process.env, allowing you to use the raw value.

  To enable this feature, add the experimental flag in your Astro config:

  import { defineConfig } from "astro/config"
  
  export default defineConfig({
  +  experimental: {
  +    rawEnvValues: true,
  +  }
  })

  If you were relying on this coercion, you may need to update your project code to apply it manually:

  - const enabled: boolean = import.meta.env.ENABLED
  + const enabled: boolean = import.meta.env.ENABLED === "true"

  See the experimental raw environment variables reference docs for more information.

• #​13941 6bd5f75 Thanks @​aditsachde! - Adds support for TOML files to Astro's built-in glob() and file() content loaders.

  In Astro 5.2, Astro added support for using TOML frontmatter in Markdown files instead of YAML. However, if you wanted to use TOML files as local content collection entries themselves, you needed to write your own loader.

  Astro 5.12 now directly supports loading data from TOML files in content collections in both the glob() and the file() loaders.

  If you had added your own TOML content parser for the file() loader, you can now remove it as this functionality is now included:

  // src/content.config.ts
  import { defineCollection } from "astro:content";
  import { file } from "astro/loaders";
  - import { parse as parseToml } from "toml";
  const dogs = defineCollection({
  -  loader: file("src/data/dogs.toml", { parser: (text) => parseToml(text) }),
  + loader: file("src/data/dogs.toml")
    schema: /* ... */
  })

  Note that TOML does not support top-level arrays. Instead, the file() loader considers each top-level table to be an independent entry. The table header is populated in the id field of the entry object.

  See Astro's content collections guide for more information on using the built-in content loaders.

Patch Changes

• Updated dependencies [6bd5f75]:
  • @​astrojs/markdown-remark@​6.3.3

v5.11.2

Compare Source

Patch Changes

• #​14064 2eb77d8 Thanks @​jp-knj! - Allows using tsconfig compilerOptions.paths without setting compilerOptions.baseUrl

• #​14068 10189c0 Thanks @​jsparkdev! - Fixes the incorrect CSS import path shown in the terminal message during Tailwind integration setup.

v5.11.1

Compare Source

Patch Changes

• #​14045 3276b79 Thanks @​ghubo! - Fixes a problem where importing animated .avif files returns a NoImageMetadata error.

• #​14041 0c4d5f8 Thanks @​dixslyf! - Fixes a <ClientRouter /> bug where the fallback view transition animations when exiting a page
  ran too early for browsers that do not support the View Transition API.
  This bug prevented event.viewTransition?.skipTransition() from skipping the page exit animation
  when used in an astro:before-swap event hook.

v5.11.0

Compare Source

Minor Changes

• #​13972 db8f8be Thanks @​ematipico! - Updates the NodeApp.match() function in the Adapter API to accept a second, optional parameter to allow adapter authors to add headers to static, prerendered pages.

  NodeApp.match(request) currently checks whether there is a route that matches the given Request. If there is a prerendered route, the function returns undefined, because static routes are already rendered and their headers cannot be updated.

  When the new, optional boolean parameter is passed (e.g. NodeApp.match(request, true)), Astro will return the first matched route, even when it's a prerendered route. This allows your adapter to now access static routes and provides the opportunity to set headers for these pages, for example, to implement a Content Security Policy (CSP).

Patch Changes

• #​14029 42562f9 Thanks @​ematipico! - Fixes a bug where server islands wouldn't be correctly rendered when they are rendered inside fragments.

  Now the following examples work as expected:

v5.10.2

Compare Source

Patch Changes

• #​14000 3cbedae Thanks @​feelixe! - Fix routePattern JSDoc examples to show correct return values

• #​13990 de6cfd6 Thanks @​isVivek99! - Fixes a case where astro:config/client and astro:config/server virtual modules would not contain config passed to integrations updateConfig() during the build

• #​14019 a160d1e Thanks @​ascorbic! - Removes the requirement to set type: 'live' when defining experimental live content collections

  Previously, live collections required a type and loader configured. Now, Astro can determine that your collection is a live collection without defining it explicitly.

  This means it is now safe to remove type: 'live' from your collections defined in src/live.config.ts:

  import { defineLiveCollection } from 'astro:content';
  import { storeLoader } from '@​mystore/astro-loader';
  
  const products = defineLiveCollection({
  -  type: 'live',
    loader: storeLoader({
      apiKey: process.env.STORE_API_KEY,
      endpoint: 'https://api.mystore.com/v1',
    }),
  });
  
  export const collections = { products };

  This is not a breaking change: your existing live collections will continue to work even if you still include type: 'live'. However, we suggest removing this line at your earliest convenience for future compatibility when the feature becomes stable and this config option may be removed entirely.

• #​13966 598da21 Thanks @​msamoylov! - Fixes a broken link on the default 404 page in development

v5.10.1

Compare Source

Patch Changes

• #​13988 609044c Thanks @​ascorbic! - Fixes a bug in live collections that caused it to incorrectly complain about the collection being defined in the wrong file

• #​13909 b258d86 Thanks @​isVivek99! - Fixes rendering of special boolean attributes for custom elements

• #​13983 e718375 Thanks @​florian-lefebvre! - Fixes a case where the toolbar audit would incorrectly flag images processed by Astro in content collections documents

• #​13999 f077b68 Thanks @​ascorbic! - Adds lastModified field to experimental live collection cache hints

  Live loaders can now set a lastModified field in the cache hints for entries and collections to indicate when the data was last modified. This is then available in the cacheHint field returned by getCollection and getEntry.

• #​13987 08f34b1 Thanks @​ematipico! - Adds an informative message in dev mode when the CSP feature is enabled.

• #​14005 82aad62 Thanks @​ematipico! - Fixes a bug where inline styles and scripts didn't work when CSP was enabled. Now when adding <styles> elements inside an Astro component, their hashes care correctly computed.

• #​13985 0b4c641 Thanks @​jsparkdev! - Updates wrong link

v5.10.0

Compare Source

Minor Changes

• #​13917 e615216 Thanks @​ascorbic! - Adds a new priority attribute for Astro's image components.

  This change introduces a new priority option for the <Image /> and <Picture /> components, which automatically sets the loading, decoding, and fetchpriority attributes to their optimal values for above-the-fold images which should be loaded immediately.

  It is a boolean prop, and you can use the shorthand syntax by simply adding priority as a prop to the <Image /> or <Picture /> component. When set, it will apply the following attributes:

  • loading="eager"
  • decoding="sync"
  • fetchpriority="high"

  The individual attributes can still be set manually if you need to customize your images further.

  By default, the Astro <Image /> component generates <img> tags that lazy-load their content by setting loading="lazy" and decoding="async". This improves performance by deferring the loading of images that are not immediately visible in the viewport, and gives the best scores in performance audits like Lighthouse.

  The new priority attribute will override those defaults and automatically add the best settings for your high-priority assets.

  This option was previously available for experimental responsive images, but now it is a standard feature for all images.

Usage

<Image src="/path/to/image.jpg" alt="An example image" priority />

[!Note]
You should only use the priority option for images that are critical to the initial rendering of the page, and ideally only one image per page. This is often an image identified as the LCP element when running Lighthouse tests. Using it for too many images will lead to performance issues, as it forces the browser to load those images immediately, potentially blocking the rendering of other content.

• #​13917 e615216 Thanks @​ascorbic! - The responsive images feature introduced behind a flag in v5.0.0 is no longer experimental and is available for general use.

  The new responsive images feature in Astro automatically generates optimized images for different screen sizes and resolutions, and applies the correct attributes to ensure that images are displayed correctly on all devices.

  Enable the image.responsiveStyles option in your Astro config. Then, set a layout attribute on any or component, or configure a default image.layout, for instantly responsive images with automatically generated srcset and sizes attributes based on the image's dimensions and the layout type.

  Displaying images correctly on the web can be challenging, and is one of the most common performance issues seen in sites. This new feature simplifies the most challenging part of the process: serving your site visitor an image optimized for their viewing experience, and for your website's performance.

  For full details, see the updated Image guide.

Migration from Experimental Responsive Images

The experimental.responsiveImages flag has been removed, and all experimental image configuration options have been renamed to their final names.

If you were using the experimental responsive images feature, you'll need to update your configuration:

Remove the experimental flag

export default defineConfig({
   experimental: {
-    responsiveImages: true,
   },
});

Update image configuration options

During the experimental phase, default styles were applied automatically to responsive images. Now, you need to explicitly set the responsiveStyles option to true if you want these styles applied.

export default defineConfig({
  image: {
+    responsiveStyles: true,
  },
});

The experimental image configuration options have been renamed:

Before:

export default defineConfig({
  image: {
    experimentalLayout: 'constrained',
    experimentalObjectFit: 'cover',
    experimentalObjectPosition: 'center',
    experimentalBreakpoints: [640, 750, 828, 1080, 1280],
    experimentalDefaultStyles: true,
  },
  experimental: {
    responsiveImages: true,
  },
});

After:

export default defineConfig({
  image: {
    layout: 'constrained',
    objectFit: 'cover',
    objectPosition: 'center',
    breakpoints: [640, 750, 828, 1080, 1280],
    responsiveStyles: true, // This is now *false* by default
  },
});

Component usage remains the same

The layout, fit, and position props on <Image> and <Picture> components work exactly the same as before:

<Image
  src={myImage}
  alt="A responsive image"
  layout="constrained"
  fit="cover"
  position="center"
/>

If you weren't using the experimental responsive images feature, no changes are required.

Please see the Image guide for more information on using responsive images in Astro.

• #​13685 3c04c1f Thanks @​ascorbic! - Adds experimental support for live content collections

  Live content collections are a new type of content collection that fetch their data at runtime rather than build time. This allows you to access frequently-updated data from CMSs, APIs, databases, or other sources using a unified API, without needing to rebuild your site when the data changes.

Live collections vs build-time collections

In Astro 5.0, the content layer API added support for adding diverse content sources to content collections. You can create loaders that fetch data from any source at build time, and then access it inside a page via getEntry() and getCollection(). The data is cached between builds, giving fast access and updates.

However there is no method for updating the data store between builds, meaning any updates to the data need a full site deploy, even if the pages are rendered on-demand. This means that content collections are not suitable for pages that update frequently. Instead, today these pages tend to access the APIs directly in the frontmatter. This works, but leads to a lot of boilerplate, and means users don't benefit from the simple, unified API that content loaders offer. In most cases users t

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

This change is 

[MarcusSorealheis]

The website doesn't compile when we upgrade

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.