You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on May 15, 2026. It is now read-only.
Only certain resources require quotes (e.g. 'self' but not https://cdn.example.com), so Astro no longer adds quotes to any resources. You must now provide the quotes yourself for resources such as 'self' when necessary:
#1391476c5480 Thanks @ematipico! - BREAKING CHANGE to the experimental Content Security Policy feature only
Removes support for experimental Content Security Policy (CSP) when using the <ClientRouter /> component for view transitions.
It is no longer possible to enable experimental CSP while using Astro's view transitions. Support was already unstable with the <ClientRouter /> because CSP required making its underlying implementation asynchronous. This caused breaking changes for several users and therefore, this PR removes support completely.
If you are currently using the component for view transitions, please remove the experimental CSP flag as they cannot be used together.
Alternatively, to continue using experimental CSP in your project, you can consider migrating to the browser native View Transition API and remove the <ClientRouter /> from your project. You may be able to achieve similar results if you are not using Astro's enhancements to the native View Transitions and Navigation APIs.
Support might be reintroduced in future releases. You can follow this experimental feature's development in the CSP RFC.
CSP is an important feature to provide fine-grained control over resources that can or cannot be downloaded and executed by a document. In particular, it can help protect against cross-site scripting (XSS) attacks.
Enabling this feature adds additional security to Astro's handling of processed and bundled scripts and styles by default, and allows you to further configure these, and additional, content types. This new experimental feature has been designed to work in every Astro rendering environment (static pages, dynamic pages and single page applications), while giving you maximum flexibility and with type-safety in mind.
It is compatible with most of Astro's features such as client islands, and server islands, although Astro's view transitions using the <ClientRouter /> are not yet fully supported. Inline scripts are not supported out of the box, but you can provide your own hashes for external and inline scripts.
To enable this feature, add the experimental flag in your Astro config:
When creating a content loader, you will now have access to a renderMarkdown function that allows you to render Markdown content directly within your loaders. It uses the same settings and plugins as the renderer used for Markdown files in Astro, and follows any Markdown settings you have configured in your Astro project.
This allows you to render Markdown content from various sources, such as a CMS or other data sources, directly in your loaders without needing to preprocess the Markdown content separately.
importtype{Loader}from'astro/loaders';import{loadFromCMS}from'./cms';exportfunctionmyLoader(settings): Loader{return{name: 'my-loader',asyncload({ renderMarkdown, store }){constentries=awaitloadFromCMS();store.clear();for(constentryofentries){// Assume each entry has a 'content' field with markdown contentstore.set(entry.id,{id: entry.id,data: entry,rendered: awaitrenderMarkdown(entry.content),});}},};}
The return value of renderMarkdown is an object with two properties: html and metadata. These match the rendered property of content entries in content collections, so you can use them to render the content in your components or pages.
This change adds a new image.experimentalDefaultStyles option that allows you to disable the default styles applied to responsive images.
When using experimental responsive images, Astro applies default styles to ensure the images resize correctly. In most cases this is what you want – and they are applied with low specificity so your own styles override them. However in some cases you may want to disable these default styles entirely. This is particularly useful when using Tailwind 4, because it uses CSS cascade layers to apply styles, making it difficult to override the default styles.
image.experimentalDefaultStyles is a boolean option that defaults to true, so you can change it in your Astro config file like this:
Node.js 18 has now reached end-of-life and should not be used. For now, Astro will continue to support Node.js 18.20.8, which is the final LTS release of Node.js 18, as well as Node.js 20 and Node.js 22 or later. We will drop support for Node.js 18 in a future release, so we recommend upgrading to Node.js 22 as soon as possible. See Astro's Node.js support policy for more details.
⚠️Important note for users of Cloudflare Pages: The current build image for Cloudflare Pages uses Node.js 18.17.1 by default, which is no longer supported by Astro. If you are using Cloudflare Pages you should override the default Node.js version to Node.js 22. This does not affect users of Cloudflare Workers, which uses Node.js 22 by default.
#1337350ef568 Thanks @jpwienekus! - Fixes a bug where highlights and tooltips render over the audit list window.
#13769e9fc456 Thanks @romanstetsyk! - Expand ActionError codes to include all IANA-registered HTTP error codes.
#13668866285a Thanks @sapphi-red! - Replaces internal CSS chunking behavior for Astro components' scoped styles to use Vite's cssScopeTo feature. The feature is a port of Astro's implementation so this should not change the behavior.
#137887d0b7ac Thanks @florian-lefebvre! - Fixes a case where an error would not be thrown when using the <Font /> component from the experimental fonts API without adding fonts in the Astro config
#13784d7a1889 Thanks @florian-lefebvre! - Fixes the experimental fonts API to correctly take config.base, config.build.assets and config.build.assetsPrefix into account
#13777a56b8ea Thanks @L4Ph! - Fixed an issue where looping GIF animation would stop when converted to WebP
📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
If you want to rebase/retry this PR, check this box
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Because you closed this PR without merging, Renovate will ignore this update (5.9.2). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
None yet
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.7.12->5.9.2Release Notes
withastro/astro (astro)
v5.9.2Compare Source
Patch Changes
#13919
423fe60Thanks @ematipico! - Fixes a bug where Astro added quotes to the CSP resources.Only certain resources require quotes (e.g.
'self'but nothttps://cdn.example.com), so Astro no longer adds quotes to any resources. You must now provide the quotes yourself for resources such as'self'when necessary:export default defineConfig({ experimental: { csp: { styleDirective: { resources: [ - "self", + "'self'", "https://cdn.example.com" ] } } } })#13914
76c5480Thanks @ematipico! - BREAKING CHANGE to the experimental Content Security Policy feature onlyRemoves support for experimental Content Security Policy (CSP) when using the
<ClientRouter />component for view transitions.It is no longer possible to enable experimental CSP while using Astro's view transitions. Support was already unstable with the
<ClientRouter />because CSP required making its underlying implementation asynchronous. This caused breaking changes for several users and therefore, this PR removes support completely.If you are currently using the component for view transitions, please remove the experimental CSP flag as they cannot be used together.
import { defineConfig } from 'astro/config'; export default defineConfig({ experimental: { - csp: true } });Alternatively, to continue using experimental CSP in your project, you can consider migrating to the browser native View Transition API and remove the
<ClientRouter />from your project. You may be able to achieve similar results if you are not using Astro's enhancements to the native View Transitions and Navigation APIs.Support might be reintroduced in future releases. You can follow this experimental feature's development in the CSP RFC.
v5.9.1Compare Source
Patch Changes
#13899
7a1303dThanks @reknih! - Fix bug where error pages would return invalid bodies if the upstream response was compressed#13902
051bc30Thanks @arHSM! - Fixes a bug where vite virtual module ids were incorrectly added in the dev server#13905
81f71caThanks @jsparkdev! - Fixes wrong contents in CSP meta tag.#13907
8246bccThanks @martrapp! - Fixes a bug that caused view transition names to be lost.#13901
37fa0a2Thanks @ansg191! - fix fallback not being removed when server island is renderedv5.9.0Compare Source
Minor Changes
#13802
0eafe14Thanks @ematipico! - Adds experimental Content Security Policy (CSP) supportCSP is an important feature to provide fine-grained control over resources that can or cannot be downloaded and executed by a document. In particular, it can help protect against cross-site scripting (XSS) attacks.
Enabling this feature adds additional security to Astro's handling of processed and bundled scripts and styles by default, and allows you to further configure these, and additional, content types. This new experimental feature has been designed to work in every Astro rendering environment (static pages, dynamic pages and single page applications), while giving you maximum flexibility and with type-safety in mind.
It is compatible with most of Astro's features such as client islands, and server islands, although Astro's view transitions using the
<ClientRouter />are not yet fully supported. Inline scripts are not supported out of the box, but you can provide your own hashes for external and inline scripts.To enable this feature, add the experimental flag in your Astro config:
For more information on enabling and using this feature in your project, see the Experimental CSP docs.
For a complete overview, and to give feedback on this experimental API, see the Content Security Policy RFC.
#13850
1766d22Thanks @ascorbic! - Provides a Markdown renderer to content loadersWhen creating a content loader, you will now have access to a
renderMarkdownfunction that allows you to render Markdown content directly within your loaders. It uses the same settings and plugins as the renderer used for Markdown files in Astro, and follows any Markdown settings you have configured in your Astro project.This allows you to render Markdown content from various sources, such as a CMS or other data sources, directly in your loaders without needing to preprocess the Markdown content separately.
The return value of
renderMarkdownis an object with two properties:htmlandmetadata. These match therenderedproperty of content entries in content collections, so you can use them to render the content in your components or pages.v5.8.2Compare Source
Patch Changes
#13877
5a7797fThanks @yuhang-dong! - Fixes a bug that causedAstro.rewriteto fail when used insequenced middleware#13872
442b841Thanks @isVivek99! - Fixes rendering of thedownloadattribute when it has a boolean valuev5.8.1Compare Source
Patch Changes
#13037
de2fc9bThanks @nanarino! - Fixes rendering of thepopoverattribute when it has a boolean value#13851
45ae95aThanks @ascorbic! - Allows disabling default styles for responsive imagesThis change adds a new
image.experimentalDefaultStylesoption that allows you to disable the default styles applied to responsive images.When using experimental responsive images, Astro applies default styles to ensure the images resize correctly. In most cases this is what you want – and they are applied with low specificity so your own styles override them. However in some cases you may want to disable these default styles entirely. This is particularly useful when using Tailwind 4, because it uses CSS cascade layers to apply styles, making it difficult to override the default styles.
image.experimentalDefaultStylesis a boolean option that defaults totrue, so you can change it in your Astro config file like this:#13858
cb1a168Thanks @florian-lefebvre! - Fixes the warning shown when client directives are used on Astro components#12574
da266d0Thanks @apatel369! - Allows using server islands in mdx files#13843
fbcfa68Thanks @z1haze! - Export typeAstroSessionto allow use in explicitly typed safe code.v5.8.0Compare Source
Minor Changes
#13809
3c3b492Thanks @ascorbic! - Increases minimum Node.js version to 18.20.8Node.js 18 has now reached end-of-life and should not be used. For now, Astro will continue to support Node.js 18.20.8, which is the final LTS release of Node.js 18, as well as Node.js 20 and Node.js 22 or later. We will drop support for Node.js 18 in a future release, so we recommend upgrading to Node.js 22 as soon as possible. See Astro's Node.js support policy for more details.
Patch Changes
3c3b492]:v5.7.14Compare Source
Patch Changes
#13773
3aa5337Thanks @sijad! - Ignores lightningcss unsupported pseudo-class warning.#13833
5a6d2aeThanks @ascorbic! - Fixes an issue where session modules would fail to resolve in Node.js < 20.6#13383
f7f712cThanks @Haberkamp! - Stop toolbar settings from overflowing#13794
85b19d8Thanks @alexcarpenter! - Exclude pre tags froma11y-no-noninteractive-tabindexaudit check.#13373
50ef568Thanks @jpwienekus! - Fixes a bug where highlights and tooltips render over the audit list window.#13769
e9fc456Thanks @romanstetsyk! - Expand ActionError codes to include all IANA-registered HTTP error codes.#13668
866285aThanks @sapphi-red! - Replaces internal CSS chunking behavior for Astro components' scoped styles to use Vite'scssScopeTofeature. The feature is a port of Astro's implementation so this should not change the behavior.v5.7.13Compare Source
Patch Changes
#13761
a2e8463Thanks @jp-knj! - Adds new content collections errors#13788
7d0b7acThanks @florian-lefebvre! - Fixes a case where an error would not be thrown when using the<Font />component from the experimental fonts API without adding fonts in the Astro config#13784
d7a1889Thanks @florian-lefebvre! - Fixes the experimental fonts API to correctly takeconfig.base,config.build.assetsandconfig.build.assetsPrefixinto account#13777
a56b8eaThanks @L4Ph! - Fixed an issue where looping GIF animation would stop when converted to WebP#13566
0489d8fThanks @TheOtterlord! - Fix build errors being ignored when build.concurrency > 1Configuration
📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.