astro

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated. ⚠️⚠️⚠️⚠️⚠️⚠️ is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run on . ⚠️⚠️⚠️⚠️⚠️⚠️ Releases astro@6.0.0-beta.20 Minor Changes #15700 Thanks @ocavue! - Updates the internal logic during SSR by providing additional metadata for UI framework integrations. Patch Changes #15712 Thanks @florian-lefebvre! - Improves by supporting more operating systems when copying the information to the clipboard. #15780 Thanks @ematipico! - Prevents misconfiguration from exposing environment variables in client-side bundles. Astro now throws a clear error at startup if any entry matches a variable declared with in . For example, the following configuration will throw an error for because it's defined as its name matches defined in : #15778 Thanks @ematipico! - Fixes an issue where the computed was incorrect in cases of a Request header with multiple values. The is now also validated to contain only characters valid in IP addresses, rejecting injection payloads. #15776 Thanks @matthewp! - Hardens error page response merging to ensure framing headers from the original response are not carried over to the rendered error page #15759 Thanks @matthewp! - Adds a new option to the adapter You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass to disable the limit entirely: #15777 Thanks @matthewp! - Fixes CSRF origin check mismatch by passing the actual server listening port to , ensuring the constructed URL origin includes the correct port (e.g., instead of ). Also restricts to only be trusted when is configured. #15757 Thanks @matthewp! - Hardens URL pathname normalization to consistently handle backslash characters after decoding, ensuring middleware and router see the same canonical pathname #15761 Thanks @ematipico! - Fixes an issue where it wasn't possible to set to . #15764 Thanks @matthewp! - Fixes form actions incorrectly auto-executing during error page rendering. When an error page (e.g. 404) is rendered, form actions from the original request are no longer executed, since the full request handling pipeline is not active. Updated dependencies \[, ]: @astrojs/internal-helpers@0.8.0-beta.3 @astrojs/markdown-remark@7.0.0-beta.11 @astrojs/node@10.0.0-beta.9 Minor Changes #15759 Thanks @matthewp! - Adds a new option to the adapter You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass to disable the limit entirely: Patch Changes #15777 Thanks @matthewp! - Fixes CSRF origin check mismatch by passing the actual server listening port to , ensuring the constructed URL origin includes the correct port (e.g., instead of ). Also restricts to only be trusted when is configured. #15763 Thanks @matthewp! - Normalizes static file paths before evaluating dotfile access rules for improved consistency Updated dependencies \[, ]: @astrojs/internal-helpers@0.8.0-beta.3 @astrojs/internal-helpers@0.8.0-beta.3 Minor Changes #15778 Thanks @ematipico! - Added a new entry point called , which exposes utilities to work with the type: : retrieves the first value of a multi-value header. : checks whether a string contains only characters valid in IPv4/IPv6 addresses. : extracts the first value from a header and validates it as an IP address. : retrieves and validates the first IP from the header. Patch Changes #15700 Thanks @ocavue! - Adds a fork of from without Node.js APIs. @astrojs/cloudflare@13.0.0-beta.14 Patch Changes #15778 Thanks @ematipico! - Fixes an issue where the computed was incorrect in cases of a Request header with multiple values. The is now also validated to contain only characters valid in IP addresses, rejecting injection payloads. Updated dependencies \[, ]: @astrojs/internal-helpers@0.8.0-beta.3 @astrojs/underscore-redirects@1.0.0 @astrojs/markdoc@1.0.0-beta.15 Patch Changes Updated dependencies \[, ]: @astrojs/internal-helpers@0.8.0-beta.3 @astrojs/markdown-remark@7.0.0-beta.11 @astrojs/mdx@5.0.0-beta.12 Patch Changes Updated dependencies \[]: @astrojs/markdown-remark@7.0.0-beta.11 @astrojs/netlify@7.0.0-beta.14 Patch Changes Updated dependencies \[, ]: @astrojs/internal-helpers@0.8.0-beta.3 @astrojs/underscore-redirects@1.0.0 @astrojs/preact@5.0.0-beta.5 Patch Changes #15700 Thanks @ocavue! - Improves how Preact components are identified when setting the and/or options in projects where multiple JSX frameworks are used together Updated dependencies \[, ]: @astrojs/internal-helpers@0.8.0-beta.3 @astrojs/react@5.0.0-beta.4 Patch Changes #15700 Thanks @ocavue! - Improves how React components are identified when setting the and/or options in projects where multiple JSX frameworks are used together Updated dependencies \[, ]: @astrojs/internal-helpers@0.8.0-beta.3 @astrojs/vercel@10.0.0-beta.8 Patch Changes #15778 Thanks @ematipico! - Fixes an issue where the computed was incorrect in cases of a Request header with multiple values. The is now also validated to contain only characters valid in IP addresses, rejecting injection payloads. Updated dependencies \[, ]: @astrojs/internal-helpers@0.8.0-beta.3 @astrojs/markdown-remark@7.0.0-beta.11 Patch Changes Updated dependencies \[, ]: @astrojs/internal-helpers@0.8.0-beta.3