Major Changes
- #15654 a32aee6 Thanks @florian-lefebvre! - Removes the experimentalErrorPageHost option
This option allowed fetching a prerendered error page from a different host than the server is currently running on.
However, there can be security implications with prefetching from other hosts, and often more customization was required to do this safely. This has now been removed as a built-in option so that you can implement your own secure solution as needed and appropriate for your project via middleware.
What should I do?
If you were previously using this feature, you must remove the option from your adapter configuration as it no longer exists:
     // astro.config.mjs
     import { defineConfig } from 'astro/config'
     import node from '@astrojs/node'

     export default defineConfig({
       adapter: node({
         mode: 'standalone',
    -    experimentalErrorPageHost: 'http://localhost:4321'
       })
     })

You can replicate the previous behavior by checking the response status in a middleware and fetching the prerendered page yourself:
    // src/middleware.ts
    import { defineMiddleware } from 'astro:middleware';

    export const onRequest = defineMiddleware(async (ctx, next) => {
      const response = await next();
      if (response.status === 404 || response.status === 500) {
        return fetch(`http://localhost:4321/${response.status}.html`);
      }
      return response;
    });
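A hardened variant of the middleware above, as an added example that is not Astro's own code: the error-page origin is a fixed constant, the file name comes only from an allow-listed status code, the fetch is time-bounded, and the original status is preserved. `ERROR_PAGE_ORIGIN`, `errorPageUrl`, `withErrorPage` and the injectable `fetchImpl` are assumed names.

```javascript
// Added example, not Astro's own code; every name below is hypothetical.
// The origin is a fixed, operator-set constant. It is never derived from the
// request (Host, X-Forwarded-*, URL), so a client cannot steer the fetch.
const ERROR_PAGE_ORIGIN = 'http://localhost:4321'; // assumed: value from the removed option
const ERROR_PAGES = new Map([[404, '/404.html'], [500, '/500.html']]);

// Returns the prerendered page URL for an allow-listed status, else null.
function errorPageUrl(status) {
  const path = ERROR_PAGES.get(status);
  return path ? new URL(path, ERROR_PAGE_ORIGIN) : null;
}

// fetchImpl is injectable so the logic can be tested without a network.
async function withErrorPage(response, fetchImpl = fetch) {
  const url = errorPageUrl(response.status);
  if (!url) return response;
  try {
    const page = await fetchImpl(url, {
      redirect: 'error', // refuse redirects that could lead to another host
      signal: AbortSignal.timeout(2000), // bound time spent on the error path
    });
    const type = page.headers.get('content-type') ?? '';
    if (!page.ok || !type.startsWith('text/html')) return response;
    // Keep the original status instead of whatever the page host answered.
    return new Response(page.body, {
      status: response.status,
      headers: { 'content-type': type },
    });
  } catch {
    return response; // host unreachable or too slow: keep the original response
  }
}

// Wiring in src/middleware.ts:
//   export const onRequest = defineMiddleware(async (_ctx, next) => withErrorPage(await next()));
```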
Minor Changes
- #15258 d339a18 Thanks @ematipico! - Stabilizes the adapter feature experimentalStaticHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

     export default defineConfig({
       adapter: netlify({
    -    experimentalStaticHeaders: true
    +    staticHeaders: true
       })
     })

- #15759 39ff2a5 Thanks @matthewp! - Adds a new bodySizeLimit option to the @astrojs/node adapter
You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass 0 to disable the limit entirely:

    import node from '@astrojs/node';
    import { defineConfig } from 'astro/config';

    export default defineConfig({
      adapter: node({
        mode: 'standalone',
        bodySizeLimit: 1024 * 1024 * 100, // 100 MB
      }),
    });
- #15006 f361730 Thanks @florian-lefebvre! - Adds new session driver object shape
For greater flexibility and improved consistency with other Astro code, session drivers are now specified as an object:

    -import { defineConfig } from 'astro/config'
    +import { defineConfig, sessionDrivers } from 'astro/config'

     export default defineConfig({
       session: {
    -    driver: 'redis',
    -    options: {
    -      url: process.env.REDIS_URL
    -    },
    +    driver: sessionDrivers.redis({
    +      url: process.env.REDIS_URL
    +    }),
       }
     })

Specifying the session driver as a string has been deprecated, but will continue to work until this feature is removed completely in a future major version. The object shape is the current recommended and documented way to configure a session driver.
- #14946 95c40f7 Thanks @ematipico! - Removes the experimental.csp flag and replaces it with a new configuration option security.csp - (v6 upgrade guidance)
Patch Changes
- #15473 d653b86 Thanks @matthewp! - Improves error page loading to read from disk first before falling back to configured host
- #15562 e14a51d Thanks @florian-lefebvre! - Updates to new Adapter API introduced in v6
- #15585 98ea30c Thanks @matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.
- #15777 02e24d9 Thanks @matthewp! - Fixes CSRF origin check mismatch by passing the actual server listening port to createRequest, ensuring the constructed URL origin includes the correct port (e.g., http://localhost:4321 instead of http://localhost). Also restricts X-Forwarded-Proto to only be trusted when allowedDomains is configured.
- #15714 9a2c949 Thanks @ematipico! - Fixes an issue where static headers weren't correctly applied when the website uses base.
- #15763 1567e8c Thanks @matthewp! - Normalizes static file paths before evaluating dotfile access rules for improved consistency
- #15164 54dc11d Thanks @HiDeoo! - Fixes an issue where the Node.js adapter could fail to serve a 404 page matching a pre-rendered dynamic route pattern.
- #15745 20b05c0 Thanks @matthewp! - Hardens static file handler path resolution to ensure resolved paths stay within the client directory
- #15495 5b99e90 Thanks @leekeh! - Refactors to use middlewareMode adapter feature (set to classic)
- #15657 cb625b6 Thanks @qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.
This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.
If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.
    // astro.config.mjs
    import { defineConfig } from 'astro/config';

    export default defineConfig({
      security: {
        actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
      },
    });
- Updated dependencies [4ebc1e3, 4e7f3e8, a164c77, cf6ea6b, a18d727, 240c317, 745e632]:
  - @astrojs/internal-helpers@0.8.0
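
The two static-file entries above (#15763 and #15745) imply an order of operations: normalize the path, confirm it stays inside the client directory, then apply dotfile rules. An added sketch of that order, not the adapter's source; `resolveStaticPath`, `CLIENT_DIR` and `allowDotfiles` are assumed names, and it goes slightly beyond the entries by also rejecting malformed encodings and NUL bytes.

```javascript
// Added example, not the adapter's source; names and paths are hypothetical.
const CLIENT_DIR = '/srv/app/dist/client'; // constructed sample location

function resolveStaticPath(urlPath, { clientDir = CLIENT_DIR, allowDotfiles = false } = {}) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch {
    return { ok: false, reason: 'malformed-encoding' };
  }
  if (decoded.includes('\0')) return { ok: false, reason: 'nul-byte' };

  // 1. Normalize: resolve the URL segments against the client directory,
  //    treating "\" as a separator and collapsing "." and "..".
  const root = clientDir.split('/').filter(Boolean);
  const resolved = [...root];
  for (const part of decoded.split(/[\\/]+/)) {
    if (part === '' || part === '.') continue;
    if (part === '..') resolved.pop();
    else resolved.push(part);
  }

  // 2. Containment: compare whole segments, so a sibling such as
  //    "/srv/app/dist/client-old" does not pass a string-prefix test.
  const inside = resolved.length >= root.length && root.every((seg, i) => resolved[i] === seg);
  if (!inside) return { ok: false, reason: 'outside-client-dir' };

  // 3. Dotfile rule: evaluated on the normalized path, after decoding.
  const relative = resolved.slice(root.length);
  if (!allowDotfiles && relative.some((seg) => seg.startsWith('.'))) {
    return { ok: false, reason: 'dotfile' };
  }
  return { ok: true, filePath: '/' + resolved.join('/') };
}
```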