github withastro/astro astro@6.0.0-beta.20

pre-release, 11 hours ago

Major Changes

Minor Changes

  • #15700 4e7f3e8 Thanks @ocavue! - Updates the internal logic during SSR by providing additional metadata for UI framework integrations.

  • #15781 2de969d Thanks @ematipico! - Adds a new clientAddress option to the createContext() function

    Providing this value gives adapter and middleware authors explicit control over the client IP address. When not provided, accessing clientAddress throws an error consistent with other contexts where it is not set by the adapter.

    Additionally, both of the official Netlify and Vercel adapters have been updated to provide this information in their edge middleware.

    import { createContext } from 'astro/middleware';
    
    createContext({
      clientAddress: context.headers.get('x-real-ip'),
    });

  • #15755 f9ee868 Thanks @matthewp! - Adds a new security.serverIslandBodySizeLimit configuration option

    Server island POST endpoints now enforce a body size limit, similar to the existing security.actionBodySizeLimit for Actions. The new option defaults to 1048576 (1 MB) and can be configured independently.

    Requests exceeding the limit are rejected with a 413 response. You can customize the limit in your Astro config:

    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      security: {
        serverIslandBodySizeLimit: 2097152, // 2 MB
      },
    });

Patch Changes

  • #15712 7ac43c7 Thanks @florian-lefebvre! - Improves astro info by supporting more operating systems when copying the information to the clipboard.

  • #15780 e0ac125 Thanks @ematipico! - Prevents vite.envPrefix misconfiguration from exposing access: "secret" environment variables in client-side bundles. Astro now throws a clear error at startup if any vite.envPrefix entry matches a variable declared with access: "secret" in env.schema.

    For example, the following configuration will throw an error for API_SECRET because it is declared with access: "secret" in env.schema and its name matches the API_ entry of ['PUBLIC_', 'API_'] set in vite.envPrefix:

    // astro.config.mjs
    import { defineConfig, envField } from 'astro/config';
    
    export default defineConfig({
      env: {
        schema: {
          API_SECRET: envField.string({ context: 'server', access: 'secret', optional: true }),
          API_URL: envField.string({ context: 'server', access: 'public', optional: true }),
        },
      },
      vite: {
        envPrefix: ['PUBLIC_', 'API_'],
      },
    });

  • #15778 4ebc1e3 Thanks @ematipico! - Fixes an issue where the computed clientAddress was incorrect in cases of a Request header with multiple values. The clientAddress is now also validated to contain only characters valid in IP addresses, rejecting injection payloads.

  • #15776 e9a9cc6 Thanks @matthewp! - Hardens error page response merging to ensure framing headers from the original response are not carried over to the rendered error page

  • #15759 39ff2a5 Thanks @matthewp! - Adds a new bodySizeLimit option to the @astrojs/node adapter

    You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass 0 to disable the limit entirely:

    import node from '@astrojs/node';
    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      adapter: node({
        mode: 'standalone',
        bodySizeLimit: 1024 * 1024 * 100, // 100 MB
      }),
    });

  • #15777 02e24d9 Thanks @matthewp! - Fixes CSRF origin check mismatch by passing the actual server listening port to createRequest, ensuring the constructed URL origin includes the correct port (e.g., http://localhost:4321 instead of http://localhost). Also restricts X-Forwarded-Proto to only be trusted when allowedDomains is configured.

  • #15768 6328f1a Thanks @matthewp! - Hardens internal cookie parsing to use a null-prototype object consistently for the fallback path, aligning with how the cookie library handles parsed values

  • #15757 631aaed Thanks @matthewp! - Hardens URL pathname normalization to consistently handle backslash characters after decoding, ensuring middleware and router see the same canonical pathname

  • #15761 8939751 Thanks @ematipico! - Fixes an issue where it wasn't possible to set experimental.queuedRendering.poolSize to 0.

  • #15764 44daecf Thanks @matthewp! - Fixes form actions incorrectly auto-executing during error page rendering. When an error page (e.g. 404) is rendered, form actions from the original request are no longer executed, since the full request handling pipeline is not active.

  • #15788 a91da9f Thanks @florian-lefebvre! - Reverts changes made to TSConfig templates

  • Updated dependencies [4ebc1e3, 4e7f3e8]:

    • @astrojs/internal-helpers@0.8.0-beta.3
    • @astrojs/markdown-remark@7.0.0-beta.11
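
The rule described for #15780 above (a vite.envPrefix entry matching a variable declared with access: "secret") can also be run as a standalone pre-flight check over a config. This is an added example, not Astro's own code: findExposedSecrets, assertNoExposedSecrets and sampleSchema are hypothetical names, and the schema fields are constructed plain objects standing in for envField.string() results.

```javascript
// Added example (not Astro's implementation): flag env.schema variables
// declared access: 'secret' whose names match a vite.envPrefix entry.

// Vite accepts envPrefix as a single string or an array of strings.
function normalizePrefixes(envPrefix) {
  if (envPrefix === undefined || envPrefix === null) return [];
  const list = Array.isArray(envPrefix) ? envPrefix : [envPrefix];
  // Non-string entries are ignored; an empty string is kept on purpose,
  // because it matches every name and is therefore always reported.
  return list.filter((p) => typeof p === 'string');
}

// Returns one finding per secret variable, listing every prefix it matches.
function findExposedSecrets(schema, envPrefix) {
  const prefixes = normalizePrefixes(envPrefix);
  const findings = [];
  for (const [name, field] of Object.entries(schema ?? {})) {
    if (field?.access !== 'secret') continue; // public variables are fine
    const matched = prefixes.filter((p) => name.startsWith(p));
    if (matched.length > 0) findings.push({ name, prefixes: matched });
  }
  return findings;
}

// Fails fast with a readable message, e.g. from a CI step.
function assertNoExposedSecrets(schema, envPrefix) {
  const findings = findExposedSecrets(schema, envPrefix);
  if (findings.length === 0) return;
  const detail = findings
    .map((f) => `${f.name} (matches ${f.prefixes.map((p) => JSON.stringify(p)).join(', ')})`)
    .join('; ');
  throw new Error(`Secret env variables match vite.envPrefix: ${detail}`);
}

// Constructed sample mirroring the configuration shown for #15780.
const sampleSchema = {
  API_SECRET: { type: 'string', context: 'server', access: 'secret', optional: true },
  API_URL: { type: 'string', context: 'server', access: 'public', optional: true },
};

console.log(findExposedSecrets(sampleSchema, ['PUBLIC_', 'API_']));
```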
