
astro@6.0.0-beta.20

1 breaking change · 2 features · 9 fixes · 9 affected symbols

Summary

This release hardens how environment variables and incoming requests are handled, adds configuration options for the Server Island body size limit and the Node adapter body limit, and makes `getImage()` throw when it is called on the client.

⚠️ Breaking Changes

  • Calling `getImage()` from `astro:assets` on the client now throws an error. Ensure image optimization logic runs only on the server, or guard it with a check on the rendering environment.

Migration Steps

  1. If you were calling `getImage()` in client-side code, move that logic to the server or guard it with a check on the rendering environment.
  2. If your environment schema marks variables as `secret`, make sure no `vite.envPrefix` value is a prefix of one of those variable names (Vite exposes every variable whose name starts with a configured prefix). Astro now throws an error at startup if one does.
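
Added example, not Astro's own implementation: a stand-alone version of the check described in step 2, so you can see why a prefix such as `STRIPE_` leaks a `STRIPE_SECRET_KEY` variable. The schema shape (`name -> { context, access }`), the function names and the sample schema are assumptions made for this example.

```javascript
// Added example, not Astro's own code. Vite exposes every env variable whose
// name starts with one of the configured prefixes, so "matches" means
// "is a leading substring of". The schema shape used here is an assumption.

function findLeakedSecrets(schema, envPrefix) {
  // vite.envPrefix may be a string or an array; Vite's default is 'VITE_'.
  const prefixes = envPrefix === undefined ? ['VITE_']
    : typeof envPrefix === 'string' ? [envPrefix] : envPrefix;
  const leaked = [];
  for (const [name, field] of Object.entries(schema)) {
    if (field.access !== 'secret') continue;
    // An empty prefix matches every name, i.e. it exposes every secret.
    const prefix = prefixes.find((p) => name.startsWith(p));
    if (prefix !== undefined) leaked.push({ name, prefix });
  }
  return leaked;
}

// Fail at startup with an actionable message instead of shipping the bundle.
function assertNoSecretLeak(schema, envPrefix) {
  const leaked = findLeakedSecrets(schema, envPrefix);
  if (leaked.length === 0) return true;
  const details = leaked
    .map(({ name, prefix }) => `${name} (matched by prefix "${prefix}")`)
    .join(', ');
  throw new Error(
    `vite.envPrefix would expose secret environment variables to the client: ${details}`,
  );
}

// Constructed sample schema for this example.
const sampleSchema = {
  PUBLIC_API_URL: { context: 'client', access: 'public' },
  STRIPE_SECRET_KEY: { context: 'server', access: 'secret' },
  DB_PASSWORD: { context: 'server', access: 'secret' },
};

// Safe: only PUBLIC_* would reach the client.
assertNoSecretLeak(sampleSchema, ['VITE_', 'PUBLIC_']);
// Unsafe: findLeakedSecrets(sampleSchema, ['VITE_', 'STRIPE_']) reports STRIPE_SECRET_KEY.
```

Run the unsafe call through `assertNoSecretLeak` and it throws before any bundle is produced; that is the behaviour the fix adds to Astro's startup.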

✨ New Features

  • Added a new `clientAddress` option to `createContext()` in middleware, allowing adapter/middleware authors explicit control over the client IP address.
  • Added a new `security.serverIslandBodySizeLimit` configuration option that caps the request body accepted by Server Island POST endpoints (default 1 MB).
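
Added example, not Astro's own code: how a body size limit like the one above has to be enforced on a POST endpoint. The 1 MB default follows the changelog; the function name, the result shape and the "body as an iterable of chunks" simplification (standing in for a request body stream) are this example's assumptions.

```javascript
// Added example, not Astro's own code. A body limit needs two checks:
//  1. reject an oversized Content-Length before reading anything, and
//  2. count bytes while streaming, because Content-Length can be absent
//     (chunked transfer encoding) or simply wrong.
const DEFAULT_BODY_LIMIT = 1024 * 1024; // 1 MB, the documented default

function readBodyWithLimit(headers, chunks, limit = DEFAULT_BODY_LIMIT) {
  const declared = headers['content-length'];
  if (declared !== undefined) {
    if (!/^\d+$/.test(declared)) return { ok: false, status: 400 }; // malformed header
    if (Number(declared) > limit) return { ok: false, status: 413 }; // nothing is read
  }
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.byteLength;
    // Stop consuming the stream as soon as the limit is crossed; an attacker
    // cannot make the server buffer more than `limit` bytes.
    if (total > limit) return { ok: false, status: 413 };
    parts.push(chunk);
  }
  const body = new Uint8Array(total);
  let offset = 0;
  for (const part of parts) { body.set(part, offset); offset += part.byteLength; }
  return { ok: true, body };
}

// Constructed helper for the example: an endless body, with a counter so the
// caller can see how many chunks were actually pulled before the reader gave up.
function makeChunkSource(chunkSize) {
  const state = { produced: 0 };
  function* chunks() { for (;;) { state.produced++; yield new Uint8Array(chunkSize); } }
  return { chunks: chunks(), state };
}

// Small, well-formed body (constructed): accepted as-is.
const small = readBodyWithLimit({ 'content-length': '3' }, [new Uint8Array([97, 61, 49])]);
```

With a 4 KB limit and 1 KB chunks the reader stops after the fifth chunk, and a declared `Content-Length` above the limit is refused without pulling a single chunk.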

🐛 Bug Fixes

  • Prevents a misconfigured `vite.envPrefix` from exposing `secret` environment variables in client-side bundles: Astro now throws a clear error at startup if a prefix matches a secret variable.
  • Fixed an issue where the computed `clientAddress` was incorrect when the request header carried multiple values; `clientAddress` is now also validated to contain only IP address characters.
  • Hardened error page response merging so that framing headers from the original response are no longer carried over to the rendered error page.
  • Fixed a CSRF origin check mismatch: the URL origin constructed by `createRequest` now includes the port the server is actually listening on.
  • `X-Forwarded-Proto` is now trusted only when `allowedDomains` is configured.
  • Hardened internal cookie parsing so that the fallback path consistently uses a null-prototype object (a cookie named `__proto__` or `constructor` can no longer collide with `Object.prototype`).
  • Hardened URL pathname normalization to handle backslash characters consistently after percent-decoding, so an encoded `%5C` is treated the same as a literal backslash.
  • Fixed an issue where `experimental.queuedRendering.poolSize` could not be set to `0`.
  • Fixed form actions incorrectly auto-executing during error page rendering (e.g. 404 pages) by skipping execution when the full request handling pipeline is not active.
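
Added example, not Astro's own code: stand-alone versions of three of the request-hardening fixes above (client address from a multi-valued header, null-prototype cookie parsing, backslash-aware pathname normalization) so their failure modes can be seen on constructed input. The changelog does not name the header that carries the client address, so it is passed in as a plain string here; taking the left-most entry of a comma-separated list, the IP validation rules and the function names are this example's assumptions.

```javascript
// Added example, not Astro's own code.

// 1. clientAddress from a header that may hold "client, proxy1, proxy2".
//    The left-most entry is the original client; note that it is spoofable
//    by the client unless your edge proxy overwrites the header.
const IP_CHARS = /^[0-9a-fA-F.:]+$/; // the characters an IPv4/IPv6 literal may contain
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

function clientAddressFrom(headerValue, fallback) {
  if (typeof headerValue !== 'string') return fallback;
  const first = headerValue.split(',')[0].trim();
  if (first === '' || !IP_CHARS.test(first)) return fallback;
  // The charset check alone accepts junk like "1.2.3": require a dotted quad,
  // or a ':' for IPv6.
  if (!first.includes(':') && !IPV4.test(first)) return fallback;
  return first;
}

// 2. Cookie parsing into an object with no prototype, so a cookie literally
//    named "__proto__" or "constructor" becomes a plain own property and a
//    lookup such as `name in cookies` can never hit Object.prototype.
function parseCookiesInto(target, header) {
  if (typeof header !== 'string') return target;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name === '') continue;
    const raw = part.slice(eq + 1).trim();
    let value;
    try { value = decodeURIComponent(raw); } catch { value = raw; }
    target[name] = value;
  }
  return target;
}
const parseCookies = (header) => parseCookiesInto(Object.create(null), header); // hardened
const parseCookiesPlain = (header) => parseCookiesInto({}, header);            // the fallback bug

// 3. Pathname normalization: decode first, then treat "\" like "/", then
//    resolve "." and "..", so "%5C.." cannot slip past a check made on the
//    raw, still-encoded path.
function normalizePathname(pathname) {
  let decoded;
  try { decoded = decodeURIComponent(pathname); } catch { return null; } // malformed %-escape
  const segments = [];
  for (const seg of decoded.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; } // never climbs above the root
    segments.push(seg);
  }
  return '/' + segments.join('/');
}
```

On the constructed header `203.0.113.7, 10.0.0.1` the first function returns `203.0.113.7`; with a plain `{}` the cookie parser silently drops a `__proto__` cookie and reports `constructor` as present even when no such cookie was sent, while the null-prototype version does neither; and `/static%5C..%5C..%5Csecret.txt` normalizes to `/secret.txt` rather than surviving as a path that only looks like it lives under `/static`.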

Affected Symbols