fix(deps): update dependency astro to v6.4.8

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
astro (source)	6.3.8 → 6.4.8

---

Release Notes

withastro/astro (astro)

v6.4.8

Compare Source

Patch Changes

• #​17109 27c80ea Thanks @​ematipico! - Harden the limits on the number of decoding on the URL.

v6.4.7

Compare Source

Patch Changes

• #​17035 197e50e Thanks @​astrobot-houston! - Fixes getRelativeLocaleUrl, getAbsoluteLocaleUrl, and getAbsoluteLocaleUrlList to strip trailing slashes when trailingSlash: 'never' is configured

• #​16967 3719765 Thanks @​astrobot-houston! - Fixes double URL-encoded paths returning 400 Bad Request on on-demand routes

  Previously, any URL containing a double-encoded character (like %255B, which is [ encoded twice) was unconditionally rejected with a 400 Bad Request before middleware or route handlers could run. This broke embedded tools like Sanity Studio whose client-side router legitimately produces double-encoded URLs.

  The fix replaces the rejection approach with iterative decoding — multi-level percent-encoding is now fully resolved to its canonical form before being passed to middleware and route matching. This preserves the security fix for CVE-2025-66202 (middleware authorization bypass via double encoding) because middleware now always sees the fully decoded path, making bypass impossible. For example, /api/%2561dmin is decoded to /api/admin, which middleware can correctly block.

• #​17066 2f4d92a Thanks @​matthewp! - Fixes prerendered redirect targets being incorrectly bundled into the SSR function in hybrid mode, causing massive bundle size inflation

• #​16882 621beb7 Thanks @​jettwayio! - fix(render): honour compressHTML when joining head elements

• #​16892 8d753b0 Thanks @​astrobot-houston! - Fixes custom elements in MDX having their children's slot attribute stripped by the JSX runtime

  When custom elements (tags with hyphens like <my-element>) are used in MDX files, the slot HTML attribute on their children is now correctly preserved. Previously, the shared JSX runtime would treat slot as an Astro slot assignment and remove it from the output, breaking Shadow DOM named slot distribution for web components.

• #​16957 544ee76 Thanks @​thelazylamaGit! - Fixes stale inline CSS in server-rendered HTML after CSS file edits during dev

  When editing a CSS file (.css, .scss, etc.) during development, the inline <style> tags in server-rendered HTML would retain old CSS content instead of updating. This caused a brief flash of old CSS (FOUC) on fresh page loads before Vite's client-side HMR corrected the styles.

  The fix ensures that Astro's per-route dev CSS virtual modules are invalidated in both the SSR module graph and the module runner's evaluation cache when a style file changes, so the next page render picks up the fresh CSS.

• #​17044 2220d22 Thanks @​astrobot-houston! - Fixes CSS from client:only islands leaking to unrelated pages when Rollup bundles non-CSS-importing modules into the same chunk as CSS-importing modules

• #​17040 7c4763d Thanks @​astrobot-houston! - Fixes HMR not triggering for files inside the src/middleware/ directory during dev

• #​16672 52fc862 Thanks @​martinheidegger! - Fixes support for numeric IDs in YAML frontmatter when using content collection references

• #​16762 9de80ae Thanks @​alexanderdombroski! - Adds a JSON schema to the Wrangler configuration file generated when running astro add cloudflare

• #​17046 ef771ec Thanks @​ematipico! - Improves the diagnostics emitted when Astro parses incorrect .astro files.

v6.4.6

Compare Source

Patch Changes

• #​16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #​17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #​17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

v6.4.5

Compare Source

Patch Changes

• #​16985 4ecff32 Thanks @​maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

• #​16947 e0703a6 Thanks @​ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

• #​16997 dc45246 Thanks @​matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites

v6.4.4

Compare Source

Patch Changes

• #​16926 1b39ae8 Thanks @​narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

• #​16924 2c0bc94 Thanks @​astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

• #​16958 2c1d50f Thanks @​fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

• #​16855 c610cda Thanks @​astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

• #​16946 606c37b Thanks @​ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

• #​16720 16d49b6 Thanks @​thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

• #​16703 17390a6 Thanks @​henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

• #​16855 c610cda Thanks @​astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

v6.4.3

Compare Source

Patch Changes

• #​16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

• #​16016 0d85e1b Thanks @​felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

• #​16911 79c6c46 Thanks @​astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

• #​16899 239c469 Thanks @​matthewp! - Fixes a false "does not call the middleware() handler" warning when using astro() in a custom src/app.ts and the first request is a redirect route.

• #​16887 493acdb Thanks @​astrobot-houston! - Fixes redirectToDefaultLocale not working after the Advanced Routing refactoring.

• #​16908 ef53ab9 Thanks @​florian-lefebvre! - Improves optimized fallbacks generation when using the Fonts API by using better metrics for bold variants

v6.4.2

Patch Changes

• #​16889 b94bcfd Thanks @​Princesseuh! - Fixes a plugins is not iterable crash when using a pre-6.0 @astrojs/mdx alongside integrations (e.g. Starlight) that set markdown.remarkPlugins, markdown.rehypePlugins, or markdown.remarkRehype.

• #​16878 b9f6bb9 Thanks @​fkatsuhiro! - Fixes an issue where on-demand (SSR) dynamic routes would return 404 when a prerendered dynamic route with the same URL pattern was sorted first alphabetically. In production builds with @astrojs/node adapter, if [a_prebuild].astro (prerender=true) came before [b_ssr].astro alphabetically, requests to URLs not in the prerendered route's static paths would 404 instead of falling through to the SSR route. The fix adds fallthrough logic so that when a prerendered dynamic route matches but can't serve the request, Astro tries subsequent matching routes.

v6.4.1

Patch Changes

• #​16883 eeb064c Thanks @​Princesseuh! - Restores the astro/jsx/rehype.js entry point so that older versions of @astrojs/mdx continue to work when used with Astro 6.x. This entry point will be removed in Astro 7.0.

v6.4.0

Compare Source

Minor Changes

• #​16468 4cff3a1 Thanks @​matthewp! - Adds a new preserveBuildServerDir adapter feature

  Adapters can now set preserveBuildServerDir: true in their adapter features to keep the dist/server/ directory structure for static builds, mirroring the existing preserveBuildClientDir option. This is useful for adapters that require a consistent dist/client/ and dist/server/ layout regardless of build output type.

  setAdapter({
    name: 'my-adapter',
    adapterFeatures: {
      buildOutput,
      preserveBuildClientDir: true,
      preserveBuildServerDir: true,
    },
  });

• #​16848 f732f3c Thanks @​Princesseuh! - Adds a new markdown.processor configuration option, allowing you to choose an alternative Markdown processor.

  Websites with many Markdown/MDX files tend to be slow to build because the unified ecosystem (e.g., remark, rehype) is slow to process. This feature introduces the ability to replace this part of the build pipeline with another processor.

  The default processor is unified(). This means that existing configurations remain unchanged and your remark/rehype plugins continue to work.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { unified } from '@​astrojs/markdown-remark';
  import remarkToc from 'remark-toc';
  
  export default defineConfig({
    markdown: {
      processor: unified({
        remarkPlugins: [remarkToc],
      }),
    },
  });

  In addition to this new configuration option, Astro provides a new alternative processor based on Rust: Sätteri. You can choose to use it now by installing @astrojs/markdown-satteri, importing the satteri() processor, and adapting your existing configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import { satteri } from '@​astrojs/markdown-satteri';
  
  export default defineConfig({
    markdown: {
      processor: satteri({
        features: { directive: true },
      }),
    },
  });

  This processor does not support the remark and rehype plugins. This means you may need to convert them to MDAST or HAST plugins to retain your current functionality.

  The existing top-level markdown.remarkPlugins, markdown.rehypePlugins, markdown.remarkRehype, markdown.gfm, and markdown.smartypants options still work, but are now deprecated and will be removed in a future major update. The matching remarkPlugins, rehypePlugins, and remarkRehype options on the MDX integration are also deprecated for the same reason. To anticipate their removal, move them onto unified({...}) (or your preferred plugin processor) :

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  import remarkToc from 'remark-toc';
  import rehypeSlug from 'rehype-slug';
  + import { unified } from '@​astrojs/markdown-remark';
  
  export default defineConfig({
    markdown: {
  +    processor: unified({
  +      remarkPlugins: [remarkToc],
  +      rehypePlugins: [rehypeSlug],
  +      remarkRehype: true,
  +      gfm: true,
  +      smartypants: true,
  +    }),
  -    remarkPlugins: [remarkToc],
  -    rehypePlugins: [rehypeSlug],
  -    remarkRehype: true,
  -    gfm: true,
  -    smartypants: true,
    },
  });

  For more information on enabling and using this feature in your project, see our Markdown guide. To give feedback on this new Rust processor, see the Native Markdown / MDX parsing and processing RFC.

Patch Changes

• #​16468 4cff3a1 Thanks @​matthewp! - Skips the static preview server when an adapter provides its own previewEntrypoint, allowing the adapter to handle both static and dynamic routes

• #​16811 e0e26db Thanks @​matthewp! - Fixes X-Forwarded-Host and X-Forwarded-Proto headers being ignored when set in a custom src/app.ts fetch handler before creating FetchState

• #​16468 4cff3a1 Thanks @​matthewp! - Fixes the static preview server to respect preserveBuildClientDir, serving files from build.client instead of outDir when the adapter requires it

• #​16770 1e2aa11 Thanks @​matthewp! - Fixes a race condition where the Vite dep optimizer could lose React dependencies in dev mode when using Astro Actions

• #​16468 4cff3a1 Thanks @​matthewp! - Exempts internal routes (e.g. server islands) from getStaticPaths() validation, fixing server island rendering on static sites

• #​16468 4cff3a1 Thanks @​matthewp! - Fixes preview for static sites that contain non-prerendered routes. Previously, the preview command ignored SSR routes discovered during route scanning and always used the static preview server.

• Updated dependencies [f732f3c, f732f3c]:

  • @​astrojs/internal-helpers@​0.10.0
  • @​astrojs/markdown-remark@​7.2.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	contribute	fba3847	Commit Preview URL Branch Preview URL	Jun 24 2026, 04:57 PM

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	astro@​6.4.7

View full report