chore(deps): update dependency astro to v5.16.4

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
astro (source)	5.14.5 → 5.16.4

---

Release Notes

withastro/astro (astro)

v5.16.4

Compare Source

Patch Changes

• #​14940 2cf79c2 Thanks @​ematipico! - Fixes a bug where Astro didn't properly combine CSP resources from the csp configuration with those added using the runtime API (Astro.csp.insertDirective()) to form grammatically correct CSP headers

  Now Astro correctly deduplicate CSP resources. For example, if you have a global resource in the configuration file, and then you add a
  a new one using the runtime APIs.

v5.16.3

Compare Source

Patch Changes

• #​14889 4bceeb0 Thanks @​florian-lefebvre! - Fixes actions types when using specific TypeScript configurations

• #​14929 e0f277d Thanks @​matthewp! - Fixes authentication bypass via double URL encoding in middleware

  Prevents attackers from bypassing path-based authentication checks using multi-level URL encoding (e.g., /%2561dmin instead of /%61dmin). Pathnames are now validated after decoding to ensure no additional encoding remains.

v5.16.2

Compare Source

Patch Changes

• #​14876 b43dc7f Thanks @​florian-lefebvre! - Fixes a vite warning log during builds when using npm

• #​14884 10273e0 Thanks @​florian-lefebvre! - Fixes a case where setting the status of a page to 404 in ssr would show an empty page (or 404.astro page if provided) instead of using the current page

v5.16.1

Compare Source

Patch Changes

• #​14769 b43ee71 Thanks @​adriandlam! - Fixes an unhandled rejection issue when using Astro with Vercel Workflow DevKit

• #​14761 345eb22 Thanks @​ooga! - Updates button attributes types to allow command and commandfor

• #​14866 65e214b Thanks @​GameRoMan! - Fixes Astro.glob to be correctly marked as deprecated

• #​14894 1ad9a5b Thanks @​delucis! - Fixes support for Astro component rendering in Vitest test suites using a “client” environment such as happy-dom or jsdom

• #​14782 abed929 Thanks @​florian-lefebvre! - Improves syncing

v5.16.0

Compare Source

Minor Changes

• #​13880 1a2ed01 Thanks @​azat-io! - Adds experimental SVGO optimization support for SVG assets

  Astro now supports automatic SVG optimization using SVGO during build time. This experimental feature helps reduce SVG file sizes while maintaining visual quality, improving your site's performance.

  To enable SVG optimization with default settings, add the following to your astro.config.mjs:

  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      svgo: true,
    },
  });

  To customize optimization, pass a SVGO configuration object:

  export default defineConfig({
    experimental: {
      svgo: {
        plugins: [
          'preset-default',
          {
            name: 'removeViewBox',
            active: false,
          },
        ],
      },
    },
  });

  For more information on enabling and using this feature in your project, see the experimental SVG optimization docs.

• #​14810 2e845fe Thanks @​ascorbic! - Adds a hint for code agents to use the --yes flag to skip prompts when running astro add

• #​14698 f42ff9b Thanks @​mauriciabad! - Adds the ActionInputSchema utility type to automatically infer the TypeScript type of an action's input based on its Zod schema

  For example, this type can be used to retrieve the input type of a form action:

  import { type ActionInputSchema, defineAction } from 'astro:actions';
  import { z } from 'astro/zod';
  
  const action = defineAction({
    accept: 'form',
    input: z.object({ name: z.string() }),
    handler: ({ name }) => ({ message: `Welcome, ${name}!` }),
  });
  
  type Schema = ActionInputSchema<typeof action>;
  // typeof z.object({ name: z.string() })
  
  type Input = z.input<Schema>;
  // { name: string }

• #​14574 4356485 Thanks @​jacobdalamb! - Adds new CLI shortcuts available when running astro preview:

  • o + enter: open the site in your browser
  • q + enter: quit the preview
  • h + enter: print all available shortcuts

Patch Changes

• #​14813 e1dd377 Thanks @​ematipico! - Removes picocolors as dependency in favor of the fork piccolore.

• #​14609 d774306 Thanks @​florian-lefebvre! - Improves astro info

• #​14796 c29a785 Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

  Updates the default subsets to ["latin"]

  Subsets have been a common source of confusion: they caused a lot of files to be downloaded by default. You now have to manually pick extra subsets.

  Review your Astro config and update subsets if you need, for example if you need greek characters:

  import { defineConfig, fontProviders } from "astro/config"
  
  export default defineConfig({
      experimental: {
          fonts: [{
              name: "Roboto",
              cssVariable: "--font-roboto",
              provider: fontProviders.google(),
  +            subsets: ["latin", "greek"]
          }]
      }
  })

v5.15.9

Compare Source

Patch Changes

• #​14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

• #​14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

• #​14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

  In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    images: {
      remotePatterns: [
        {
          protocol: 'data',
        },
      ],
    },
  });

• #​14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

  Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

• #​14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

• Updated dependencies [9e9c528, 0f75f6b]:

  • @​astrojs/internal-helpers@​0.7.5
  • @​astrojs/markdown-remark@​6.3.9

v5.15.8

Compare Source

Patch Changes

• #​14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

  Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

• #​14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

  Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

v5.15.7

Compare Source

Patch Changes

• #​14765 03fb47c Thanks @​florian-lefebvre! - Fixes a case where process.env wouldn't be properly populated during the build

• #​14690 ae7197d Thanks @​fredriknorlin! - Fixes a bug where Astro's i18n fallback system with fallbackType: 'rewrite' would not generate fallback files for pages whose filename started with a locale key.

v5.15.6

Compare Source

Patch Changes

• #​14751 18c55e1 Thanks @​delucis! - Fixes hydration of client components when running the dev server and using a barrel file that re-exports both Astro and UI framework components.

• #​14750 35122c2 Thanks @​florian-lefebvre! - Updates the experimental Fonts API to log a warning if families with a conflicting cssVariable are provided

• #​14737 74c8852 Thanks @​Arecsu! - Fixes an error when using transition:persist with components that use declarative Shadow DOM. Astro now avoids re-attaching a shadow root if one already exists, preventing "Unable to re-attach to existing ShadowDOM" navigation errors.

• #​14750 35122c2 Thanks @​florian-lefebvre! - Updates the experimental Fonts API to allow for more granular configuration of remote font families

  A font family is defined by a combination of properties such as weights and styles (e.g. weights: [500, 600] and styles: ["normal", "bold"]), but you may want to download only certain combinations of these.

  For greater control over which font files are downloaded, you can specify the same font (ie. with the same cssVariable, name, and provider properties) multiple times with different combinations. Astro will merge the results and download only the required files. For example, it is possible to download normal 500 and 600 while downloading only italic 500:

  // astro.config.mjs
  import { defineConfig, fontProviders } from 'astro/config';
  
  export default defineConfig({
    experimental: {
      fonts: [
        {
          name: 'Roboto',
          cssVariable: '--roboto',
          provider: fontProviders.google(),
          weights: [500, 600],
          styles: ['normal'],
        },
        {
          name: 'Roboto',
          cssVariable: '--roboto',
          provider: fontProviders.google(),
          weights: [500],
          styles: ['italic'],
        },
      ],
    },
  });

v5.15.5

Compare Source

Patch Changes

• #​14712 91780cf Thanks @​florian-lefebvre! - Fixes a case where build's process.env would be inlined in the server output

• #​14713 666d5a7 Thanks @​florian-lefebvre! - Improves fallbacks generation when using the experimental Fonts API

• #​14743 dafbb1b Thanks @​matthewp! - Improves X-Forwarded header validation to prevent cache poisoning and header injection attacks. Now properly validates X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers against configured allowedDomains patterns, rejecting malformed or suspicious values. This is especially important when running behind a reverse proxy or load balancer.

v5.15.4

Compare Source

Patch Changes

• #​14703 970ac0f Thanks @​ArmandPhilippot! - Adds missing documentation for some public utilities exported from astro:i18n.

• #​14715 3d55c5d Thanks @​ascorbic! - Adds support for client hydration in getContainerRenderer()

  The getContainerRenderer() function is exported by Astro framework integrations to simplify the process of rendering framework components when using the experimental Container API inside a Vite or Vitest environment. This update adds the client hydration entrypoint to the returned object, enabling client-side interactivity for components rendered using this function. Previously this required users to manually call container.addClientRenderer() with the appropriate client renderer entrypoint.

  See the container-with-vitest demo for a usage example, and the Container API documentation for more information on using framework components with the experimental Container API.

• #​14711 a4d284d Thanks @​deining! - Fixes typos in documenting our error messages and public APIs.

• #​14701 9be54c7 Thanks @​florian-lefebvre! - Fixes a case where the experimental Fonts API would filter available font files too aggressively, which could prevent the download of woff files when using the google provider

v5.15.3

Compare Source

Patch Changes

• #​14627 b368de0 Thanks @​matthewp! - Fixes skew protection support for images and font URLs

  Adapter-level query parameters (assetQueryParams) are now applied to all image and font asset URLs, including:

  • Dynamic optimized images via /_image endpoint
  • Static optimized image files
  • Font preload tags and font requests when using the experimental Fonts API

• #​14631 3ad33f9 Thanks @​KurtGokhan! - Adds the astro/jsx-dev-runtime export as an alias for astro/jsx-runtime

v5.15.2

Compare Source

Patch Changes

• #​14623 c5fe295 Thanks @​delucis! - Fixes a leak of server runtime code when importing SVGs in client-side code. Previously, when importing an SVG file in client code, Astro could end up adding code for rendering SVGs on the server to the client bundle.

• #​14621 e3175d9 Thanks @​GameRoMan! - Updates vite version to fix CVE

v5.15.1

Compare Source

Patch Changes

• #​14612 18552c7 Thanks @​ematipico! - Fixes a regression introduced in Astro v5.14.7 that caused ?url imports to not work correctly. This release reverts #​14142.

v5.15.0

Compare Source

Minor Changes

• #​14543 9b3241d Thanks @​matthewp! - Adds two new adapter configuration options assetQueryParams and internalFetchHeaders to the Adapter API.

  Official and community-built adapters can now use client.assetQueryParams to specify query parameters that should be appended to asset URLs (CSS, JavaScript, images, fonts, etc.). The query parameters are automatically appended to all generated asset URLs during the build process.

  Adapters can also use client.internalFetchHeaders to specify headers that should be included in Astro's internal fetch calls (Actions, View Transitions, Server Islands, Prefetch).

  This enables features like Netlify's skew protection, which requires the deploy ID to be sent with both internal requests and asset URLs to ensure client and server versions match during deployments.

• #​14489 add4277 Thanks @​dev-shetty! - Adds a new Copy to Clipboard button to the error overlay stack trace.

  When an error occurs in dev mode, you can now copy the stack trace with a single click to more easily share it in a bug report, a support thread, or with your favorite LLM.

• #​14564 5e7cebb Thanks @​florian-lefebvre! - Updates astro add cloudflare to scaffold more configuration files

  Running astro add cloudflare will now emit wrangler.jsonc and public/.assetsignore, allowing your Astro project to work out of the box as a worker.

Patch Changes

• #​14591 3e887ec Thanks @​matthewp! - Adds TypeScript support for the components prop on MDX Content component when using await render(). Developers now get proper IntelliSense and type checking when passing custom components to override default MDX element rendering.

• #​14598 7b45c65 Thanks @​delucis! - Reduces terminal text styling dependency size by switching from kleur to picocolors

• #​13826 8079482 Thanks @​florian-lefebvre! - Adds the option to specify in the preload directive which weights, styles, or subsets to preload for a given font family when using the experimental Fonts API:

  ---
  import { Font } from 'astro:assets';
  ---
  
  <Font
    cssVariable="--font-roboto"
    preload={[{ subset: 'latin', style: 'normal' }, { weight: '400' }]}
  />

  Variable weight font files will be preloaded if any weight within its range is requested. For example, a font file for font weight 100 900 will be included when 400 is specified in a preload object.

v5.14.8

Compare Source

Patch Changes

• #​14590 577d051 Thanks @​matthewp! - Fixes image path resolution in content layer collections to support bare filenames. The image() helper now normalizes bare filenames like "cover.jpg" to relative paths "./cover.jpg" for consistent resolution behavior between markdown frontmatter and JSON content collections.

v5.14.7

Compare Source

Patch Changes

• #​14582 7958c6b Thanks @​florian-lefebvre! - Fixes a regression that caused Actions to throw errors while loading

• #​14567 94500bb Thanks @​matthewp! - Fixes the actions endpoint to return 404 for non-existent actions instead of throwing an unhandled error

• #​14566 946fe68 Thanks @​matthewp! - Fixes handling malformed cookies gracefully by returning the unparsed value instead of throwing

  When a cookie with an invalid value is present (e.g., containing invalid URI sequences), Astro.cookies.get() now returns the raw cookie value instead of throwing a URIError. This aligns with the behavior of the underlying cookie package and prevents crashes when manually-set or corrupted cookies are encountered.

• #​14142 73c5de9 Thanks @​P4tt4te! - Updates handling of CSS for hydrated client components to prevent duplicates

• #​14576 2af62c6 Thanks @​aprici7y! - Fixes a regression that caused Astro.site to always be undefined in getStaticPaths()

v5.14.6

Compare Source

Patch Changes

• #​14562 722bba0 Thanks @​erbierc! - Fixes a bug where the behavior of the "muted" HTML attribute was inconsistent with that of other attributes.

• #​14538 51ebe6a Thanks @​florian-lefebvre! - Improves how Actions are implemented

• #​14548 6cdade4 Thanks @​ascorbic! - Removes support for the maxAge property in cacheHint objects returned by live loaders.

⚠️ Breaking change for experimental live content collections only

Feedback showed that this did not make sense to set at the loader level, since the loader does not know how long each individual entry should be cached for.

If your live loader returns cache hints with maxAge, you need to remove this property:

return {
  entries: [...],
  cacheHint: {
    tags: ['my-tag'],
-   maxAge: 60,
    lastModified: new Date(),
  },
};

The cacheHint object now only supports tags and lastModified properties. If you want to set the max age for a page, you can set the headers manually:

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for mentoss canceled.

Name	Link
🔨 Latest commit	b288b7a
🔍 Latest deploy log	https://app.netlify.com/projects/mentoss/deploys/69601638bf64d70008cf24b3