This repository was archived by the owner on Nov 22, 2025. It is now read-only.
chore(deps): update dependency @astrojs/node to v9 [security] #192
This PR contains the following updates:
@astrojs/node: ^8.2.3 -> ^9.0.0

GitHub Vulnerability Alerts
CVE-2025-55207
Summary
Following GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios.
Details
Astro 5.12.8 fixed a case where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press.
Proof of Concept
1. Create a new minimal Astro project ([email protected]).
2. Configure it to use the Node adapter in standalone mode (@astrojs/[email protected]) and force trailing slashes (trailingSlash set to "always"):
3. Build the site by running astro build.
4. Run the server, e.g. with astro preview.
5. Append //astro.build/press to the preview URL, e.g. http://localhost:4321//astro.build/press
Example reproduction
Append //astro.build/press to the preview URL, e.g. https://x.local-corp.webcontainer.io//astro.build/press.
Impact
This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.
No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.
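The redirect described above goes wrong because a request path of //astro.build/press, with a trailing slash appended, becomes a Location header that browsers read as a protocol-relative URL to another host. The following is an added example, not Astro's or the adapter's own code, showing the buggy shape of the redirect beside a hardened version and a final same-origin gate. SITE_ORIGIN is an assumed value used only to resolve relative Location values.

```javascript
// Added example (not Astro's or the adapter's own code): computing a
// trailing-slash redirect target without letting "//host/path" escape the origin.
// SITE_ORIGIN is an assumed value used only to resolve relative Locations.
const SITE_ORIGIN = 'https://example.com';

// The buggy shape of the redirect: append "/" to whatever path was requested.
// For a request path of "//astro.build/press" this yields "//astro.build/press/",
// which browsers read as a protocol-relative URL pointing at astro.build.
function naiveRedirectTarget(pathname) {
  return pathname.endsWith('/') ? null : pathname + '/';
}

// Hardened: collapse any run of leading slashes or backslashes to a single "/"
// before appending the trailing slash, so the result stays a same-origin path.
function hardenedRedirectTarget(pathname) {
  const collapsed = pathname.replace(/^[\/\\]+/, '/');
  return collapsed.endsWith('/') ? null : collapsed + '/';
}

// Final gate before emitting a Location header: the value must be a single-slash
// path and must resolve to SITE_ORIGIN. Resolution uses the WHATWG URL parser,
// which treats "\" like "/" for http(s) URLs, so "/\evil.example/" is caught too.
function isSameOriginLocation(location) {
  if (!location.startsWith('/')) return false;
  if (location.length > 1 && (location[1] === '/' || location[1] === '\\')) return false;
  try {
    return new URL(location, SITE_ORIGIN).origin === new URL(SITE_ORIGIN).origin;
  } catch {
    return false;
  }
}

// Where a browser would actually navigate for a given Location header value.
function browserDestination(location) {
  return new URL(location, SITE_ORIGIN).href;
}
```

The two defences are deliberately independent: normalising the path fixes the common case, while the origin check on the final Location value catches anything the normaliser missed, including backslash variants that the WHATWG parser folds into slashes.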
CVE-2025-55303
Summary
In affected versions of
astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.Details
On-demand rendered sites built with Astro include an
/_imageendpoint which returns optimized versions of images.The
/_imageendpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using theimage.domainsorimage.remotePatternsoptions).However, a bug in impacted versions of
astroallows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g./_image?href=//example.com/image.png.Proof of Concept
Create a new minimal Astro project (
[email protected]).Configure it to use the Node adapter (
@astrojs/[email protected]— newer versions are not impacted):Build the site by running
astro build.Run the server, e.g. with
astro preview.Append
/_image?href=//placehold.co/600x400to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400The site will serve the image from the unauthorized
placehold.coorigin.Impact
Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.
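The bypass works because a check that classifies href values by their first character treats //placehold.co/600x400 as a bundled local asset. The following is an added example, not Astro's implementation, of a check that resolves the href against the site origin before consulting the allowlist. SITE_ORIGIN and IMAGE_CONFIG are constructed for the demonstration; the domains and remotePatterns keys mirror the option names the advisory mentions, but the matching rules are this example's own.

```javascript
// Added example (not Astro's implementation): deciding whether an
// /_image?href=... value may be fetched. SITE_ORIGIN and IMAGE_CONFIG are
// assumed; the `domains` / `remotePatterns` keys mirror the option names the
// advisory mentions, but the matching rules here are this example's own.
const SITE_ORIGIN = 'https://example.com';

// Constructed allowlist for the demonstration.
const IMAGE_CONFIG = {
  domains: ['images.example.org'],
  remotePatterns: [{ protocol: 'https', hostname: '*.cdn.example.net' }],
};

// The flawed shortcut this bug class boils down to: "starts with a slash, so it
// is a bundled local asset". "//placehold.co/600x400" passes this test even
// though the server's fetch will go to another host.
function naiveIsLocalAsset(href) {
  return href.startsWith('/');
}

function hostnameMatches(hostname, pattern) {
  // A leading "*." matches any subdomain (but not the bare domain itself).
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return hostname === pattern;
}

// Hardened check: resolve href against the site origin first, so that
// protocol-relative ("//host/x") and backslash ("/\host/x") forms are
// classified by the origin they really point at, not by their first byte.
function isAllowedImageSource(href, config = IMAGE_CONFIG) {
  let url;
  try {
    url = new URL(href, SITE_ORIGIN);
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.origin === new URL(SITE_ORIGIN).origin) return true; // bundled asset
  if (config.domains.includes(url.hostname)) return true;
  return config.remotePatterns.some(
    (p) => (p.protocol === undefined || `${p.protocol}:` === url.protocol)
      && hostnameMatches(url.hostname, p.hostname),
  );
}
```

Resolving first and comparing origins afterwards is the whole point: any string-prefix test on the raw href can be fooled by the same protocol-relative and backslash forms that the WHATWG URL parser accepts.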
Release Notes
withastro/astro (@astrojs/node)

v9.4.1
Patch Changes
- 5fc3c59 Thanks @ematipico! - Fixes a routing bug in standalone mode with trailingSlash set to "always".

v9.4.0
Minor Changes
- #14188 e3422aa Thanks @ascorbic! - Adds support for specifying a host to load prerendered error pages.
  By default, if a user defines a custom error page that is prerendered, Astro will load it from the same host as the one that the request is made to. This change allows users to specify a different host for loading prerendered error pages. This can be useful in scenarios such as where the server is running behind a reverse proxy or when prerendered pages are hosted on a different domain.
  To use this feature, set the experimentalErrorPageHost adapter option in your Astro configuration to the desired host URL. For example, if your server is running on localhost and served via a proxy, you can ensure the prerendered error pages are fetched via the localhost URL:
  For more information on enabling and using this experimental feature, see the @astrojs/node adapter docs.

v9.3.3
Patch Changes
- [0567fb7]:

v9.3.2
Patch Changes
- [f4e8889]:

v9.3.1
Patch Changes
- e4d74ba Thanks @ColoredCarrot! - fix(node): emit set-cookie header from middlewares for not-found routes (#14136)

v9.3.0
Minor Changes
- #14012 a125a14 Thanks @florian-lefebvre! - Adds a new experimental configuration option experimentalDisableStreaming to allow you to opt out of Astro's default HTML streaming for pages rendered on demand.
  HTML streaming helps with performance and generally provides a better visitor experience. In most cases, disabling streaming is not recommended.
  However, when you need to disable HTML streaming (e.g. your host only supports non-streamed HTML caching at the CDN level), you can now opt out of the default behavior:

  ```diff
  import { defineConfig } from 'astro/config';
  import node from '@astrojs/node';

  export default defineConfig({
    adapter: node({
      mode: 'standalone',
  +   experimentalDisableStreaming: true,
    }),
  });
  ```

- #13972 db8f8be Thanks @ematipico! - Adds support for the experimental static headers Astro feature.
  When the feature is enabled via the option experimentalStaticHeaders, and experimental Content Security Policy is enabled, the adapter will generate Response headers for static pages, which allows support for CSP directives that are not supported inside a <meta> tag (e.g. frame-ancestors).

v9.2.2
Patch Changes
- 660e83f Thanks @TheOtterlord! - Handle errors where a module is not found when loading the server entrypoint

v9.2.1
Patch Changes
- 5dd2d3f Thanks @florian-lefebvre! - Removes unused code

v9.2.0
Minor Changes
- #13527 2fd6a6b Thanks @ascorbic! - The experimental session API introduced in Astro 5.1 is now stable and ready for production use.
  Sessions are used to store user state between requests for on-demand rendered pages. You can use them to store user data, such as authentication tokens, shopping cart contents, or any other data that needs to persist across requests:

v9.1.3
Patch Changes
- [042d1de]:

v9.1.2
Patch Changes
- [1e11f5e]:

v9.1.1
Patch Changes
- c6bf6b3 Thanks @lee-arnold! - Fixes the image endpoint entrypoint

v9.1.0
Minor Changes
- #13145 8d4e566 Thanks @ascorbic! - Automatically configures filesystem storage when experimental session enabled
  If the experimental.session flag is enabled when using the Node adapter, Astro will automatically configure session storage using the filesystem driver. You can still manually configure session storage if you need to use a different driver or want to customize the session storage configuration.
  See the experimental session docs for more information on configuring session storage.

v9.0.3
Patch Changes
- 23094a1 Thanks @ascorbic! - Fixes a bug that caused incorrect redirects for static files with numbers in the file extension

v9.0.2
Patch Changes
- ea4297b Thanks @ascorbic! - Fixes a bug that caused the preview server to ignore wildcard host options

v9.0.1
Patch Changes
- 83cedad Thanks @alexanderniebuhr! - Improves Astro 5 support

v9.0.0
Major Changes
- #375 e7881f7 Thanks @Princesseuh! - Updates internal code to work with Astro 5 changes to hybrid rendering. No changes are necessary to your project, apart from using Astro 5
- #397 776a266 Thanks @Princesseuh! - Welcome to the Astro 5 beta! This release has no changes from the latest alpha of this package, but it does bring us one step closer to the final, stable release.
  Starting from this release, no breaking changes will be introduced unless absolutely necessary.
  To learn how to upgrade, check out the Astro v5.0 upgrade guide in our beta docs site.
- #392 3a49eb7 Thanks @Princesseuh! - Updates internal code for Astro 5 changes. No changes are required to your project, apart from using Astro 5
- #451 167b369 Thanks @ematipico! - Updates send dependency to v1.1.0
Minor Changes
- bb725b7 Thanks @florian-lefebvre! - Cleans up astro:env support

v8.3.4
Patch Changes
- 0cf7e91 Thanks @bluwy! - Updates send dependency to 0.19.0

v8.3.3
Patch Changes
- #11535 932bd2e Thanks @matthewp! - Move polyfills up before awaiting the env module in the Node.js adapter.
  Previously the env setting was happening before the polyfills were applied. This means that if the Astro env code (or any dependencies) depended on crypto, it would not be polyfilled in time.
  Polyfills should be applied ASAP to prevent races. This moves it to the top of the Node adapter.

v8.3.2
Patch Changes
- 5848d97 Thanks @florian-lefebvre! - Fixes astro:env getSecret compatibility

v8.3.1
Patch Changes
- #11261 f5f8ed2 Thanks @matthewp! - Fix backwards compat with Astro <= 4.9
- #11263 7d59750 Thanks @wackbyte! - Refactor to use Astro's integration logger for logging

v8.3.0
Minor Changes
- 2bdca27 Thanks @florian-lefebvre! - Adds support for experimental astro:env released in Astro 4.10

v8.2.6
Patch Changes
- d0248bc Thanks @dkobierski! - Fixes suppressed logs when error occurs

v8.2.5
Patch Changes
- 28e33a2f9c04373eae5da2e6edb0dc2981bce790 Thanks @castarco! - Fixes a bug where the preview server wrongly appends trailing slashes to subresource URLs.

v8.2.4
Patch Changes
- 83f9105cd50e2756d02ca2be73ab84f9d582d3f8 Thanks @lilnasy! - Prevents crashes caused by rejections of offshoot promises.

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.