astro 5.17.2 → 5.17.3

package/dist/actions/runtime/server.js

@@ -163,6 +163,9 @@ function getActionContext(context) {
         try {
           input = await parseRequestBody(context.request);
         } catch (e) {
+          if (e instanceof ActionError) {
+            return { data: void 0, error: e };
+          }
           if (e instanceof TypeError) {
             return { data: void 0, error: new ActionError({ code: "UNSUPPORTED_MEDIA_TYPE" }) };
           }
@@ -206,18 +209,74 @@ function getCallerInfo(ctx) {
   }
   return void 0;
 }
+const DEFAULT_ACTION_BODY_SIZE_LIMIT = 1024 * 1024;
 async function parseRequestBody(request) {
   const contentType = request.headers.get("content-type");
-  const contentLength = request.headers.get("Content-Length");
+  const contentLengthHeader = request.headers.get("content-length");
+  const contentLength = contentLengthHeader ? Number.parseInt(contentLengthHeader, 10) : void 0;
+  const hasContentLength = typeof contentLength === "number" && Number.isFinite(contentLength);
   if (!contentType) return void 0;
+  if (hasContentLength && contentLength > DEFAULT_ACTION_BODY_SIZE_LIMIT) {
+    throw new ActionError({
+      code: "CONTENT_TOO_LARGE",
+      message: `Request body exceeds ${DEFAULT_ACTION_BODY_SIZE_LIMIT} bytes`
+    });
+  }
   if (hasContentType(contentType, formContentTypes)) {
+    if (!hasContentLength) {
+      const body = await readRequestBodyWithLimit(request.clone(), DEFAULT_ACTION_BODY_SIZE_LIMIT);
+      const formRequest = new Request(request.url, {
+        method: request.method,
+        headers: request.headers,
+        body: toArrayBuffer(body)
+      });
+      return await formRequest.formData();
+    }
     return await request.clone().formData();
   }
   if (hasContentType(contentType, ["application/json"])) {
-    return contentLength === "0" ? void 0 : await request.clone().json();
+    if (contentLength === 0) return void 0;
+    if (!hasContentLength) {
+      const body = await readRequestBodyWithLimit(request.clone(), DEFAULT_ACTION_BODY_SIZE_LIMIT);
+      if (body.byteLength === 0) return void 0;
+      return JSON.parse(new TextDecoder().decode(body));
+    }
+    return await request.clone().json();
   }
   throw new TypeError("Unsupported content type");
 }
+async function readRequestBodyWithLimit(request, limit) {
+  if (!request.body) return new Uint8Array();
+  const reader = request.body.getReader();
+  const chunks = [];
+  let received = 0;
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    if (value) {
+      received += value.byteLength;
+      if (received > limit) {
+        throw new ActionError({
+          code: "CONTENT_TOO_LARGE",
+          message: `Request body exceeds ${limit} bytes`
+        });
+      }
+      chunks.push(value);
+    }
+  }
+  const buffer = new Uint8Array(received);
+  let offset = 0;
+  for (const chunk of chunks) {
+    buffer.set(chunk, offset);
+    offset += chunk.byteLength;
+  }
+  return buffer;
+}
+function toArrayBuffer(buffer) {
+  const copy = new Uint8Array(buffer.byteLength);
+  copy.set(buffer);
+  return copy.buffer;
+}
 export {
   defineAction,
   formDataToObject,

package/dist/assets/build/remote.js

@@ -1,7 +1,10 @@
 import CachePolicy from "http-cache-semantics";
 async function loadRemoteImage(src) {
   const req = new Request(src);
-  const res = await fetch(req);
+  const res = await fetch(req, { redirect: "manual" });
+  if (res.status >= 300 && res.status < 400) {
+    throw new Error(`Failed to load remote image ${src}. The request was redirected.`);
+  }
   if (!res.ok) {
     throw new Error(
       `Failed to load remote image ${src}. The request did not return a 200 OK response. (received ${res.status}))`
@@ -22,7 +25,10 @@ async function revalidateRemoteImage(src, revalidationData) {
     ...revalidationData.lastModified && { "If-Modified-Since": revalidationData.lastModified }
   };
   const req = new Request(src, { headers, cache: "no-cache" });
-  const res = await fetch(req);
+  const res = await fetch(req, { redirect: "manual" });
+  if (res.status >= 300 && res.status < 400) {
+    throw new Error(`Failed to revalidate cached remote image ${src}. The request was redirected.`);
+  }
   if (!res.ok && res.status !== 304) {
     throw new Error(
       `Failed to revalidate cached remote image ${src}. The request did not return a 200 OK / 304 NOT MODIFIED response. (received ${res.status} ${res.statusText})`

package/dist/assets/endpoint/generic.js

@@ -8,8 +8,12 @@ async function loadRemoteImage(src, headers) {
   try {
     const res = await fetch(src, {
       // Forward all headers from the original request
-      headers
+      headers,
+      redirect: "manual"
     });
+    if (res.status >= 300 && res.status < 400) {
+      return void 0;
+    }
     if (!res.ok) {
       return void 0;
     }

package/dist/assets/endpoint/shared.js

@@ -6,7 +6,10 @@ import { getConfiguredImageService } from "../internal.js";
 import { etag } from "../utils/etag.js";
 async function loadRemoteImage(src) {
   try {
-    const res = await fetch(src);
+    const res = await fetch(src, { redirect: "manual" });
+    if (res.status >= 300 && res.status < 400) {
+      return void 0;
+    }
     if (!res.ok) {
       return void 0;
     }

package/dist/assets/internal.js

@@ -1,4 +1,5 @@
 import { isRemotePath } from "@astrojs/internal-helpers/path";
+import { isRemoteAllowed } from "@astrojs/internal-helpers/remote";
 import { AstroError, AstroErrorData } from "../core/errors/index.js";
 import { DEFAULT_HASH_PROPS } from "./consts.js";
 import {
@@ -58,13 +59,21 @@ async function getImage(options, imageConfig) {
   };
   let originalWidth;
   let originalHeight;
-  if (options.inferSize && isRemoteImage(resolvedOptions.src) && isRemotePath(resolvedOptions.src)) {
-    const result = await inferRemoteSize(resolvedOptions.src);
-    resolvedOptions.width ??= result.width;
-    resolvedOptions.height ??= result.height;
-    originalWidth = result.width;
-    originalHeight = result.height;
+  if (options.inferSize) {
     delete resolvedOptions.inferSize;
+    if (isRemoteImage(resolvedOptions.src) && isRemotePath(resolvedOptions.src)) {
+      if (!isRemoteAllowed(resolvedOptions.src, imageConfig)) {
+        throw new AstroError({
+          ...AstroErrorData.RemoteImageNotAllowed,
+          message: AstroErrorData.RemoteImageNotAllowed.message(resolvedOptions.src)
+        });
+      }
+      const result = await inferRemoteSize(resolvedOptions.src, imageConfig);
+      resolvedOptions.width ??= result.width;
+      resolvedOptions.height ??= result.height;
+      originalWidth = result.width;
+      originalHeight = result.height;
+    }
   }
   const originalFilePath = isESMImportedImage(resolvedOptions.src) ? resolvedOptions.src.fsPath : void 0;
   const clonedSrc = isESMImportedImage(resolvedOptions.src) ? (

package/dist/assets/utils/remoteProbe.d.ts

@@ -1,9 +1,13 @@
+import type { AstroConfig } from '../../types/public/config.js';
 import type { ImageMetadata } from '../types.js';
+type RemoteImageConfig = Pick<AstroConfig['image'], 'domains' | 'remotePatterns'>;
 /**
  * Infers the dimensions of a remote image by streaming its data and analyzing it progressively until sufficient metadata is available.
  *
  * @param {string} url - The URL of the remote image from which to infer size metadata.
+ * @param {RemoteImageConfig} [imageConfig] - Optional image config used to validate remote allowlists.
  * @return {Promise<Omit<ImageMetadata, 'src' | 'fsPath'>>} Returns a promise that resolves to an object containing the image dimensions metadata excluding `src` and `fsPath`.
  * @throws {AstroError} Thrown when the fetching fails or metadata cannot be extracted.
  */
-export declare function inferRemoteSize(url: string): Promise<Omit<ImageMetadata, 'src' | 'fsPath'>>;
+export declare function inferRemoteSize(url: string, imageConfig?: RemoteImageConfig): Promise<Omit<ImageMetadata, 'src' | 'fsPath'>>;
+export {};

package/dist/assets/utils/remoteProbe.js

@@ -1,7 +1,39 @@
+import { isRemoteAllowed } from "@astrojs/internal-helpers/remote";
 import { AstroError, AstroErrorData } from "../../core/errors/index.js";
 import { imageMetadata } from "./metadata.js";
-async function inferRemoteSize(url) {
-  const response = await fetch(url);
+async function inferRemoteSize(url, imageConfig) {
+  if (!URL.canParse(url)) {
+    throw new AstroError({
+      ...AstroErrorData.FailedToFetchRemoteImageDimensions,
+      message: AstroErrorData.FailedToFetchRemoteImageDimensions.message(url)
+    });
+  }
+  const allowlistConfig = imageConfig ? {
+    domains: imageConfig.domains ?? [],
+    remotePatterns: imageConfig.remotePatterns ?? []
+  } : void 0;
+  if (!allowlistConfig) {
+    const parsedUrl = new URL(url);
+    if (!["http:", "https:"].includes(parsedUrl.protocol)) {
+      throw new AstroError({
+        ...AstroErrorData.FailedToFetchRemoteImageDimensions,
+        message: AstroErrorData.FailedToFetchRemoteImageDimensions.message(url)
+      });
+    }
+  }
+  if (allowlistConfig && !isRemoteAllowed(url, allowlistConfig)) {
+    throw new AstroError({
+      ...AstroErrorData.RemoteImageNotAllowed,
+      message: AstroErrorData.RemoteImageNotAllowed.message(url)
+    });
+  }
+  const response = await fetch(url, { redirect: "manual" });
+  if (response.status >= 300 && response.status < 400) {
+    throw new AstroError({
+      ...AstroErrorData.FailedToFetchRemoteImageDimensions,
+      message: AstroErrorData.FailedToFetchRemoteImageDimensions.message(url)
+    });
+  }
   if (!response.body || !response.ok) {
     throw new AstroError({
       ...AstroErrorData.FailedToFetchRemoteImageDimensions,

package/dist/assets/vite-plugin-assets.js

@@ -101,11 +101,11 @@ function assets({ fs, settings, sync, logger }) {
         if (id === resolvedVirtualModuleId) {
           return {
             code: `
-							export { getConfiguredImageService, isLocalService } from "astro/assets";
-							import { getImage as getImageInternal } from "astro/assets";
-							export { default as Image } from "astro/components/${imageComponentPrefix}Image.astro";
-							export { default as Picture } from "astro/components/${imageComponentPrefix}Picture.astro";
-							export { inferRemoteSize } from "astro/assets/utils/inferRemoteSize.js";
+								export { getConfiguredImageService, isLocalService } from "astro/assets";
+								import { getImage as getImageInternal } from "astro/assets";
+								import { inferRemoteSize as inferRemoteSizeInternal } from "astro/assets/utils/inferRemoteSize.js";
+								export { default as Image } from "astro/components/${imageComponentPrefix}Image.astro";
+								export { default as Picture } from "astro/components/${imageComponentPrefix}Picture.astro";
 
 							export { default as Font } from "astro/components/Font.astro";
 							export * from "${RUNTIME_VIRTUAL_MODULE_ID}";
@@ -126,6 +126,9 @@ function assets({ fs, settings, sync, logger }) {
 								enumerable: false,
 								configurable: true,
 							});
+							export const inferRemoteSize = async (url) => {
+								return inferRemoteSizeInternal(url, imageConfig)
+							}
 							// This is used by the @astrojs/node integration to locate images.
 							// It's unused on other platforms, but on some platforms like Netlify (and presumably also Vercel)
 							// new URL("dist/...") is interpreted by the bundler as a signal to include that directory

package/dist/cli/infra/build-time-astro-version-provider.js

@@ -1,6 +1,6 @@
 class BuildTimeAstroVersionProvider {
   // Injected during the build through esbuild define
-  version = "5.17.2";
+  version = "5.17.3";
 }
 export {
   BuildTimeAstroVersionProvider

package/dist/content/content-layer.js

@@ -164,7 +164,7 @@ ${contentConfig.error.message}`);
       logger.info("Content config changed");
       shouldClear = true;
     }
-    if (previousAstroVersion && previousAstroVersion !== "5.17.2") {
+    if (previousAstroVersion && previousAstroVersion !== "5.17.3") {
       logger.info("Astro version changed");
       shouldClear = true;
     }
@@ -172,8 +172,8 @@ ${contentConfig.error.message}`);
       logger.info("Clearing content store");
       this.#store.clearAll();
     }
-    if ("5.17.2") {
-      await this.#store.metaStore().set("astro-version", "5.17.2");
+    if ("5.17.3") {
+      await this.#store.metaStore().set("astro-version", "5.17.3");
     }
     if (currentConfigDigest) {
       await this.#store.metaStore().set("content-config-digest", currentConfigDigest);

package/dist/core/constants.js

@@ -1,4 +1,4 @@
-const ASTRO_VERSION = "5.17.2";
+const ASTRO_VERSION = "5.17.3";
 const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
 const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";
 const REWRITE_DIRECTIVE_HEADER_VALUE = "yes";

package/dist/core/dev/dev.js

@@ -22,7 +22,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "5.17.2";
+  const currentVersion = "5.17.3";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/errors/errors-data.d.ts

@@ -491,6 +491,19 @@ export declare const FailedToFetchRemoteImageDimensions: {
     message: (imageURL: string) => string;
     hint: string;
 };
+/**
+ * @docs
+ * @message
+ * Remote image `IMAGE_URL` is not allowed by your image configuration.
+ * @description
+ * The remote image URL does not match your configured `image.domains` or `image.remotePatterns`.
+ */
+export declare const RemoteImageNotAllowed: {
+    name: string;
+    title: string;
+    message: (imageURL: string) => string;
+    hint: string;
+};
 /**
  * @docs
  * @description

package/dist/core/errors/errors-data.js

@@ -175,6 +175,12 @@ const FailedToFetchRemoteImageDimensions = {
   message: (imageURL) => `Failed to get the dimensions for ${imageURL}.`,
   hint: "Verify your remote image URL is accurate, and that you are not using `inferSize` with a file located in your `public/` folder."
 };
+const RemoteImageNotAllowed = {
+  name: "RemoteImageNotAllowed",
+  title: "Remote image is not allowed",
+  message: (imageURL) => `Remote image ${imageURL} is not allowed by your image configuration.`,
+  hint: "Update `image.domains` or `image.remotePatterns`, or remove `inferSize` for this image."
+};
 const UnsupportedImageFormat = {
   name: "UnsupportedImageFormat",
   title: "Unsupported image format",
@@ -832,6 +838,7 @@ export {
   PrerenderDynamicEndpointPathCollide,
   PrerenderRouteConflict,
   RedirectWithNoLocation,
+  RemoteImageNotAllowed,
   RenderUndefinedEntryError,
   ReservedSlotName,
   ResponseSentError,

package/dist/core/messages.js

@@ -38,7 +38,7 @@ function serverStart({
   host,
   base
 }) {
-  const version = "5.17.2";
+  const version = "5.17.3";
   const localPrefix = `${dim("\u2503")} Local    `;
   const networkPrefix = `${dim("\u2503")} Network  `;
   const emptyPrefix = " ".repeat(11);
@@ -275,7 +275,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"5.17.2"}`
+        `v${"5.17.3"}`
       )} ${headline}`
     );
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "5.17.2",
+  "version": "5.17.3",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
@@ -113,7 +113,7 @@
     "dlv": "^1.1.3",
     "dset": "^3.1.4",
     "es-module-lexer": "^1.7.0",
-    "esbuild": "^0.27.0",
+    "esbuild": "^0.27.3",
     "estree-walker": "^3.0.3",
     "flattie": "^1.1.1",
     "fontace": "~0.4.0",
@@ -154,8 +154,8 @@
     "zod-to-json-schema": "^3.25.1",
     "zod-to-ts": "^1.2.0",
     "@astrojs/internal-helpers": "0.7.5",
-    "@astrojs/markdown-remark": "6.3.10",
-    "@astrojs/telemetry": "3.3.0"
+    "@astrojs/telemetry": "3.3.0",
+    "@astrojs/markdown-remark": "6.3.10"
   },
   "optionalDependencies": {
     "sharp": "^0.34.0"