astro 5.17.2 → 5.18.0

package/dist/actions/runtime/server.js

@@ -159,10 +159,14 @@ function getActionContext(context) {
           }
           throw error;
         }
+        const bodySizeLimit = pipeline.manifest.actionBodySizeLimit;
         let input;
         try {
-          input = await parseRequestBody(context.request);
+          input = await parseRequestBody(context.request, bodySizeLimit);
         } catch (e) {
+          if (e instanceof ActionError) {
+            return { data: void 0, error: e };
+          }
           if (e instanceof TypeError) {
             return { data: void 0, error: new ActionError({ code: "UNSUPPORTED_MEDIA_TYPE" }) };
           }
@@ -206,18 +210,73 @@ function getCallerInfo(ctx) {
   }
   return void 0;
 }
-async function parseRequestBody(request) {
+async function parseRequestBody(request, bodySizeLimit) {
   const contentType = request.headers.get("content-type");
-  const contentLength = request.headers.get("Content-Length");
+  const contentLengthHeader = request.headers.get("content-length");
+  const contentLength = contentLengthHeader ? Number.parseInt(contentLengthHeader, 10) : void 0;
+  const hasContentLength = typeof contentLength === "number" && Number.isFinite(contentLength);
   if (!contentType) return void 0;
+  if (hasContentLength && contentLength > bodySizeLimit) {
+    throw new ActionError({
+      code: "CONTENT_TOO_LARGE",
+      message: `Request body exceeds ${bodySizeLimit} bytes`
+    });
+  }
   if (hasContentType(contentType, formContentTypes)) {
+    if (!hasContentLength) {
+      const body = await readRequestBodyWithLimit(request.clone(), bodySizeLimit);
+      const formRequest = new Request(request.url, {
+        method: request.method,
+        headers: request.headers,
+        body: toArrayBuffer(body)
+      });
+      return await formRequest.formData();
+    }
     return await request.clone().formData();
   }
   if (hasContentType(contentType, ["application/json"])) {
-    return contentLength === "0" ? void 0 : await request.clone().json();
+    if (contentLength === 0) return void 0;
+    if (!hasContentLength) {
+      const body = await readRequestBodyWithLimit(request.clone(), bodySizeLimit);
+      if (body.byteLength === 0) return void 0;
+      return JSON.parse(new TextDecoder().decode(body));
+    }
+    return await request.clone().json();
   }
   throw new TypeError("Unsupported content type");
 }
+async function readRequestBodyWithLimit(request, limit) {
+  if (!request.body) return new Uint8Array();
+  const reader = request.body.getReader();
+  const chunks = [];
+  let received = 0;
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    if (value) {
+      received += value.byteLength;
+      if (received > limit) {
+        throw new ActionError({
+          code: "CONTENT_TOO_LARGE",
+          message: `Request body exceeds ${limit} bytes`
+        });
+      }
+      chunks.push(value);
+    }
+  }
+  const buffer = new Uint8Array(received);
+  let offset = 0;
+  for (const chunk of chunks) {
+    buffer.set(chunk, offset);
+    offset += chunk.byteLength;
+  }
+  return buffer;
+}
+function toArrayBuffer(buffer) {
+  const copy = new Uint8Array(buffer.byteLength);
+  copy.set(buffer);
+  return copy.buffer;
+}
 export {
   defineAction,
   formDataToObject,

package/dist/assets/build/remote.js

@@ -1,7 +1,10 @@
 import CachePolicy from "http-cache-semantics";
 async function loadRemoteImage(src) {
   const req = new Request(src);
-  const res = await fetch(req);
+  const res = await fetch(req, { redirect: "manual" });
+  if (res.status >= 300 && res.status < 400) {
+    throw new Error(`Failed to load remote image ${src}. The request was redirected.`);
+  }
   if (!res.ok) {
     throw new Error(
       `Failed to load remote image ${src}. The request did not return a 200 OK response. (received ${res.status}))`
@@ -22,7 +25,10 @@ async function revalidateRemoteImage(src, revalidationData) {
     ...revalidationData.lastModified && { "If-Modified-Since": revalidationData.lastModified }
   };
   const req = new Request(src, { headers, cache: "no-cache" });
-  const res = await fetch(req);
+  const res = await fetch(req, { redirect: "manual" });
+  if (res.status >= 300 && res.status < 400) {
+    throw new Error(`Failed to revalidate cached remote image ${src}. The request was redirected.`);
+  }
   if (!res.ok && res.status !== 304) {
     throw new Error(
       `Failed to revalidate cached remote image ${src}. The request did not return a 200 OK / 304 NOT MODIFIED response. (received ${res.status} ${res.statusText})`

package/dist/assets/endpoint/generic.js

@@ -8,8 +8,12 @@ async function loadRemoteImage(src, headers) {
   try {
     const res = await fetch(src, {
       // Forward all headers from the original request
-      headers
+      headers,
+      redirect: "manual"
     });
+    if (res.status >= 300 && res.status < 400) {
+      return void 0;
+    }
     if (!res.ok) {
       return void 0;
     }

package/dist/assets/endpoint/shared.js

@@ -6,7 +6,10 @@ import { getConfiguredImageService } from "../internal.js";
 import { etag } from "../utils/etag.js";
 async function loadRemoteImage(src) {
   try {
-    const res = await fetch(src);
+    const res = await fetch(src, { redirect: "manual" });
+    if (res.status >= 300 && res.status < 400) {
+      return void 0;
+    }
     if (!res.ok) {
       return void 0;
     }

package/dist/assets/internal.js

@@ -1,4 +1,5 @@
 import { isRemotePath } from "@astrojs/internal-helpers/path";
+import { isRemoteAllowed } from "@astrojs/internal-helpers/remote";
 import { AstroError, AstroErrorData } from "../core/errors/index.js";
 import { DEFAULT_HASH_PROPS } from "./consts.js";
 import {
@@ -58,13 +59,21 @@ async function getImage(options, imageConfig) {
   };
   let originalWidth;
   let originalHeight;
-  if (options.inferSize && isRemoteImage(resolvedOptions.src) && isRemotePath(resolvedOptions.src)) {
-    const result = await inferRemoteSize(resolvedOptions.src);
-    resolvedOptions.width ??= result.width;
-    resolvedOptions.height ??= result.height;
-    originalWidth = result.width;
-    originalHeight = result.height;
+  if (options.inferSize) {
     delete resolvedOptions.inferSize;
+    if (isRemoteImage(resolvedOptions.src) && isRemotePath(resolvedOptions.src)) {
+      if (!isRemoteAllowed(resolvedOptions.src, imageConfig)) {
+        throw new AstroError({
+          ...AstroErrorData.RemoteImageNotAllowed,
+          message: AstroErrorData.RemoteImageNotAllowed.message(resolvedOptions.src)
+        });
+      }
+      const result = await inferRemoteSize(resolvedOptions.src, imageConfig);
+      resolvedOptions.width ??= result.width;
+      resolvedOptions.height ??= result.height;
+      originalWidth = result.width;
+      originalHeight = result.height;
+    }
   }
   const originalFilePath = isESMImportedImage(resolvedOptions.src) ? resolvedOptions.src.fsPath : void 0;
   const clonedSrc = isESMImportedImage(resolvedOptions.src) ? (

package/dist/assets/utils/remoteProbe.d.ts

@@ -1,9 +1,13 @@
+import type { AstroConfig } from '../../types/public/config.js';
 import type { ImageMetadata } from '../types.js';
+type RemoteImageConfig = Pick<AstroConfig['image'], 'domains' | 'remotePatterns'>;
 /**
  * Infers the dimensions of a remote image by streaming its data and analyzing it progressively until sufficient metadata is available.
  *
  * @param {string} url - The URL of the remote image from which to infer size metadata.
+ * @param {RemoteImageConfig} [imageConfig] - Optional image config used to validate remote allowlists.
  * @return {Promise<Omit<ImageMetadata, 'src' | 'fsPath'>>} Returns a promise that resolves to an object containing the image dimensions metadata excluding `src` and `fsPath`.
  * @throws {AstroError} Thrown when the fetching fails or metadata cannot be extracted.
  */
-export declare function inferRemoteSize(url: string): Promise<Omit<ImageMetadata, 'src' | 'fsPath'>>;
+export declare function inferRemoteSize(url: string, imageConfig?: RemoteImageConfig): Promise<Omit<ImageMetadata, 'src' | 'fsPath'>>;
+export {};

package/dist/assets/utils/remoteProbe.js

@@ -1,7 +1,39 @@
+import { isRemoteAllowed } from "@astrojs/internal-helpers/remote";
 import { AstroError, AstroErrorData } from "../../core/errors/index.js";
 import { imageMetadata } from "./metadata.js";
-async function inferRemoteSize(url) {
-  const response = await fetch(url);
+async function inferRemoteSize(url, imageConfig) {
+  if (!URL.canParse(url)) {
+    throw new AstroError({
+      ...AstroErrorData.FailedToFetchRemoteImageDimensions,
+      message: AstroErrorData.FailedToFetchRemoteImageDimensions.message(url)
+    });
+  }
+  const allowlistConfig = imageConfig ? {
+    domains: imageConfig.domains ?? [],
+    remotePatterns: imageConfig.remotePatterns ?? []
+  } : void 0;
+  if (!allowlistConfig) {
+    const parsedUrl = new URL(url);
+    if (!["http:", "https:"].includes(parsedUrl.protocol)) {
+      throw new AstroError({
+        ...AstroErrorData.FailedToFetchRemoteImageDimensions,
+        message: AstroErrorData.FailedToFetchRemoteImageDimensions.message(url)
+      });
+    }
+  }
+  if (allowlistConfig && !isRemoteAllowed(url, allowlistConfig)) {
+    throw new AstroError({
+      ...AstroErrorData.RemoteImageNotAllowed,
+      message: AstroErrorData.RemoteImageNotAllowed.message(url)
+    });
+  }
+  const response = await fetch(url, { redirect: "manual" });
+  if (response.status >= 300 && response.status < 400) {
+    throw new AstroError({
+      ...AstroErrorData.FailedToFetchRemoteImageDimensions,
+      message: AstroErrorData.FailedToFetchRemoteImageDimensions.message(url)
+    });
+  }
   if (!response.body || !response.ok) {
     throw new AstroError({
       ...AstroErrorData.FailedToFetchRemoteImageDimensions,

package/dist/assets/vite-plugin-assets.js

@@ -101,11 +101,11 @@ function assets({ fs, settings, sync, logger }) {
         if (id === resolvedVirtualModuleId) {
           return {
             code: `
-							export { getConfiguredImageService, isLocalService } from "astro/assets";
-							import { getImage as getImageInternal } from "astro/assets";
-							export { default as Image } from "astro/components/${imageComponentPrefix}Image.astro";
-							export { default as Picture } from "astro/components/${imageComponentPrefix}Picture.astro";
-							export { inferRemoteSize } from "astro/assets/utils/inferRemoteSize.js";
+								export { getConfiguredImageService, isLocalService } from "astro/assets";
+								import { getImage as getImageInternal } from "astro/assets";
+								import { inferRemoteSize as inferRemoteSizeInternal } from "astro/assets/utils/inferRemoteSize.js";
+								export { default as Image } from "astro/components/${imageComponentPrefix}Image.astro";
+								export { default as Picture } from "astro/components/${imageComponentPrefix}Picture.astro";
 
 							export { default as Font } from "astro/components/Font.astro";
 							export * from "${RUNTIME_VIRTUAL_MODULE_ID}";
@@ -126,6 +126,9 @@ function assets({ fs, settings, sync, logger }) {
 								enumerable: false,
 								configurable: true,
 							});
+							export const inferRemoteSize = async (url) => {
+								return inferRemoteSizeInternal(url, imageConfig)
+							}
 							// This is used by the @astrojs/node integration to locate images.
 							// It's unused on other platforms, but on some platforms like Netlify (and presumably also Vercel)
 							// new URL("dist/...") is interpreted by the bundler as a signal to include that directory

package/dist/cli/infra/build-time-astro-version-provider.js

@@ -1,6 +1,6 @@
 class BuildTimeAstroVersionProvider {
   // Injected during the build through esbuild define
-  version = "5.17.2";
+  version = "5.18.0";
 }
 export {
   BuildTimeAstroVersionProvider

package/dist/container/index.js

@@ -45,6 +45,7 @@ function createManifest(manifest, renderers, middleware) {
     i18n: manifest?.i18n,
     checkOrigin: false,
     allowedDomains: manifest?.allowedDomains ?? [],
+    actionBodySizeLimit: 1024 * 1024,
     middleware: manifest?.middleware ?? middlewareInstance,
     key: createKey(),
     csp: manifest?.csp

package/dist/content/content-layer.js

@@ -164,7 +164,7 @@ ${contentConfig.error.message}`);
       logger.info("Content config changed");
       shouldClear = true;
     }
-    if (previousAstroVersion && previousAstroVersion !== "5.17.2") {
+    if (previousAstroVersion && previousAstroVersion !== "5.18.0") {
       logger.info("Astro version changed");
       shouldClear = true;
     }
@@ -172,8 +172,8 @@ ${contentConfig.error.message}`);
       logger.info("Clearing content store");
       this.#store.clearAll();
     }
-    if ("5.17.2") {
-      await this.#store.metaStore().set("astro-version", "5.17.2");
+    if ("5.18.0") {
+      await this.#store.metaStore().set("astro-version", "5.18.0");
     }
     if (currentConfigDigest) {
       await this.#store.metaStore().set("content-config-digest", currentConfigDigest);

package/dist/core/app/types.d.ts

@@ -71,6 +71,7 @@ export type SSRManifest = {
     actions?: () => Promise<SSRActions> | SSRActions;
     checkOrigin: boolean;
     allowedDomains?: Partial<RemotePattern>[];
+    actionBodySizeLimit: number;
     sessionConfig?: ResolvedSessionConfig<any>;
     cacheDir: string | URL;
     srcDir: string | URL;

package/dist/core/app/validate-headers.js

@@ -39,7 +39,9 @@ function validateForwardedHeaders(forwardedProtocol, forwardedHost, forwardedPor
       if (hasProtocolPatterns) {
         try {
           const testUrl = new URL(`${forwardedProtocol}://example.com`);
-          const isAllowed = allowedDomains.some((pattern) => matchPattern(testUrl, pattern));
+          const isAllowed = allowedDomains.some(
+            (pattern) => matchPattern(testUrl, { protocol: pattern.protocol })
+          );
           if (isAllowed) {
             result.protocol = forwardedProtocol;
           }

package/dist/core/build/generate.js

@@ -500,6 +500,7 @@ async function createBuildManifest(settings, internals, renderers, middleware, a
     },
     actions: () => actions,
     checkOrigin: (settings.config.security?.checkOrigin && settings.buildOutput === "server") ?? false,
+    actionBodySizeLimit: settings.config.security.actionBodySizeLimit,
     key,
     csp
   };

package/dist/core/build/plugins/plugin-manifest.js

@@ -300,6 +300,7 @@ async function buildManifest(opts, internals, staticFiles, encodedKey) {
     buildFormat: settings.config.build.format,
     checkOrigin: (settings.config.security?.checkOrigin && settings.buildOutput === "server") ?? false,
     allowedDomains: settings.config.security?.allowedDomains,
+    actionBodySizeLimit: settings.config.security.actionBodySizeLimit,
     serverIslandNameMap: Array.from(settings.serverIslandNameMap),
     key: encodedKey,
     sessionConfig: settings.config.session,

package/dist/core/config/schemas/base.d.ts

@@ -64,6 +64,7 @@ export declare const ASTRO_CONFIG_DEFAULTS: {
     security: {
         checkOrigin: true;
         allowedDomains: never[];
+        actionBodySizeLimit: number;
     };
     env: {
         schema: {};
@@ -456,6 +457,7 @@ export declare const AstroConfigSchema: z.ZodObject<{
             protocol?: string | undefined;
             hostname?: string | undefined;
         }>, "many">>>;
+        actionBodySizeLimit: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
     }, "strip", z.ZodTypeAny, {
         checkOrigin: boolean;
         allowedDomains: {
@@ -463,6 +465,7 @@ export declare const AstroConfigSchema: z.ZodObject<{
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[];
+        actionBodySizeLimit: number;
     }, {
         checkOrigin?: boolean | undefined;
         allowedDomains?: {
@@ -470,6 +473,7 @@ export declare const AstroConfigSchema: z.ZodObject<{
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[] | undefined;
+        actionBodySizeLimit?: number | undefined;
     }>>>;
     env: z.ZodDefault<z.ZodOptional<z.ZodObject<{
         schema: z.ZodDefault<z.ZodOptional<z.ZodRecord<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>, z.ZodIntersection<z.ZodEffects<z.ZodType<{
@@ -1097,6 +1101,7 @@ export declare const AstroConfigSchema: z.ZodObject<{
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[];
+        actionBodySizeLimit: number;
     };
     experimental: {
         clientPrerender: boolean;
@@ -1344,6 +1349,7 @@ export declare const AstroConfigSchema: z.ZodObject<{
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[] | undefined;
+        actionBodySizeLimit?: number | undefined;
     } | undefined;
     experimental?: {
         fonts?: {

package/dist/core/config/schemas/base.js

@@ -46,7 +46,8 @@ const ASTRO_CONFIG_DEFAULTS = {
   redirects: {},
   security: {
     checkOrigin: true,
-    allowedDomains: []
+    allowedDomains: [],
+    actionBodySizeLimit: 1024 * 1024
   },
   env: {
     schema: {},
@@ -252,7 +253,8 @@ const AstroConfigSchema = z.object({
         protocol: z.string().optional(),
         port: z.string().optional()
       })
-    ).optional().default(ASTRO_CONFIG_DEFAULTS.security.allowedDomains)
+    ).optional().default(ASTRO_CONFIG_DEFAULTS.security.allowedDomains),
+    actionBodySizeLimit: z.number().optional().default(ASTRO_CONFIG_DEFAULTS.security.actionBodySizeLimit)
   }).optional().default(ASTRO_CONFIG_DEFAULTS.security),
   env: z.object({
     schema: EnvSchema.optional().default(ASTRO_CONFIG_DEFAULTS.env.schema),

package/dist/core/config/schemas/relative.d.ts

@@ -301,6 +301,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }>, "many">>>;
+        actionBodySizeLimit: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
     }, "strip", z.ZodTypeAny, {
         checkOrigin: boolean;
         allowedDomains: {
@@ -308,6 +309,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[];
+        actionBodySizeLimit: number;
     }, {
         checkOrigin?: boolean | undefined;
         allowedDomains?: {
@@ -315,6 +317,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[] | undefined;
+        actionBodySizeLimit?: number | undefined;
     }>>>;
     env: z.ZodDefault<z.ZodOptional<z.ZodObject<{
         schema: z.ZodDefault<z.ZodOptional<z.ZodRecord<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>, z.ZodIntersection<z.ZodEffects<z.ZodType<{
@@ -1020,6 +1023,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[];
+        actionBodySizeLimit: number;
     };
     experimental: {
         clientPrerender: boolean;
@@ -1267,6 +1271,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[] | undefined;
+        actionBodySizeLimit?: number | undefined;
     } | undefined;
     experimental?: {
         fonts?: {
@@ -1450,6 +1455,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[];
+        actionBodySizeLimit: number;
     };
     experimental: {
         clientPrerender: boolean;
@@ -1697,6 +1703,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[] | undefined;
+        actionBodySizeLimit?: number | undefined;
     } | undefined;
     experimental?: {
         fonts?: {

package/dist/core/constants.js

@@ -1,4 +1,4 @@
-const ASTRO_VERSION = "5.17.2";
+const ASTRO_VERSION = "5.18.0";
 const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
 const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";
 const REWRITE_DIRECTIVE_HEADER_VALUE = "yes";

package/dist/core/dev/dev.js

@@ -22,7 +22,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "5.17.2";
+  const currentVersion = "5.18.0";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/errors/errors-data.d.ts

@@ -491,6 +491,19 @@ export declare const FailedToFetchRemoteImageDimensions: {
     message: (imageURL: string) => string;
     hint: string;
 };
+/**
+ * @docs
+ * @message
+ * Remote image `IMAGE_URL` is not allowed by your image configuration.
+ * @description
+ * The remote image URL does not match your configured `image.domains` or `image.remotePatterns`.
+ */
+export declare const RemoteImageNotAllowed: {
+    name: string;
+    title: string;
+    message: (imageURL: string) => string;
+    hint: string;
+};
 /**
  * @docs
  * @description

package/dist/core/errors/errors-data.js

@@ -175,6 +175,12 @@ const FailedToFetchRemoteImageDimensions = {
   message: (imageURL) => `Failed to get the dimensions for ${imageURL}.`,
   hint: "Verify your remote image URL is accurate, and that you are not using `inferSize` with a file located in your `public/` folder."
 };
+const RemoteImageNotAllowed = {
+  name: "RemoteImageNotAllowed",
+  title: "Remote image is not allowed",
+  message: (imageURL) => `Remote image ${imageURL} is not allowed by your image configuration.`,
+  hint: "Update `image.domains` or `image.remotePatterns`, or remove `inferSize` for this image."
+};
 const UnsupportedImageFormat = {
   name: "UnsupportedImageFormat",
   title: "Unsupported image format",
@@ -832,6 +838,7 @@ export {
   PrerenderDynamicEndpointPathCollide,
   PrerenderRouteConflict,
   RedirectWithNoLocation,
+  RemoteImageNotAllowed,
   RenderUndefinedEntryError,
   ReservedSlotName,
   ResponseSentError,

package/dist/core/messages.js

@@ -38,7 +38,7 @@ function serverStart({
   host,
   base
 }) {
-  const version = "5.17.2";
+  const version = "5.18.0";
   const localPrefix = `${dim("\u2503")} Local    `;
   const networkPrefix = `${dim("\u2503")} Network  `;
   const emptyPrefix = " ".repeat(11);
@@ -275,7 +275,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"5.17.2"}`
+        `v${"5.18.0"}`
       )} ${headline}`
     );
   }

package/dist/types/public/config.d.ts

@@ -563,6 +563,30 @@ export interface AstroUserConfig<TLocales extends Locales = never, TSession exte
          * When not configured, `X-Forwarded-Host` headers are not trusted and will be ignored.
          */
         allowedDomains?: Partial<RemotePattern>[];
+        /**
+         * @docs
+         * @name security.actionBodySizeLimit
+         * @kind h4
+         * @type {number}
+         * @default `1048576` (1 MB)
+         * @version 5.18.0
+         * @description
+         *
+         * Sets the maximum size in bytes allowed for action request bodies.
+         *
+         * By default, action request bodies are limited to 1 MB (1048576 bytes) to prevent abuse.
+         * You can increase this limit if your actions need to accept larger payloads, for example when handling file uploads.
+         *
+         * ```js
+         * // astro.config.mjs
+         * export default defineConfig({
+         *   security: {
+         *     actionBodySizeLimit: 10 * 1024 * 1024 // 10 MB
+         *   }
+         * })
+         * ```
+         */
+        actionBodySizeLimit?: number;
     };
     /**
      * @docs

package/dist/vite-plugin-astro-server/plugin.js

@@ -106,6 +106,7 @@ function createVitePluginAstroServer({
         }
         warnMissingAdapter(logger, settings);
         pipeline.manifest.checkOrigin = settings.config.security.checkOrigin && settings.buildOutput === "server";
+        pipeline.manifest.actionBodySizeLimit = settings.config.security.actionBodySizeLimit;
         pipeline.setManifestData(routesList);
       }
       viteServer.watcher.on("add", rebuildManifest.bind(null, null));
@@ -251,6 +252,7 @@ function createDevelopmentManifest(settings) {
     inlinedScripts: /* @__PURE__ */ new Map(),
     i18n: i18nManifest,
     checkOrigin: (settings.config.security?.checkOrigin && settings.buildOutput === "server") ?? false,
+    actionBodySizeLimit: settings.config.security.actionBodySizeLimit,
     key: hasEnvironmentKey() ? getEnvironmentKey() : createKey(),
     middleware() {
       return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "5.17.2",
+  "version": "5.18.0",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
@@ -113,7 +113,7 @@
     "dlv": "^1.1.3",
     "dset": "^3.1.4",
     "es-module-lexer": "^1.7.0",
-    "esbuild": "^0.27.0",
+    "esbuild": "^0.27.3",
     "estree-walker": "^3.0.3",
     "flattie": "^1.1.1",
     "fontace": "~0.4.0",
@@ -193,8 +193,8 @@
     "undici": "^6.23.0",
     "unified": "^11.0.5",
     "vitest": "^3.2.4",
-    "@astrojs/check": "0.9.6",
-    "astro-scripts": "0.0.14"
+    "astro-scripts": "0.0.14",
+    "@astrojs/check": "0.9.6"
   },
   "engines": {
     "node": "18.20.8 || ^20.3.0 || >=22.0.0",