astro 5.17.3 → 5.18.0

package/dist/actions/runtime/server.js

@@ -159,9 +159,10 @@ function getActionContext(context) {
           }
           throw error;
         }
+        const bodySizeLimit = pipeline.manifest.actionBodySizeLimit;
         let input;
         try {
-          input = await parseRequestBody(context.request);
+          input = await parseRequestBody(context.request, bodySizeLimit);
         } catch (e) {
           if (e instanceof ActionError) {
             return { data: void 0, error: e };
@@ -209,22 +210,21 @@ function getCallerInfo(ctx) {
   }
   return void 0;
 }
-const DEFAULT_ACTION_BODY_SIZE_LIMIT = 1024 * 1024;
-async function parseRequestBody(request) {
+async function parseRequestBody(request, bodySizeLimit) {
   const contentType = request.headers.get("content-type");
   const contentLengthHeader = request.headers.get("content-length");
   const contentLength = contentLengthHeader ? Number.parseInt(contentLengthHeader, 10) : void 0;
   const hasContentLength = typeof contentLength === "number" && Number.isFinite(contentLength);
   if (!contentType) return void 0;
-  if (hasContentLength && contentLength > DEFAULT_ACTION_BODY_SIZE_LIMIT) {
+  if (hasContentLength && contentLength > bodySizeLimit) {
     throw new ActionError({
       code: "CONTENT_TOO_LARGE",
-      message: `Request body exceeds ${DEFAULT_ACTION_BODY_SIZE_LIMIT} bytes`
+      message: `Request body exceeds ${bodySizeLimit} bytes`
     });
   }
   if (hasContentType(contentType, formContentTypes)) {
     if (!hasContentLength) {
-      const body = await readRequestBodyWithLimit(request.clone(), DEFAULT_ACTION_BODY_SIZE_LIMIT);
+      const body = await readRequestBodyWithLimit(request.clone(), bodySizeLimit);
       const formRequest = new Request(request.url, {
         method: request.method,
         headers: request.headers,
@@ -237,7 +237,7 @@ async function parseRequestBody(request) {
   if (hasContentType(contentType, ["application/json"])) {
     if (contentLength === 0) return void 0;
     if (!hasContentLength) {
-      const body = await readRequestBodyWithLimit(request.clone(), DEFAULT_ACTION_BODY_SIZE_LIMIT);
+      const body = await readRequestBodyWithLimit(request.clone(), bodySizeLimit);
       if (body.byteLength === 0) return void 0;
       return JSON.parse(new TextDecoder().decode(body));
     }

package/dist/cli/infra/build-time-astro-version-provider.js

@@ -1,6 +1,6 @@
 class BuildTimeAstroVersionProvider {
   // Injected during the build through esbuild define
-  version = "5.17.3";
+  version = "5.18.0";
 }
 export {
   BuildTimeAstroVersionProvider

package/dist/container/index.js

@@ -45,6 +45,7 @@ function createManifest(manifest, renderers, middleware) {
     i18n: manifest?.i18n,
     checkOrigin: false,
     allowedDomains: manifest?.allowedDomains ?? [],
+    actionBodySizeLimit: 1024 * 1024,
     middleware: manifest?.middleware ?? middlewareInstance,
     key: createKey(),
     csp: manifest?.csp

package/dist/content/content-layer.js

@@ -164,7 +164,7 @@ ${contentConfig.error.message}`);
       logger.info("Content config changed");
       shouldClear = true;
     }
-    if (previousAstroVersion && previousAstroVersion !== "5.17.3") {
+    if (previousAstroVersion && previousAstroVersion !== "5.18.0") {
       logger.info("Astro version changed");
       shouldClear = true;
     }
@@ -172,8 +172,8 @@ ${contentConfig.error.message}`);
       logger.info("Clearing content store");
       this.#store.clearAll();
     }
-    if ("5.17.3") {
-      await this.#store.metaStore().set("astro-version", "5.17.3");
+    if ("5.18.0") {
+      await this.#store.metaStore().set("astro-version", "5.18.0");
     }
     if (currentConfigDigest) {
       await this.#store.metaStore().set("content-config-digest", currentConfigDigest);

package/dist/core/app/types.d.ts

@@ -71,6 +71,7 @@ export type SSRManifest = {
     actions?: () => Promise<SSRActions> | SSRActions;
     checkOrigin: boolean;
     allowedDomains?: Partial<RemotePattern>[];
+    actionBodySizeLimit: number;
     sessionConfig?: ResolvedSessionConfig<any>;
     cacheDir: string | URL;
     srcDir: string | URL;

package/dist/core/app/validate-headers.js

@@ -39,7 +39,9 @@ function validateForwardedHeaders(forwardedProtocol, forwardedHost, forwardedPor
       if (hasProtocolPatterns) {
         try {
           const testUrl = new URL(`${forwardedProtocol}://example.com`);
-          const isAllowed = allowedDomains.some((pattern) => matchPattern(testUrl, pattern));
+          const isAllowed = allowedDomains.some(
+            (pattern) => matchPattern(testUrl, { protocol: pattern.protocol })
+          );
           if (isAllowed) {
             result.protocol = forwardedProtocol;
           }

package/dist/core/build/generate.js

@@ -500,6 +500,7 @@ async function createBuildManifest(settings, internals, renderers, middleware, a
     },
     actions: () => actions,
     checkOrigin: (settings.config.security?.checkOrigin && settings.buildOutput === "server") ?? false,
+    actionBodySizeLimit: settings.config.security.actionBodySizeLimit,
     key,
     csp
   };

package/dist/core/build/plugins/plugin-manifest.js

@@ -300,6 +300,7 @@ async function buildManifest(opts, internals, staticFiles, encodedKey) {
     buildFormat: settings.config.build.format,
     checkOrigin: (settings.config.security?.checkOrigin && settings.buildOutput === "server") ?? false,
     allowedDomains: settings.config.security?.allowedDomains,
+    actionBodySizeLimit: settings.config.security.actionBodySizeLimit,
     serverIslandNameMap: Array.from(settings.serverIslandNameMap),
     key: encodedKey,
     sessionConfig: settings.config.session,

package/dist/core/config/schemas/base.d.ts

@@ -64,6 +64,7 @@ export declare const ASTRO_CONFIG_DEFAULTS: {
     security: {
         checkOrigin: true;
         allowedDomains: never[];
+        actionBodySizeLimit: number;
     };
     env: {
         schema: {};
@@ -456,6 +457,7 @@ export declare const AstroConfigSchema: z.ZodObject<{
             protocol?: string | undefined;
             hostname?: string | undefined;
         }>, "many">>>;
+        actionBodySizeLimit: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
     }, "strip", z.ZodTypeAny, {
         checkOrigin: boolean;
         allowedDomains: {
@@ -463,6 +465,7 @@ export declare const AstroConfigSchema: z.ZodObject<{
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[];
+        actionBodySizeLimit: number;
     }, {
         checkOrigin?: boolean | undefined;
         allowedDomains?: {
@@ -470,6 +473,7 @@ export declare const AstroConfigSchema: z.ZodObject<{
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[] | undefined;
+        actionBodySizeLimit?: number | undefined;
     }>>>;
     env: z.ZodDefault<z.ZodOptional<z.ZodObject<{
         schema: z.ZodDefault<z.ZodOptional<z.ZodRecord<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>, z.ZodIntersection<z.ZodEffects<z.ZodType<{
@@ -1097,6 +1101,7 @@ export declare const AstroConfigSchema: z.ZodObject<{
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[];
+        actionBodySizeLimit: number;
     };
     experimental: {
         clientPrerender: boolean;
@@ -1344,6 +1349,7 @@ export declare const AstroConfigSchema: z.ZodObject<{
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[] | undefined;
+        actionBodySizeLimit?: number | undefined;
     } | undefined;
     experimental?: {
         fonts?: {

package/dist/core/config/schemas/base.js

@@ -46,7 +46,8 @@ const ASTRO_CONFIG_DEFAULTS = {
   redirects: {},
   security: {
     checkOrigin: true,
-    allowedDomains: []
+    allowedDomains: [],
+    actionBodySizeLimit: 1024 * 1024
   },
   env: {
     schema: {},
@@ -252,7 +253,8 @@ const AstroConfigSchema = z.object({
         protocol: z.string().optional(),
         port: z.string().optional()
       })
-    ).optional().default(ASTRO_CONFIG_DEFAULTS.security.allowedDomains)
+    ).optional().default(ASTRO_CONFIG_DEFAULTS.security.allowedDomains),
+    actionBodySizeLimit: z.number().optional().default(ASTRO_CONFIG_DEFAULTS.security.actionBodySizeLimit)
   }).optional().default(ASTRO_CONFIG_DEFAULTS.security),
   env: z.object({
     schema: EnvSchema.optional().default(ASTRO_CONFIG_DEFAULTS.env.schema),

package/dist/core/config/schemas/relative.d.ts

@@ -301,6 +301,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }>, "many">>>;
+        actionBodySizeLimit: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
     }, "strip", z.ZodTypeAny, {
         checkOrigin: boolean;
         allowedDomains: {
@@ -308,6 +309,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[];
+        actionBodySizeLimit: number;
     }, {
         checkOrigin?: boolean | undefined;
         allowedDomains?: {
@@ -315,6 +317,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[] | undefined;
+        actionBodySizeLimit?: number | undefined;
     }>>>;
     env: z.ZodDefault<z.ZodOptional<z.ZodObject<{
         schema: z.ZodDefault<z.ZodOptional<z.ZodRecord<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>, z.ZodIntersection<z.ZodEffects<z.ZodType<{
@@ -1020,6 +1023,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[];
+        actionBodySizeLimit: number;
     };
     experimental: {
         clientPrerender: boolean;
@@ -1267,6 +1271,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[] | undefined;
+        actionBodySizeLimit?: number | undefined;
     } | undefined;
     experimental?: {
         fonts?: {
@@ -1450,6 +1455,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[];
+        actionBodySizeLimit: number;
     };
     experimental: {
         clientPrerender: boolean;
@@ -1697,6 +1703,7 @@ export declare function createRelativeSchema(cmd: string, fileProtocolRoot: stri
             protocol?: string | undefined;
             hostname?: string | undefined;
         }[] | undefined;
+        actionBodySizeLimit?: number | undefined;
     } | undefined;
     experimental?: {
         fonts?: {

package/dist/core/constants.js

@@ -1,4 +1,4 @@
-const ASTRO_VERSION = "5.17.3";
+const ASTRO_VERSION = "5.18.0";
 const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
 const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";
 const REWRITE_DIRECTIVE_HEADER_VALUE = "yes";

package/dist/core/dev/dev.js

@@ -22,7 +22,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "5.17.3";
+  const currentVersion = "5.18.0";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/messages.js

@@ -38,7 +38,7 @@ function serverStart({
   host,
   base
 }) {
-  const version = "5.17.3";
+  const version = "5.18.0";
   const localPrefix = `${dim("\u2503")} Local    `;
   const networkPrefix = `${dim("\u2503")} Network  `;
   const emptyPrefix = " ".repeat(11);
@@ -275,7 +275,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"5.17.3"}`
+        `v${"5.18.0"}`
       )} ${headline}`
     );
   }

package/dist/types/public/config.d.ts

@@ -563,6 +563,30 @@ export interface AstroUserConfig<TLocales extends Locales = never, TSession exte
          * When not configured, `X-Forwarded-Host` headers are not trusted and will be ignored.
          */
         allowedDomains?: Partial<RemotePattern>[];
+        /**
+         * @docs
+         * @name security.actionBodySizeLimit
+         * @kind h4
+         * @type {number}
+         * @default `1048576` (1 MB)
+         * @version 5.18.0
+         * @description
+         *
+         * Sets the maximum size in bytes allowed for action request bodies.
+         *
+         * By default, action request bodies are limited to 1 MB (1048576 bytes) to prevent abuse.
+         * You can increase this limit if your actions need to accept larger payloads, for example when handling file uploads.
+         *
+         * ```js
+         * // astro.config.mjs
+         * export default defineConfig({
+         *   security: {
+         *     actionBodySizeLimit: 10 * 1024 * 1024 // 10 MB
+         *   }
+         * })
+         * ```
+         */
+        actionBodySizeLimit?: number;
     };
     /**
      * @docs

package/dist/vite-plugin-astro-server/plugin.js

@@ -106,6 +106,7 @@ function createVitePluginAstroServer({
         }
         warnMissingAdapter(logger, settings);
         pipeline.manifest.checkOrigin = settings.config.security.checkOrigin && settings.buildOutput === "server";
+        pipeline.manifest.actionBodySizeLimit = settings.config.security.actionBodySizeLimit;
         pipeline.setManifestData(routesList);
       }
       viteServer.watcher.on("add", rebuildManifest.bind(null, null));
@@ -251,6 +252,7 @@ function createDevelopmentManifest(settings) {
     inlinedScripts: /* @__PURE__ */ new Map(),
     i18n: i18nManifest,
     checkOrigin: (settings.config.security?.checkOrigin && settings.buildOutput === "server") ?? false,
+    actionBodySizeLimit: settings.config.security.actionBodySizeLimit,
     key: hasEnvironmentKey() ? getEnvironmentKey() : createKey(),
     middleware() {
       return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "5.17.3",
+  "version": "5.18.0",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
@@ -154,8 +154,8 @@
     "zod-to-json-schema": "^3.25.1",
     "zod-to-ts": "^1.2.0",
     "@astrojs/internal-helpers": "0.7.5",
-    "@astrojs/telemetry": "3.3.0",
-    "@astrojs/markdown-remark": "6.3.10"
+    "@astrojs/markdown-remark": "6.3.10",
+    "@astrojs/telemetry": "3.3.0"
   },
   "optionalDependencies": {
     "sharp": "^0.34.0"
@@ -193,8 +193,8 @@
     "undici": "^6.23.0",
     "unified": "^11.0.5",
     "vitest": "^3.2.4",
-    "@astrojs/check": "0.9.6",
-    "astro-scripts": "0.0.14"
+    "astro-scripts": "0.0.14",
+    "@astrojs/check": "0.9.6"
   },
   "engines": {
     "node": "18.20.8 || ^20.3.0 || >=22.0.0",