astro 6.0.0-beta.10 → 6.0.0-beta.11

package/dist/assets/services/service.js

@@ -64,7 +64,7 @@ function verifyOptions(options) {
     if (options.widths && options.densities) {
       throw new AstroError(AstroErrorData.IncompatibleDescriptorOptions);
     }
-    if (options.src.format === "svg" && options.format !== "svg" || options.src.format !== "svg" && options.format === "svg") {
+    if (options.src.format !== "svg" && options.format === "svg") {
       throw new AstroError(AstroErrorData.UnsupportedImageConversion);
     }
   }
@@ -72,12 +72,13 @@ function verifyOptions(options) {
 const baseService = {
   propertiesToHash: DEFAULT_HASH_PROPS,
   validateOptions(options) {
-    if (isESMImportedImage(options.src) && options.src.format === "svg") {
-      options.format = "svg";
-    }
     verifyOptions(options);
     if (!options.format) {
-      options.format = DEFAULT_OUTPUT_FORMAT;
+      if (isESMImportedImage(options.src) && options.src.format === "svg") {
+        options.format = "svg";
+      } else {
+        options.format = DEFAULT_OUTPUT_FORMAT;
+      }
     }
     if (options.width) options.width = Math.round(options.width);
     if (options.height) options.height = Math.round(options.height);

package/dist/cli/infra/build-time-astro-version-provider.js

@@ -1,6 +1,6 @@
 class BuildTimeAstroVersionProvider {
   // Injected during the build through esbuild define
-  version = "6.0.0-beta.10";
+  version = "6.0.0-beta.11";
 }
 export {
   BuildTimeAstroVersionProvider

package/dist/content/content-layer.js

@@ -181,7 +181,7 @@ ${contentConfig.error.message}`
       logger.info("Content config changed");
       shouldClear = true;
     }
-    if (previousAstroVersion && previousAstroVersion !== "6.0.0-beta.10") {
+    if (previousAstroVersion && previousAstroVersion !== "6.0.0-beta.11") {
       logger.info("Astro version changed");
       shouldClear = true;
     }
@@ -189,8 +189,8 @@ ${contentConfig.error.message}`
       logger.info("Clearing content store");
       this.#store.clearAll();
     }
-    if ("6.0.0-beta.10") {
-      await this.#store.metaStore().set("astro-version", "6.0.0-beta.10");
+    if ("6.0.0-beta.11") {
+      await this.#store.metaStore().set("astro-version", "6.0.0-beta.11");
     }
     if (currentConfigDigest) {
       await this.#store.metaStore().set("content-config-digest", currentConfigDigest);

package/dist/content/mutable-data-store.js

@@ -22,6 +22,8 @@ class MutableDataStore extends ImmutableDataStore {
   #modulesDirty = false;
   #assetImports = /* @__PURE__ */ new Set();
   #moduleImports = /* @__PURE__ */ new Map();
+  #writeInProgress = false;
+  #writeQueued = false;
   set(collectionName, key, value) {
     const collection = this._collections.get(collectionName) ?? /* @__PURE__ */ new Map();
     collection.set(String(key), value);
@@ -121,7 +123,7 @@ ${lines.join(",\n")}]);
     this.#modulesDirty = false;
   }
   #maybeResolveSavePromise() {
-    if (!this.#saveTimeout && !this.#assetsSaveTimeout && !this.#modulesSaveTimeout && this.#savePromiseResolve) {
+    if (!this.#saveTimeout && !this.#assetsSaveTimeout && !this.#modulesSaveTimeout && !this.#writeQueued && !this.#writeInProgress && this.#savePromiseResolve) {
       this.#savePromiseResolve();
       this.#savePromiseResolve = void 0;
       this.#savePromise = void 0;
@@ -317,11 +319,22 @@ ${lines.join(",\n")}]);
     if (!this.#file) {
       throw new AstroError(AstroErrorData.UnknownFilesystemError);
     }
+    if (this.#writeInProgress) {
+      this.#writeQueued = true;
+      return;
+    }
     try {
       this.#dirty = false;
+      this.#writeInProgress = true;
       await this.#writeFileAtomic(this.#file, this.toString());
     } catch (err) {
       throw new AstroError(AstroErrorData.UnknownFilesystemError, { cause: err });
+    } finally {
+      this.#writeInProgress = false;
+      if (this.#writeQueued) {
+        this.#writeQueued = false;
+        await this.writeToDisk();
+      }
     }
   }
   /**

package/dist/core/app/node.js

@@ -4,7 +4,7 @@ import { clientAddressSymbol, nodeRequestAbortControllerCleanupSymbol } from "..
 import { deserializeManifest } from "./manifest.js";
 import { createOutgoingHttpHeaders } from "./createOutgoingHttpHeaders.js";
 import { App } from "./index.js";
-import { sanitizeHost, validateForwardedHeaders } from "./validate-forwarded-headers.js";
+import { validateForwardedHeaders, validateHost } from "./validate-headers.js";
 class NodeApp extends App {
   headersMap = void 0;
   setHeadersMap(headers) {
@@ -50,7 +50,7 @@ class NodeApp extends App {
       return multiValueHeader?.toString()?.split(",").map((e) => e.trim())?.[0];
     };
     const providedProtocol = isEncrypted ? "https" : "http";
-    const providedHostname = req.headers.host ?? req.headers[":authority"];
+    const untrustedHostname = req.headers.host ?? req.headers[":authority"];
     const validated = validateForwardedHeaders(
       getFirstForwardedValue(req.headers["x-forwarded-proto"]),
       getFirstForwardedValue(req.headers["x-forwarded-host"]),
@@ -58,18 +58,20 @@ class NodeApp extends App {
       allowedDomains
     );
     const protocol = validated.protocol ?? providedProtocol;
-    const sanitizedProvidedHostname = sanitizeHost(
-      typeof providedHostname === "string" ? providedHostname : void 0
+    const validatedHostname = validateHost(
+      typeof untrustedHostname === "string" ? untrustedHostname : void 0,
+      protocol,
+      allowedDomains
     );
-    const hostname = validated.host ?? sanitizedProvidedHostname;
+    const hostname = validated.host ?? validatedHostname ?? "localhost";
     const port = validated.port;
     let url;
     try {
       const hostnamePort = getHostnamePort(hostname, port);
       url = new URL(`${protocol}://${hostnamePort}${req.url}`);
     } catch {
-      const hostnamePort = getHostnamePort(providedHostname, port);
-      url = new URL(`${providedProtocol}://${hostnamePort}`);
+      const hostnamePort = getHostnamePort(hostname, port);
+      url = new URL(`${protocol}://${hostnamePort}`);
     }
     const options = {
       method: req.method || "GET",

package/dist/core/app/{validate-forwarded-headers.d.ts → validate-headers.d.ts}

@@ -1,9 +1,10 @@
 import { type RemotePattern } from '@astrojs/internal-helpers/remote';
 /**
- * Validate a hostname by rejecting any with path separators.
- * Prevents path injection attacks. Invalid hostnames return undefined.
+ * Validate a host against allowedDomains.
+ * Returns the host only if it matches an allowed pattern, otherwise undefined.
+ * This prevents SSRF attacks by ensuring the Host header is trusted.
  */
-export declare function sanitizeHost(hostname: string | undefined): string | undefined;
+export declare function validateHost(host: string | undefined, protocol: string, allowedDomains?: Partial<RemotePattern>[]): string | undefined;
 /**
  * Validate forwarded headers (proto, host, port) against allowedDomains.
  * Returns validated values or undefined for rejected headers.

package/dist/core/app/{validate-forwarded-headers.js → validate-headers.js}

@@ -4,6 +4,33 @@ function sanitizeHost(hostname) {
   if (/[/\\]/.test(hostname)) return void 0;
   return hostname;
 }
+function parseHost(host) {
+  const parts = host.split(":");
+  return {
+    hostname: parts[0],
+    port: parts[1]
+  };
+}
+function matchesAllowedDomains(hostname, protocol, port, allowedDomains) {
+  const hostWithPort = port ? `${hostname}:${port}` : hostname;
+  const urlString = `${protocol}://${hostWithPort}`;
+  if (!URL.canParse(urlString)) {
+    return false;
+  }
+  const testUrl = new URL(urlString);
+  return allowedDomains.some((pattern) => matchPattern(testUrl, pattern));
+}
+function validateHost(host, protocol, allowedDomains) {
+  if (!host || host.length === 0) return void 0;
+  if (!allowedDomains || allowedDomains.length === 0) return void 0;
+  const sanitized = sanitizeHost(host);
+  if (!sanitized) return void 0;
+  const { hostname, port } = parseHost(sanitized);
+  if (matchesAllowedDomains(hostname, protocol, port, allowedDomains)) {
+    return sanitized;
+  }
+  return void 0;
+}
 function validateForwardedHeaders(forwardedProtocol, forwardedHost, forwardedPort, allowedDomains) {
   const result = {};
   if (forwardedProtocol) {
@@ -38,23 +65,16 @@ function validateForwardedHeaders(forwardedProtocol, forwardedHost, forwardedPor
     const protoForValidation = result.protocol || "https";
     const sanitized = sanitizeHost(forwardedHost);
     if (sanitized) {
-      try {
-        const hostnameOnly = sanitized.split(":")[0];
-        const portFromHost = sanitized.includes(":") ? sanitized.split(":")[1] : void 0;
-        const portForValidation = result.port || portFromHost;
-        const hostWithPort = portForValidation ? `${hostnameOnly}:${portForValidation}` : hostnameOnly;
-        const testUrl = new URL(`${protoForValidation}://${hostWithPort}`);
-        const isAllowed = allowedDomains.some((pattern) => matchPattern(testUrl, pattern));
-        if (isAllowed) {
-          result.host = sanitized;
-        }
-      } catch {
+      const { hostname, port: portFromHost } = parseHost(sanitized);
+      const portForValidation = result.port || portFromHost;
+      if (matchesAllowedDomains(hostname, protoForValidation, portForValidation, allowedDomains)) {
+        result.host = sanitized;
       }
     }
   }
   return result;
 }
 export {
-  sanitizeHost,
-  validateForwardedHeaders
+  validateForwardedHeaders,
+  validateHost
 };

package/dist/core/build/static-build.js

@@ -84,6 +84,19 @@ async function buildEnvironments(opts, internals) {
   let currentRollupInput = void 0;
   plugins.push({
     name: "astro:resolve-input",
+    // When the rollup input is safe to update, we normalize it to always be an object
+    // so we can reliably identify which entrypoint corresponds to the adapter
+    enforce: "post",
+    config(config) {
+      if (typeof config.build?.rollupOptions?.input === "string") {
+        config.build.rollupOptions.input = { index: config.build.rollupOptions.input };
+      } else if (Array.isArray(config.build?.rollupOptions?.input)) {
+        config.build.rollupOptions.input = Object.fromEntries(
+          config.build.rollupOptions.input.map((v, i) => [`index_${i}`, v])
+        );
+      }
+    },
+    // We save the rollup input to be able to check later on
     configResolved(config) {
       currentRollupInput = config.build.rollupOptions.input;
     }
@@ -113,10 +126,7 @@ async function buildEnvironments(opts, internals) {
     }
   });
   function isRollupInput(moduleName) {
-    if (!currentRollupInput) {
-      return false;
-    }
-    if (!moduleName) {
+    if (!currentRollupInput || !moduleName) {
       return false;
     }
     if (typeof currentRollupInput === "string") {

package/dist/core/constants.js

@@ -1,4 +1,4 @@
-const ASTRO_VERSION = "6.0.0-beta.10";
+const ASTRO_VERSION = "6.0.0-beta.11";
 const ASTRO_GENERATOR = `Astro v${ASTRO_VERSION}`;
 const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
 const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";

package/dist/core/dev/dev.js

@@ -22,7 +22,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "6.0.0-beta.10";
+  const currentVersion = "6.0.0-beta.11";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/messages.js

@@ -28,7 +28,7 @@ function serverStart({
   host,
   base
 }) {
-  const version = "6.0.0-beta.10";
+  const version = "6.0.0-beta.11";
   const localPrefix = `${dim("\u2503")} Local    `;
   const networkPrefix = `${dim("\u2503")} Network  `;
   const emptyPrefix = " ".repeat(11);
@@ -265,7 +265,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"6.0.0-beta.10"}`
+        `v${"6.0.0-beta.11"}`
       )} ${headline}`
     );
   }

package/dist/types/public/integrations.d.ts

@@ -103,6 +103,7 @@ interface AdapterSelfProperties {
      * @default 'legacy-dynamic'
      */
     entryType: 'self';
+    serverEntrypoint?: string | URL;
 }
 export type AstroAdapter = {
     name: string;

package/dist/vite-plugin-adapter-config/index.js

@@ -1,9 +1,24 @@
 import { isAstroServerEnvironment } from "../environments.js";
+import { fileURLToPath } from "node:url";
 const VIRTUAL_CLIENT_ID = "virtual:astro:adapter-config/client";
 const RESOLVED_VIRTUAL_CLIENT_ID = "\0" + VIRTUAL_CLIENT_ID;
 function vitePluginAdapterConfig(settings) {
   return {
     name: "astro:adapter-config",
+    config() {
+      const { adapter } = settings;
+      if (adapter && adapter.entryType === "self" && adapter.serverEntrypoint) {
+        return {
+          build: {
+            rollupOptions: {
+              input: {
+                index: typeof adapter.serverEntrypoint === "string" ? adapter.serverEntrypoint : fileURLToPath(adapter.serverEntrypoint)
+              }
+            }
+          }
+        };
+      }
+    },
     resolveId: {
       filter: {
         id: new RegExp(`^${VIRTUAL_CLIENT_ID}$`)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "6.0.0-beta.10",
+  "version": "6.0.0-beta.11",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
@@ -156,8 +156,8 @@
     "yocto-spinner": "^1.0.0",
     "zod": "^4.3.6",
     "@astrojs/internal-helpers": "0.8.0-beta.1",
-    "@astrojs/markdown-remark": "7.0.0-beta.6",
-    "@astrojs/telemetry": "3.3.0"
+    "@astrojs/telemetry": "3.3.0",
+    "@astrojs/markdown-remark": "7.0.0-beta.6"
   },
   "optionalDependencies": {
     "sharp": "^0.34.0"