astro 6.3.1 → 6.3.3

package/dist/assets/endpoint/dev.js

@@ -38,7 +38,7 @@ async function loadLocalImage(src, url) {
   } else {
     const sourceUrl = new URL(src, url.origin);
     if (sourceUrl.origin !== url.origin) {
-      returnValue = void 0;
+      return void 0;
     }
     return loadRemoteImage(sourceUrl);
   }

package/dist/cli/infra/build-time-astro-version-provider.js

@@ -1,6 +1,6 @@
 class BuildTimeAstroVersionProvider {
   // Injected during the build through esbuild define
-  version = "6.3.1";
+  version = "6.3.3";
 }
 export {
   BuildTimeAstroVersionProvider

package/dist/content/content-layer.js

@@ -191,7 +191,7 @@ ${contentConfig.error.message}`
       logger.info("Content config changed");
       shouldClear = true;
     }
-    if (previousAstroVersion && previousAstroVersion !== "6.3.1") {
+    if (previousAstroVersion && previousAstroVersion !== "6.3.3") {
       logger.info("Astro version changed");
       shouldClear = true;
     }
@@ -199,8 +199,8 @@ ${contentConfig.error.message}`
       logger.info("Clearing content store");
       this.#store.clearAll();
     }
-    if ("6.3.1") {
-      this.#store.metaStore().set("astro-version", "6.3.1");
+    if ("6.3.3") {
+      this.#store.metaStore().set("astro-version", "6.3.3");
     }
     if (currentConfigDigest) {
       this.#store.metaStore().set("content-config-digest", currentConfigDigest);

package/dist/core/app/base.js

@@ -16,6 +16,7 @@ import { DefaultFetchHandler } from "../fetch/default-handler.js";
 import { appSymbol } from "../constants.js";
 import { DefaultErrorHandler } from "../errors/default-handler.js";
 import { setRenderOptions } from "./render-options.js";
+import { MultiLevelEncodingError } from "../util/pathname.js";
 class BaseApp {
   manifest;
   manifestData;
@@ -266,13 +267,20 @@ class BaseApp {
       waitUntil
     };
     let response;
-    if (this.#fetchHandler instanceof DefaultFetchHandler) {
-      Reflect.set(request, appSymbol, this);
-      response = await this.#fetchHandler.renderWithOptions(request, resolvedOptions);
-    } else {
-      setRenderOptions(request, resolvedOptions);
-      Reflect.set(request, appSymbol, this);
-      response = await this.#fetchHandler.fetch(request);
+    try {
+      if (this.#fetchHandler instanceof DefaultFetchHandler) {
+        Reflect.set(request, appSymbol, this);
+        response = await this.#fetchHandler.renderWithOptions(request, resolvedOptions);
+      } else {
+        setRenderOptions(request, resolvedOptions);
+        Reflect.set(request, appSymbol, this);
+        response = await this.#fetchHandler.fetch(request);
+      }
+    } catch (err) {
+      if (err instanceof MultiLevelEncodingError) {
+        return new Response("Bad Request", { status: 400 });
+      }
+      throw err;
     }
     this.#warnMissingFeatures();
     if (response.headers.get(ASTRO_ERROR_HEADER)) {

package/dist/core/build/index.js

@@ -151,7 +151,6 @@ class AstroBuilder {
       runtimeMode: this.runtimeMode,
       origin: this.origin,
       pageNames,
-      teardownCompiler: this.teardownCompiler,
       viteConfig,
       key: keyPromise
     };
@@ -203,6 +202,13 @@ class AstroBuilder {
     } finally {
       this.settings.timer.end("Total build");
       this.settings.timer.writeStats();
+      if (this.teardownCompiler) {
+        try {
+          const { teardown } = await import("@astrojs/compiler");
+          teardown();
+        } catch {
+        }
+      }
     }
   }
   validateConfig() {

package/dist/core/build/types.d.ts

@@ -37,7 +37,6 @@ export interface StaticBuildOptions {
     origin: string;
     pageNames: string[];
     viteConfig: InlineConfig;
-    teardownCompiler: boolean;
     key: Promise<CryptoKey>;
 }
 type ImportComponentInstance = () => Promise<ComponentInstance>;

package/dist/core/constants.js

@@ -1,4 +1,4 @@
-const ASTRO_VERSION = "6.3.1";
+const ASTRO_VERSION = "6.3.3";
 const ASTRO_GENERATOR = `Astro v${ASTRO_VERSION}`;
 const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
 const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";

package/dist/core/csp/config.js

@@ -37,13 +37,25 @@ const ALLOWED_DIRECTIVES = [
   "upgrade-insecure-requests",
   "worker-src"
 ];
-const allowedDirectivesSchema = z.custom((value) => {
-  if (typeof value !== "string") {
-    return false;
-  }
-  return ALLOWED_DIRECTIVES.some((allowedValue) => {
+const allowedDirectivesSchema = z.custom((v) => typeof v === "string").superRefine((value, ctx) => {
+  const isAllowed = ALLOWED_DIRECTIVES.some((allowedValue) => {
     return value.startsWith(allowedValue);
   });
+  if (!isAllowed) {
+    if (value.startsWith("script-src") || value.startsWith("style-src")) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: `Directives \`script-src\` and \`style-src\` are not allowed in \`security.csp.directives\`. Please use \`security.csp.scriptDirective\` and \`security.csp.styleDirective\` instead.`,
+        fatal: true
+      });
+    } else {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: `Invalid directive: "${value}". Allowed directives are: ${ALLOWED_DIRECTIVES.join(", ")}`,
+        fatal: true
+      });
+    }
+  }
 });
 export {
   ALGORITHMS,

package/dist/core/dev/dev.js

@@ -37,7 +37,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "6.3.1";
+  const currentVersion = "6.3.3";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/errors/zod-error-map.js

@@ -44,7 +44,9 @@ const errorMap = (issue) => {
             return errorMap(_issue);
           }
           const relativePath = flattenErrorPath(_issue.path).replace(baseErrorPath, "").replace(leadingPeriod, "");
-          if ("expected" in _issue && typeof _issue.expected === "string") {
+          if (_issue.code === "custom" && _issue.message && _issue.message.includes("security.csp")) {
+            expectedShape.push(_issue.message);
+          } else if ("expected" in _issue && typeof _issue.expected === "string") {
             expectedShape.push(
               relativePath ? `${relativePath}: ${_issue.expected}` : _issue.expected
             );

package/dist/core/messages/runtime.js

@@ -276,7 +276,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"6.3.1"}`
+        `v${"6.3.3"}`
       )} ${headline}`
     );
   }

package/dist/core/routing/handler.js

@@ -94,11 +94,9 @@ class AstroHandler {
     state.status = defaultStatus;
     let response;
     try {
-      if (this.#hasSession || this.#app.pipeline.cacheConfig) {
-        const sessionP = this.#hasSession ? provideSession(state) : void 0;
-        const cacheP = this.#app.pipeline.cacheConfig ? provideCache(state) : void 0;
-        if (sessionP || cacheP) await Promise.all([sessionP, cacheP]);
-      }
+      const sessionP = this.#hasSession ? provideSession(state) : void 0;
+      const cacheP = provideCache(state);
+      if (sessionP || cacheP) await Promise.all([sessionP, cacheP]);
       state.pipeline.usedFeatures |= PipelineFeatures.sessions;
       if (routeData.type === "redirect") {
         const redirectResponse = await renderRedirect(state);

package/dist/core/util/normalized-url.js

@@ -1,12 +1,15 @@
 import { collapseDuplicateSlashes } from "@astrojs/internal-helpers/path";
-import { validateAndDecodePathname } from "./pathname.js";
+import { MultiLevelEncodingError, validateAndDecodePathname } from "./pathname.js";
 function createNormalizedUrl(requestUrl) {
   return normalizeUrl(new URL(requestUrl));
 }
 function normalizeUrl(url) {
   try {
     url.pathname = validateAndDecodePathname(url.pathname);
-  } catch {
+  } catch (e) {
+    if (e instanceof MultiLevelEncodingError) {
+      throw e;
+    }
     try {
       url.pathname = decodeURI(url.pathname);
     } catch {

package/dist/core/util/pathname.d.ts

@@ -1,3 +1,11 @@
+/**
+ * Error thrown when multi-level URL encoding is detected in a pathname.
+ * This is a distinct error type so callers can handle it specifically
+ * (e.g., returning a 400 response) rather than falling back to partial decoding.
+ */
+export declare class MultiLevelEncodingError extends Error {
+    constructor();
+}
 /**
  * Validates that a pathname is not multi-level encoded.
  * Detects if a pathname contains encoding that was encoded again (e.g., %2561dmin where %25 decodes to %).
@@ -5,6 +13,7 @@
  *
  * @param pathname - The pathname to validate
  * @returns The decoded pathname if valid
- * @throws Error if multi-level encoding is detected
+ * @throws MultiLevelEncodingError if multi-level encoding is detected
+ * @throws Error if the pathname contains invalid URL encoding
  */
 export declare function validateAndDecodePathname(pathname: string): string;

package/dist/core/util/pathname.js

@@ -1,3 +1,9 @@
+class MultiLevelEncodingError extends Error {
+  constructor() {
+    super("Multi-level URL encoding is not allowed");
+    this.name = "MultiLevelEncodingError";
+  }
+}
 function validateAndDecodePathname(pathname) {
   let decoded;
   try {
@@ -8,10 +14,11 @@ function validateAndDecodePathname(pathname) {
   const hasDecoding = decoded !== pathname;
   const decodedStillHasEncoding = /%[0-9a-fA-F]{2}/.test(decoded);
   if (hasDecoding && decodedStillHasEncoding) {
-    throw new Error("Multi-level URL encoding is not allowed");
+    throw new MultiLevelEncodingError();
   }
   return decoded;
 }
 export {
+  MultiLevelEncodingError,
   validateAndDecodePathname
 };

package/dist/environments.js

@@ -1,6 +1,6 @@
 import { ASTRO_VITE_ENVIRONMENT_NAMES } from "./core/constants.js";
 function isAstroServerEnvironment(environment) {
-  return environment.name === ASTRO_VITE_ENVIRONMENT_NAMES.ssr || environment.name === ASTRO_VITE_ENVIRONMENT_NAMES.prerender;
+  return environment.name === ASTRO_VITE_ENVIRONMENT_NAMES.ssr || environment.name === ASTRO_VITE_ENVIRONMENT_NAMES.prerender || environment.name === ASTRO_VITE_ENVIRONMENT_NAMES.astro;
 }
 function isAstroClientEnvironment(environment) {
   return environment.name === ASTRO_VITE_ENVIRONMENT_NAMES.client;

package/dist/manifest/virtual-module.js

@@ -100,6 +100,7 @@ const build = {
   server: new URL(manifest.buildServerDir),
   client: new URL(manifest.buildClientDir),
   format: manifest.buildFormat,
+  assetsPrefix: manifest.assetsPrefix,
 };
 
 const cacheDir = new URL(manifest.cacheDir);

package/dist/runtime/server/render/component.js

@@ -1,6 +1,6 @@
 import { clsx } from "clsx";
 import { AstroError, AstroErrorData } from "../../../core/errors/index.js";
-import { markHTMLString } from "../escape.js";
+import { escapeHTML, markHTMLString } from "../escape.js";
 import { extractDirectives, generateHydrateScript } from "../hydration.js";
 import { serializeProps } from "../serialize.js";
 import { shorthash } from "../shorthash.js";
@@ -287,7 +287,7 @@ ${serializeProps(
     if (Object.keys(children).length > 0) {
       for (const key of Object.keys(children)) {
         let tagName = renderer?.ssr?.supportsAstroStaticSlot ? !!metadata.hydrate ? "astro-slot" : "astro-static-slot" : "astro-slot";
-        let expectedHTML = key === "default" ? `<${tagName}>` : `<${tagName} name="${key}">`;
+        let expectedHTML = key === "default" ? `<${tagName}>` : `<${tagName} name="${escapeHTML(key)}">`;
         if (!html.includes(expectedHTML)) {
           unrenderedSlots.push(key);
         }
@@ -297,7 +297,7 @@ ${serializeProps(
     unrenderedSlots = Object.keys(children);
   }
   const template = unrenderedSlots.length > 0 ? unrenderedSlots.map(
-    (key) => `<template data-astro-template${key !== "default" ? `="${key}"` : ""}>${children[key]}</template>`
+    (key) => `<template data-astro-template${key !== "default" ? `="${escapeHTML(key)}"` : ""}>${children[key]}</template>`
   ).join("") : "";
   island.children = `${html ?? ""}${template}`;
   if (island.children) {

package/dist/runtime/server/render/util.js

@@ -10,7 +10,7 @@ const toIdent = (k) => k.trim().replace(/(?!^)\b\w|\s+|\W+/g, (match, index) =>
   if (/\W/.test(match)) return "";
   return index === 0 ? match : match.toUpperCase();
 });
-const toAttributeString = (value, shouldEscape = true) => shouldEscape ? String(value).replace(AMPERSAND_REGEX, "&").replace(DOUBLE_QUOTE_REGEX, """) : value;
+const toAttributeString = (value, shouldEscape = true) => shouldEscape ? String(value).replace(AMPERSAND_REGEX, "&").replace(DOUBLE_QUOTE_REGEX, """) : value;
 const kebab = (k) => k.toLowerCase() === k ? k : k.replace(/[A-Z]/g, (match) => `-${match.toLowerCase()}`);
 const toStyleString = (obj) => Object.entries(obj).filter(([_, v]) => typeof v === "string" && v.trim() || typeof v === "number").map(([k, v]) => {
   if (k[0] !== "-" && k[1] !== "-") return `${kebab(k)}:${v}`;

package/dist/types/public/config.d.ts

@@ -1628,19 +1628,6 @@ export interface AstroUserConfig<TLocales extends Locales = never, TDriver exten
          * ```
          */
         service?: ImageServiceConfig;
-        /**
-         * @docs
-         * @name image.dangerouslyProcessSVG
-         * @type {boolean}
-         * @default `false`
-         * @version 6.3.0
-         * @description
-         *
-         * Allows SVG source images to be processed by the image optimization pipeline.
-         *
-         * This is disabled by default as specifically formed SVGs can be prohibitively expensive to process and used by malicious actors to execute denial of service attacks. Only enable this option if you trust the source of your SVG images and understand the risks of processing them.
-         */
-        dangerouslyProcessSVG?: boolean;
         /**
          * @docs
          * @name image.service.config.limitInputPixels
@@ -1723,6 +1710,19 @@ export interface AstroUserConfig<TLocales extends Locales = never, TDriver exten
          * This can be used for options such as `compressionLevel`, `effort`, `palette`, or a default `quality`.
          * Per-image `quality` values from `<Image />`, `<Picture />`, and `getImage()` still take precedence.
          */
+        /**
+         * @docs
+         * @name image.dangerouslyProcessSVG
+         * @type {boolean}
+         * @default `false`
+         * @version 6.3.0
+         * @description
+         *
+         * Allows SVG source images to be processed by the image optimization pipeline.
+         *
+         * This is disabled by default as specifically formed SVGs can be prohibitively expensive to process and used by malicious actors to execute denial of service attacks. Only enable this option if you trust the source of your SVG images and understand the risks of processing them.
+         */
+        dangerouslyProcessSVG?: boolean;
         /**
          * @docs
          * @name image.domains

package/dist/types/public/manifest.d.ts

@@ -13,7 +13,7 @@ type Dirs = Pick<SSRManifest, 'cacheDir' | 'outDir' | 'publicDir' | 'srcDir'>;
 type DeserializedDirs = Extend<Dirs, URL>;
 export type ServerDeserializedManifest = Pick<SSRManifest, 'base' | 'trailingSlash' | 'compressHTML' | 'site'> & DeserializedDirs & {
     i18n: AstroConfig['i18n'];
-    build: Pick<AstroConfig['build'], 'server' | 'client' | 'format'>;
+    build: Pick<AstroConfig['build'], 'server' | 'client' | 'format' | 'assetsPrefix'>;
     root: URL;
     image: Pick<AstroConfig['image'], 'objectFit' | 'objectPosition' | 'layout'>;
 };

package/dist/vite-plugin-app/app.d.ts

@@ -33,7 +33,13 @@ export declare class AstroServerApp extends BaseApp<RunnablePipeline> {
     devMatch(pathname: string): Promise<DevMatch | undefined>;
     static create(manifest: SSRManifest, routesList: RoutesList, logger: AstroLogger, loader: ModuleLoader, settings: AstroSettings, getDebugInfo: () => Promise<string>): Promise<AstroServerApp>;
     createPipeline(_streaming: boolean, manifest: SSRManifest, settings: AstroSettings, logger: AstroLogger, loader: ModuleLoader, manifestData: RoutesList, getDebugInfo: () => Promise<string>): RunnablePipeline;
-    handleRequest({ controller, incomingRequest, incomingResponse, isHttps, }: HandleRequest): Promise<void>;
+    /**
+     * Handle a request.
+     * @returns The return value indicates whether or not the request was handled
+     * by this handler. If the result is not `true`, then the request has not
+     * been handled yet and other handlers can be run.
+     */
+    handleRequest({ controller, incomingRequest, incomingResponse, isHttps, prerenderOnly, }: HandleRequest): Promise<boolean>;
     match(request: Request, _allowPrerenderedRoutes: boolean): RouteData | undefined;
     protected createErrorHandler(): ErrorHandler;
     logRequest({ pathname, method, statusCode, isRewrite, reqTime }: LogRequestPayload): void;
@@ -43,5 +49,7 @@ type HandleRequest = {
     incomingRequest: http.IncomingMessage;
     incomingResponse: http.ServerResponse;
     isHttps: boolean;
+    /** When true, only handle prerendered routes. Returns false for SSR routes. */
+    prerenderOnly?: boolean;
 };
 export {};

package/dist/vite-plugin-app/app.js

@@ -92,11 +92,18 @@ class AstroServerApp extends BaseApp {
     });
     return pipeline;
   }
+  /**
+   * Handle a request.
+   * @returns The return value indicates whether or not the request was handled
+   * by this handler. If the result is not `true`, then the request has not
+   * been handled yet and other handlers can be run.
+   */
   async handleRequest({
     controller,
     incomingRequest,
     incomingResponse,
-    isHttps
+    isHttps,
+    prerenderOnly
   }) {
     const validated = validateForwardedHeaders(
       getFirstForwardedValue(incomingRequest.headers["x-forwarded-proto"]),
@@ -131,14 +138,23 @@ class AstroServerApp extends BaseApp {
     }
     const self = this;
     await self.#loadFetchHandler();
+    let handled = true;
     await runWithErrorHandling({
       controller,
       pathname,
       async run() {
         const matchedRoute = await self.devMatch(pathname);
         if (!matchedRoute) {
+          if (prerenderOnly) {
+            handled = false;
+            return;
+          }
           throw new Error("No route matched, and default 404 route was not found.");
         }
+        if (prerenderOnly && !matchedRoute.routeData.prerender) {
+          handled = false;
+          return;
+        }
         const request = createRequest({
           url,
           headers: incomingRequest.headers,
@@ -174,6 +190,7 @@ class AstroServerApp extends BaseApp {
         return error;
       }
     });
+    return handled;
   }
   match(request, _allowPrerenderedRoutes) {
     return super.match(request, true);

package/dist/vite-plugin-app/createAstroServerApp.d.ts

@@ -4,5 +4,7 @@ import type { ModuleLoader } from '../core/module-loader/index.js';
 import type { AstroSettings } from '../types/astro.js';
 import type { DevServerController } from '../vite-plugin-astro-server/controller.js';
 export default function createAstroServerApp(controller: DevServerController, settings: AstroSettings, loader: ModuleLoader, logger?: AstroLogger): Promise<{
-    handler(incomingRequest: http.IncomingMessage, incomingResponse: http.ServerResponse): void;
+    handler(incomingRequest: http.IncomingMessage, incomingResponse: http.ServerResponse, options?: {
+        prerenderOnly?: boolean;
+    }): Promise<boolean>;
 }>;

package/dist/vite-plugin-app/createAstroServerApp.js

@@ -60,12 +60,13 @@ async function createAstroServerApp(controller, settings, loader, logger) {
     });
   }
   return {
-    handler(incomingRequest, incomingResponse) {
-      app.handleRequest({
+    handler(incomingRequest, incomingResponse, options) {
+      return app.handleRequest({
         controller,
         incomingRequest,
         incomingResponse,
-        isHttps: loader?.isHttps() ?? false
+        isHttps: loader?.isHttps() ?? false,
+        prerenderOnly: options?.prerenderOnly
       });
     }
   };

package/dist/vite-plugin-astro-server/plugin.js

@@ -113,9 +113,14 @@ function createVitePluginAstroServer({
                 if (!matches.some((route) => route.prerender)) {
                   return next();
                 }
-                localStorage.run(request, () => {
-                  prerenderHandler.handler(request, response);
+                const handled = await new Promise((resolve) => {
+                  localStorage.run(request, () => {
+                    prerenderHandler.handler(request, response, { prerenderOnly: true }).then((result) => resolve(result)).catch(() => resolve(true));
+                  });
                 });
+                if (!handled) {
+                  return next();
+                }
               } catch (err) {
                 next(err);
               }

package/dist/vite-plugin-astro-server/route-guard.d.ts

@@ -1,5 +1,38 @@
 import type * as vite from 'vite';
 import type { AstroSettings } from '../types/astro.js';
+/**
+ * Outcome of the route guard evaluation for a dev-server request.
+ *
+ * - **`next`** — Allow the request through to downstream middleware.
+ * - **`block`** — The file exists at the project root but outside srcDir/publicDir.
+ *   Respond with a 404.
+ */
+export type RouteGuardDecision = {
+    action: 'next';
+} | {
+    action: 'block';
+    pathname: string;
+};
+/**
+ * Filesystem query results needed by the route guard decision function.
+ * Callers resolve these from the real filesystem; tests can provide them directly.
+ */
+export interface RouteGuardFsInfo {
+    /** Whether the resolved pathname exists inside the project's `publicDir` (e.g. `public/robots.txt`). */
+    existsInPublic: boolean;
+    /** Whether the resolved pathname exists inside the project's `srcDir` (e.g. `src/pages/index.astro`). */
+    existsInSrc: boolean;
+    /** Whether the resolved pathname exists at the project root as a **file** (not a directory). Directories are allowed through because they may share names with valid page routes. */
+    existsAtRootAsFile: boolean;
+}
+/**
+ * Pure decision function for the route guard middleware.
+ *
+ * Determines whether a request should be blocked (file exists at project root
+ * but outside srcDir/publicDir) or allowed through. The filesystem lookups are
+ * injected via `fsInfo` so this function remains pure and unit-testable.
+ */
+export declare function evaluateRouteGuard(url: string, acceptHeader: string, fsInfo: RouteGuardFsInfo): RouteGuardDecision;
 /**
  * Middleware that prevents Vite from serving files that exist outside
  * of srcDir and publicDir when accessed via direct URL navigation.

package/dist/vite-plugin-astro-server/route-guard.js

@@ -10,6 +10,30 @@ const VITE_INTERNAL_PREFIXES = [
   "/node_modules/",
   "/.astro/"
 ];
+function evaluateRouteGuard(url, acceptHeader, fsInfo) {
+  if (!acceptHeader.includes("text/html")) {
+    return { action: "next" };
+  }
+  let pathname;
+  try {
+    pathname = decodeURI(new URL(url, "http://localhost").pathname);
+  } catch {
+    return { action: "next" };
+  }
+  if (VITE_INTERNAL_PREFIXES.some((prefix) => pathname.startsWith(prefix))) {
+    return { action: "next" };
+  }
+  if (url.includes("?")) {
+    return { action: "next" };
+  }
+  if (fsInfo.existsInPublic || fsInfo.existsInSrc) {
+    return { action: "next" };
+  }
+  if (fsInfo.existsAtRootAsFile) {
+    return { action: "block", pathname };
+  }
+  return { action: "next" };
+}
 function routeGuardMiddleware(settings) {
   const { config } = settings;
   return function devRouteGuard(req, res, next) {
@@ -18,41 +42,36 @@ function routeGuardMiddleware(settings) {
       return next();
     }
     const accept = req.headers.accept || "";
-    if (!accept.includes("text/html")) {
-      return next();
-    }
     let pathname;
     try {
       pathname = decodeURI(new URL(url, "http://localhost").pathname);
     } catch {
       return next();
     }
-    if (VITE_INTERNAL_PREFIXES.some((prefix) => pathname.startsWith(prefix))) {
-      return next();
-    }
-    if (url.includes("?")) {
-      return next();
-    }
-    const publicFilePath = new URL("." + pathname, config.publicDir);
-    if (fs.existsSync(publicFilePath)) {
-      return next();
-    }
-    const srcFilePath = new URL("." + pathname, config.srcDir);
-    if (fs.existsSync(srcFilePath)) {
-      return next();
+    const fsInfo = {
+      existsInPublic: fs.existsSync(new URL("." + pathname, config.publicDir)),
+      existsInSrc: fs.existsSync(new URL("." + pathname, config.srcDir)),
+      existsAtRootAsFile: false
+    };
+    if (accept.includes("text/html") && !url.includes("?") && !VITE_INTERNAL_PREFIXES.some((prefix) => pathname.startsWith(prefix))) {
+      try {
+        const stat = fs.statSync(new URL("." + pathname, config.root));
+        fsInfo.existsAtRootAsFile = stat.isFile();
+      } catch {
+      }
     }
-    const rootFilePath = new URL("." + pathname, config.root);
-    try {
-      const stat = fs.statSync(rootFilePath);
-      if (stat.isFile()) {
-        const html = notFoundTemplate(pathname);
+    const decision = evaluateRouteGuard(url, accept, fsInfo);
+    switch (decision.action) {
+      case "block": {
+        const html = notFoundTemplate(decision.pathname);
         return writeHtmlResponse(res, 404, html);
       }
-    } catch {
+      case "next":
+        return next();
     }
-    return next();
   };
 }
 export {
+  evaluateRouteGuard,
   routeGuardMiddleware
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "6.3.1",
+  "version": "6.3.3",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
@@ -164,8 +164,8 @@
     "xxhash-wasm": "^1.1.0",
     "yargs-parser": "^22.0.0",
     "zod": "^4.3.6",
-    "@astrojs/internal-helpers": "0.9.0",
-    "@astrojs/markdown-remark": "7.1.1",
+    "@astrojs/markdown-remark": "7.1.2",
+    "@astrojs/internal-helpers": "0.9.1",
     "@astrojs/telemetry": "3.3.2"
   },
   "optionalDependencies": {