astro 6.4.6 → 6.4.7

package/dist/assets/build/generate.js

@@ -1,11 +1,11 @@
 import fs, { readFileSync } from "node:fs";
 import { basename } from "node:path/posix";
 import colors from "piccolore";
-import { getOutDirWithinCwd } from "../../core/build/common.js";
 import { getTimeStat } from "../../core/build/util.js";
 import { AstroError } from "../../core/errors/errors.js";
 import { AstroErrorData } from "../../core/errors/index.js";
 import { isRemotePath, removeLeadingForwardSlash } from "../../core/path.js";
+import { getClientOutputDirectory } from "../../prerender/utils.js";
 import { getConfiguredImageService } from "../internal.js";
 import { isESMImportedImage } from "../utils/imageKind.js";
 import { loadRemoteImage, revalidateRemoteImage } from "./remote.js";
@@ -29,8 +29,9 @@ async function prepareAssetsGenerationEnv(options, totalCount) {
     serverRoot = new URL(".prerender/", settings.config.build.server);
     clientRoot = settings.config.build.client;
   } else {
-    serverRoot = getOutDirWithinCwd(settings.config.outDir);
-    clientRoot = settings.config.outDir;
+    const clientOutputDir = getClientOutputDirectory(settings);
+    serverRoot = clientOutputDir;
+    clientRoot = clientOutputDir;
   }
   return {
     logger,

package/dist/cli/add/index.js

@@ -62,6 +62,7 @@ export default async function seed() {
 }
 `,
   CLOUDFLARE_WRANGLER_CONFIG: (name, compatibilityDate) => `{
+	"$schema": "./node_modules/wrangler/config-schema.json",
 	"compatibility_date": ${JSON.stringify(compatibilityDate)},
 	"compatibility_flags": ["global_fetch_strictly_public"],
 	"name": ${JSON.stringify(name)},

package/dist/cli/infra/build-time-astro-version-provider.js

@@ -1,6 +1,6 @@
 class BuildTimeAstroVersionProvider {
   // Injected during the build through esbuild define
-  version = "6.4.6";
+  version = "6.4.7";
 }
 export {
   BuildTimeAstroVersionProvider

package/dist/container/index.d.ts

@@ -67,7 +67,7 @@ export type ContainerRenderOptions = {
      */
     routeType?: RouteType;
     /**
-     * Allows to pass `Astro.props` to an Astro component:
+     * Allows passing `Astro.props` to an Astro component:
      *
      * ```js
      * container.renderToString(Endpoint, { props: { "lorem": "ipsum" } });
@@ -75,9 +75,9 @@ export type ContainerRenderOptions = {
      */
     props?: Props;
     /**
-     * When `false`, it forces to render the component as it was a full-fledged page.
+     * When `false`, it forces the component to render as if it were a full-fledged page.
      *
-     * By default, the container API render components as [partials](https://docs.astro.build/en/basics/astro-pages/#page-partials).
+     * By default, the container API renders components as [partials](https://docs.astro.build/en/basics/astro-pages/#page-partials).
      *
      */
     partial?: boolean;

package/dist/content/content-layer.js

@@ -197,7 +197,7 @@ ${contentConfig.error.message}`
       logger.info("Content config changed");
       shouldClear = true;
     }
-    if (previousAstroVersion && previousAstroVersion !== "6.4.6") {
+    if (previousAstroVersion && previousAstroVersion !== "6.4.7") {
       logger.info("Astro version changed");
       shouldClear = true;
     }
@@ -205,8 +205,8 @@ ${contentConfig.error.message}`
       logger.info("Clearing content store");
       this.#store.clearAll();
     }
-    if ("6.4.6") {
-      this.#store.metaStore().set("astro-version", "6.4.6");
+    if ("6.4.7") {
+      this.#store.metaStore().set("astro-version", "6.4.7");
     }
     if (currentConfigDigest) {
       this.#store.metaStore().set("content-config-digest", currentConfigDigest);

package/dist/content/runtime.d.ts

@@ -70,7 +70,7 @@ type RenderResult = {
 };
 export declare function updateImageReferencesInData<T extends Record<string, unknown>>(data: T, fileName?: string, imageAssetMap?: Map<string, ImageMetadata>): T;
 export declare function renderEntry(entry: DataEntry): Promise<RenderResult>;
-export declare function createReference(): (collection: string) => z.ZodPipe<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
+export declare function createReference(): (collection: string) => z.ZodPipe<z.ZodUnion<readonly [z.ZodPipe<z.ZodNumber, z.ZodTransform<string, number>>, z.ZodString, z.ZodObject<{
     id: z.ZodString;
     collection: z.ZodString;
 }, z.core.$strip>, z.ZodObject<{

package/dist/content/runtime.js

@@ -484,6 +484,7 @@ async function render({
 function createReference() {
   return function reference(collection) {
     return z.union([
+      z.number().transform((num) => num.toString(10)),
       z.string(),
       z.object({
         id: z.string(),

package/dist/core/app/base.js

@@ -14,7 +14,6 @@ import { DefaultFetchHandler } from "../fetch/default-handler.js";
 import { appSymbol } from "../constants.js";
 import { DefaultErrorHandler } from "../errors/default-handler.js";
 import { setRenderOptions } from "./render-options.js";
-import { MultiLevelEncodingError } from "../util/pathname.js";
 class BaseApp {
   manifest;
   manifestData;
@@ -237,20 +236,13 @@ class BaseApp {
       waitUntil
     };
     let response;
-    try {
-      if (this.#fetchHandler instanceof DefaultFetchHandler) {
-        Reflect.set(request, appSymbol, this);
-        response = await this.#fetchHandler.renderWithOptions(request, resolvedOptions);
-      } else {
-        setRenderOptions(request, resolvedOptions);
-        Reflect.set(request, appSymbol, this);
-        response = await this.#fetchHandler.fetch(request);
-      }
-    } catch (err) {
-      if (err instanceof MultiLevelEncodingError) {
-        return new Response("Bad Request", { status: 400 });
-      }
-      throw err;
+    if (this.#fetchHandler instanceof DefaultFetchHandler) {
+      Reflect.set(request, appSymbol, this);
+      response = await this.#fetchHandler.renderWithOptions(request, resolvedOptions);
+    } else {
+      setRenderOptions(request, resolvedOptions);
+      Reflect.set(request, appSymbol, this);
+      response = await this.#fetchHandler.fetch(request);
     }
     this.#warnMissingFeatures();
     if (response.headers.get(ASTRO_ERROR_HEADER)) {

package/dist/core/build/plugins/plugin-css.js

@@ -107,6 +107,7 @@ function rollupPluginAstroBuildCSS(options) {
         if (meta.importedCss.size < 1) continue;
         if (this.environment?.name === ASTRO_VITE_ENVIRONMENT_NAMES.client) {
           for (const id of Object.keys(chunk.modules)) {
+            if (!isCSSRequest(id)) continue;
             for (const pageData of getParentClientOnlys(id, this, internals)) {
               for (const importedCssImport of meta.importedCss) {
                 const cssToInfoRecord = pagesToCss[pageData.moduleSpecifier] ??= {};

package/dist/core/constants.js

@@ -1,4 +1,4 @@
-const ASTRO_VERSION = "6.4.6";
+const ASTRO_VERSION = "6.4.7";
 const ASTRO_GENERATOR = `Astro v${ASTRO_VERSION}`;
 const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
 const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";

package/dist/core/dev/dev.js

@@ -37,7 +37,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "6.4.6";
+  const currentVersion = "6.4.7";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/fetch/fetch-state.js

@@ -29,6 +29,7 @@ import { getParams, getProps } from "../render/index.js";
 import { Rewrites } from "../rewrites/handler.js";
 import { isRoute404or500, isRouteServerIsland } from "../routing/match.js";
 import { normalizeUrl } from "../util/normalized-url.js";
+import { validateAndDecodePathname } from "../util/pathname.js";
 import { getOriginPathname, setOriginPathname } from "../routing/rewrite.js";
 import { computePathnameFromDomain } from "../i18n/domain.js";
 import { getCustom404Route, routeHasHtmlExtension } from "../routing/helpers.js";
@@ -678,7 +679,7 @@ class FetchState {
     }
     pathname = prependForwardSlash(pathname);
     try {
-      return decodeURI(pathname);
+      return validateAndDecodePathname(pathname);
     } catch (e) {
       this.pipeline.logger.error(null, e.toString());
       return pathname;

package/dist/core/messages/runtime.js

@@ -276,7 +276,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"6.4.6"}`
+        `v${"6.4.7"}`
       )} ${headline}`
     );
   }

package/dist/core/middleware/vite-plugin.d.ts

@@ -3,6 +3,7 @@ import type { AstroSettings } from '../../types/astro.js';
 import type { BuildInternals } from '../build/internal.js';
 import type { StaticBuildOptions } from '../build/types.js';
 export declare const MIDDLEWARE_MODULE_ID = "virtual:astro:middleware";
+export declare function isMiddlewarePath(relativePath: string): boolean;
 export declare function vitePluginMiddleware({ settings }: {
     settings: AstroSettings;
 }): VitePlugin;

package/dist/core/middleware/vite-plugin.js

@@ -11,6 +11,9 @@ import { normalizePath } from "../viteUtils.js";
 const MIDDLEWARE_MODULE_ID = "virtual:astro:middleware";
 const MIDDLEWARE_RESOLVED_MODULE_ID = "\0" + MIDDLEWARE_MODULE_ID;
 const NOOP_MIDDLEWARE = "\0noop-middleware";
+function isMiddlewarePath(relativePath) {
+  return relativePath.startsWith(`${MIDDLEWARE_PATH_SEGMENT_NAME}.`) || relativePath.startsWith(`${MIDDLEWARE_PATH_SEGMENT_NAME}/`);
+}
 function vitePluginMiddleware({ settings }) {
   let resolvedMiddlewareId = void 0;
   const hasIntegrationMiddleware = settings.middlewares.pre.length > 0 || settings.middlewares.post.length > 0;
@@ -26,7 +29,7 @@ function vitePluginMiddleware({ settings }) {
         const normalizedPath = viteNormalizePath(path);
         if (!normalizedPath.startsWith(normalizedSrcDir)) return;
         const relativePath = normalizedPath.slice(normalizedSrcDir.length);
-        if (!relativePath.startsWith(`${MIDDLEWARE_PATH_SEGMENT_NAME}.`)) return;
+        if (!isMiddlewarePath(relativePath)) return;
         for (const name of [
           ASTRO_VITE_ENVIRONMENT_NAMES.ssr,
           ASTRO_VITE_ENVIRONMENT_NAMES.astro
@@ -135,6 +138,7 @@ function vitePluginMiddlewareBuild(opts, internals) {
 }
 export {
   MIDDLEWARE_MODULE_ID,
+  isMiddlewarePath,
   vitePluginMiddleware,
   vitePluginMiddlewareBuild
 };

package/dist/core/util/normalized-url.js

@@ -1,15 +1,12 @@
 import { collapseDuplicateSlashes } from "@astrojs/internal-helpers/path";
-import { MultiLevelEncodingError, validateAndDecodePathname } from "./pathname.js";
+import { validateAndDecodePathname } from "./pathname.js";
 function createNormalizedUrl(requestUrl) {
   return normalizeUrl(new URL(requestUrl));
 }
 function normalizeUrl(url) {
   try {
     url.pathname = validateAndDecodePathname(url.pathname);
-  } catch (e) {
-    if (e instanceof MultiLevelEncodingError) {
-      throw e;
-    }
+  } catch {
     try {
       url.pathname = decodeURI(url.pathname);
     } catch {

package/dist/core/util/pathname.d.ts

@@ -2,18 +2,24 @@
  * Error thrown when multi-level URL encoding is detected in a pathname.
  * This is a distinct error type so callers can handle it specifically
  * (e.g., returning a 400 response) rather than falling back to partial decoding.
+ *
+ * @deprecated No longer thrown internally — multi-level encoding is now
+ * decoded iteratively instead of rejected. Kept for backwards compatibility
+ * in case third-party code references the class.
  */
 export declare class MultiLevelEncodingError extends Error {
     constructor();
 }
 /**
- * Validates that a pathname is not multi-level encoded.
- * Detects if a pathname contains encoding that was encoded again (e.g., %2561dmin where %25 decodes to %).
- * This prevents double/triple encoding bypasses of security checks.
+ * Decodes a pathname iteratively until stable, collapsing all levels of
+ * percent-encoding into a single canonical form. This prevents
+ * double/triple encoding from bypassing middleware authorization checks
+ * (CVE-2025-66202) — instead of rejecting multi-level encoding, we
+ * fully resolve it so middleware always sees the true decoded path.
  *
- * @param pathname - The pathname to validate
- * @returns The decoded pathname if valid
- * @throws MultiLevelEncodingError if multi-level encoding is detected
- * @throws Error if the pathname contains invalid URL encoding
+ * @param pathname - The pathname to decode
+ * @returns The fully decoded pathname
+ * @throws Error if the pathname contains invalid URL encoding that
+ *   cannot be decoded at all (e.g., a bare `%` not followed by hex digits)
  */
 export declare function validateAndDecodePathname(pathname: string): string;

package/dist/core/util/pathname.js

@@ -4,19 +4,22 @@ class MultiLevelEncodingError extends Error {
     this.name = "MultiLevelEncodingError";
   }
 }
-const ENCODING_REGEX = /%25[0-9a-fA-F]{2}/;
 function validateAndDecodePathname(pathname) {
-  if (ENCODING_REGEX.test(pathname)) {
-    throw new MultiLevelEncodingError();
-  }
   let decoded;
   try {
     decoded = decodeURI(pathname);
   } catch (_e) {
     throw new Error("Invalid URL encoding");
   }
-  if (ENCODING_REGEX.test(decoded)) {
-    throw new MultiLevelEncodingError();
+  let iterations = 0;
+  while (decoded !== pathname && iterations < 10) {
+    pathname = decoded;
+    try {
+      decoded = decodeURI(pathname);
+    } catch {
+      break;
+    }
+    iterations++;
   }
   return decoded;
 }

package/dist/i18n/index.js

@@ -1,4 +1,8 @@
-import { appendForwardSlash, joinPaths } from "@astrojs/internal-helpers/path";
+import {
+  appendForwardSlash,
+  joinPaths,
+  removeTrailingForwardSlash
+} from "@astrojs/internal-helpers/path";
 import { shouldAppendForwardSlash } from "../core/build/util.js";
 import { REROUTE_DIRECTIVE_HEADER } from "../core/constants.js";
 import { i18nNoLocaleFoundInPath, MissingLocale } from "../core/errors/errors-data.js";
@@ -55,7 +59,7 @@ function getLocaleRelativeUrl({
   if (shouldAppendForwardSlash(trailingSlash, format)) {
     relativePath = appendForwardSlash(joinPaths(...pathsToJoin));
   } else {
-    relativePath = joinPaths(...pathsToJoin);
+    relativePath = removeTrailingForwardSlash(joinPaths(...pathsToJoin));
   }
   if (relativePath === "") {
     return "/";

package/dist/runtime/server/jsx.js

@@ -87,7 +87,7 @@ Did you forget to import the component or is it possible there is a typo?`);
           _slots.default.push(child);
           return;
         }
-        if ("slot" in child.props) {
+        if ("slot" in child.props && !isCustomElement) {
           _slots[child.props.slot] = [..._slots[child.props.slot] ?? [], child];
           delete child.props.slot;
           return;
@@ -116,6 +116,7 @@ Did you forget to import the component or is it possible there is a typo?`);
       const _slots = {
         default: []
       };
+      const isCustomElement = typeof vnode.type === "string" && vnode.type.includes("-");
       extractSlots2(children);
       for (const [key, value] of Object.entries(props)) {
         if (value?.["$$slot"]) {

package/dist/runtime/server/render/head.js

@@ -51,7 +51,8 @@ function renderAllHeadContent(result) {
   const links = deduplicateElements(Array.from(result.links)).map(
     (link) => renderElement("link", link, false)
   );
-  content += styles.join("\n") + links.join("\n") + scripts.join("\n");
+  const sep = result.compressHTML === true || result.compressHTML === "jsx" ? "" : "\n";
+  content += styles.join(sep) + links.join(sep) + scripts.join(sep);
   content += result._metadata.extraHead.join("");
   return markHTMLString(content);
 }

package/dist/vite-plugin-hmr-reload/index.js

@@ -1,15 +1,17 @@
 import { isRunnableDevEnvironment } from "vite";
 import { VIRTUAL_PAGE_RESOLVED_MODULE_ID } from "../vite-plugin-pages/const.js";
+import { RESOLVED_MODULE_DEV_CSS_PREFIX } from "../vite-plugin-css/const.js";
 import { getDevCssModuleNameFromPageVirtualModuleName } from "../vite-plugin-css/util.js";
 import { isAstroServerEnvironment } from "../environments.js";
 const STYLE_EXT_REGEX = /\.(?:css|scss|sass|less|styl|pcss)$/i;
+const RAW_QUERY_REGEX = /(?:\?|&)raw(?:&|$)/;
+function hasStyleExtension(id) {
+  return STYLE_EXT_REGEX.test(id.split("?")[0]);
+}
 function isStyleModule(mod) {
-  if (mod.file && STYLE_EXT_REGEX.test(mod.file)) return true;
-  if (mod.id) {
-    const idPath = mod.id.split("?")[0];
-    if (STYLE_EXT_REGEX.test(idPath)) return true;
-  }
-  return false;
+  if (mod.id && RAW_QUERY_REGEX.test(mod.id) && hasStyleExtension(mod.id)) return false;
+  if (mod.file && hasStyleExtension(mod.file)) return true;
+  return mod.id ? hasStyleExtension(mod.id) : false;
 }
 function hmrReload() {
   return {
@@ -65,6 +67,17 @@ function hmrReload() {
           return [];
         }
         if (hasSkippedStyleModules) {
+          for (const [id, mod] of this.environment.moduleGraph.idToModuleMap) {
+            if (id.startsWith(RESOLVED_MODULE_DEV_CSS_PREFIX)) {
+              this.environment.moduleGraph.invalidateModule(mod, void 0, timestamp, true);
+              if (isRunnableDevEnvironment(this.environment)) {
+                const runnerMod = this.environment.runner.evaluatedModules.getModuleById(id);
+                if (runnerMod) {
+                  this.environment.runner.evaluatedModules.invalidateModule(runnerMod);
+                }
+              }
+            }
+          }
           return [];
         }
         if (modules.length > 0) {

package/dist/vite-plugin-pages/pages.d.ts

@@ -1,8 +1,19 @@
 import type { Plugin as VitePlugin } from 'vite';
 import type { RoutesList } from '../types/astro.js';
+import type { RouteData } from '../types/public/internal.js';
 export declare const VIRTUAL_PAGES_MODULE_ID = "virtual:astro:pages";
 interface PagesPluginOptions {
     routesList: RoutesList;
 }
+/**
+ * Filters routes for a specific build environment.
+ *
+ * Redirect target routes do not need special handling here: they already
+ * appear in the routes list with their own `prerender` flag and are
+ * included when it matches `isPrerender`. At SSR runtime, redirect
+ * responses are generated from route metadata alone (no component is
+ * loaded), so the target's component is never needed in the SSR page map.
+ */
+export declare function getRoutesForEnvironment(routes: RouteData[], isPrerender: boolean): Set<RouteData>;
 export declare function pluginPages({ routesList }: PagesPluginOptions): VitePlugin;
 export {};

package/dist/vite-plugin-pages/pages.js

@@ -11,9 +11,6 @@ function getRoutesForEnvironment(routes, isPrerender) {
     if (route.prerender === isPrerender) {
       result.add(route);
     }
-    if (route.redirectRoute) {
-      result.add(route.redirectRoute);
-    }
   }
   return result;
 }
@@ -75,5 +72,6 @@ export { pageMap };`;
 }
 export {
   VIRTUAL_PAGES_MODULE_ID,
+  getRoutesForEnvironment,
   pluginPages
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "6.4.6",
+  "version": "6.4.7",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
@@ -166,14 +166,14 @@
     "yargs-parser": "^22.0.0",
     "zod": "^4.3.6",
     "@astrojs/internal-helpers": "0.10.0",
-    "@astrojs/telemetry": "3.3.2",
-    "@astrojs/markdown-remark": "7.2.0"
+    "@astrojs/markdown-remark": "7.2.0",
+    "@astrojs/telemetry": "3.3.2"
   },
   "optionalDependencies": {
     "sharp": "^0.34.0"
   },
   "devDependencies": {
-    "@astrojs/compiler-rs": "^0.1.6",
+    "@astrojs/compiler-rs": "^0.2.2",
     "@playwright/test": "1.58.2",
     "@types/aria-query": "^5.0.4",
     "@types/hast": "^3.0.4",