astro 7.0.0-beta.4 → 7.0.0-beta.5

package/dist/cli/infra/build-time-astro-version-provider.js

@@ -1,6 +1,6 @@
 class BuildTimeAstroVersionProvider {
   // Injected during the build through esbuild define
-  version = "7.0.0-beta.4";
+  version = "7.0.0-beta.5";
 }
 export {
   BuildTimeAstroVersionProvider

package/dist/content/content-layer.js

@@ -197,7 +197,7 @@ ${contentConfig.error.message}`
       logger.info("Content config changed");
       shouldClear = true;
     }
-    if (previousAstroVersion && previousAstroVersion !== "7.0.0-beta.4") {
+    if (previousAstroVersion && previousAstroVersion !== "7.0.0-beta.5") {
       logger.info("Astro version changed");
       shouldClear = true;
     }
@@ -205,8 +205,8 @@ ${contentConfig.error.message}`
       logger.info("Clearing content store");
       this.#store.clearAll();
     }
-    if ("7.0.0-beta.4") {
-      this.#store.metaStore().set("astro-version", "7.0.0-beta.4");
+    if ("7.0.0-beta.5") {
+      this.#store.metaStore().set("astro-version", "7.0.0-beta.5");
     }
     if (currentConfigDigest) {
       this.#store.metaStore().set("content-config-digest", currentConfigDigest);

package/dist/core/app/prepare-response.d.ts

@@ -1,7 +1,6 @@
 /**
- * Strips internal-only headers from the response before sending it to the
- * user agent, and optionally appends cookies written via `Astro.cookie.set()`
- * to the `Set-Cookie` header.
+ * Appends cookies written via `Astro.cookie.set()` to the `Set-Cookie` header
+ * and marks the response as sent.
  *
  * This is a pure function with no dependencies on the app; it is shared by
  * `AstroHandler` and the various error handlers.

package/dist/core/app/prepare-response.js

@@ -1,11 +1,6 @@
-import { INTERNAL_RESPONSE_HEADERS, responseSentSymbol } from "../constants.js";
+import { responseSentSymbol } from "../constants.js";
 import { getSetCookiesFromResponse } from "../cookies/index.js";
 function prepareResponse(response, { addCookieHeader }) {
-  for (const headerName of INTERNAL_RESPONSE_HEADERS) {
-    if (response.headers.has(headerName)) {
-      response.headers.delete(headerName);
-    }
-  }
   if (addCookieHeader) {
     for (const setCookieHeaderValue of getSetCookiesFromResponse(response)) {
       response.headers.append("set-cookie", setCookieHeaderValue);

package/dist/core/build/generate.js

@@ -267,7 +267,7 @@ async function renderPath({
       relativeLocation: locationSite,
       from: fromPath
     });
-    if (config.compressHTML === true) {
+    if (config.compressHTML) {
       body = body.replaceAll("\n", "");
     }
     if (route.type !== "redirect") {

package/dist/core/config/schemas/base.d.ts

@@ -49,7 +49,7 @@ export declare const ASTRO_CONFIG_DEFAULTS: {
     devToolbar: {
         enabled: true;
     };
-    compressHTML: true;
+    compressHTML: "jsx";
     server: {
         host: false;
         port: number;

package/dist/core/config/schemas/base.js

@@ -38,7 +38,7 @@ const ASTRO_CONFIG_DEFAULTS = {
   devToolbar: {
     enabled: true
   },
-  compressHTML: true,
+  compressHTML: "jsx",
   server: {
     host: false,
     port: 4321,

package/dist/core/constants.d.ts

@@ -1,46 +1,5 @@
 export declare const ASTRO_VERSION: string;
 export declare const ASTRO_GENERATOR: string;
-/**
- * The name for the header used to help rerouting behavior.
- * When set to "no", astro will NOT try to reroute an error response to the corresponding error page, which is the default behavior that can sometimes lead to loops.
- *
- * ```ts
- * const response = new Response("keep this content as-is", {
- *     status: 404,
- *     headers: {
- *         // note that using a variable name as the key of an object needs to be wrapped in square brackets in javascript
- *         // without them, the header name will be interpreted as "REROUTE_DIRECTIVE_HEADER" instead of "X-Astro-Reroute"
- *         [REROUTE_DIRECTIVE_HEADER]: 'no',
- *     }
- * })
- * ```
- * Alternatively...
- * ```ts
- * response.headers.set(REROUTE_DIRECTIVE_HEADER, 'no');
- * ```
- */
-export declare const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
-/**
- * Header and value that are attached to a Response object when a **user rewrite** occurs.
- *
- * This metadata is used to determine the origin of a Response. If a rewrite has occurred, it should be prioritised over other logic.
- */
-export declare const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";
-export declare const REWRITE_DIRECTIVE_HEADER_VALUE = "yes";
-/**
- * This header is set by the no-op Astro middleware.
- */
-export declare const NOOP_MIDDLEWARE_HEADER = "X-Astro-Noop";
-/**
- * The name for the header used to help i18n middleware, which only needs to act on "page" and "fallback" route types.
- */
-export declare const ROUTE_TYPE_HEADER = "X-Astro-Route-Type";
-/**
- * Internal headers that should be stripped from the response before
- * sending it to the user agent. Add new internal headers here so
- * `prepareResponse` removes them automatically.
- */
-export declare const INTERNAL_RESPONSE_HEADERS: readonly ["X-Astro-Reroute", "X-Astro-Rewrite", "X-Astro-Noop", "X-Astro-Route-Type"];
 /**
  * Set by internal handlers (e.g. PagesHandler) to signal that a
  * response should be replaced with the corresponding error page.

package/dist/core/constants.js

@@ -1,16 +1,5 @@
-const ASTRO_VERSION = "7.0.0-beta.4";
+const ASTRO_VERSION = "7.0.0-beta.5";
 const ASTRO_GENERATOR = `Astro v${ASTRO_VERSION}`;
-const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
-const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";
-const REWRITE_DIRECTIVE_HEADER_VALUE = "yes";
-const NOOP_MIDDLEWARE_HEADER = "X-Astro-Noop";
-const ROUTE_TYPE_HEADER = "X-Astro-Route-Type";
-const INTERNAL_RESPONSE_HEADERS = [
-  REROUTE_DIRECTIVE_HEADER,
-  REWRITE_DIRECTIVE_HEADER_KEY,
-  NOOP_MIDDLEWARE_HEADER,
-  ROUTE_TYPE_HEADER
-];
 const ASTRO_ERROR_HEADER = "X-Astro-Error";
 const DEFAULT_404_COMPONENT = "astro-default-404.astro";
 const REDIRECT_STATUS_CODES = [301, 302, 303, 307, 308, 300, 304];
@@ -57,15 +46,9 @@ export {
   ASTRO_VERSION,
   ASTRO_VITE_ENVIRONMENT_NAMES,
   DEFAULT_404_COMPONENT,
-  INTERNAL_RESPONSE_HEADERS,
   MIDDLEWARE_PATH_SEGMENT_NAME,
-  NOOP_MIDDLEWARE_HEADER,
   REDIRECT_STATUS_CODES,
   REROUTABLE_STATUS_CODES,
-  REROUTE_DIRECTIVE_HEADER,
-  REWRITE_DIRECTIVE_HEADER_KEY,
-  REWRITE_DIRECTIVE_HEADER_VALUE,
-  ROUTE_TYPE_HEADER,
   SUPPORTED_MARKDOWN_FILE_EXTENSIONS,
   appSymbol,
   clientAddressSymbol,

package/dist/core/dev/dev.js

@@ -26,7 +26,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "7.0.0-beta.4";
+  const currentVersion = "7.0.0-beta.5";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/errors/default-handler.js

@@ -79,6 +79,7 @@ class DefaultErrorHandler {
           return this.renderError(request, {
             ...resolvedRenderOptions,
             status,
+            error,
             response: originalResponse,
             skipMiddleware: true,
             pathname: resolvedPathname

package/dist/core/fetch/fetch-state.d.ts

@@ -108,6 +108,12 @@ export declare class FetchState implements AstroFetchState {
     status: number;
     /** Whether user middleware should be skipped for this request. */
     skipMiddleware: boolean;
+    /**
+     * Set to `true` when the request path was encoded too many times to fully
+     * decode (see {@link validateAndDecodePathname}). These requests are
+     * rejected with a `400` before middleware or routing run.
+     */
+    invalidEncoding: boolean;
     /** A flag that tells the render content if the rewriting was triggered. */
     isRewriting: boolean;
     /** A safety net in case of loops (rewrite counter). */
@@ -122,6 +128,10 @@ export declare class FetchState implements AstroFetchState {
     clientAddress: string | undefined;
     /** Whether this is a partial render (container API). */
     partial: boolean | undefined;
+    /** Internal metadata about the current response route type. */
+    responseRouteType: 'page' | 'fallback' | undefined;
+    /** Internal flag to prevent rerouting this response to an error page. */
+    skipErrorReroute: boolean;
     /** Whether to inject CSP meta tags. */
     shouldInjectCspMetaTags: boolean | undefined;
     /** Request-scoped locals object, shared with user middleware. */
@@ -227,4 +237,5 @@ export declare class FetchState implements AstroFetchState {
      * after an in-flight rewrite swaps the route / request / params.
      */
     invalidateContexts(): void;
+    resetResponseMetadata(): void;
 }

package/dist/core/fetch/fetch-state.js

@@ -29,7 +29,7 @@ import { getParams, getProps } from "../render/index.js";
 import { Rewrites } from "../rewrites/handler.js";
 import { isRoute404or500, isRouteServerIsland } from "../routing/match.js";
 import { normalizeUrl } from "../util/normalized-url.js";
-import { validateAndDecodePathname } from "../util/pathname.js";
+import { MultiLevelEncodingError, validateAndDecodePathname } from "../util/pathname.js";
 import { getOriginPathname, setOriginPathname } from "../routing/rewrite.js";
 import { computePathnameFromDomain } from "../i18n/domain.js";
 import { getCustom404Route, routeHasHtmlExtension } from "../routing/helpers.js";
@@ -88,6 +88,12 @@ class FetchState {
   status = 200;
   /** Whether user middleware should be skipped for this request. */
   skipMiddleware = false;
+  /**
+   * Set to `true` when the request path was encoded too many times to fully
+   * decode (see {@link validateAndDecodePathname}). These requests are
+   * rejected with a `400` before middleware or routing run.
+   */
+  invalidEncoding = false;
   /** A flag that tells the render content if the rewriting was triggered. */
   isRewriting = false;
   /** A safety net in case of loops (rewrite counter). */
@@ -111,6 +117,10 @@ class FetchState {
   clientAddress;
   /** Whether this is a partial render (container API). */
   partial;
+  /** Internal metadata about the current response route type. */
+  responseRouteType;
+  /** Internal flag to prevent rerouting this response to an error page. */
+  skipErrorReroute = false;
   /** Whether to inject CSP meta tags. */
   shouldInjectCspMetaTags;
   /** Request-scoped locals object, shared with user middleware. */
@@ -697,6 +707,10 @@ class FetchState {
     try {
       return validateAndDecodePathname(pathname);
     } catch (e) {
+      if (e instanceof MultiLevelEncodingError) {
+        this.invalidEncoding = true;
+        return pathname;
+      }
       this.pipeline.logger.error(null, e.toString());
       return pathname;
     }
@@ -876,6 +890,10 @@ class FetchState {
     this.actionApiContext = null;
     this.apiContext = null;
   }
+  resetResponseMetadata() {
+    this.responseRouteType = void 0;
+    this.skipErrorReroute = false;
+  }
 }
 export {
   FetchState,

package/dist/core/fetch/index.d.ts

@@ -13,13 +13,18 @@ export declare function astro(state: FetchState): Promise<Response>;
 export declare function trailingSlash(state: FetchState): Response | undefined;
 /**
  * Runs Astro's middleware chain for the given state, calling `next` at
- * the bottom of the chain to produce the response. Lazily creates
- * the render context if needed.
+ * the bottom of the chain to produce the response. Lazily creates the
+ * render context if needed. Unmatched routes render the 404 error page;
+ * errors thrown by user middleware are logged and render the 500 error
+ * page; errors surfaced through `next` (the host framework's downstream
+ * chain) propagate to the host instead.
  */
 export declare function middleware(state: FetchState, next: (state: FetchState) => Promise<Response>): Promise<Response>;
 /**
  * Dispatches the request to the matched route (endpoint, page, redirect,
- * or fallback). Lazily creates the render context if needed.
+ * or fallback). Lazily creates the render context if needed. Unmatched
+ * routes render the 404 error page; render-time errors are logged and
+ * render the 500 error page.
  */
 export declare function pages(state: FetchState): Promise<Response>;
 /**

package/dist/core/fetch/index.js

@@ -51,7 +51,7 @@ function middleware(state, next) {
     mw = new AstroMiddleware(app.pipeline);
     middlewareInstances.set(app, mw);
   }
-  return mw.handle(state, (s, _ctx) => next(s));
+  return mw.handleWithErrorFallback(app, state, (s, _ctx) => next(s));
 }
 const pagesHandlers = /* @__PURE__ */ new WeakMap();
 function pages(state) {
@@ -61,7 +61,7 @@ function pages(state) {
     handler = new PagesHandler(app.pipeline);
     pagesHandlers.set(app, handler);
   }
-  return handler.handle(state, state.getAPIContext());
+  return handler.handleWithErrorFallback(app, state);
 }
 function sessions(state) {
   return provideSession(state);

package/dist/core/i18n/handler.js

@@ -3,7 +3,6 @@ import { computeFallbackRoute } from "../../i18n/fallback.js";
 import { I18nRouter } from "../../i18n/router.js";
 import { PipelineFeatures } from "../base-pipeline.js";
 import { shouldAppendForwardSlash } from "../build/util.js";
-import { REROUTE_DIRECTIVE_HEADER, ROUTE_TYPE_HEADER } from "../constants.js";
 class I18n {
   #i18n;
   #base;
@@ -36,25 +35,20 @@ class I18n {
   async finalize(state, response) {
     state.pipeline.usedFeatures |= PipelineFeatures.i18n;
     const i18n = this.#i18n;
-    const typeHeader = response.headers.get(ROUTE_TYPE_HEADER);
-    if (typeHeader) {
-      response.headers.delete(ROUTE_TYPE_HEADER);
-    }
-    const isReroute = response.headers.get(REROUTE_DIRECTIVE_HEADER);
-    if (isReroute === "no" && typeof i18n.fallback === "undefined") {
+    if (state.skipErrorReroute && typeof i18n.fallback === "undefined") {
       return response;
     }
-    if (typeHeader !== "page" && typeHeader !== "fallback") {
+    if (state.responseRouteType !== "page" && state.responseRouteType !== "fallback") {
       return response;
     }
-    const url = new URL(state.request.url);
+    const url = state.url;
     const currentLocale = state.computeCurrentLocale();
     const isPrerendered = state.routeData.prerender;
     const routerContext = {
       currentLocale,
       currentDomain: url.hostname,
-      routeType: typeHeader,
-      isReroute: isReroute === "yes"
+      routeType: state.responseRouteType,
+      isReroute: false
     };
     const routeDecision = this.#router.match(url.pathname, routerContext);
     switch (routeDecision.type) {
@@ -74,7 +68,7 @@ class I18n {
             status: 404,
             headers: response.headers
           });
-          prerenderedRes.headers.set(REROUTE_DIRECTIVE_HEADER, "no");
+          state.skipErrorReroute = true;
           if (routeDecision.location) {
             prerenderedRes.headers.set("Location", routeDecision.location);
           }
@@ -90,7 +84,7 @@ class I18n {
         break;
     }
     if (i18n.fallback && i18n.fallbackType) {
-      const effectiveStatus = typeHeader === "fallback" ? 404 : response.status;
+      const effectiveStatus = state.responseRouteType === "fallback" ? 404 : response.status;
       const fallbackDecision = computeFallbackRoute({
         pathname: url.pathname,
         responseStatus: effectiveStatus,

package/dist/core/messages/runtime.js

@@ -269,7 +269,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"7.0.0-beta.4"}`
+        `v${"7.0.0-beta.5"}`
       )} ${headline}`
     );
   }

package/dist/core/middleware/astro-middleware.d.ts

@@ -1,5 +1,6 @@
 import type { FetchState } from '../fetch/fetch-state.js';
 import type { APIContext } from '../../types/public/context.js';
+import type { BaseApp } from '../app/base.js';
 import { type Pipeline } from '../base-pipeline.js';
 /**
  * Callback invoked at the bottom of the middleware chain to dispatch the
@@ -24,4 +25,22 @@ export declare class AstroMiddleware {
     #private;
     constructor(pipeline: Pipeline);
     handle(state: FetchState, renderRouteCallback: RenderRouteCallback): Promise<Response>;
+    /**
+     * Like `handle`, but mirrors the app-level error handling that
+     * `AstroHandler` provides on the standard path, the same way
+     * `PagesHandler.handleWithErrorFallback` does for `pages()`. When no
+     * route matched it returns a 404 marked with `X-Astro-Error` for the
+     * app's post-check; when Astro's own middleware chain throws it logs the
+     * error and renders the custom `500.astro`.
+     *
+     * Errors surfaced through `renderRouteCallback` (the host framework's
+     * `next`, e.g. host middleware mounted below `middleware()`) are
+     * re-thrown instead, so the host's own error handling still runs rather
+     * than being swallowed into Astro's 500 page. A sentinel tells the two
+     * apart.
+     *
+     * Used by the composable `astro/fetch` `middleware()` entry point, where
+     * there is no surrounding `AstroHandler` to supply this fallback.
+     */
+    handleWithErrorFallback(app: BaseApp<Pipeline>, state: FetchState, renderRouteCallback: RenderRouteCallback): Promise<Response>;
 }

package/dist/core/middleware/astro-middleware.js

@@ -1,4 +1,5 @@
 import { PipelineFeatures } from "../base-pipeline.js";
+import { ASTRO_ERROR_HEADER } from "../constants.js";
 import { attachCookiesToResponse } from "../cookies/index.js";
 import { applyRewriteToState } from "../rewrites/handler.js";
 import { callMiddleware } from "./callMiddleware.js";
@@ -41,6 +42,48 @@ class AstroMiddleware {
     state.response = response;
     return response;
   }
+  /**
+   * Like `handle`, but mirrors the app-level error handling that
+   * `AstroHandler` provides on the standard path, the same way
+   * `PagesHandler.handleWithErrorFallback` does for `pages()`. When no
+   * route matched it returns a 404 marked with `X-Astro-Error` for the
+   * app's post-check; when Astro's own middleware chain throws it logs the
+   * error and renders the custom `500.astro`.
+   *
+   * Errors surfaced through `renderRouteCallback` (the host framework's
+   * `next`, e.g. host middleware mounted below `middleware()`) are
+   * re-thrown instead, so the host's own error handling still runs rather
+   * than being swallowed into Astro's 500 page. A sentinel tells the two
+   * apart.
+   *
+   * Used by the composable `astro/fetch` `middleware()` entry point, where
+   * there is no surrounding `AstroHandler` to supply this fallback.
+   */
+  async handleWithErrorFallback(app, state, renderRouteCallback) {
+    if (!state.routeData) {
+      return new Response(null, { status: 404, headers: { [ASTRO_ERROR_HEADER]: "true" } });
+    }
+    let nextError;
+    try {
+      return await this.handle(state, async (s, ctx) => {
+        try {
+          return await renderRouteCallback(s, ctx);
+        } catch (err) {
+          nextError = err;
+          throw err;
+        }
+      });
+    } catch (err) {
+      if (err === nextError) throw err;
+      app.logger.error(null, err.stack || err.message || String(err));
+      return app.renderError(state.request, {
+        ...state.renderOptions,
+        status: 500,
+        error: err,
+        pathname: state.pathname
+      });
+    }
+  }
   #finalize(state, response) {
     attachCookiesToResponse(response, state.cookies);
     return response;

package/dist/core/middleware/noop-middleware.js

@@ -1,7 +1,5 @@
-import { NOOP_MIDDLEWARE_HEADER } from "../constants.js";
 const NOOP_MIDDLEWARE_FN = async (_ctx, next) => {
   const response = await next();
-  response.headers.set(NOOP_MIDDLEWARE_HEADER, "true");
   return response;
 };
 export {

package/dist/core/pages/handler.d.ts

@@ -1,4 +1,5 @@
 import type { APIContext } from '../../types/public/context.js';
+import type { BaseApp } from '../app/base.js';
 import type { FetchState } from '../fetch/fetch-state.js';
 import type { Pipeline } from '../base-pipeline.js';
 /**
@@ -17,4 +18,16 @@ export declare class PagesHandler {
     #private;
     constructor(pipeline: Pipeline);
     handle(state: FetchState, ctx: APIContext): Promise<Response>;
+    /**
+     * Like `handle`, but mirrors the app-level error handling that
+     * `AstroHandler` provides on the standard path: unmatched routes
+     * return a 404 marked with `X-Astro-Error` for the app's post-check
+     * to render the 404 error page, and render-time errors are logged
+     * and render the 500 error page instead of propagating to the host
+     * framework.
+     *
+     * Used by the composable `astro/fetch` `pages()` entry point, where
+     * there is no surrounding `AstroHandler` to supply this fallback.
+     */
+    handleWithErrorFallback(app: BaseApp<Pipeline>, state: FetchState): Promise<Response>;
 }

package/dist/core/pages/handler.js

@@ -1,12 +1,6 @@
 import { renderEndpoint } from "../../runtime/server/endpoint.js";
 import { renderPage } from "../../runtime/server/index.js";
-import {
-  ASTRO_ERROR_HEADER,
-  REROUTE_DIRECTIVE_HEADER,
-  REWRITE_DIRECTIVE_HEADER_KEY,
-  REWRITE_DIRECTIVE_HEADER_VALUE,
-  ROUTE_TYPE_HEADER
-} from "../constants.js";
+import { ASTRO_ERROR_HEADER } from "../constants.js";
 import { getCookiesFromResponse } from "../cookies/response.js";
 const EMPTY_SLOTS = Object.freeze({});
 class PagesHandler {
@@ -17,6 +11,7 @@ class PagesHandler {
   async handle(state, ctx) {
     const pipeline = this.#pipeline;
     const { logger, streaming } = pipeline;
+    state.resetResponseMetadata();
     let response;
     const componentInstance = await state.loadComponentInstance();
     switch (state.routeData.type) {
@@ -25,7 +20,8 @@ class PagesHandler {
           componentInstance,
           ctx,
           state.routeData.prerender,
-          logger
+          logger,
+          state
         );
         break;
       }
@@ -46,12 +42,9 @@ class PagesHandler {
           result.cancelled = true;
           throw e;
         }
-        response.headers.set(ROUTE_TYPE_HEADER, "page");
+        state.responseRouteType = "page";
         if (state.routeData.route === "/404" || state.routeData.route === "/500") {
-          response.headers.set(REROUTE_DIRECTIVE_HEADER, "no");
-        }
-        if (state.isRewriting) {
-          response.headers.set(REWRITE_DIRECTIVE_HEADER_KEY, REWRITE_DIRECTIVE_HEADER_VALUE);
+          state.skipErrorReroute = true;
         }
         break;
       }
@@ -59,7 +52,8 @@ class PagesHandler {
         return new Response(null, { status: 404, headers: { [ASTRO_ERROR_HEADER]: "true" } });
       }
       case "fallback": {
-        return new Response(null, { status: 500, headers: { [ROUTE_TYPE_HEADER]: "fallback" } });
+        state.responseRouteType = "fallback";
+        return new Response(null, { status: 500 });
       }
     }
     const responseCookies = getCookiesFromResponse(response);
@@ -69,6 +63,33 @@ class PagesHandler {
     state.response = response;
     return response;
   }
+  /**
+   * Like `handle`, but mirrors the app-level error handling that
+   * `AstroHandler` provides on the standard path: unmatched routes
+   * return a 404 marked with `X-Astro-Error` for the app's post-check
+   * to render the 404 error page, and render-time errors are logged
+   * and render the 500 error page instead of propagating to the host
+   * framework.
+   *
+   * Used by the composable `astro/fetch` `pages()` entry point, where
+   * there is no surrounding `AstroHandler` to supply this fallback.
+   */
+  async handleWithErrorFallback(app, state) {
+    if (!state.routeData) {
+      return new Response(null, { status: 404, headers: { [ASTRO_ERROR_HEADER]: "true" } });
+    }
+    try {
+      return await this.handle(state, state.getAPIContext());
+    } catch (err) {
+      app.logger.error(null, err.stack || err.message || String(err));
+      return app.renderError(state.request, {
+        ...state.renderOptions,
+        status: 500,
+        error: err,
+        pathname: state.pathname
+      });
+    }
+  }
 }
 export {
   PagesHandler

package/dist/core/routing/handler.js

@@ -1,9 +1,5 @@
 import { ActionHandler } from "../../actions/handler.js";
-import {
-  REROUTABLE_STATUS_CODES,
-  REROUTE_DIRECTIVE_HEADER,
-  REWRITE_DIRECTIVE_HEADER_KEY
-} from "../constants.js";
+import { REROUTABLE_STATUS_CODES } from "../constants.js";
 import { TrailingSlashHandler } from "./trailing-slash-handler.js";
 import { CacheHandler, provideCache } from "../cache/handler.js";
 import { I18n } from "../i18n/handler.js";
@@ -65,6 +61,9 @@ class AstroHandler {
   }
   async handle(state) {
     state.pipeline.usedFeatures |= ALL_PIPELINE_FEATURES;
+    if (state.invalidEncoding) {
+      return new Response(null, { status: 400, statusText: "Bad Request" });
+    }
     const trailingSlashRedirect = this.#trailingSlashHandler.handle(state);
     if (trailingSlashRedirect) {
       return trailingSlashRedirect;
@@ -128,12 +127,11 @@ class AstroHandler {
         };
         response = await this.#cacheHandler.handle(state, runPipeline);
       }
-      const isRewrite = response.headers.has(REWRITE_DIRECTIVE_HEADER_KEY);
       this.#app.logThisRequest({
         pathname,
         method: request.method,
         statusCode: response.status,
-        isRewrite,
+        isRewrite: state.isRewriting,
         timeStart: state.timeStart
       });
     } catch (err) {
@@ -150,7 +148,7 @@ class AstroHandler {
     }
     if (REROUTABLE_STATUS_CODES.includes(response.status) && // If the body isn't null, that means the user sets the 404 status
     // but uses the current route to handle the 404
-    response.body === null && response.headers.get(REROUTE_DIRECTIVE_HEADER) !== "no") {
+    response.body === null && !state.skipErrorReroute) {
       return this.#app.renderError(request, {
         ...state.renderOptions,
         response,

package/dist/core/routing/rewrite.js

@@ -10,6 +10,7 @@ import {
   trimSlashes
 } from "../path.js";
 import { createRequest } from "../request.js";
+import { validateAndDecodePathname } from "../util/pathname.js";
 import { DEFAULT_404_ROUTE } from "./internal/astro-designed-error-pages.js";
 import { isRoute404, isRoute500 } from "./internal/route-errors.js";
 function findRouteToRewrite({
@@ -36,7 +37,7 @@ function findRouteToRewrite({
     buildFormat
   );
   newUrl.pathname = resolvedUrlPathname;
-  const decodedPathname = decodeURI(pathname);
+  const decodedPathname = validateAndDecodePathname(pathname);
   if (isRoute404(decodedPathname)) {
     const errorRoute = routes.find((route) => route.route === "/404");
     if (errorRoute) {

package/dist/core/util/pathname.d.ts

@@ -1,25 +1,26 @@
 /**
- * Error thrown when multi-level URL encoding is detected in a pathname.
- * This is a distinct error type so callers can handle it specifically
- * (e.g., returning a 400 response) rather than falling back to partial decoding.
- *
- * @deprecated No longer thrown internally — multi-level encoding is now
- * decoded iteratively instead of rejected. Kept for backwards compatibility
- * in case third-party code references the class.
+ * Thrown when a URL path is encoded so many times that we give up decoding it
+ * (see {@link validateAndDecodePathname}). When this happens we reject the
+ * request with a `400` instead of guessing the path. If we let a half-decoded
+ * path through, your middleware might check one path while Astro routes to a
+ * different one.
  */
 export declare class MultiLevelEncodingError extends Error {
     constructor();
 }
 /**
- * Decodes a pathname iteratively until stable, collapsing all levels of
- * percent-encoding into a single canonical form. This prevents
- * double/triple encoding from bypassing middleware authorization checks
- * (CVE-2025-66202) — instead of rejecting multi-level encoding, we
- * fully resolve it so middleware always sees the true decoded path.
+ * Decodes a URL path over and over until it stops changing, so a path that was
+ * encoded several times ends up as a single, final path. This stops someone
+ * from sneaking a path like `/admin` past middleware by encoding it multiple
+ * times — middleware always sees the real, decoded path.
  *
- * @param pathname - The pathname to decode
- * @returns The fully decoded pathname
- * @throws Error if the pathname contains invalid URL encoding that
- *   cannot be decoded at all (e.g., a bare `%` not followed by hex digits)
+ * @param pathname - The path to decode
+ * @returns The final, fully decoded path
+ * @throws Error if the path has broken encoding that can't be decoded at all
+ *   (for example a lone `%` that isn't followed by two hex digits)
+ * @throws MultiLevelEncodingError if the path is still changing after
+ *   {@link MAX_DECODE_ITERATIONS} tries (it was encoded too many times).
+ *   Handing back a half-decoded path here would bring back the security hole
+ *   this function exists to close.
  */
 export declare function validateAndDecodePathname(pathname: string): string;

package/dist/core/util/pathname.js

@@ -1,9 +1,10 @@
 class MultiLevelEncodingError extends Error {
   constructor() {
-    super("Multi-level URL encoding is not allowed");
+    super("URL encoding depth exceeded the maximum number of decode iterations");
     this.name = "MultiLevelEncodingError";
   }
 }
+const MAX_DECODE_ITERATIONS = 10;
 function validateAndDecodePathname(pathname) {
   let decoded;
   try {
@@ -12,7 +13,10 @@ function validateAndDecodePathname(pathname) {
     throw new Error("Invalid URL encoding");
   }
   let iterations = 0;
-  while (decoded !== pathname && iterations < 10) {
+  while (decoded !== pathname) {
+    if (iterations >= MAX_DECODE_ITERATIONS) {
+      throw new MultiLevelEncodingError();
+    }
     pathname = decoded;
     try {
       decoded = decodeURI(pathname);

package/dist/i18n/index.js

@@ -4,7 +4,7 @@ import {
   removeTrailingForwardSlash
 } from "@astrojs/internal-helpers/path";
 import { shouldAppendForwardSlash } from "../core/build/util.js";
-import { REROUTE_DIRECTIVE_HEADER } from "../core/constants.js";
+import { getFetchStateFromAPIContext } from "../core/fetch/fetch-state.js";
 import { i18nNoLocaleFoundInPath, MissingLocale } from "../core/errors/errors-data.js";
 import { AstroError } from "../core/errors/index.js";
 import { createI18nMiddleware } from "./middleware.js";
@@ -200,24 +200,22 @@ function redirectToDefaultLocale({
 }
 function notFound({ base, locales, fallback }) {
   return function(context, response) {
-    if (response?.headers.get(REROUTE_DIRECTIVE_HEADER) === "no" && typeof fallback === "undefined") {
+    const fetchState = getFetchStateFromAPIContext(context);
+    if (fetchState.skipErrorReroute && typeof fallback === "undefined") {
       return response;
     }
     const url = context.url;
     const isRoot = url.pathname === base + "/" || url.pathname === base;
     if (!(isRoot || pathHasLocale(url.pathname, locales))) {
+      fetchState.skipErrorReroute = true;
       if (response) {
-        response.headers.set(REROUTE_DIRECTIVE_HEADER, "no");
         return new Response(response.body, {
           status: 404,
           headers: response.headers
         });
       } else {
         return new Response(null, {
-          status: 404,
-          headers: {
-            [REROUTE_DIRECTIVE_HEADER]: "no"
-          }
+          status: 404
         });
       }
     }

package/dist/runtime/server/endpoint.d.ts

@@ -1,7 +1,8 @@
+import type { FetchState } from '../../core/fetch/fetch-state.js';
 import type { AstroLogger } from '../../core/logger/core.js';
 import type { APIRoute } from '../../types/public/common.js';
 import type { APIContext } from '../../types/public/context.js';
 /** Renders an endpoint request to completion, returning the body. */
 export declare function renderEndpoint(mod: {
     [method: string]: APIRoute;
-}, context: APIContext, isPrerendered: boolean, logger: AstroLogger): Promise<Response>;
+}, context: APIContext, isPrerendered: boolean, logger: AstroLogger, state?: FetchState): Promise<Response>;

package/dist/runtime/server/endpoint.js

@@ -1,8 +1,8 @@
 import colors from "piccolore";
-import { REROUTABLE_STATUS_CODES, REROUTE_DIRECTIVE_HEADER } from "../../core/constants.js";
+import { REROUTABLE_STATUS_CODES } from "../../core/constants.js";
 import { AstroError } from "../../core/errors/errors.js";
 import { EndpointDidNotReturnAResponse } from "../../core/errors/errors-data.js";
-async function renderEndpoint(mod, context, isPrerendered, logger) {
+async function renderEndpoint(mod, context, isPrerendered, logger, state) {
   const { request, url } = context;
   const method = request.method.toUpperCase();
   let handler = mod[method] ?? mod["ALL"];
@@ -38,17 +38,8 @@ Found handlers: ${Object.keys(mod).map((exp) => JSON.stringify(exp)).join(", ")}
   if (!response || response instanceof Response === false) {
     throw new AstroError(EndpointDidNotReturnAResponse);
   }
-  if (REROUTABLE_STATUS_CODES.includes(response.status)) {
-    try {
-      response.headers.set(REROUTE_DIRECTIVE_HEADER, "no");
-    } catch (err) {
-      if (err.message?.includes("immutable")) {
-        response = new Response(response.body, response);
-        response.headers.set(REROUTE_DIRECTIVE_HEADER, "no");
-      } else {
-        throw err;
-      }
-    }
+  if (state && REROUTABLE_STATUS_CODES.includes(response.status)) {
+    state.skipErrorReroute = true;
   }
   if (method === "HEAD") {
     return new Response(null, response);

package/dist/types/public/config.d.ts

@@ -420,22 +420,22 @@ export interface AstroUserConfig<TLocales extends Locales = never, TDriver exten
      * @docs
      * @name compressHTML
      * @type {boolean | "jsx"}
-     * @default `true`
+     * @default `'jsx'`
      * @description
      *
      * Controls how Astro handles whitespace in your HTML. This affects both development mode and the final build output.
      *
-     * By default, Astro removes whitespace from your HTML, including line breaks, in a lossless manner from `.astro` components. Some whitespace may be preserved as needed to maintain the visual rendering of your HTML.
+     * Since v7.0,  Astro applies by default the JSX whitespace rules used by frameworks like React. This removes whitespace and line breaks around elements, collapses multi-line text onto a single line, and preserves whitespace within a single line (e.g. a space between two inline elements). To keep a space that would otherwise be removed, include it explicitly in the source through constructs such as `{" "}`.
      *
-     * Since 6.2.0, this option can also be set to `"jsx"`, Astro will apply the JSX whitespace stripping rules used by frameworks like React. Leading and trailing whitespace is only preserved when explicitly included in the source code through constructs such as `{" "}`, and is otherwise removed entirely.
+     * Setting this option to `true` instead removes whitespace, including line breaks, in a lossless manner from `.astro` components. Some whitespace may be preserved as needed to maintain the visual rendering of your HTML.
      *
-     * Setting this option to false disables HTML compression and preserves all whitespace.
+     * Setting this option to `false` disables HTML compression and preserves all whitespace.
      *
      * ```js
      * {
-     *   compressHTML: false
+     *   compressHTML: true
      *   // or:
-     *   // compressHTML: 'jsx'
+     *   // compressHTML: false
      * }
      * ```
      */

package/dist/virtual-modules/container.d.ts

@@ -4,7 +4,7 @@ import type { SSRLoadedRenderer } from '../types/public/internal.js';
  * Use this function to provide renderers to the `AstroContainer`:
  *
  * ```js
- * import { getContainerRenderer } from "@astrojs/react";
+ * import { getContainerRenderer } from "@astrojs/react/container-renderer";
  * import { experimental_AstroContainer as AstroContainer } from "astro/container";
  * import { loadRenderers } from "astro:container"; // use this only when using vite/vitest
  *

package/dist/vite-plugin-head/index.js

@@ -1,9 +1,9 @@
-import { hasHeadPropagationCall } from "../core/head-propagation/hint.js";
 import {
   buildImporterGraphFromModuleInfo,
   computeInTreeAncestors
 } from "../core/head-propagation/graph.js";
 import { getTopLevelPageModuleInfos } from "../core/build/graph.js";
+import { PROPAGATED_ASSET_FLAG } from "../content/consts.js";
 import { getAstroMetadata } from "../vite-plugin-astro/index.js";
 import { ASTRO_VITE_ENVIRONMENT_NAMES } from "../core/constants.js";
 const VIRTUAL_COMPONENT_METADATA = "virtual:astro:component-metadata";
@@ -127,12 +127,12 @@ function configHeadVitePlugin() {
         });
       }
     },
-    transform(source, id) {
+    transform(_source, id) {
       let info = this.getModuleInfo(id);
       if (info && getAstroMetadata(info)?.containsHead) {
         propagateMetadata.call(this, id, "containsHead", true);
       }
-      if (hasHeadPropagationCall(source)) {
+      if (id.includes(PROPAGATED_ASSET_FLAG)) {
         propagateMetadata.call(this, id, "propagation", "in-tree");
       }
       invalidateComponentMetadataModule();
@@ -140,17 +140,11 @@ function configHeadVitePlugin() {
   };
 }
 function astroHeadBuildPlugin(internals) {
-  const headPropagationModuleIds = /* @__PURE__ */ new Set();
   return {
     name: "astro:head-metadata-build",
     applyToEnvironment(environment) {
       return environment.name === ASTRO_VITE_ENVIRONMENT_NAMES.ssr || environment.name === ASTRO_VITE_ENVIRONMENT_NAMES.prerender;
     },
-    transform(source, id) {
-      if (hasHeadPropagationCall(source)) {
-        headPropagationModuleIds.add(id);
-      }
-    },
     generateBundle(_opts, bundle) {
       const map = internals.componentMetadata;
       const moduleIds = /* @__PURE__ */ new Set();
@@ -167,7 +161,7 @@ function astroHeadBuildPlugin(internals) {
       }
       for (const [, output] of Object.entries(bundle)) {
         if (output.type !== "chunk") continue;
-        for (const [id, mod] of Object.entries(output.modules)) {
+        for (const [id] of Object.entries(output.modules)) {
           moduleIds.add(id);
           const modinfo = this.getModuleInfo(id);
           if (modinfo) {
@@ -182,7 +176,7 @@ function astroHeadBuildPlugin(internals) {
               selfPropagationSeeds.add(id);
             }
           }
-          if (mod.code && hasHeadPropagationCall(mod.code) || headPropagationModuleIds.has(id)) {
+          if (id.includes(PROPAGATED_ASSET_FLAG)) {
             commentPropagationSeeds.add(id);
           }
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "7.0.0-beta.4",
+  "version": "7.0.0-beta.5",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
@@ -112,7 +112,7 @@
     "README.md"
   ],
   "dependencies": {
-    "@astrojs/compiler-rs": "^0.1.10",
+    "@astrojs/compiler-rs": "^0.2.2",
     "@capsizecss/unpack": "^4.0.0",
     "@clack/prompts": "^1.1.0",
     "@oslojs/encoding": "^1.1.0",
@@ -166,8 +166,8 @@
     "yargs-parser": "^22.0.0",
     "zod": "^4.3.6",
     "@astrojs/internal-helpers": "0.10.0",
-    "@astrojs/telemetry": "3.3.2",
-    "@astrojs/markdown-satteri": "0.3.1-beta.1"
+    "@astrojs/markdown-satteri": "0.3.1-beta.1",
+    "@astrojs/telemetry": "3.3.2"
   },
   "optionalDependencies": {
     "sharp": "^0.34.0"
@@ -208,8 +208,8 @@
     "unified": "^11.0.5",
     "vitest": "^4.1.0",
     "@astrojs/check": "0.9.9",
-    "astro-scripts": "0.0.14",
-    "@astrojs/markdown-remark": "7.2.0"
+    "@astrojs/markdown-remark": "7.2.0",
+    "astro-scripts": "0.0.14"
   },
   "engines": {
     "node": ">=22.12.0",

package/templates/content/module.mjs

@@ -1,4 +1,3 @@
-'use astro:head-inject';
 import {
 	createDeprecatedFunction,
 	createGetCollection,

package/dist/core/head-propagation/hint.d.ts

@@ -1,4 +0,0 @@
-/**
- * Returns true when source contains the `"use astro:head-inject"` directive.
- */
-export declare function hasHeadPropagationCall(source: string): boolean;

package/dist/core/head-propagation/hint.js

@@ -1,7 +0,0 @@
-const HEAD_PROPAGATION_HINT = '"use astro:head-inject"';
-function hasHeadPropagationCall(source) {
-  return source.includes(HEAD_PROPAGATION_HINT);
-}
-export {
-  hasHeadPropagationCall
-};