fix(deps): update dependency astro to v4.16.1 [security] #790
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.0.0
->4.16.1
GitHub Vulnerability Alerts
CVE-2024-47885
Summary
A DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e.,
iframe
tags with unsanitizedname
attributes) on the destination pages.Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadgets found in Astro
We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the
<ViewTransitions />
component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an<a>
link):https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156
However, this implementation is vulnerable to a DOM Clobbering attack. The
document.scripts
lookup can be shadowed by an attacker injected non-script HTML elements (e.g.,<img name="scripts"><img name="scripts">
) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements.The condition
script.dataset.astroExec === ''
on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require atype
attribute.Finally, the
innerHTML
of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the.innerHTML
of an script element that leads to XSS.PoC
Consider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g.,
form
oriframe
). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.For PoC website, please refer to:
https://stackblitz.com/edit/github-4xgj2d
. Clicking the "about" button in the menu will trigger analert(1)
from an attacker-injectedform
element.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with
ViewTransitions
and store the user-inserted scriptless HTML tags without properly sanitizing thename
attributes on the page.Patch
We recommend replacing
document.scripts
withdocument.getElementsByTagName('script')
for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging thename
attribute.Reference
Similar issues for reference:
Release Notes
withastro/astro (astro)
v4.16.1
Compare Source
Patch Changes
#12177
a4ffbfa
Thanks @matthewp! - Ensure we target scripts for execution in the routerUsing
document.scripts
is unsafe because if the application has aname="scripts"
this will shadow the built-indocument.scripts
. Fix is to usegetElementsByTagName
to ensure we're only grabbing real scripts.#12173
2d10de5
Thanks @ematipico! - Fixes a bug where Astro Actions couldn't redirect to the correct pathname when there was a rewrite involved.v4.16.0
Compare Source
Minor Changes
#12039
710a1a1
Thanks @ematipico! - Adds amarkdown.shikiConfig.langAlias
option that allows aliasing a non-supported code language to a known language. This is useful when the language of your code samples is not a built-in Shiki language, but you want your Markdown source to contain an accurate language while also displaying syntax highlighting.The following example configures Shiki to highlight
cjs
code blocks using thejavascript
syntax highlighter:Then in your Markdown, you can use the alias as the language for a code block for syntax highlighting:
#11984
3ac2263
Thanks @chaegumi! - Adds a newbuild.concurreny
configuration option to specify the number of pages to build in parallelIn most cases, you should not change the default value of
1
.Use this option only when other attempts to reduce the overall rendering time (e.g. batch or cache long running tasks like fetch calls or data access) are not possible or are insufficient.
Use this option only if the refactors are not possible. If the number is set too high, the page rendering may slow down due to insufficient memory resources and because JS is single-threaded.
Patch Changes
#12160
c6fd1df
Thanks @louisescher! - Fixes a bug whereastro.config.mts
andastro.config.cts
weren't reloading the dev server upon modifications.#12130
e96bcae
Thanks @thehansys! - Fixes a bug in the parsing ofx-forwarded-\*
Request
headers, where multiple values assigned to those headers were not correctly parsed.Now, headers like
x-forwarded-proto: https,http
are correctly parsed.#12147
9db755a
Thanks @ascorbic! - Skips setting statusMessage header for HTTP/2 responseHTTP/2 doesn't support status message, so setting this was logging a warning.
#12151
bb6d37f
Thanks @ematipico! - Fixes an issue whereAstro.currentLocale
wasn't incorrectly computed when thedefaultLocale
belonged to a custom locale path.Updated dependencies [
710a1a1
]:v4.15.12
Compare Source
Patch Changes
#12121
2490ceb
Thanks @ascorbic! - Support passing the valuesInfinity
and-Infinity
as island props.#12118
f47b347
Thanks @Namchee! - Removes thestrip-ansi
dependency in favor of the native Node API#12126
6e1dfeb
Thanks @ascorbic! - Clear content layer cache when astro version changes#12117
a46839a
Thanks @ArmandPhilippot! - Updates Vite links to use their new domain#12124
499fbc9
Thanks @ascorbic! - Allows special characters in Action names#12123
b8673df
Thanks @Princesseuh! - Fixes missingbody
property on CollectionEntry types for content layer entries#12132
de35daa
Thanks @jcayzac! - Updates thecookie
dependency to avoid the CVE 2024-47764 vulnerability.#12113
a54e520
Thanks @ascorbic! - Adds a helpful error when attempting to render an undefined collection entryv4.15.11
Compare Source
Patch Changes
#12097
11d447f
Thanks @ascorbic! - Fixes error where references in content layer schemas sometimes incorrectly report as missing#12108
918953b
Thanks @lameuler! - Fixes a bug where data URL images were not correctly handled. The bug resulted in anENAMETOOLONG
error.#12105
42037f3
Thanks @ascorbic! - Returns custom statusText that has been set in a Response#12109
ea22558
Thanks @ematipico! - Fixes a regression that was introduced by an internal refactor of how the middleware is loaded by the Astro application. The regression was introduced by #11550.When the edge middleware feature is opted in, Astro removes the middleware function from the SSR manifest, and this wasn't taken into account during the refactor.
#12106
d3a74da
Thanks @ascorbic! - Handles case where an immutable Response object is returned from an endpoint#12090
d49a537
Thanks @markjaquith! - Server islands: changes the server island HTML placeholder comment so that it is much less likely to get removed by HTML minifiers.v4.15.10
Compare Source
Patch Changes
#12084
12dae50
Thanks @Princesseuh! - Adds missing filePath property on content layer entries#12046
d7779df
Thanks @martrapp! - View transitions: Fixes Astro's fade animation to prevent flashing during morph transitions.#12043
1720c5b
Thanks @bluwy! - Fixes injected endpointprerender
option detection#12095
76c5fbd
Thanks @TheOtterlord! - Fix installing non-stable versions of integrations withastro add
v4.15.9
Compare Source
Patch Changes
#12034
5b3ddfa
Thanks @ematipico! - Fixes an issue where the middleware wasn't called when a project uses404.astro
.#12042
243ecb6
Thanks @ematipico! - Fixes a problem in the Container API, where a polyfill wasn't correctly applied. This caused an issue in some environments wherecrypto
isn't supported.#12038
26ea5e8
Thanks @ascorbic! - Resolves image paths in content layer with initial slash as project-relativeWhen using the
image()
schema helper, previously paths with an initial slash were treated as public URLs. This was to match the behavior of markdown images. However this is a change from before, where paths with an initial slash were treated as project-relative. This change restores the previous behavior, so that paths with an initial slash are treated as project-relative.v4.15.8
Compare Source
Patch Changes
#12014
53cb41e
Thanks @ascorbic! - Fixes an issue where component styles were not correctly included in rendered MDX#12031
8c0cae6
Thanks @ematipico! - Fixes a bug where the rewrite vianext(/*..*/)
inside a middleware didn't compute the newAPIContext.params
#12026
40e7a1b
Thanks @bluwy! - Initializes the Markdown processor only when there's.md
files#12028
d3bd673
Thanks @bluwy! - Handles route collision detection only if it matchesgetStaticPaths
#12027
dd3b753
Thanks @fviolette! - Addselected
to the list of boolean attributes#12001
9be3e1b
Thanks @uwej711! - Remove dependency on path-to-regexpv4.15.7
Compare Source
Patch Changes
#12000
a2f8c5d
Thanks @ArmandPhilippot! - Fixes an outdated link used to document Content Layer API#11915
0b59fe7
Thanks @azhirov! - Fix: prevent island from re-rendering when using transition:persist (#11854)v4.15.6
Compare Source
Patch Changes
#11993
ffba5d7
Thanks @matthewp! - Fix getStaticPaths regressionThis reverts a previous change meant to remove a dependency, to fix a regression with multiple nested spread routes.
#11964
06eff60
Thanks @TheOtterlord! - Add wayland (wl-copy) support toastro info
v4.15.5
Compare Source
Patch Changes
#11939
7b09c62
Thanks @bholmesdev! - Adds support for Zod discriminated unions on Action form inputs. This allows forms with different inputs to be submitted to the same action, using a given input to decide which object should be used for validation.This example accepts either a
create
orupdate
form submission, and uses thetype
field to determine which object to validate against.The corresponding
create
andupdate
forms may look like this:v4.15.4
Compare Source
Patch Changes
#11879
bd1d4aa
Thanks @matthewp! - Allow passing a cryptography key via ASTRO_KEYFor Server islands Astro creates a cryptography key in order to hash props for the islands, preventing accidental leakage of secrets.
If you deploy to an environment with rolling updates then there could be multiple instances of your app with different keys, causing potential key mismatches.
To fix this you can now pass the
ASTRO_KEY
environment variable to your build in order to reuse the same key.To generate a key use:
This will print out an environment variable to set like:
#11935
c58193a
Thanks @Princesseuh! - Fixesastro add
not using the proper export point when adding certain adaptersv4.15.3
Compare Source
Patch Changes
#11902
d63bc50
Thanks @ascorbic! - Fixes case where content layer did not update during clean dev builds on Linux and Windows#11886
7ff7134
Thanks @matthewp! - Fixes a missing error message when actions throws duringastro sync
#11904
ca54e3f
Thanks @wtchnm! - perf(assets): avoid downloading original image when using cachev4.15.2
Compare Source
Patch Changes
#11870
8e5257a
Thanks @ArmandPhilippot! - Fixes typo in documenting thefallbackType
property in i18n routing#11884
e450704
Thanks @ascorbic! - Correctly handles content layer data where the transformed value does not match the input schema#11900
80b4a18
Thanks @delucis! - Fixes the user-facing type of the newi18n.routing.fallbackType
option to be optionalv4.15.1
Compare Source
Patch Changes
#11872
9327d56
Thanks @bluwy! - Fixesastro add
importing adapters and integrations#11767
d1bd1a1
Thanks @ascorbic! - Refactors content layer sync to use a queuev4.15.0
Compare Source
Minor Changes
#11729
1c54e63
Thanks @ematipico! - Adds a new variantsync
for theastro:config:setup
hook'scommand
property. This value is set when calling the commandastro sync
.If your integration previously relied on knowing how many variants existed for the
command
property, you must update your logic to account for this new option.#11743
cce0894
Thanks @ph1p! - Adds a new, optional propertytimeout
for theclient:idle
directive.This value allows you to specify a maximum time to wait, in milliseconds, before hydrating a UI framework component, even if the page is not yet done with its initial load. This means you can delay hydration for lower-priority UI elements with more control to ensure your element is interactive within a specified time frame.
#11677
cb356a5
Thanks @ematipico! - Adds a new optionfallbackType
toi18n.routing
configuration that allows you to control how fallback pages are handled.When
i18n.fallback
is configured, this new routing option controls whether to redirect to the fallback page, or to rewrite the fallback page's content in place.The
"redirect"
option is the default value and matches the current behavior of the existing fallback system.The option
"rewrite"
uses the new rewriting system to create fallback pages that render content on the original, requested URL without a browser refresh.For example, the following configuration will generate a page
/fr/index.html
that will contain the same HTML rendered by the page/en/index.html
whensrc/pages/fr/index.astro
does not exist.#11708
62b0d20
Thanks @martrapp! - Adds a new objectswapFunctions
to expose the necessary utility functions onastro:transitions/client
that allow you to build custom swap functions to be used with view transitions.The example below uses these functions to replace Astro's built-in default
swap
function with one that only swaps the<main>
part of the page:See the view transitions guide for more information about hooking into the
astro:before-swap
lifecycle event and adding a custom swap implementation.#11843
5b4070e
Thanks @bholmesdev! - Exposesz
from the newastro:schema
module. This is the new recommended import source for all Zod utilities when using Astro Actions.v4.14.6
Compare Source
Patch Changes
#11847
45b599c
Thanks @ascorbic! - Fixes a case where Vite would be imported by the SSR runtime, causing bundling errors and bloat.#11822
6fcaab8
Thanks @bluwy! - Marks internalvite-plugin-fileurl
plugin withenforce: 'pre'
#11713
497324c
Thanks @voidfill! - Prevents prefetching of the same urls with different hashes.#11814
2bb72c6
Thanks @eduardocereto! - Updates the documentation for experimental Content Layer API with a corrected code example#11842
1ffaae0
Thanks @stephan281094! - Fixes a typo in theMissingImageDimension
error message#11828
20d47aa
Thanks @bholmesdev! - Improves error message when invalid data is returned by an Action.v4.14.5
Compare Source
Patch Changes
#11809
62e97a2
Thanks @bholmesdev! - Fixes usage of.transform()
,.refine()
,.passthrough()
, and other effects on Action form inputs.#11812
260c4be
Thanks @bholmesdev! - ExposesActionAPIContext
type from theastro:actions
module.#11813
3f7630a
Thanks @bholmesdev! - Fixes unexpectedundefined
value when calling an action from the client without a return value.v4.14.4
Compare Source
Patch Changes
#11794
3691a62
Thanks @bholmesdev! - Fixes unexpected warning log when using Actions on "hybrid" rendered projects.#11801
9f943c1
Thanks @delucis! - Fixes a bug where thefilePath
property was not available on content collection entries when using the content layerfile()
loader with a JSON file that contained an object instead of an array. This was breaking use of theimage()
schema utility among other things.v4.14.3
Compare Source
Patch Changes
#11780
c6622ad
Thanks @Princesseuh! - Deprecates the Squoosh image service, to be removed in Astro 5.0. We recommend migrating to the default Sharp service.#11790
41c3fcb
Thanks @sarah11918! - Updates the documentation for experimentalastro:env
with a corrected link to the RFC proposal#11773
86a3391
Thanks @ematipico! - Changes messages logged when using unsupported, deprecated, or experimental adapter features for clarity#11745
89bab1e
Thanks @bluwy! - Prints prerender dynamic value usage warning only if it's used#11774
c6400ab
Thanks @florian-lefebvre! - Fixes the path returned byinjectTypes
#11730
2df49a6
Thanks @florian-lefebvre! - Simplifies path operations ofastro sync
#11771
49650a4
Thanks @florian-lefebvre! - Fixes an error thrown byastro sync
when anastro:env
virtual module is imported inside the Content Collections config#11744
b677429
Thanks @bluwy! - Disables the WebSocket server when creating a Vite server for loading config filesv4.14.2
Compare Source
Patch Changes
391324d
Thanks @bluwy! - Reverts back toyargs-parser
package for CLI argument parsingv4.14.1
Compare Source
Patch Changes
#11725
6c1560f
Thanks @ascorbic! - Prevents content layer importing node builtins in runtime#11692
35af73a
Thanks @matthewp! - Prevent errant HTML from crashing server islandsWhen an HTML minifier strips away the server island comment, the script can't correctly know where the end of the fallback content is. This makes it so that it simply doesn't remove any DOM in that scenario. This means the fallback isn't removed, but it also doesn't crash the browser.
#11727
3c2f93b
Thanks @florian-lefebvre! - Fixes a type issue when using the Content Layer in devv4.14.0
Compare Source
Minor Changes
#11657
a23c69d
Thanks @bluwy! - Deprecates the option for route-generating files to export a dynamic value forprerender
. Only static values are now supported (e.g.export const prerender = true
or= false
). This allows for better treeshaking and bundling configuration in the future.Adds a new
"astro:route:setup"
hook to the Integrations API to allow you to dynamically set options for a route at build or request time through an integration, such as enabling on-demand server rendering.To migrate from a dynamic export to the new hook, update or remove any dynamic
prerender
exports from individual routing files:// src/pages/blog/[slug].astro - export const prerender = import.meta.env.PRERENDER
Instead, create an integration with the
"astro:route:setup"
hook and update the route'sprerender
option:#11360
a79a8b0
Thanks @ascorbic! - Adds a newinjectTypes()
utility to the Integration API and refactors how type generation worksUse
injectTypes()
in theastro:config:done
hook to inject types into your user's project by adding a new a*.d.ts
file.The
filename
property will be used to generate a file at/.astro/integrations/<normalized_integration_name>/<normalized_filename>.d.ts
and must end with".d.ts"
.The
content
property will create the body of the file, and must be valid TypeScript.Additionally,
injectTypes()
returns a URL to the normalized path so you can overwrite its content later on, or manipulate it in any way you want.Codegen has been refactored. Although
src/env.d.ts
will continue to work as is, we recommend you update it:#11605
d3d99fb
Thanks @jcayzac! - Adds a new propertymeta
to Astro's built-in<Code />
component.This allows you to provide a value for Shiki's
meta
attribute to pass options to transformers.The following example passes an option to highlight lines 1 and 3 to Shiki's
tranformerMetaHighlight
:v4.13.4
Compare Source
Patch Changes
#11678
34da907
Thanks @ematipico! - Fixes a case where omitting a semicolon and line ending with carriage return - CRLF - in theprerender
option could throw an error.#11535
932bd2e
Thanks @matthewp! - Encrypt server island propsServer island props are now encrypted with a key generated at build-time. This is intended to prevent accidentally leaking secrets caused by exposing secrets through prop-passing. This is not intended to allow a server island to be trusted to skip authentication, or to protect against any other vulnerabilities other than secret leakage.
See the RFC for an explanation: https://github.com/withastro/roadmap/blob/server-islands/proposals/server-islands.md#props-serialization
#11655
dc0a297
Thanks @billy-le! - Fixes Astro Actionsinput
validation when usingdefault
values with a form input.#11689
c7bda4c
Thanks @ematipico! - Fixes an issue in the Astro actions, where the size of the generated cookie was exceeding the size permitted by theSet-Cookie
header.v4.13.3
Compare Source
Patch Changes
#11653
32be549
Thanks @florian-lefebvre! - Updatesastro:env
docs to reflect current developments and usage guidance#11658
13b912a
Thanks @bholmesdev! - FixesorThrow()
type when calling an Action without aninput
validator.#11603
f31d466
Thanks @bholmesdev! - Improves user experience when render an Action result from a form POST request:?_astroAction=NAME
flag when a result is rendered.Also improves the DX of directing to a new route on success. Actions will now redirect to the route specified in your
action
string on success, and redirect back to the previous page on error. This follows the routing convention of established backend frameworks like Laravel.For example, say you want to redirect to a
/success
route whenactions.signup
succeeds. You can add/success
to youraction
string like so:/success
.You can retrieve the action result from either page using the
Astro.getActionResult()
function.Note on security
This uses a temporary cookie to forward the action result to the next page. The cookie will be deleted when that page is rendered.
⚠ The action result is not encrypted. In general, we recommend returning minimal data from an action handler to a) avoid leaking sensitive information, and b) avoid unexpected render issues once the temporary cookie is deleted. For example, a
login
function may return a user's session id to retrieve from your Astro frontmatter, rather than the entire user object.v4.13.2
Compare Source
Patch Changes
#11648
589d351
Thanks @bholmesdev! - Fixes unexpected error when refreshing a POST request from a form using Actions.#11600
09ec2ca
Thanks @ArmandPhilippot! - DeprecatesgetEntryBySlug
andgetDataEntryById
functions exported byastro:content
in favor ofgetEntry
.#11593
81d7150
Thanks @bholmesdev! - Adds support forDate()
,Map()
, andSet()
from action results. See devalue for a complete list of supported values.Also fixes serialization exceptions when deploying Actions with edge middleware on Netlify and Vercel.
#11617
196092a
Thanks @abubakriz! - Fix toolbar audit incorrectly flagging images as above the fold.#11634
2716f52
Thanks @bholmesdev! - Fixes internal server error when calling an Astro Action without arguments on Vercel.#11628
9aaf58c
Thanks @madbook! - Ensures consistent CSS chunk hashes across different environmentsv4.13.1
Compare Source
Patch Changes
#11584
a65ffe3
Thanks @bholmesdev! - Removes async local storage dependency from Astro Actions. This allows Actions to run in Cloudflare and Stackblitz without opt-in flags or other configuration.This also introduces a new convention for calling actions from server code. Instead of calling actions directly, you must wrap function calls with the new
Astro.callAction()
utility.v4.13.0
Compare Source
Minor Changes
#11507
a62345f
Thanks @ematipico! - Adds color-coding to the console output during the build to highlight slow pages.Pages that take more than 500 milliseconds to render will have their build time logged in red. This change can help you discover pages of your site that are not performant and may need attention.
#11379
e5e2d3e
Thanks @alexanderniebuhr! - Theexperimental.contentCollectionJsonSchema
feature introduced behind a flag in v4.5.0 is no longer experimental and is available for general use.If you are working with collections of type
data
, Astro will now auto-generate JSON schema files for your editor to get IntelliSense and type-checking. A separate file will be created for each data collection in your project based on your collections defined insrc/content/config.ts
using a library calledzod-to-json-schema
.This feature requires you to manually set your schema's file path as the value for
$schema
in each data entrConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.