Skip to content

chore(deps): update dependency @astrojs/node to v9.4.1 [security] #9570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency @astrojs/node to v9.4.1 [security] #9570

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 15, 2025

This PR contains the following updates:

Package Change Age Confidence
@astrojs/node (source) 9.1.3 -> 9.4.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-55207

Summary

Following GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios.

Details

Astro 5.12.8 fixed a case where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press.

Proof of Concept

  1. Create a new minimal Astro project ([email protected])
  2. Configure it to use the Node adapter (@astrojs/[email protected]) and force trailing slashes: 
    // astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
  trailingSlash: 'always',
  adapter: node({ mode: 'standalone' }),
});
  3. Build the site by running astro build.
  4. Run the server, e.g. with astro preview.
  5. Append //astro.build/press to the preview URL, e.g. http://localhost:4321//astro.build/press
  6. The site will redirect to the external Astro Build origin.

Example reproduction

  1. Open this StackBlitz reproduction.
  2. Open the preview in a separate window so the StackBlitz embed doesn't cause security errors.
  3. Append //astro.build/press to the preview URL, e.g. https://x.local-corp.webcontainer.io//astro.build/press.
  4. See it redirect to the external Astro Build origin.

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Release Notes

withastro/astro (@​astrojs/node)

v9.4.1

Compare Source

Patch Changes
  • 5fc3c59 Thanks @​ematipico! - Fixes a routing bug in standalone mode with trailingSlash set to "always".

v9.4.0

Compare Source

Minor Changes

  • #​14188 e3422aa Thanks @​ascorbic! - Adds support for specifying a host to load prerendered error pages

    By default, if a user defines a custom error page that is prerendered, Astro will load it from the same host as the one that the request is made to. This change allows users to specify a different host for loading prerendered error pages. This can be useful in scenarios such as where the server is running behind a reverse proxy or when prerendered pages are hosted on a different domain.

    To use this feature, set the experimentalErrorPageHost adapter option in your Astro configuration to the desired host URL. For example, if your server is running on localhost and served via a proxy, you can ensure the prerendered error pages are fetched via the localhost URL:

    import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';
export default defineConfig({
  adapter: node({
    // If your server is running on localhost and served via a proxy, set the host like this to ensure prerendered error pages are fetched via the localhost URL
    experimentalErrorPageHost: 'http://localhost:4321',
  }),
});

    For more information on enabling and using this experimental feature, see the @astrojs/node adapter docs.

v9.3.3

Compare Source

Patch Changes

v9.3.2

Compare Source

Patch Changes

v9.3.1

Compare Source

Patch Changes

v9.3.0

Compare Source

Minor Changes

  • #​14012 a125a14 Thanks @​florian-lefebvre! - Adds a new experimental configuration option experimentalDisableStreaming to allow you to opt out of Astro's default HTML streaming for pages rendered on demand.

    HTML streaming helps with performance and generally provides a better visitor experience. In most cases, disabling streaming is not recommended.

    However, when you need to disable HTML streaming (e.g. your host only supports non-streamed HTML caching at the CDN level), you can now opt out of the default behavior:

    import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
  adapter: node({
    mode: 'standalone',
+    experimentalDisableStreaming: true,
  }),
});

  • #​13972 db8f8be Thanks @​ematipico! - Adds support for the experimental static headers Astro feature.

    When the feature is enabled via the option experimentalStaticHeaders, and experimental Content Security Policy is enabled, the adapter will generate Response headers for static pages, which allows support for CSP directives that are not supported inside a <meta> tag (e.g. frame-ancestors).

    import { defineConfig } from 'astro/config';
import node from '@&#8203;astrojs/node';

export default defineConfig({
  adapter: node({
    mode: 'standalone',
    experimentalStaticHeaders: true,
  }),
  experimental: {
    cps: true,
  },
});

v9.2.2

Compare Source

Patch Changes

v9.2.1

Compare Source

Patch Changes

v9.2.0

Compare Source

Minor Changes

  • #​13527 2fd6a6b Thanks @​ascorbic! - The experimental session API introduced in Astro 5.1 is now stable and ready for production use.

    Sessions are used to store user state between requests for on-demand rendered pages. You can use them to store user data, such as authentication tokens, shopping cart contents, or any other data that needs to persist across requests:

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Aug 15, 2025
@nx-cloud Nx Cloud
Copy link

nx-cloud bot commented Aug 15, 2025
edited
Loading

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

To disable these notifications, a workspace admin can disable them in workspace settings.

View your CI Pipeline Execution ↗ for commit e74d3a9

Command Status Duration Result
nx affected --targets=test:sherif,test:knip,tes... ❌ Failed 2m 9s View ↗
nx run-many --target=build --exclude=examples/*... ❌ Failed 1m 21s View ↗

☁️ Nx Cloud last updated this comment at 2025-08-15 17:46:10 UTC

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants