Merged
9 changes: 9 additions & 0 deletions .changeset/chubby-plums-rule.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
'@astrojs/internal-helpers': minor
---

Added a new entry point called `/request`, which exposes utilities to work with the `Request` type:
- `getFirstForwardedValue`: retrieves the first value of a multi-value header.
- `isValidIpAddress`: checks whether a string contains only characters valid in IPv4/IPv6 addresses.
- `getValidatedIpFromHeader`: extracts the first value from a header and validates it as an IP address.
- `getClientIpAddress`: retrieves and validates the first IP from the `x-forwarded-for` header.
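Review bot: The `isValidIpAddress` entry describes a character-set check ("contains only characters valid in IPv4/IPv6 addresses"), while the name promises address validation. A string built only from those characters but with no valid address structure would pass the check as described. Either state in the entry that this is a character allowlist rather than an address parser, or rename the helper. The `getClientIpAddress` entry should also say that the first `x-forwarded-for` value can only be trusted when a proxy in front of the app sets or overwrites that header, since otherwise the client chooses it.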
2 changes: 1 addition & 1 deletion .changeset/clean-planets-flow.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@
'astro': patch
---

Improves rendering by preserving `hidden="until-found"` value in attribues
Improves rendering by preserving `hidden="until-found"` value in attributes
24 changes: 24 additions & 0 deletions .changeset/fix-envprefix-secret-leak.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
---
'astro': patch
---

Prevents `vite.envPrefix` misconfiguration from exposing `access: "secret"` environment variables in client-side bundles. Astro now throws a clear error at startup if any `vite.envPrefix` entry matches a variable declared with `access: "secret"` in `env.schema`.

For example, the following configuration will throw an error for `API_SECRET` because it's defined as `secret` its name matches `['PUBLIC_', 'API_']` defined in `env.schema`:

```js
// astro.config.mjs
import { defineConfig } from "astro/config";

export default defineConfig({
env: {
schema: {
API_SECRET: envField.string({ context: 'server', access: 'secret', optional: true }),
API_URL: envField.string({ context: 'server', access: 'public', optional: true }),
}
},
vite: {
envPrefix: ['PUBLIC_', 'API_'],
},
})
```
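Review bot: The sentence introducing the example is garbled and names the wrong option. In "because it's defined as `secret` its name matches `['PUBLIC_', 'API_']` defined in `env.schema`" a conjunction is missing, and the prefix list in the snippet sits under `vite.envPrefix`, not `env.schema`. Suggested wording: "because it is declared as `secret` in `env.schema` and its name matches the `API_` entry in `vite.envPrefix`". The snippet also calls `envField.string(...)` while importing only `defineConfig` from `astro/config`, so it fails as pasted; add `envField` to that import.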
2 changes: 1 addition & 1 deletion .changeset/full-poems-divide.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,4 @@
'astro': patch
---

Fixes a bug where the Astro, with the Cloudlfare integration, couldn't correctly serve certain routes in the development server.
Fixes a bug where the Astro, with the Cloudflare integration, couldn't correctly serve certain routes in the development server.
7 changes: 7 additions & 0 deletions .changeset/green-clowns-change.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
'@astrojs/cloudflare': patch
'@astrojs/vercel': patch
'astro': patch
---

Fixes an issue where the computed `clientAddress` was incorrect in cases of a Request header with multiple values. The `clientAddress` is now also validated to contain only characters valid in IP addresses, rejecting injection payloads.
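Review bot: The second sentence says the value is "validated" but not what a caller gets when validation fails. State whether `clientAddress` then throws, falls back to another source, or is left unset, because code that logs or rate-limits on it needs to handle that case. "Rejecting injection payloads" also reads stronger than the stated check, which covers only the characters in the value; wording such as "rejecting values that contain other characters" matches what is described.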
5 changes: 5 additions & 0 deletions .changeset/harden-merge-responses-framing.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'astro': patch
---

Hardens error page response merging to ensure framing headers from the original response are not carried over to the rendered error page
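Review bot: "framing headers" is not defined in this changeset, so a reader cannot tell which headers from the original response are now dropped when the error page is rendered. Name the headers in the sentence so users who set them on the original response know what changes.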
20 changes: 20 additions & 0 deletions .changeset/harden-node-server-defaults.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
---
'astro': patch
'@astrojs/node': minor
---

Adds a new `bodySizeLimit` option to the `@astrojs/node` adapter

You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass `0` to disable the limit entirely:

```js
import node from '@astrojs/node';
import { defineConfig } from 'astro/config';

export default defineConfig({
adapter: node({
mode: 'standalone',
bodySizeLimit: 1024 * 1024 * 100, // 100 MB
}),
});
```
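Review bot: The description gives the 1 GB default and the `0` escape hatch but not what happens to a request whose body exceeds the limit (status code, whether the connection is closed), and it does not say whether the default changes behaviour for existing standalone deployments that set nothing. Add one sentence for each. The frontmatter also bumps `'astro': patch`, while the body describes only the `@astrojs/node` option; either explain the `astro` change or drop it from this changeset.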
2 changes: 1 addition & 1 deletion .changeset/moody-owls-refuse.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@
'@astrojs/cloudflare': patch
---

Removes unneccessary warning about sharp from being printed at start of dev server and build
Removes unnecessary warning about sharp from being printed at start of dev server and build
5 changes: 5 additions & 0 deletions .changeset/normalize-backslash-pathname.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'astro': patch
---

Hardens URL pathname normalization to consistently handle backslash characters after decoding, ensuring middleware and router see the same canonical pathname
5 changes: 5 additions & 0 deletions .changeset/normalize-dotfile-pathname.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@astrojs/node': patch
---

Normalizes static file paths before evaluating dotfile access rules for improved consistency
2 changes: 1 addition & 1 deletion .changeset/social-kings-swim.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@
'astro': patch
---

Fixes an issue where the internal perfomance timers weren't correctly updated to reflect new build pipeline.
Fixes an issue where the internal performance timers weren't correctly updated to reflect new build pipeline.
5 changes: 5 additions & 0 deletions .changeset/warm-pens-glow.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'astro': patch
---

Fixes form actions incorrectly auto-executing during error page rendering. When an error page (e.g. 404) is rendered, form actions from the original request are no longer executed, since the full request handling pipeline is not active.
20 changes: 10 additions & 10 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ pnpm run test
pnpm run test:match "$STRING_MATCH"
# run tests on another package
# (example - `pnpm --filter @astrojs/rss run test` runs `packages/astro-rss/test/rss.test.js`)
pnpm --filter $STRING_MATCH run test
pnpm --filter "$STRING_MATCH" run test
```

Most tests use [`mocha`](https://mochajs.org) as the test runner. We're slowly migrating to use [`node:test`](https://nodejs.org/api/test.html) instead through the custom [`astro-scripts test`](./scripts/cmd/test.js) command. For packages that use `node:test`, you can run these commands in their directories:
Expand Down Expand Up @@ -165,7 +165,7 @@ node --test --test-only test/astro-basic.test.js

#### Debugging tests in CI

There might be occasions where some tests fail in certain CI runs due to some timeout issue. If this happens, it will be very difficult to understand which file cause the timeout. That's caused by come quirks of the Node.js test runner combined with our architecture.
There might be occasions where some tests fail in certain CI runs due to some timeout issue. If this happens, it will be very difficult to understand which file cause the timeout. That's caused by some quirks of the Node.js test runner combined with our architecture.

To understand which file causes the issue, you can modify the `test` script inside the `package.json` by adding the `--parallel` option:

Expand All @@ -176,7 +176,7 @@ To understand which file causes the issue, you can modify the `test` script insi
}
```

Save the change and **push it** to your PR. This change will make the test CI slower, but it will allow to see which files causes the timeout. Once you fixed the issue **revert the change and push it**.
Save the change and **push it** to your PR. This change will make the test CI slower, but it will allow to see which files cause the timeout. Once you fixed the issue **revert the change and push it**.

#### E2E tests

Expand All @@ -194,7 +194,7 @@ pnpm run test:e2e:match "$STRING_MATCH"

Any tests for `astro build` output should use the main `mocha` tests rather than E2E - these tests will run faster than having Playwright start the `astro preview` server.

If a test needs to validate what happens on the page after it's loading in the browser, that's a perfect use for E2E dev server tests, i.e. to verify that hot-module reloading works in `astro dev` or that components were client hydrated and are interactive.
If a test needs to validate what happens on the page after it's loaded in the browser, that's a perfect use for E2E dev server tests, i.e. to verify that hot-module reloading works in `astro dev` or that components were client hydrated and are interactive.

#### Creating tests

Expand All @@ -203,8 +203,8 @@ When creating new tests, it's best to reference other existing test files and re
- When re-using a fixture multiple times with different configurations, you should also configure unique `outDir`, `build.client`, and `build.server` values so the build output runtime isn't cached and shared by ESM between test runs.

> [!IMPORTANT]
> If tests start to fail for no apparent reason, the first thing to look at the `outDir` configuration. As build cache artifacts between runs, different tests might end up sharing some of the emitted modules.
> To avoid this possible overlap, **make sure to add a custom `outDir` to your test case**
> If tests start to fail for no apparent reason, the first thing to look at the `outDir` configuration. As build caches artifacts between runs, different tests might end up sharing some of the emitted modules.
> To avoid this possible overlap, **make sure to add a custom `outDir` to your test case**.
>
> ```js
> await loadFixture({
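Review bot: The rewritten callout is still ungrammatical in two places. "the first thing to look at the `outDir` configuration" is missing its verb, and "As build caches artifacts between runs" reads as a fragment. Suggest "the first thing to look at is the `outDir` configuration" and "Because the build caches artifacts between runs, different tests might end up sharing some of the emitted modules."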
Expand Down Expand Up @@ -259,7 +259,7 @@ To run only a specific benchmark on CI, add its name after the command in your c

## For maintainers

This paragraph provides some guidance to the maintainers of the monorepo. The guidelines explained here aren't necessarily followed by other repositories of the same GitHub organisation.
This paragraph provides some guidance to the maintainers of the monorepo. The guidelines explained here aren't necessarily followed by other repositories of the GitHub organisation.

### Issue triaging workflow

Expand Down Expand Up @@ -301,7 +301,7 @@ The Astro project has five levels of priority to issues, where `p5` is the highe
- `p4`: the bug impacts _many_ Astro projects, it doesn't have a workaround but Astro is still stable/usable.
- `p3`: any bug that doesn't fall in the `p4` or `p5` category. If the documentation doesn't cover
the case reported by the user, it's useful to initiate a discussion via the `"needs discussion"` label. Seek opinions from OP and other maintainers.
- `p2`: all the bugs that have workarounds.
- `p2`: all bugs that have workarounds.
- `p1`: very minor bug, that impacts a small amount of users. Sometimes it's an edge case and it's easy to fix. Very useful if you want to assign the fix to a first-time contributor.

> [!IMPORTANT]
Expand All @@ -312,7 +312,7 @@ Assigning labels isn't always easy and many times the distinction between the di
- When assigning a `p2`, **always** add a comment that explains the workaround. If a workaround isn't provided, ping the person that assigned the label and ask them to provide one.
- Astro has **many** features, but there are some that have a larger impact than others: development server, build command, HMR (TBD, we don't have a page that explains expectations of HMR in Astro), **evident** regressions in performance.
- In case the number of reactions of an issue grows, the number of users affected grows, or a discussion uncovers some insights that weren't clear before, it's OK to change the priority of the issue. The maintainer **should** provide an explanation when assigning a different label.
As with any other contribution, triaging is voluntary and best-efforts. We welcome and appreciate all the help you're happy to give (including reading this!) and nothing more. If you are not confident about an issue, you are welcome to leave an issue untriaged for someone who would have more context, or to bring it to their attention.
As with any other contribution, triaging is voluntary and best-effort. We welcome and appreciate all the help you're happy to give (including reading this!) and nothing more. If you are not confident about an issue, you are welcome to leave an issue untriaged for someone who would have more context, or to bring it to their attention.

### Preview releases

Expand Down Expand Up @@ -348,7 +348,7 @@ Understanding in which environment code runs, and at which stage in the process,

To make it easier to test code, try decoupling **business logic** from **infrastructure**:

- **Infrastucture** is code that depends on external systems and/or requires aspecial environment to run. For example: DB calls, file system, randomness etc...
- **Infrastructure** is code that depends on external systems and/or requires a special environment to run. For example: DB calls, file system, randomness etc...
- **Business logic** (or _core logic_ or _domain_) is the rest. It's pure logic that's easy to run from anywhere.

That means avoiding side-effects by making external dependencies explicit. This often means passing more things as arguments.
Expand Down
2 changes: 1 addition & 1 deletion STYLE_GUIDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ For example: "This is clean code" is a subjective point and should have limited

In contrast: "Tabs are more accessible than spaces" is an objective point and should be strongly considered in a theoretical style discussion on tabs vs. spaces. (Fred: Believe me, I write this as someone who personally prefers spaces over tabs in my own code!)

Sometimes, not everyone will agree on style changes and 100% consensus is impossible. This is a condition commonly referred to as bike-shedding. If consensus can not be reached, a simple majority vote among core contributors (L3) will suffice.
Sometimes, not everyone will agree on style changes and 100% consensus is impossible. This is a condition commonly referred to as bike-shedding. If consensus cannot be reached, a simple majority vote among core contributors (L3) will suffice.

_Note: This process is new, we are still figuring it out! This process will be moved into GOVERNANCE.md when finalized._

Expand Down
2 changes: 1 addition & 1 deletion examples/blog/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ Features:

- ✅ Minimal styling (make it your own!)
- ✅ 100/100 Lighthouse performance
- ✅ SEO-friendly with canonical URLs and OpenGraph data
- ✅ SEO-friendly with canonical URLs and Open Graph data
- ✅ Sitemap support
- ✅ RSS Feed support
- ✅ Markdown & MDX support
Expand Down
4 changes: 2 additions & 2 deletions examples/ssr/src/components/AddToCart.svelte
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ button:hover {
transform:scale(1.1);
}

.pretext {
.pre-text {
color:#fff;
background:#0652DD;
position:absolute;
Expand All @@ -50,5 +50,5 @@ button:hover {
}
</style>
<button click={addToCart}>
<span class="pretext">Add to cart</span>
<span class="pre-text">Add to cart</span>
</button>
2 changes: 1 addition & 1 deletion examples/starlog/src/components/Header.astro
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ import { SiteTitle } from '../consts';
</a>
</h2>
<div class="links">
<a href="mailto:contactus@yourwebsite.com">Contact</a>
<a href="mailto:contactus@yourwebsite.example">Contact</a>
</div>
</nav>
</header>
Expand Down
2 changes: 1 addition & 1 deletion examples/starlog/src/components/SEO.astro
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ function normalizeImageUrl(image: string | ImageMetadata) {
<link rel="canonical" href={canonicalURL} />
<meta name="description" content={description} />

<!-- OpenGraph Tags -->
<!-- Open Graph Tags -->
<meta property="og:title" content={og.title} />
<meta property="og:type" content={og.type} />
<meta property="og:url" content={canonicalURL} />
Expand Down
2 changes: 1 addition & 1 deletion packages/astro-rss/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -250,7 +250,7 @@

### Patch Changes

- [#6614](https://github.com/withastro/astro/pull/6614) [`b1b9b1390`](https://github.com/withastro/astro/commit/b1b9b1390f95c6ae91389eba55f7563b911bccc7) Thanks [@aivarsliepa](https://github.com/aivarsliepa)! - Fixes `RSSOptions` type error when using `strictest` Typescript tsconfig
- [#6614](https://github.com/withastro/astro/pull/6614) [`b1b9b1390`](https://github.com/withastro/astro/commit/b1b9b1390f95c6ae91389eba55f7563b911bccc7) Thanks [@aivarsliepa](https://github.com/aivarsliepa)! - Fixes `RSSOptions` type error when using `strictest` TypeScript tsconfig

## 2.3.1

Expand Down
4 changes: 2 additions & 2 deletions packages/astro-rss/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ An `RSSFeedItem` is a single item in the list of items in your feed. An example
```js
const item = {
title: 'Alpha Centauri: so close you can touch it',
link: '/blog/alpha-centuari',
link: '/blog/alpha-centauri',
pubDate: new Date('2023-06-04'),
description:
'Alpha Centauri is a triple star system, containing Proxima Centauri, the closest star to our sun at only 4.24 light-years away.',
Expand Down Expand Up @@ -116,7 +116,7 @@ An object that defines the `title` and `url` of the original feed for items that
```js
const item = {
title: 'Alpha Centauri: so close you can touch it',
link: '/blog/alpha-centuari',
link: '/blog/alpha-centauri',
pubDate: new Date('2023-06-04'),
description:
'Alpha Centauri is a triple star system, containing Proxima Centauri, the closest star to our sun at only 4.24 light-years away.',
Expand Down
2 changes: 1 addition & 1 deletion packages/astro-rss/test/rss.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ describe('getRssString', () => {
assertXmlDeepEqual(str, validXmlWithContentResult);
});

it('should generate on valid RSSFeedItem array with missing date', async () => {
it('should generate on valid RSSFeedItem array that is missing date', async () => {
const str = await getRssString({
title,
description,
Expand Down
2 changes: 1 addition & 1 deletion packages/astro/CHANGELOG-v1.md
Original file line number Diff line number Diff line change
Expand Up @@ -815,7 +815,7 @@

### Patch Changes

- [#4768](https://github.com/withastro/astro/pull/4768) [`9a59e24e0`](https://github.com/withastro/astro/commit/9a59e24e0250617333c1a0fd89b7d52fd1c829de) Thanks [@matthewp](https://github.com/matthewp)! - nsure before-hydration is only loaded when used
- [#4768](https://github.com/withastro/astro/pull/4768) [`9a59e24e0`](https://github.com/withastro/astro/commit/9a59e24e0250617333c1a0fd89b7d52fd1c829de) Thanks [@matthewp](https://github.com/matthewp)! - Ensure before-hydration is only loaded when used

- [#4759](https://github.com/withastro/astro/pull/4759) [`fc885eaea`](https://github.com/withastro/astro/commit/fc885eaea1f08429599c0ab4697ab6382f3d7fa4) Thanks [@matthewp](https://github.com/matthewp)! - Read jsxImportSource from tsconfig

Expand Down