v0.32.0
This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.
- Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)
- Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
- Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
- Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
- Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
- Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
- URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
- Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)
- Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)
mobx@6.15.1
-
df81c144fb148b64140d761aa61f032a7f429e12#4523 Thanks @exzos28! - MakeFlowCancellationErrora properErrorinstance while preserving its previous string representation. -
21fc4de6c09a77caf115aedd2fe6df972637412b#4626 Thanks @kubk! - ExportCancellablePromisefrom the publicmobxentrypoint.
astro@6.2.2
-
#16292
00f48eeThanks @p-linnane! - Fixes head metadata propagation in dev for adapters that load modules in theprerenderVite environment, such as@astrojs/cloudflare. Theastro:head-metadataplugin previously only tracked thessrenvironment, somaybeRenderHead()could fire inside an unrelated component's<template>element, trapping subsequent hoisted<style>blocks. -
#16451
778865fThanks @maximslo! - Fixes build crash when processing animated AVIF images. Sharp now gracefully passes through unsupported image formats instead of crashing during the build. -
#16548
7214d3eThanks @senutpal! - Fixes scoped styles applying to the wrong element whenvite.css.transformeris set to'lightningcss'and a selector uses a nested&inside:where(...), such as Tailwind v4'sspace-x-*,space-y-*, anddivide-*utilities. -
#16566
9ac96b4Thanks @web-dev0521! - Fixesdata-astro-prefetch="tap"not triggering when clicking nested elements (e.g.<span>,<img>,<svg>) inside an anchor tag. -
#15994
1e70d18Thanks @ossaidqadri! - Fix<style>compilation failure when importing Astro components via tsconfig path aliases -
#16144
1cd6650Thanks @fkatsuhiro! - Fixed a regression where.htmlwas unexpectedly stripped from dynamic route parameters on non-page routes (.tsendpoints and redirects). This caused endpoints like/some/[...id].tsreturningid: 'file.html'ongetStaticPathsto not serve that file because the generated route (/some/file.html) would get matched asid: filethat is not part of the list returned bygetStaticPaths. -
#16415
559c0fdThanks @0xbejaxer! - Fix CSS traversal boundaries so pages withexport const partial = truestill contribute styles when imported as components by other pages. -
#16516
17f1867Thanks @fkatsuhiro! - Fixes an issue where the index route would return a 404 error when using a custombasepath combined withtrailingSlash: 'never'. This ensures that the home page and internal rewrites are correctly matched under these configurations. -
#16515
280ec88Thanks @jp-knj! - Fixes an issue wherei18n.fallbackpages withfallbackType: 'rewrite'were emitted with empty bodies duringastro build. -
#16565
7959798Thanks @enjoyandlove! - Fixes session persistence whensession.delete()is the first mutation in a request (no priorget,set,has, orkeys). The session was marked dirty in memory, but persistence skipped the save because#datastayedundefined, so the backing store could still return the deleted key on the next request. -
#16527
86fd80dThanks @enjoyandlove! - Prevents script deduplication state from being consumed while rendering inert<template>contexts. -
#16540
e59c637Thanks @ascorbic! - Skips session storage reads when no session cookie is present. Previously, callingsession.get()on a request without a session cookie would initialize the storage driver and make a read that was guaranteed to miss. On network-backed drivers this added latency and resource usage to every anonymous request. -
#16517
6ab0b3cThanks @adamchal! - Removes inline CSS for prerendered routes from the SSR manifest. The static HTML on disk already inlines those styles, and the SSR worker never renders prerendered routes, so the data was dead weight. Builds with many prerendered routes andbuild.inlineStylesheets: "always"(or"auto"with small stylesheets) will see a smaller SSR entry chunk, which reduces cold-start parse time on platforms like Cloudflare Workers. -
#16509
d3d3557Thanks @cyphercodes! - Fix conditional named slot callbacks receiving arguments fromAstro.slots.render(). -
#16236
c6b068eThanks @fkatsuhiro! - Fixes thepositionprop on<Image />and<Picture />components to correctly applyobject-positionstyles -
#16018
d14f47cThanks @felmonon! - FixdefineLiveCollection()soLiveLoaderdata types declared as interfaces are accepted.
@astrojs/cloudflare@13.3.1
-
#16552
409f6efThanks @web-dev0521! - Fixes an issue where existing KV namespace bindings were silently removed when session support was enabled. -
#16277
7666bcdThanks @Calvin-LL! - Fix static assets and prerendered pages 404ing whenbaseis configured. -
Updated dependencies []:
- @astrojs/underscore-redirects@1.0.3
v52.15.1
- Import error on recording.ts - by @toreis-up in https://github.com/slidevjs/slidev/issues/2574 (de8eb)
- Restore Windows virtual style globs - by @cyphercodes and cyphercodes in https://github.com/slidevjs/slidev/issues/2573 (ac6e5)
- client: Make drawing stroke-width control click-triggered - by @enieuwy in https://github.com/slidevjs/slidev/issues/2565 (9b93d)
- create-slidev: Only scaffold pnpm npmrc for pnpm - by @hrithik18k in https://github.com/slidevjs/slidev/issues/2564 (0e814)
- export: Pass timeout to frame.waitForLoadState() - by @andreas-taranetz and Claude Sonnet 4.6 in https://github.com/slidevjs/slidev/issues/2578 (36f8a)
1.9.8
See Changelog:
1.9.8 (2026-05-04)
- Cursor: Fix multi-movement pieces not isolating repetitions between movements, affecting cursor movement for repetitions in later movements (ef19c11)
- Lyrics: Fix error for old samples: noteDuration NaN when MusicXML exporter places divisions after first notes of measure, erroring in calculateLyricExtend (048d4a5)
- Octave Bracket: Fix octave shift not applied to grace notes before stop direction (PR #1649) (c0f4a3f)
- Wavy-Line: Fix a rare error with wavy-lines on certain screen widths for a sample where the end note could not be found (PR #1653, #657) (c758794)