This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

• Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)

• Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
• Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
• Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
• Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
• Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
• URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
• Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)

• Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)

Full Changelog

• df81c144fb148b64140d761aa61f032a7f429e12 #4523 Thanks @exzos28! - Make FlowCancellationError a proper Error instance while preserving its previous string representation.

• 21fc4de6c09a77caf115aedd2fe6df972637412b #4626 Thanks @kubk! - Export CancellablePromise from the public mobx entrypoint.

• #16292 00f48ee Thanks @p-linnane! - Fixes head metadata propagation in dev for adapters that load modules in the prerender Vite environment, such as @astrojs/cloudflare. The astro:head-metadata plugin previously only tracked the ssr environment, so maybeRenderHead() could fire inside an unrelated component's <template> element, trapping subsequent hoisted <style> blocks.

• #16451 778865f Thanks @maximslo! - Fixes build crash when processing animated AVIF images. Sharp now gracefully passes through unsupported image formats instead of crashing during the build.

• #16548 7214d3e Thanks @senutpal! - Fixes scoped styles applying to the wrong element when vite.css.transformer is set to 'lightningcss' and a selector uses a nested & inside :where(...), such as Tailwind v4's space-x-*, space-y-*, and divide-* utilities.

• #16566 9ac96b4 Thanks @web-dev0521! - Fixes data-astro-prefetch="tap" not triggering when clicking nested elements (e.g. <span>, <img>, <svg>) inside an anchor tag.

• #15994 1e70d18 Thanks @ossaidqadri! - Fix <style> compilation failure when importing Astro components via tsconfig path aliases

• #16144 1cd6650 Thanks @fkatsuhiro! - Fixed a regression where .html was unexpectedly stripped from dynamic route parameters on non-page routes (.ts endpoints and redirects). This caused endpoints like /some/[...id].ts returning id: 'file.html' on getStaticPaths to not serve that file because the generated route (/some/file.html) would get matched as id: file that is not part of the list returned by getStaticPaths.

• #16415 559c0fd Thanks @0xbejaxer! - Fix CSS traversal boundaries so pages with export const partial = true still contribute styles when imported as components by other pages.

• #16516 17f1867 Thanks @fkatsuhiro! - Fixes an issue where the index route would return a 404 error when using a custom base path combined with trailingSlash: 'never'. This ensures that the home page and internal rewrites are correctly matched under these configurations.

• #16515 280ec88 Thanks @jp-knj! - Fixes an issue where i18n.fallback pages with fallbackType: 'rewrite' were emitted with empty bodies during astro build.

• #16565 7959798 Thanks @enjoyandlove! - Fixes session persistence when session.delete() is the first mutation in a request (no prior get, set, has, or keys). The session was marked dirty in memory, but persistence skipped the save because #data stayed undefined, so the backing store could still return the deleted key on the next request.

• #16527 86fd80d Thanks @enjoyandlove! - Prevents script deduplication state from being consumed while rendering inert <template> contexts.

• #16540 e59c637 Thanks @ascorbic! - Skips session storage reads when no session cookie is present. Previously, calling session.get() on a request without a session cookie would initialize the storage driver and make a read that was guaranteed to miss. On network-backed drivers this added latency and resource usage to every anonymous request.

• #16517 6ab0b3c Thanks @adamchal! - Removes inline CSS for prerendered routes from the SSR manifest. The static HTML on disk already inlines those styles, and the SSR worker never renders prerendered routes, so the data was dead weight. Builds with many prerendered routes and build.inlineStylesheets: "always" (or "auto" with small stylesheets) will see a smaller SSR entry chunk, which reduces cold-start parse time on platforms like Cloudflare Workers.

• #16509 d3d3557 Thanks @cyphercodes! - Fix conditional named slot callbacks receiving arguments from Astro.slots.render().

• #16236 c6b068e Thanks @fkatsuhiro! - Fixes the position prop on <Image /> and <Picture /> components to correctly apply object-position styles

• #16018 d14f47c Thanks @felmonon! - Fix defineLiveCollection() so LiveLoader data types declared as interfaces are accepted.

• #16552 409f6ef Thanks @web-dev0521! - Fixes an issue where existing KV namespace bindings were silently removed when session support was enabled.

• #16277 7666bcd Thanks @Calvin-LL! - Fix static assets and prerendered pages 404ing when base is configured.

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.3

• Import error on recording.ts  -  by @toreis-up in https://github.com/slidevjs/slidev/issues/2574 (de8eb)
• Restore Windows virtual style globs  -  by @cyphercodes and cyphercodes in https://github.com/slidevjs/slidev/issues/2573 (ac6e5)
• client: Make drawing stroke-width control click-triggered  -  by @enieuwy in https://github.com/slidevjs/slidev/issues/2565 (9b93d)
• create-slidev: Only scaffold pnpm npmrc for pnpm  -  by @hrithik18k in https://github.com/slidevjs/slidev/issues/2564 (0e814)
• export: Pass timeout to frame.waitForLoadState()  -  by @andreas-taranetz and Claude Sonnet 4.6 in https://github.com/slidevjs/slidev/issues/2578 (36f8a)

• UI: check if ad is linear before updating mute label and icon (#10044) (11ad3eb)

• DASH: lazy segment reference creation (#10050) (2227133)
• Remove unnecessary Uint8ArrayUtils.concat calls in Mp4Generator (#10047) (004ff8d)
• transmuxer: Merge consecutive Uint8Arrays in h265 transmuxer (#10046) (270f7ea)

• UI: check if ad is linear before updating mute label and icon (#10044) (cb8724a)

• DASH: lazy segment reference creation (#10050) (24c9c99)
• Remove unnecessary Uint8ArrayUtils.concat calls in Mp4Generator (#10047) (4bcc188)
• transmuxer: Merge consecutive Uint8Arrays in h265 transmuxer (#10046) (d9075a7)

• DASH: lazy segment reference creation (#10050) (90452d6)
• Remove unnecessary Uint8ArrayUtils.concat calls in Mp4Generator (#10047) (bbaaaf8)
• transmuxer: Merge consecutive Uint8Arrays in h265 transmuxer (#10046) (3112814)

• DASH: lazy segment reference creation (#10050) (6a3e89e)
• Remove unnecessary Uint8ArrayUtils.concat calls in Mp4Generator (#10047) (5a0ec3e)

See Changelog:

• Cursor: Fix multi-movement pieces not isolating repetitions between movements, affecting cursor movement for repetitions in later movements (ef19c11)
• Lyrics: Fix error for old samples: noteDuration NaN when MusicXML exporter places divisions after first notes of measure, erroring in calculateLyricExtend (048d4a5)
• Octave Bracket: Fix octave shift not applied to grace notes before stop direction (PR #1649) (c0f4a3f)
• Wavy-Line: Fix a rare error with wavy-lines on certain screen widths for a sample where the end note could not be found (PR #1653, #657) (c758794)

• Metronome Mark: Implement swing metronome mark and other complex metronome marks (PR #1655, #1654) (742a0f6)
• Migrate ESLint to v9/10 with flat config (needs node v20+) (#1662) (01cddff)
• Wavy Line: Implement wavy-line (e.g. after trill) (merge from audio player) (PR #1653) (cde49c7), closes #1651