
Conversation


@renovate renovate bot commented Oct 11, 2025

This PR contains the following updates:

Package Change Age Confidence
astro (source) ^5.13.5 -> ^5.14.3 age confidence

GitHub Vulnerability Alerts

CVE-2025-61925

Summary

When running Astro in on-demand rendering mode using an adapter such as the node adapter it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property as there is no validation that the value is safe.

Details

Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.

It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such, a malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.

This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.

As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.

Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.

PoC

  • Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
  • nvm use
  • yarn run build
  • node ./dist/server/entry.mjs
  • curl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'
  • Observe that the response reflects the malicious X-Forwarded-Host header

For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.

Impact

This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.


Release Notes

withastro/astro (astro)

v5.14.3

Compare Source

Patch Changes
  • #​14505 28b2a1d Thanks @​matthewp! - Fixes Cannot set property manifest error in test utilities by adding a protected setter for the manifest property

  • #​14235 c4d84bb Thanks @​toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabled

v5.14.1

Compare Source

Patch Changes

v5.14.0

Compare Source

Minor Changes
  • #​13520 a31edb8 Thanks @​openscript! - Adds a new property routePattern available to GetStaticPathsOptions

    This provides the original, dynamic segment definition in a routing file path (e.g. /[...locale]/[files]/[slug]) from the Astro render context that would not otherwise be available within the scope of getStaticPaths(). This can be useful to calculate the params and props for each page route.

    For example, you can now localize your route segments and return an array of static paths by passing routePattern to a custom getLocalizedData() helper function. The params object will be set with explicit values for each route segment (e.g. locale, files, and slug). Then, these values will be used to generate the routes and can be used in your page template via Astro.params.

v5.13.11

Compare Source

Patch Changes
  • #​14409 250a595 Thanks @​louisescher! - Fixes an issue where astro info would log errors to console in certain cases.

  • #​14398 a7df80d Thanks @​idawnlight! - Fixes an unsatisfiable type definition when calling addServerRenderer on an experimental container instance

  • #​13747 120866f Thanks @​jp-knj! - Adds automatic request signal abortion when the underlying socket closes in the Node.js adapter

    The Node.js adapter now automatically aborts the request.signal when the client connection is terminated. This enables better resource management and allows applications to properly handle client disconnections through the standard AbortSignal API.

  • #​14428 32a8acb Thanks @​drfuzzyness! - Force sharpService to return a Uint8Array if Sharp returns a SharedArrayBuffer

  • #​14411 a601186 Thanks @​GameRoMan! - Fixes relative links to docs that could not be opened in the editor.

v5.13.10

Compare Source

Patch Changes

v5.13.9

Compare Source

Patch Changes

v5.13.8

Compare Source

Patch Changes
  • #​14300 bd4a70b Thanks @​louisescher! - Adds Vite version & integration versions to output of astro info

  • #​14341 f75fd99 Thanks @​delucis! - Fixes support for declarative Shadow DOM when using the <ClientRouter> component

  • #​14350 f59581f Thanks @​ascorbic! - Improves error reporting for content collections by adding logging for configuration errors that had previously been silently ignored. Also adds a new error that is thrown if a live collection is used in content.config.ts rather than live.config.ts.

  • #​14343 13f7d36 Thanks @​florian-lefebvre! - Fixes a regression in non node runtimes

v5.13.7

Compare Source

Patch Changes

v5.13.6

Compare Source

Patch Changes

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.
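The reflection and cache-poisoning chain described in the advisory quoted above, as an added example that is not code from Astro, from the advisory, or from the PoC repository it links. It models a host resolver that trusts X-Forwarded-Host unchecked beside an allowlisted one, a page renderer that puts the resolved host into a canonical link the way the advisory says Astro.url is commonly used, and a proxy cache keyed on path alone, which is what turns a per-request reflection into a poisoned response for later visitors. The host names, header sets and the renderPage/PathCache helpers are constructed for illustration.

```javascript
// Added example (not Astro's or the advisory's code). Models how a server that
// trusts X-Forwarded-Host builds its request URL, and how a path-keyed cache in
// front of it persists the attacker-chosen host for subsequent, innocent users.
// All hosts, headers and helpers below are constructed for illustration.

const ALLOWED_HOSTS = new Set(['www.example.com']); // constructed allowlist

// Vulnerable resolution: the forwarded host wins whenever it is present, with
// no check that it names a host this deployment actually serves.
function hostUnchecked(headers) {
  return headers['x-forwarded-host'] ?? headers['host'];
}

// Hardened resolution: accept X-Forwarded-Host only if it is allowlisted,
// otherwise fall back to Host, and reject that too if it is not ours.
// Returns null when no trustworthy host is available.
function hostAllowlisted(headers, allowed = ALLOWED_HOSTS) {
  const candidates = [headers['x-forwarded-host'], headers['host']];
  for (const raw of candidates) {
    if (typeof raw !== 'string') continue;
    // X-Forwarded-Host may carry a comma-separated chain; the first entry is
    // the client-facing one. Normalise before comparing against the allowlist.
    const h = raw.split(',')[0].trim().toLowerCase();
    if (allowed.has(h)) return h;
  }
  return null;
}

// Renders the page the way the advisory describes Astro.url being used: the
// resolved host ends up in a <link rel="canonical"> in the response body.
function renderPage(headers, resolveHost) {
  const host = resolveHost(headers);
  if (host === null) return { status: 400, body: 'untrusted Host' };
  const url = `https://${host}/`;
  return { status: 200, body: `<link rel="canonical" href="${url}">` };
}

// Stand-in for a caching proxy that keys on the path only, as a CDN does
// unless the origin tells it to vary on the host-related headers.
class PathCache {
  constructor() { this.store = new Map(); }
  fetch(path, headers, origin) {
    if (!this.store.has(path)) this.store.set(path, origin(headers));
    return this.store.get(path);
  }
}

// Replays the advisory's PoC against a resolver: the attacker's request with a
// mismatched X-Forwarded-Host goes first and primes the cache, then a victim
// requests the same path with only a legitimate Host header.
function poisoningDemo(resolveHost) {
  const cache = new PathCache();
  const origin = (headers) => renderPage(headers, resolveHost);
  const attacker = { host: 'www.example.com', 'x-forwarded-host': 'www.evil.com' };
  const victim = { host: 'www.example.com' };
  const first = cache.fetch('/', attacker, origin);
  const second = cache.fetch('/', victim, origin);
  return { first, second, victimSeesEvil: second.body.includes('www.evil.com') };
}

console.log('unchecked resolver, victim sees evil host:',
  poisoningDemo(hostUnchecked).victimSeesEvil);
console.log('allowlisted resolver, victim sees evil host:',
  poisoningDemo(hostAllowlisted).victimSeesEvil);
```

Upgrading to the patched astro release is the fix; independently of it, a reverse proxy should set X-Forwarded-Host itself (for nginx, `proxy_set_header X-Forwarded-Host $host;`) rather than pass a client-supplied value through, and a cache in front of an origin whose output depends on the host should not be keyed on the path alone.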

@renovate renovate bot added the dependencies Upgrade or downgrade of project dependencies. label Oct 11, 2025
@renovate renovate bot requested review from a team and sullivanpj as code owners October 11, 2025 05:55

renovate bot commented Oct 11, 2025

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

@renovate renovate bot enabled auto-merge (squash) October 11, 2025 05:55

deepsource-io bot commented Oct 11, 2025

Here's the code health analysis summary for commits 242a5a8..d65ebdf. View details on DeepSource ↗.

Analysis Summary

Analyzer Status Summary Link
JavaScript ✅ Success View Check ↗
Shell ✅ Success View Check ↗

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 161fc03 to 8cc0101 Compare October 21, 2025 17:00
@renovate renovate bot changed the title chore(monorepo): update pnpm.catalog.default astro to ^5.14.3 [security] chore(monorepo): update pnpm.catalog.default astro to ^5.14.7 [security] Oct 21, 2025

socket-security bot commented Oct 21, 2025

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 8cc0101 to d65ebdf Compare October 22, 2025 05:16
@renovate renovate bot changed the title chore(monorepo): update pnpm.catalog.default astro to ^5.14.7 [security] chore(monorepo): update pnpm.catalog.default astro to ^5.14.3 [security] Oct 22, 2025