chore(deps): update dependency @astrojs/node to v9.4.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/node (source)	9.2.0 → 9.4.1

GitHub Vulnerability Alerts

CVE-2025-55207

Summary

Following GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios.

Details

Astro 5.12.8 fixed a case where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press.

Proof of Concept

1. Create a new minimal Astro project (astro@5.12.8)
2. Configure it to use the Node adapter (@astrojs/node@9.4.0) and force trailing slashes:

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@​astrojs/node';
   
   export default defineConfig({
     trailingSlash: 'always',
     adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.
4. Run the server, e.g. with astro preview.
5. Append //astro.build/press to the preview URL, e.g. http://localhost:4321//astro.build/press
6. The site will redirect to the external Astro Build origin.

Example reproduction

1. Open this StackBlitz reproduction.
2. Open the preview in a separate window so the StackBlitz embed doesn't cause security errors.
3. Append //astro.build/press to the preview URL, e.g. https://x.local-corp.webcontainer.io//astro.build/press.
4. See it redirect to the external Astro Build origin.

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

---

Release Notes

withastro/astro (@​astrojs/node)

v9.4.1

Compare Source

Patch Changes

• 5fc3c59 Thanks @​ematipico! - Fixes a routing bug in standalone mode with trailingSlash set to "always".

v9.4.0

Compare Source

Minor Changes

• #​14188 e3422aa Thanks @​ascorbic! - Adds support for specifying a host to load prerendered error pages

  By default, if a user defines a custom error page that is prerendered, Astro will load it from the same host as the one that the request is made to. This change allows users to specify a different host for loading prerendered error pages. This can be useful in scenarios such as where the server is running behind a reverse proxy or when prerendered pages are hosted on a different domain.

  To use this feature, set the experimentalErrorPageHost adapter option in your Astro configuration to the desired host URL. For example, if your server is running on localhost and served via a proxy, you can ensure the prerendered error pages are fetched via the localhost URL:

  import { defineConfig } from 'astro/config';
  import node from '@​astrojs/node';
  export default defineConfig({
    adapter: node({
      // If your server is running on localhost and served via a proxy, set the host like this to ensure prerendered error pages are fetched via the localhost URL
      experimentalErrorPageHost: 'http://localhost:4321',
    }),
  });

  For more information on enabling and using this experimental feature, see the @astrojs/node adapter docs.

v9.3.3

Compare Source

Patch Changes

• Updated dependencies [0567fb7]:
  • @​astrojs/internal-helpers@​0.7.1

v9.3.2

Compare Source

Patch Changes

• Updated dependencies [f4e8889]:
  • @​astrojs/internal-helpers@​0.7.0

v9.3.1

Compare Source

Patch Changes

• #​14148 e4d74ba Thanks @​ColoredCarrot! - fix(node): emit set-cookie header from middlewares for not-found routes (#​14136)

v9.3.0

Compare Source

Minor Changes

• #​14012 a125a14 Thanks @​florian-lefebvre! - Adds a new experimental configuration option experimentalDisableStreaming to allow you to opt out of Astro's default HTML streaming for pages rendered on demand.

  HTML streaming helps with performance and generally provides a better visitor experience. In most cases, disabling streaming is not recommended.

  However, when you need to disable HTML streaming (e.g. your host only supports non-streamed HTML caching at the CDN level), you can now opt out of the default behavior:

  import { defineConfig } from 'astro/config';
  import node from '@​astrojs/node';
  
  export default defineConfig({
    adapter: node({
      mode: 'standalone',
  +    experimentalDisableStreaming: true,
    }),
  });

• #​13972 db8f8be Thanks @​ematipico! - Adds support for the experimental static headers Astro feature.

  When the feature is enabled via the option experimentalStaticHeaders, and experimental Content Security Policy is enabled, the adapter will generate Response headers for static pages, which allows support for CSP directives that are not supported inside a <meta> tag (e.g. frame-ancestors).

  import { defineConfig } from 'astro/config';
  import node from '@​astrojs/node';
  
  export default defineConfig({
    adapter: node({
      mode: 'standalone',
      experimentalStaticHeaders: true,
    }),
    experimental: {
      cps: true,
    },
  });

v9.2.2

Compare Source

Patch Changes

• #​13507 660e83f Thanks @​TheOtterlord! - Handle errors where a module is not found when loading the server entrypoint

v9.2.1

Compare Source

Patch Changes

• #​13591 5dd2d3f Thanks @​florian-lefebvre! - Removes unused code

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8f3343a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}