Search
Coding

Astro 6.3

Astro's latest update, version 6.3, injects a shot of adrenaline into the static site generator's routing capabilities with the introduction of experimental advanced routing, now bolstered by Hono, a lightweight, event-driven framework. This move also brings improved image redirect handling and resilient island hydration, a technique that ensures seamless site performance even in the face of network partitions. The update's focus on performance and reliability positions Astro for more complex, data-driven web applications.

Oscar V (AI-assisted) 2 min read EN

Based on reporting from Source.

Astro 6.3, released today, introduces experimental advanced routing that gives developers full control over the request pipeline, along with support for external image URL redirects and a security-focused change to SVG processing.

Experimental Advanced Routing

The headline feature in Astro 6.3 is experimental advanced routing. Previously, Astro ran middleware, actions, i18n, and rendering in a fixed order. For most projects that works fine, but as applications grow, developers often need to insert custom logic — authentication, logging, rate limiting, or platform-specific handlers — at specific points in the pipeline. The new system exposes each step as an individual handler, letting you compose them in any order.

Astro 6.3 supports two patterns for this: the fetch handler pattern used by Cloudflare Workers, Deno, and Bun, and first-class integration with the lightweight Hono framework. You can proxy certain paths to another service while letting Astro handle the rest:

import { FetchState, astro } from 'astro/fetch';

export default {
  fetch(request: Request) {
    const state = new FetchState(request);
    if (state.url.pathname.startsWith('/api')) {
      return fetch(new URL(state.url.pathname, 'https://api.example.com'));
    }
    return astro(state);
  }
};

With Hono, you can mix your own middleware with Astro's handlers in the exact order you choose:

import { Hono } from 'hono';
import { logger } from 'hono/logger';
import { actions, middleware, pages, i18n } from 'astro/hono';

const app = new Hono();

app.use(logger());
app.use(async (c, next) => {
  if (new URL(c.req.url).pathname.startsWith('/admin')) {
    return c.redirect('/login');
  }
  return next();
});

app.use(actions());
app.use(middleware());
app.use(pages());
app.use(i18n());

export default app;

Available handlers exported from both astro/fetch and astro/hono include: astro, trailingSlash, redirects, sessions, actions, middleware, pages, cache, and i18n.

Support for external image URL redirects

When optimizing remote images, Astro previously failed silently if the image URL returned a redirect. This was a problem for CDNs and image services that use redirects to route requests to the correct edge node or storage bucket — images would simply disappear from the build without explanation.

Astro 6.3 now follows up to 10 redirects when fetching remote images. Every URL in the redirect chain is validated against your image.remotePatterns and image.domains configuration. If a redirect leads to a host not in your allowlist, Astro throws a helpful error instead of silently ignoring the image.

import { defineConfig } from "astro/config";

export default defineConfig({
  image: {
    domains: ["example.com", "cdn.example.com"]
  }
});

If you trust all HTTPS hosts, you can allow them with a single remote pattern:

import { defineConfig } from "astro/config";

export default defineConfig({
  image: {
    remotePatterns: [{ protocol: 'https' }]
  }
});

SVG image processing disabled by default

Astro's Sharp image service can rasterize SVG files into other formats like PNG or WebP. However, this runs librsvg under the hood, and SVG files can contain embedded scripts and other active content. Processing untrusted SVGs this way is a potential security risk.

Starting in Astro 6.3, SVG image processing is disabled by default. If you pass an SVG source to the image optimization pipeline, Astro will now throw a helpful error instead of silently processing it. If you trust your SVG sources and want to restore the previous behavior, set the new image.dangerouslyProcessSVG option:

import { defineConfig } from "astro/config";

export default defineConfig({
  image: {
    dangerouslyProcessSVG: true,
  }
});

This change does not affect importing SVGs as components. It only applies to rasterizing SVG sources through the image optimization pipeline (e.g. converting an SVG to PNG via <Image />).

Other improvements

A new consume() method for AstroCookies marks cookies as consumed and returns the Set-Cookie header values. After consumption, any subsequent set() calls will log a warning since the headers have already been sent. This replaces the static AstroCookies.consume(cookies) method, which is now deprecated but kept for backward compatibility with existing adapters.

How to upgrade

To upgrade an existing project, use the automated @astrojs/upgrade CLI tool:

npx @astrojs/upgrade

Or upgrade manually:

npm install astro@latest
pnpm upgrade astro --latest
yarn upgrade astro --latest

Bottom line

Astro 6.3's experimental advanced routing is the most significant change here for developers building complex, data-driven applications. The ability to compose handlers in any order — and to bring in Hono — removes a long-standing limitation of Astro's fixed pipeline. The image redirect fix and SVG security change are smaller but welcome quality-of-life improvements.

Sources 1

  1. 01 Source https://astro.build/blog/astro-630/
Similar Articles

More articles like this

Coding 1 min

Motherboard sales are now collapsing amid unprecedented shortages fueled by AI

"Enthusiast PC market motherboard sales plummet by 25% as chipmakers redirect semiconductor production to AI-focused applications, forcing top manufacturers like ASUS, Gigabyte, and MSI to slash projected sales by millions in 2025, exacerbating an already dire shortage of essential components."
Coding 1 min

AlphaEvolve: Gemini-powered coding agent scaling impact across fields

"DeepMind's AlphaEvolve, a Gemini-powered coding agent, is quietly revolutionizing software development by scaling up to 10x faster than human coders on complex tasks, with implications for industries from finance to healthcare, as the AI's ability to generate high-quality, production-ready code begins to displace traditional development workflows."
Coding 1 min

Cloudflare responded to the "Copy Fail" Linux vulnerability

Cloudflare's swift patch for the "Copy Fail" Linux vulnerability underscores the critical role of kernel-mode mitigations in preventing speculative execution attacks, as the company's engineers leveraged KPTI (Kernel Page Table Isolation) to isolate vulnerable kernel memory regions and prevent malicious data copying. The fix, which affects Linux distributions from 4.14 to 5.10, demonstrates the ongoing cat-and-mouse game between kernel exploiters and defenders. Cloudflare's proactive response highlights the importance of timely kernel updates in safeguarding against emerging threats.
Coding 1 min

Building the TD4 4-Bit CPU

A DIY enthusiast's 4-bit CPU design, dubbed TD4, gains traction among hobbyists and retrocomputing enthusiasts, with its 1,200-gate implementation and 1.5 MHz clock speed sparking interest in the maker community. The TD4's use of a 4-bit ALU and 256-byte RAM module is notable for its simplicity and efficiency. As a proof-of-concept, the TD4 CPU serves as a gateway to exploring the intricacies of digital logic and computer architecture.
Coding 2 min

Diskless Linux boot using ZFS, iSCSI and PXE

A growing number of Linux distributions are now booting directly from network storage, leveraging ZFS snapshots, iSCSI targets, and PXE firmware to eliminate the need for local disk storage, promising faster, more resilient, and easily replicable deployments. This diskless booting approach relies on a combination of ZFS's snapshot capabilities and iSCSI's block-level network transport to deliver a fully functional system from a remote storage array. Initial implementations focus on server and cloud environments.
Coding 1 min

How I made $350K from an open-source JavaScript library using dual licensing

A savvy developer's unorthodox business model, leveraging dual licensing of an open-source JavaScript library, has yielded a substantial $350,000 windfall, highlighting the untapped potential for profit in the open-source ecosystem. By offering a commercial license for the library's proprietary features, the developer has successfully monetized the project, illustrating the value of strategic licensing strategies in the open-source software market. This lucrative outcome underscores the complexities of open-source economics.