Pro 9551 apos astro v2

.changeset/boozy-manual-severaltoms.md

@@ -0,0 +1,5 @@
+---
+"sanitize-html": patch
+---
+
+Security: added a number of new attributes to be protected against unsafe URLs, e.g. `javascript:` and similar. None of these are used in the default configuration of `sanitize-html` or `apostrophe` or likely to be used there, and some attributes, like an `action` for a `form`, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to [crattack](https://github.com/crattack) for reporting the vulnerability.

.changeset/file-pretty-url-host-header-ssrf.md

@@ -0,0 +1,5 @@
+---
+"apostrophe": patch
+---
+
+Security: when `@apostrophecms/file` pretty URLs are enabled (`prettyUrls: true`), the upstream request used to serve the file is no longer built from the incoming `Host` header. The self-request is now resolved against the site's configured `baseUrl` (via `req.baseUrl`), falling back to the request host only when no `baseUrl` is configured. This closes a server-side request forgery (SSRF) vector in which the `Host` header could steer the proxied fetch at another host. The real-world risk was low: the path is constrained to an existing attachment's `/uploads/attachments/<cuid>-<slug>.<ext>`, and cuids are unique and immutable, so any reachable content was already public via the front door. Thanks to [EchoSkorJjj](https://github.com/EchoSkorJjj) for reporting the issue.

.changeset/jolly-zoos-fry.md

@@ -0,0 +1,5 @@
+---
+"@apostrophecms/redirect": minor
+---
+
+New `caseInsensitive` option. When enabled, "Old URL" values are stored in lowercase and incoming request URLs are matched case-insensitively. A migration lowercases existing redirects when the option is enabled. See the README for details, including a note on the non-reversible nature of this change.

.changeset/mighty-wasps-train.md

@@ -0,0 +1,5 @@
+---
+"create-apostrophe": patch
+---
+
+Fixes broken link

.changeset/new-doors-turn.md

@@ -0,0 +1,5 @@
+---
+"sanitize-html": patch
+---
+
+Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to [Dipanshu singh](https://github.com/Dipanshusinghh) for pointing out the issue and contributing the fix.

.changeset/old-seals-accept.md

@@ -0,0 +1,5 @@
+---
+"@apostrophecms/apostrophe-astro": minor
+---
+
+Upgraded the `undici` HTTP client from v6 to v8, which requires Node.js 22.19 or newer, and fixed a connection leak in the Astro proxy where responses that are not streamed on to the browser — redirects (301/302/307/308) and bodyless responses (204/304) — now release their backend response body immediately instead of leaving it for garbage collection, which under load could hold connections open and exhaust the connection pool.

.changeset/proud-moons-guard.md

@@ -0,0 +1,5 @@
+---
+"apostrophe": patch
+---
+
+Security fix: server-side prototype pollution (CWE-1321) via dot-notation paths. `apos.util.set()` and `apos.util.get()` now refuse to traverse `__proto__`, `constructor` and `prototype` path segments. Previously an authenticated editor could send a PATCH REST API request whose patch operators (for example `$pullAll` with a key of `__proto__.publicApiProjection`) wrote to `Object.prototype`. A polluted `publicApiProjection` defeated the `publicApiCheck()` authorization gate on piece-type REST endpoints for subsequent unauthenticated requests, for the lifetime of the Node.js process. All users should update. Thanks to [tonghuaroot](https://github.com/tonghuaroot), [H3xV0rT3x](https://github.com/H3xV0rT3x), and [5h1kh4r](https://github.com/5h1kh4r) for reporting the vulnerability.

.changeset/seo-analytics-xss.md

@@ -0,0 +1,5 @@
+---
+"@apostrophecms/seo": patch
+---
+
+Security: the Google Analytics tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) global SEO fields were interpolated directly into the bodies of inline `<script>` tags without escaping. Any user permitted to edit the global document, including editors and contributors (if their submission were approved), could set these fields to a value that broke out of the surrounding script and executed arbitrary JavaScript for every visitor on every page (stored XSS). These values are now emitted as escaped `json` nodes, matching the JSON-LD handling, so they can no longer terminate the `<script>` element or escape the string literal they sit in. All projects using `@apostrophecms/seo` with untrusted editors should upgrade promptly to close this vulnerability. Thanks to [H3xV0rT3x](https://github.com/H3xV0rT3x) and [hibrian827](https://github.com/hibrian827) for reporting the issue.

.changeset/six-socks-design.md

@@ -0,0 +1,16 @@
+---
+"@apostrophecms/apostrophe-astro": minor
+---
+
+- Replace vite-plugin-apostrophe-config and vite-plugin-apostrophe-doctype with
+  vite/vite-plugin-apostrophe-generated-config.js, which writes real files to
+  node_modules/.apostrophe-astro-config/ (config.js, doctypes.js)
+- Register Vite aliases for apostrophe-astro-config/config and /doctypes
+- Update all internal virtual: imports to alias specifiers
+- Rename static build cache dir to node_modules/.apostrophe-astro-static/
+- Add helpers/server/ (aposFetch, getAposHost, isStaticBuild)
+- Add helpers/universal/ (URL, slug, styles, attachment helpers)
+- Keep lib/aposPageFetch.js as the internal implementation (starter kit entrypoint only)
+- Reduce lib/util.js, lib/aposSetQueryParameter.js, lib/static.js to deprecated shims
+- Add MIGRATION.md
+- Bump undici to ^7.x for Node.js 24+ compatibility

.changeset/sixty-hats-kneel.md

@@ -0,0 +1,5 @@
+---
+"apostrophe": patch
+---
+
+Fix invalid HTML output for <col> elements in sanitize-html (treat void elements correctly)

.changeset/smart-kids-rest.md

@@ -0,0 +1,5 @@
+---
+"apostrophe": patch
+---
+
+Selecting an item in a relationship "browse" dialog no longer scrolls the title and Cancel/Select buttons out of view when the item is far down the list.

.changeset/violet-windows-draw.md

@@ -0,0 +1,5 @@
+---
+"apostrophe": minor
+---
+
+JSX support for templates within ApostropheCMS. JSX is now co-equal with Nunjucks, with a gradual migration strategy. Anyone who is familiar with React will be very comfortable writing JSX templates, which also offer a superior debugging experience, and templates can be migrated gradually. JSX is a great option for those who don't wish to create parallel Astro and ApostropheCMS projects, but still prefer a modern syntax. For more information, see the new [JSX templates guide](https://apostrophecms.com/docs/guide/jsx-templates.html).

.github/workflows/monorepo.yml

@@ -4,7 +4,7 @@ permissions:
 
 env:
   # Define supported runtime versions for matrix expansion once for the workflow.
-  NODE_VERSIONS_JSON: "[20,22,24]"
+  NODE_VERSIONS_JSON: "[22,24,26]"
   MONGODB_VERSIONS_JSON: '["7","8"]'
   REDIS_VERSION: "7"
   POSTGRES_VERSION: "16"

packages/apostrophe-astro/.mocharc.yml

@@ -0,0 +1,4 @@
+loader: esmock
+file: test/setup.js
+spec: test/**/*.test.js
+timeout: 5000

packages/apostrophe-astro/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 1.13.0 (2026-06-10)
+
+### Fixes
+
+- Adding or removing an area field from a schema no longer breaks documents on an external front such as Astro.
+- `AposArea` now renders only schema-backed areas. A missing area no longer throws, and an area orphaned by removing its field from the schema (while its content remains in the document) renders nothing instead of breaking sibling areas in edit mode. Logged-in editors get a diagnostic message in place of an orphaned area; anonymous visitors see nothing.
+- Editable documents sent to an external front now materialize empty area objects for schema area fields added after the document was created, so they can be edited in context.
+- `apos.util.getManagerOf` accepts a `{ log }` option to suppress its error log when probing objects that may not have a manager.
+
 ## 1.12.0
 
 ### Adds

packages/apostrophe-astro/MIGRATION.md

@@ -0,0 +1,62 @@
+# Migrating to @apostrophecms/apostrophe-astro v1.13
+
+## Astro v6 support
+
+v1.13 adds support for Astro v6 (Vite 7). Astro v5 continues to work.
+
+---
+
+## Astro v6: remove `security.allowedDomains` from static builds
+
+If your project uses `security.allowedDomains` in `astro.config.mjs` **and** runs static builds, guard it to SSR-only. In a static build Astro v6 reads `request.headers` to validate forwarded headers even during prerendering, producing a spurious warning for every page:
+
+```
+[WARN] `Astro.request.headers` was used when rendering the route `src/pages/[...slug].astro`
+```
+
+`allowedDomains` has no effect during prerendering (there are no real HTTP headers at build time), so the fix is straightforward:
+
+```js
+// astro.config.mjs
+const isStatic = process.env.APOS_BUILD === 'static'; // or however you detect it
+
+export default defineConfig({
+  output: isStatic ? 'static' : 'server',
+  // Only configure allowedDomains for SSR — it is meaningless during
+  // static prerendering and triggers a spurious headers warning in Astro v6.
+  ...(!isStatic && {
+    security: { allowedDomains }
+  }),
+  // ...
+});
+```
+
+---
+
+## Deprecated: direct `lib/` imports for public helpers
+
+Some `lib/` paths are deprecated in favour of the stable helper entry points. Note that `lib/aposPageFetch.js` is **not** deprecated — it is an internal function used by the starter kit's `[...slug].astro` entrypoint and is not part of the public API.
+
+| Old import | New import |
+|---|---|
+| `@apostrophecms/apostrophe-astro/lib/static.js` | `@apostrophecms/apostrophe-astro/helpers/server` (`getAllStaticPaths`, `getAllUrlMetadata`, `getLocales`) |
+| `@apostrophecms/apostrophe-astro/lib/aposSetQueryParameter.js` | `@apostrophecms/apostrophe-astro/helpers/universal` (`aposSetQueryParameter`) |
+| `@apostrophecms/apostrophe-astro/lib/util.js` | `@apostrophecms/apostrophe-astro/helpers/universal` (`slugify`, etc.) |
+| `@apostrophecms/apostrophe-astro/lib/aposStyles.js` | `@apostrophecms/apostrophe-astro/helpers/universal` (`stylesAttributes`, `stylesElements`) |
+| `@apostrophecms/apostrophe-astro/lib/attachment.js` | `@apostrophecms/apostrophe-astro/helpers/universal` (`getAttachmentUrl`, `getAttachmentSrcset`, etc.) |
+
+Example:
+
+```js
+// Before
+import { getAllStaticPaths } from '@apostrophecms/apostrophe-astro/lib/static.js';
+
+// After
+import { getAllStaticPaths } from '@apostrophecms/apostrophe-astro/helpers/server';
+```
+
+---
+
+## Removed: Vite virtual modules
+
+`virtual:apostrophe-config` and `virtual:apostrophe-doctypes` were private implementation details and are no longer available. If you were importing either of these directly, remove those imports — there is no public replacement, as they were never part of the supported API.

packages/apostrophe-astro/README.md

@@ -331,7 +331,7 @@ Your `[...slug].astro` component should look like this:
 
 ```js
 ---
-import aposPageFetch from '@apostrophecms/apostrophe-astro/lib/aposPageFetch.js';
+import { aposPageFetch } from '@apostrophecms/apostrophe-astro/helpers/server';
 import AposLayout from '@apostrophecms/apostrophe-astro/components/layouts/AposLayout.astro';
 import AposTemplate from '@apostrophecms/apostrophe-astro/components/AposTemplate.astro';
 
@@ -651,7 +651,7 @@ links to each page of blog posts:
 
 ```js
 ---
-import setParameter from '@apostrophecms/apostrophe-astro/lib/aposSetQueryParameter.js';
+import { aposSetQueryParameter as setParameter } from '@apostrophecms/apostrophe-astro/helpers/universal';
 
 const {
   pieces,

packages/apostrophe-astro/components/AposTemplate.astro

@@ -1,5 +1,5 @@
 ---
-import { templates } from 'virtual:apostrophe-doctypes';
+import { templates } from 'apostrophe-astro-config/doctypes';
 
 const { aposData } = Astro.props;
 

packages/apostrophe-astro/components/AposWidget.astro

@@ -1,5 +1,5 @@
 ---
-import { widgets } from "virtual:apostrophe-doctypes";
+import { widgets } from 'apostrophe-astro-config/doctypes';
 
 const { widget, options, ...props } = Astro.props;
 const isEdit = widget._edit && Astro.url.searchParams.get("aposEdit");

packages/apostrophe-astro/components/layouts/AposEditLayout.astro

@@ -1,5 +1,5 @@
 ---
-import config from "virtual:apostrophe-config";
+import config from 'apostrophe-astro-config/config';
 
 const { title, bodyClass, aposData } = Astro.props;
 const { viewTransitionWorkaround } = config;

packages/apostrophe-astro/components/layouts/AposLayout.astro

@@ -2,7 +2,7 @@
 import AposRunLayout from "./AposRunLayout.astro";
 import AposEditLayout from "./AposEditLayout.astro";
 import AposRefreshLayout from "./AposRefreshLayout.astro";
-import config from 'virtual:apostrophe-config';
+import config from 'apostrophe-astro-config/config';
 
 const { aposData } = Astro.props;
 
@@ -13,7 +13,10 @@ if (!headersToInclude && config.forwardHeaders) {
   headersToInclude = config.forwardHeaders;
 }
 
-if (headersToInclude && Array.isArray(headersToInclude)) {
+// Response headers are only meaningful in SSR — prerendered static pages
+// have no per-request HTTP response, and accessing Astro.response.headers
+// in that context triggers a warning in Astro v6.
+if (!config.staticBuild && headersToInclude && Array.isArray(headersToInclude)) {
   const headers = aposData.aposResponseHeaders;
   if (headers) {
     for (const header of headersToInclude) {