#510 by @bobsingor – Fix redact annotations leaving orphan indirect objects in the PDF cross-reference table. EPDFAnnot_ApplyRedaction and EPDFPage_ApplyRedactions now call DeleteIndirectObject after removing each annotation from the /Annots array, ensuring the underlying PDF object is fully removed from the xref rather than left as an unreachable orphan.

Thanks to @JanSlabon for reporting this bug.

#509 by @bobsingor – Implement noZoom and noRotate annotation flag rendering. Annotations with noZoom now maintain a constant screen-pixel size regardless of zoom level, and annotations with noRotate stay visually upright regardless of page rotation.

#495 by @bobsingor – Added "Insert Text" and "Replace Text" annotation tools. Added renderer for Caret annotations. Added support for grouped annotations in selectors (e.g. for Replace Text where a Caret and Strikeout are grouped).

#509 by @bobsingor – Add Text (comment) annotation tool with handler, tool definition, and renderer support. thanks to @JoackimPennerup

#502 by @danielbayerlein – Add dashed stroke support to Polyline component for React, Vue and Svelte frameworks. Thanks @danielbayerlein!

#495 by @bobsingor – Fix markup annotations (highlight, underline, strikethrough) not being created on PDFs that lack CopyContents permission. Annotations are now created without extracted text metadata when text extraction is denied.

#495 by @bobsingor – Add isRotatable: false to text markup annotation tools (highlight, underline, strikeout, squiggly) to explicitly prevent rotation on these text-anchored annotations.

#495 by @bobsingor – Fix marquee selection selecting non-rendered annotation types (e.g. POPUP, TEXT, WIDGET). Only annotations with a visual renderer are now included in marquee selection results.

#508 by @bobsingor – Fix newly created annotations showing their appearance stream instead of dict-based rendering. New annotations now consistently start with dictMode: true across all framework wrappers (React, Vue, Svelte).

#509 by @bobsingor – Fix group selection box outline when selected annotations use noZoom and/or noRotate flags. The multi-select group outline now correctly encloses mixed selections (flagged + normal annotations), including rotated pages and non-square noRotate annotations.

#495 by @bobsingor – Remove redundant onTouchStart handlers from annotation renderers. onPointerDown already covers touch input on all modern browsers, so the duplicate handler caused non-passive event listener violations and double-fired on touch devices.

#495 by @bobsingor – Added UI controls and commands for "Insert Text" and "Replace Text" tools. Added support for rendering Caret annotations and grouped annotations (like Replace Text) in the comment sidebar.

#509 by @bobsingor – Add comment annotation toolbar button with message icon, command, and UI schema entry.

#504 by @danielbayerlein – Support shift-key to temporarily lock aspect ratio during resize across all framework adapters (React, Preact, Vue, Svelte). Thanks to @danielbayerlein

#495 by @bobsingor – Mark touchstart listener in CounterRotateContainer as passive to eliminate Chrome scroll-blocking violation.

• getFirstForwardedValue: retrieves the first value of a multi-value header.
• isValidIpAddress: checks whether a string contains only characters valid in IPv4/IPv6 addresses.
• getValidatedIpFromHeader: extracts the first value from a header and validates it as an IP address.
• getClientIpAddress: retrieves and validates the first IP from the x-forwarded-for header.

• @astrojs/internal-helpers@0.8.0-beta.3
• @astrojs/markdown-remark@7.0.0-beta.11

#15700 4e7f3e8 Thanks @ocavue! - Updates the internal logic during SSR by providing additional metadata for UI framework integrations.

#15781 2de969d Thanks @ematipico! - Adds a new clientAddress option to the createContext() function

Providing this value gives adapter and middleware authors explicit control over the client IP address. When not provided, accessing clientAddress throws an error consistent with other contexts where it is not set by the adapter.

Additionally, both of the official Netlify and Vercel adapters have been updated to provide this information in their edge middleware.

import { createContext } from 'astro/middleware';

createContext({
  clientAddress: context.headers.get('x-real-ip'),
});

#15755 f9ee868 Thanks @matthewp! - Adds a new security.serverIslandBodySizeLimit configuration option

Server island POST endpoints now enforce a body size limit, similar to the existing security.actionBodySizeLimit for Actions. The new option defaults to 1048576 (1 MB) and can be configured independently.

Requests exceeding the limit are rejected with a 413 response. You can customize the limit in your Astro config:

export default defineConfig({
  security: {
    serverIslandBodySizeLimit: 2097152, // 2 MB
  },
});

#15712 7ac43c7 Thanks @florian-lefebvre! - Improves astro info by supporting more operating systems when copying the information to the clipboard.

#15780 e0ac125 Thanks @ematipico! - Prevents vite.envPrefix misconfiguration from exposing access: "secret" environment variables in client-side bundles. Astro now throws a clear error at startup if any vite.envPrefix entry matches a variable declared with access: "secret" in env.schema.

For example, the following configuration will throw an error for API_SECRET because it's defined as secret its name matches ['PUBLIC_', 'API_'] defined in env.schema:

// astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  env: {
    schema: {
      API_SECRET: envField.string({ context: 'server', access: 'secret', optional: true }),
      API_URL: envField.string({ context: 'server', access: 'public', optional: true }),
    },
  },
  vite: {
    envPrefix: ['PUBLIC_', 'API_'],
  },
});

#15778 4ebc1e3 Thanks @ematipico! - Fixes an issue where the computed clientAddress was incorrect in cases of a Request header with multiple values. The clientAddress is now also validated to contain only characters valid in IP addresses, rejecting injection payloads.

#15776 e9a9cc6 Thanks @matthewp! - Hardens error page response merging to ensure framing headers from the original response are not carried over to the rendered error page

#15759 39ff2a5 Thanks @matthewp! - Adds a new bodySizeLimit option to the @astrojs/node adapter

You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass 0 to disable the limit entirely:

import node from '@astrojs/node';
import { defineConfig } from 'astro/config';

export default defineConfig({
  adapter: node({
    mode: 'standalone',
    bodySizeLimit: 1024 * 1024 * 100, // 100 MB
  }),
});

#15777 02e24d9 Thanks @matthewp! - Fixes CSRF origin check mismatch by passing the actual server listening port to createRequest, ensuring the constructed URL origin includes the correct port (e.g., http://localhost:4321 instead of http://localhost). Also restricts X-Forwarded-Proto to only be trusted when allowedDomains is configured.

#15768 6328f1a Thanks @matthewp! - Hardens internal cookie parsing to use a null-prototype object consistently for the fallback path, aligning with how the cookie library handles parsed values

#15757 631aaed Thanks @matthewp! - Hardens URL pathname normalization to consistently handle backslash characters after decoding, ensuring middleware and router see the same canonical pathname

#15761 8939751 Thanks @ematipico! - Fixes an issue where it wasn't possible to set experimental.queuedRendering.poolSize to 0.

#15764 44daecf Thanks @matthewp! - Fixes form actions incorrectly auto-executing during error page rendering. When an error page (e.g. 404) is rendered, form actions from the original request are no longer executed, since the full request handling pipeline is not active.

#15788 a91da9f Thanks @florian-lefebvre! - Reverts changes made to TSConfig templates

Updated dependencies [4ebc1e3, 4e7f3e8]:

• @astrojs/internal-helpers@0.8.0-beta.3
• @astrojs/markdown-remark@7.0.0-beta.11

#15759 39ff2a5 Thanks @matthewp! - Adds a new bodySizeLimit option to the @astrojs/node adapter

You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass 0 to disable the limit entirely:

import node from '@astrojs/node';
import { defineConfig } from 'astro/config';

export default defineConfig({
  adapter: node({
    mode: 'standalone',
    bodySizeLimit: 1024 * 1024 * 100, // 100 MB
  }),
});

#15777 02e24d9 Thanks @matthewp! - Fixes CSRF origin check mismatch by passing the actual server listening port to createRequest, ensuring the constructed URL origin includes the correct port (e.g., http://localhost:4321 instead of http://localhost). Also restricts X-Forwarded-Proto to only be trusted when allowedDomains is configured.

#15763 1567e8c Thanks @matthewp! - Normalizes static file paths before evaluating dotfile access rules for improved consistency

Updated dependencies [4ebc1e3, 4e7f3e8]:

• @astrojs/internal-helpers@0.8.0-beta.3

#15700 4e7f3e8 Thanks @ocavue! - Improves how Preact components are identified when setting the include and/or exclude options in projects where multiple JSX frameworks are used together

Updated dependencies [4ebc1e3, 4e7f3e8]:

• @astrojs/internal-helpers@0.8.0-beta.3

• @astrojs/markdown-remark@7.0.0-beta.11

#15781 2de969d Thanks @ematipico! - Adds a new clientAddress option to the createContext() function

Providing this value gives adapter and middleware authors explicit control over the client IP address. When not provided, accessing clientAddress throws an error consistent with other contexts where it is not set by the adapter.

Additionally, both of the official Netlify and Vercel adapters have been updated to provide this information in their edge middleware.

import { createContext } from 'astro/middleware';

createContext({
  clientAddress: context.headers.get('x-real-ip'),
});

Updated dependencies [4ebc1e3, 4e7f3e8]:

• @astrojs/internal-helpers@0.8.0-beta.3
• @astrojs/underscore-redirects@1.0.0

#15781 2de969d Thanks @ematipico! - Adds a new clientAddress option to the createContext() function

Providing this value gives adapter and middleware authors explicit control over the client IP address. When not provided, accessing clientAddress throws an error consistent with other contexts where it is not set by the adapter.

Additionally, both of the official Netlify and Vercel adapters have been updated to provide this information in their edge middleware.

import { createContext } from 'astro/middleware';

createContext({
  clientAddress: context.headers.get('x-real-ip'),
});

#15778 4ebc1e3 Thanks @ematipico! - Fixes an issue where the computed clientAddress was incorrect in cases of a Request header with multiple values. The clientAddress is now also validated to contain only characters valid in IP addresses, rejecting injection payloads.

Updated dependencies [4ebc1e3, 4e7f3e8]:

• @astrojs/internal-helpers@0.8.0-beta.3

#15700 4e7f3e8 Thanks @ocavue! - Improves how React components are identified when setting the include and/or exclude options in projects where multiple JSX frameworks are used together

Updated dependencies [4ebc1e3, 4e7f3e8]:

• @astrojs/internal-helpers@0.8.0-beta.3