• types: Add file extensions to types (02c7bf6), closes #4097
• types: Export shape option types from main entry point (#4109) (f4a236a), closes #4104
• util: camelCase SVG tag/attribute matching in sanitizer (631ddc5), closes #4078 #4106
• util: update sanitization function (#4105) (d492644)
• zoom: fix drag zoom boundary release and circle transition desync (00f6859), closes #4131

• canvas: add canvas rendering mode (200c99e), #4134
• esm: tree-shakable grid, regions, category modules (678e761), #4132

• esm: chart.export() and chart.flow() are no longer included automatically in the ESM build. Explicit import required:

import bb, { bar, exportApi, flow } from "billboard.js";

bb.generate({
 ...bar(),
 ...exportApi(),
 ...flow(),
 data: { ... } 
});

UMD bundle users are not affected.

This release includes fixes for the following security issues:

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

• docs: clarify next-env.d.ts regeneration: #94232
• docs: add updateTag example to cacheTag page: #94508
• Remove experimental.useNodeStreams flag as it's enabled: #93938
• Remove dead cacheComponents web streams path: #93944
• [ci] Disable on-call notification if manual deploy e2e tests failed: #94554
• Reduce new test concurrency to five: #94552
• fix(dev-overlay): Tidy up issues/insight menu and tab overlay: #94549
• [turbopack] Remove WebAssembly helpers from the default runtime: #94373
• docs: clarify use cache persistence across deploys: #93554
• enable eviction by default: #94452
• docs: fix onRequestError error type example: #94518
• docs: move insight error pages from vercel/front to canary: #94564

Huge thanks to @SJvaca30, @aurorascharff, @timneutkens, @eps1lon, @sampoder, @icyJoseph, @lukesandberg, and @danyalahmed1995 for helping!

Note: This is a beta release. Please file new issues for any bugs you find in it.

This release is published to npm under the beta tag and can be installed via npm install electron@beta, or npm install electron@43.0.0-beta.2.

• Fixed an issue where the "Toggle Developer Tools" menu item failed to function correctly with BaseWindow. #51901 ^{(Also in 41, 42)}

• Updated Node.js to v24.16.0. #51865

• [@mantine/notifications] Fix stale DOM nodes references not being cleaned up when notifications is closed (#8955)
• [@mantine/dates] DateInput: Add presets support (#8954)
• [@mantine/core] Collapse: Fix keepMounted prop not being set correctly (#8949)
• [@mantine/core] Menu: Add controlled state support for Menu.Sub opened state
• [@mantine/schedule] Fix incorrect current time indicator position when time does not divide evenly with interval minutes in DayView and WeekView (#8945)
• [@mantine/core] Popover: Fix context menu not working on iOS touch devices (#8942)
• [@mantine/core] SegemntedControl: Fix incorrect indicator border-radius calculation (#8904)
• [@mantine/core] PinInput: Fix incorrect placeholder text centering (#8943)
• [@mantine/core] Tree: Fix arrow key navigation focusing hidden nodes when keepMounted is set (#8939)
• [@mantine/core] MaskInput: Fix compatibility issues with uncontrolled use-form (#8947)
• [@mantine/hooks] use-id: Fix id changing to new value with Activity (#8925)

• @spokodev made their first contribution in https://github.com/mantinedev/mantine/pull/8925
• @cyphercodes made their first contribution in https://github.com/mantinedev/mantine/pull/8947
• @KasperiP made their first contribution in https://github.com/mantinedev/mantine/pull/8939

Full Changelog: https://github.com/mantinedev/mantine/compare/9.3.0...9.3.1

• #16969 4a31f90 Thanks @Princesseuh! - Adds support for Prism syntax highlighting to the Sätteri Markdown and MDX processors. Setting markdown.syntaxHighlight to 'prism' now highlights your code blocks with Prism.

  // astro.config.mjs
  import { satteri } from '@astrojs/markdown-satteri';
  
  export default defineConfig({
    markdown: {
      processor: satteri(),
      syntaxHighlight: 'prism',
    },
  });

• #16969 4a31f90 Thanks @Princesseuh! - Adds support for Prism syntax highlighting to the Sätteri Markdown and MDX processors. Setting markdown.syntaxHighlight to 'prism' now highlights your code blocks with Prism.

  // astro.config.mjs
  import { satteri } from '@astrojs/markdown-satteri';
  
  export default defineConfig({
    markdown: {
      processor: satteri(),
      syntaxHighlight: 'prism',
    },
  });

• Updated dependencies [4a31f90]:

  • @astrojs/markdown-satteri@0.3.0-alpha.0

• #16990 ebeb830 Thanks @ocavue! - Fixes a build crash when using experimental.advancedRouting with a custom fetchFile that statically imports cf from @astrojs/cloudflare/fetch. The circular dependency between @astrojs/cloudflare/fetch and astro/app/entrypoint caused createApp or createGetEnv to be undefined at module evaluation time. Initialization is now deferred to the first cf() call, breaking the cycle.

• #16671 fd926fd Thanks @alexanderniebuhr! - Removes deprecations warnings added in Astro v6 for Cloudflare specific Astro.locals properties.

• Updated dependencies [1f07343, 1e000e2, c63e7e4, ebeb830, 10229f7]:

  • astro@7.0.0-alpha.2
  • @astrojs/underscore-redirects@1.0.3

• #16610 c63e7e4 Thanks @matthewp! - Adds background dev server management for AI coding agents.

  When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

  A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

  New flag and subcommands

  • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
  • astro dev stop — Stop a running background dev server.
  • astro dev status — Check if a dev server is running and display its URL, PID, and uptime.
  • astro dev logs — View logs from a background dev server. Use --follow (-f) to stream new output as it's written.

  These allow you to start and manage dev servers programmatically and were designed with AI coding agents in mind.

  What should I do?

  No action is required. If you are not using an AI coding agent, astro dev behaves exactly as before. If you are using an agent, background mode is enabled automatically — the agent will receive the server URL and PID, and can use astro dev stop to shut it down.

  To opt out of automatic background mode when an agent is detected, set the environment variable ASTRO_DEV_BACKGROUND=0 before running astro dev.

• #16725 10229f7 Thanks @ArmandPhilippot! - Removes deprecated APIs exported from astro:transitions.

  In Astro 6.x, some helpers available in astro:transitions and astro:transitions/client were deprecated.

  In Astro 7.0, the following APIs can no longer be used in your project:

  • TRANSITION_BEFORE_PREPARATION
  • TRANSITION_AFTER_PREPARATION
  • TRANSITION_BEFORE_SWAP
  • TRANSITION_AFTER_SWAP
  • TRANSITION_PAGE_LOAD
  • isTransitionBeforePreparationEvent()
  • isTransitionBeforeSwapEvent()
  • createAnimationScope()

  What should I do?

  Remove any occurrence of createAnimationScope():

  -import { createAnimationScope } from 'astro:transitions';

  Replace any occurrence of the other APIs using the lifecycle event names directly:

  -import {
  -	TRANSITION_AFTER_SWAP,
  -	isTransitionBeforePreparationEvent,
  -} from 'astro:transitions/client';
  
  -console.log(isTransitionBeforePreparationEvent(event));
  +console.log(event.type === 'astro:before-preparation');
  
  -console.log(TRANSITION_AFTER_SWAP);
  +console.log('astro:after-swap');

  Learn more about all utilities available in the View Transitions Router API Reference.

• #16980 1f07343 Thanks @matthewp! - Removes state.provide(), state.resolve(), state.finalizeAll(), and App.Providers from the public advanced routing API. These context provider extension points are now internal-only. If you were using them in an integration, use locals to share per-request state instead.

• #16982 1e000e2 Thanks @matthewp! - Improves the warning when accessing Astro.session without session storage configured. The session property is now always defined on the context object, and accessing it without configuration logs a helpful message instead of silently returning undefined.

• #16990 ebeb830 Thanks @ocavue! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

• #16549 9d9d516 Thanks @ocavue! - Updates @sveltejs/vite-plugin-svelte to v7. No user action is necessary.