5 hours ago
lexical

v0.48.0

v0.48.0 is a maintenance release focused on bug fixes across Markdown, tables, lists, links, and selection. It's headlined by a fix for a v0.46.0 regression that broke native text drag-and-drop (#8842) and a couple of notable security hardening fixes. It also adds a handful of new features, including an MdastHtmlExtension with examples for authoring custom Markdown constructs (collapsibles, kbd, alerts, footnotes), a customizable Yjs shared-type root name for collaborative editing, and new table row manipulation helpers.

New APIs & Features

Notable Fixes

Drag & drop (fix for v0.46.0 regression)

  • Don't cancel dragover for text drags, so native drops work again (#8842)

Security

  • LinkNode.sanitizeUrl() now fails closed on unparseable URLs, preventing a potential XSS vector (#8846)
  • Fixed a serialize-javascript dependency vulnerability (#8803)

Markdown & code

  • Roundtrip overlapping inline formats correctly through mdast/Markdown (#8825)
  • Force re-tokenization after an async language load so highlighting appears once the grammar is ready (#8830)

Tables

  • Auto-scroll while drag-selecting cells past the visible edge (#8822)
  • Enable table copy in read-only mode (#8845)

Lists & character limit

  • Backspace at the start of a list item now outdents or converts to a paragraph (#8829)
  • Merge adjacent OverflowNodes in useCharacterLimit (#8831)
  • Count block separators when wrapping character-limit overflow (#8840)

Links & selection

  • Disable link opening for disabled autolinks (#8839)
  • Skip scrollIntoViewIfNeeded when the selection rect is above the editor, fixing a Safari RTL caret jump (#8848)

What's Changed

New Contributors

Full Changelog: https://github.com/facebook/lexical/compare/v0.47.0...v0.48.0

8 hours ago
router

Release 2026-07-16 15:05

Release 2026-07-16 15:05

Changes

Features

  • benchmarks: client-side CPU benchmark scenario suite (#7732) (208100b7c0) by @Sheraff
  • start-plugin-core: support Rsbuild preview SSR middleware (#7372) (e499164c72) by @elecmonkey

Fix

  • benchmarks: Solid v2 type fixes for new benchmark scenarios (2bb318bdcf) by @brenelz
  • benchmarks: adapt new solid benchmarks from main to Solid v2 (26d94d93fc) by @brenelz
  • lockfile: restore @rspack/binding@2.0.8 platform binaries (01dbb52d06) by @brenelz
  • ci: release workflow OOM increase node max-old-space (#7723) (8bdb21e062) by @Sheraff
  • ci: release workflow OOM during update-example-deps lockfile update (#7722) (572fb2b860) by @Sheraff
  • router-core: preserve percent-encoded URL-unsafe chars in decodeSegment (#7695) (9809a0619d) by @CDillinger

Performance

  • start-client-core: zero-copy frame payload extraction (#7662) (ba52d2b8f9) by @anonrig
  • router-core: cache lightweight route matches (#7601) (a415471437) by @Sheraff

Packages

  • @tanstack/react-router@1.170.17
  • @tanstack/react-start@1.168.27
  • @tanstack/react-start-client@1.168.15
  • @tanstack/react-start-rsc@0.1.26
  • @tanstack/react-start-server@1.167.21
  • @tanstack/router-cli@1.167.18
  • @tanstack/router-core@1.171.14
  • @tanstack/router-generator@1.167.18
  • @tanstack/router-plugin@1.168.19
  • @tanstack/router-vite-plugin@1.167.19
  • @tanstack/solid-router@2.0.0-beta.24
  • @tanstack/solid-router-devtools@2.0.0-beta.19
  • @tanstack/solid-router-ssr-query@2.0.0-beta.25
  • @tanstack/solid-start@2.0.0-beta.25
  • @tanstack/solid-start-client@2.0.0-beta.24
  • @tanstack/solid-start-server@2.0.0-beta.24
  • @tanstack/start-client-core@1.170.13
  • @tanstack/start-plugin-core@1.171.19
  • @tanstack/start-server-core@1.169.16
  • @tanstack/start-static-server-functions@1.167.18
  • @tanstack/start-storage-context@1.167.16
  • @tanstack/vue-router@1.170.16
  • @tanstack/vue-start@1.168.26
  • @tanstack/vue-start-client@1.167.18
  • @tanstack/vue-start-server@1.167.21
8 hours ago
router

@tanstack/solid-start@2.0.0-beta.25

Patch Changes

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.17

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.18

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.19 and vite-plugin-solid to 3.0.0-next.11

  • Updated dependencies [ebe104c, ebe104c, ebe104c, ebe104c]:

    • @tanstack/solid-router@2.0.0-beta.24
    • @tanstack/solid-start-client@2.0.0-beta.24
    • @tanstack/solid-start-server@2.0.0-beta.24
8 hours ago
router

@tanstack/solid-router@2.0.0-beta.24

Patch Changes

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.17

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.18

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.19 and vite-plugin-solid to 3.0.0-next.11

  • #7813 ebe104c - Suspend on the match loadPromise only during SSR. On the client, suspending on the pending match kept a live async source in the tree, which since solid-js@2.0.0-beta.16 routed signal writes into a transition hold and broke synchronous write-then-load flows such as invalidate() on a notFound match.

8 hours ago
router

@tanstack/solid-start-client@2.0.0-beta.24

Patch Changes

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.17

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.18

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.19 and vite-plugin-solid to 3.0.0-next.11

  • Updated dependencies [ebe104c, ebe104c, ebe104c, ebe104c]:

    • @tanstack/solid-router@2.0.0-beta.24
8 hours ago
router

@tanstack/solid-start-server@2.0.0-beta.24

Patch Changes

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.17

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.18

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.19 and vite-plugin-solid to 3.0.0-next.11

  • Updated dependencies [ebe104c, ebe104c, ebe104c, ebe104c]:

    • @tanstack/solid-router@2.0.0-beta.24
8 hours ago
router

@tanstack/solid-router-ssr-query@2.0.0-beta.25

Patch Changes

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.17

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.18

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.19 and vite-plugin-solid to 3.0.0-next.11

8 hours ago
router

@tanstack/solid-router-devtools@2.0.0-beta.19

Patch Changes

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.17

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.18

  • #7813 ebe104c - Upgrade solid-js and @solidjs/web to 2.0.0-beta.19 and vite-plugin-solid to 3.0.0-next.11

  • Updated dependencies [ebe104c, ebe104c, ebe104c, ebe104c]:

    • @tanstack/solid-router@2.0.0-beta.24
11 hours ago
astro

astro@7.1.0

Minor Changes

  • #17302 5f4dc03 Thanks @astrobot-houston! - Adds a new deferRender option to the glob() content loader

    When set to true, renderable entries (such as Markdown) are not rendered during content sync. Instead, rendering is deferred until the entry is actually rendered in a page, using the same on-demand path that .mdx files already use.

    This reduces memory usage during astro build for large collections whose rendered output is much larger than the source — for example, Markdown that uses heavy rehype plugins like rehype-katex. Such builds could previously run out of memory while storing the eagerly-rendered HTML for every entry.

    // src/content.config.ts
    import { defineCollection } from 'astro:content';
    import { glob } from 'astro/loaders';
    
    const docs = defineCollection({
      loader: glob({ pattern: '**/*.md', base: 'src/content/docs', deferRender: true }),
    });

    By default deferRender is false, preserving the existing behavior of rendering entries eagerly during sync so their rendered HTML can be cached across builds.

  • #17296 30698a2 Thanks @ematipico! - Adds a new experimental collectionStorage option for controlling how the content layer persists its data store

    By default, Astro serializes the entire content layer data store to a single file (.astro/data-store.json). For very large content collections, this file can grow large enough to hit platform file-size limits.

    Set experimental.collectionStorage: 'chunked' to instead split the data store across many smaller, content-addressed files inside a .astro/data-store/ directory, described by a manifest:

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      experimental: {
        collectionStorage: 'chunked',
      },
    });

    Because each part file is named by a hash of its contents, unchanged parts keep the same name across builds and are not rewritten, and identical parts are deduplicated. The default value is 'single-file', which preserves the current behavior.

  • #17214 44c4989 Thanks @ematipico! - Adds support for the more specific CSP directives script-src-elem, script-src-attr, style-src-elem, and style-src-attr through a new kind option.

    Previously, CSP was only scoped to generic script-src/style-src directives. Now each source or hash can be scoped to a narrower directive — for example, to allow inline style attributes (such as those from define:vars or Shiki) without loosening the policy for your <style> and <link> elements.

    Scoping sources and hashes in your config

    Each entry in resources and hashes can be an object with a kind property. Depending on whether you use scriptDirective or styleDirective, "element" targets script-src-elem or style-src-elem, "attribute" targets script-src-attr or style-src-attr, and "default" (the same as a bare string or hash) targets script-src or style-src.

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      security: {
        csp: {
          scriptDirective: {
            resources: [{ resource: 'https://cdn.example.com', kind: 'element' }],
          },
          styleDirective: {
            resources: [{ resource: "'unsafe-inline'", kind: 'attribute' }],
          },
        },
      },
    });

    Scoping at runtime

    The same kind option is available on the runtime CSP API, where the existing methods now also accept an object:

    ctx.csp.insertScriptResource({ resource: 'https://cdn.example.com', kind: 'element' });
    ctx.csp.insertStyleResource({ resource: "'unsafe-inline'", kind: 'attribute' });
  • #17258 84814d4 Thanks @astrobot-houston! - Adds a new format() option to the paginate utility. The format() option is a function that accepts the current URL of the page, and returns a new URL.

    For example, when your host only supports URLs using the .html extension, you can use format() to add it to the generated URLs:

    ---
    export async function getStaticPaths({ paginate }) {
      // Load your data with fetch(), getCollection(), etc.
      const response = await fetch(`https://pokeapi.co/api/v2/pokemon?limit=150`);
      const result = await response.json();
      const allPokemon = result.results;
    
      // Return a paginated collection of paths for all items
      return paginate(allPokemon, {
        pageSize: 10,
        format: (url) => `${url}.html`,
      });
    }
    
    const { page } = Astro.props;
    ---
  • #17331 7db6420 Thanks @matthewp! - Adds a --ignore-lock flag to astro dev for starting a dev server without checking or writing the lock file, so it can run alongside an already-running dev server for the same project.

    The new instance is not tracked by astro dev stop, astro dev status, or astro dev logs. --ignore-lock cannot be combined with --background (or an auto-detected AI agent environment, which runs dev servers in the background automatically) or --force, since those rely on the lock file.

    astro dev --ignore-lock
  • #17389 16de021 Thanks @florian-lefebvre! - Allows passing URL entrypoints when configuring the logger

    Matching other APIs like session drivers or font providers, the logger entrypoint can now be a URL:

    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      logger: {
        entrypoint: new URL('./logger.js', import.meta.url),
      },
    });

Patch Changes

  • #17332 4407483 Thanks @astrobot-houston! - Fixes the JSON logger crashing with process is not defined in non-Node runtimes like Cloudflare's workerd. The JSON logger now uses console.log/console.error instead of process.stdout/process.stderr, matching the pattern already used by the console logger.

  • #17391 186a1e7 Thanks @florian-lefebvre! - Fixes a case where an integration could not update the logger with updateConfig()

  • #17394 d9f99e1 Thanks @matthewp! - Fixes element-specific CSP directives to preserve the existing behavior of configured script and style resources

  • #17374 b2d1b3e Thanks @astrobot-houston! - Fixes dev server returning 404 for ?url imported assets when accessed via browser navigation

  • #17390 ed71eaf Thanks @florian-lefebvre! - Removes an unused and undocumented generic from the AstroLoggerDestination type

  • #17393 092da56 Thanks @matthewp! - Hardens generated transition styles, development metadata, and server island URLs when embedding dynamic values

11 hours ago
drawio