Astro 6.1.8 Patches Critical Netlify Deploy Bug and Image Endpoint Security Flaw

lschvn

Astro 6.1.8 dropped on April 18 with two fixes that developers deploying to Netlify or Vercel should apply immediately, plus a handful of smaller improvements.

The Filename Bug That Breaks Netlify Deploys

The most impactful fix in this release addresses a regression introduced in earlier 6.x versions: build output filenames could contain special characters (!, ~, {, }, and others) that are invalid or stripped on certain deployment platforms.

The issue surfaces on Netlify specifically. Netlify's skew protection mechanism, which ensures deployed assets match the build output, strips characters it considers unsafe from filenames before deploying. If your built HTML references chunk.abc123!~{x}.js and Netlify serves it as chunk.abc123.js, the file reference breaks and the page fails to load.

The Astro team confirmed this affected builds where dynamic imports or certain code-splitting patterns produced chunks with hash-like segments containing these characters. Version 6.1.8 normalizes the output filenames to avoid the problematic characters before the build artifacts are written.

If you've been debugging mysterious blank pages on Netlify deploys with no build errors, this is likely the cause.

/_image Endpoint Content-Type Confusion

The second notable fix closes a security gap in Astro's built-in image optimization endpoint (/_image). The endpoint accepted an arbitrary f=svg query parameter and would serve whatever content was returned from the upstream URL as image/svg+xml, without checking that the content was actually SVG.

An attacker could potentially use this for content-type confusion attacks, cache poisoning, or social engineering if they could convince a victim to load a crafted image URL pointing at an internal endpoint. The Astro team notes that the endpoint requires allowedDomains to be configured, which limits the blast radius, but the fix is still the right call: the endpoint now validates that the source is actually SVG before setting the image/svg+xml content type.
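The content-type decision described above, modelled as an added example (not Astro's own code): the pre-fix path trusts the f=svg parameter alone, while the fixed path first sniffs the upstream bytes for an SVG root element and keeps the allowedDomains gate in front of both. The function names, the sample config and bodies, and the sniffing rules are assumptions made for this illustration.

```javascript
// Added example, not Astro's own code: a minimal model of the /_image
// endpoint's content-type decision before and after the 6.1.8-style fix.
// Function names, sample config and the SVG sniffing rules are assumptions.
const ALLOWED_DOMAINS = ['images.example.com']; // constructed sample config
const enc = (s) => new TextEncoder().encode(s);

// Constructed sample upstream bodies: a real SVG, an HTML page, PNG magic bytes.
const SVG_BODY = enc('<?xml version="1.0"?>\n<!-- constructed -->\n' +
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>');
const HTML_BODY = enc('<!DOCTYPE html><html><body>not an image</body></html>');
const PNG_BODY = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// allowedDomains gate: only hosts on the allow-list may be fetched at all.
function isAllowedSource(url) {
  return ALLOWED_DOMAINS.includes(new URL(url).hostname);
}

// Conservative sniff: after an optional BOM, whitespace, XML declaration,
// DOCTYPE and comments, the first element must be <svg ...>.
function looksLikeSvg(body) {
  const text = new TextDecoder('utf-8').decode(body).replace(/^\uFEFF/, '');
  const rest = text.replace(/^(?:\s|<\?xml[^>]*\?>|<!--[\s\S]*?-->|<!DOCTYPE[^>]*>)*/i, '');
  return /^<svg[\s>/]/i.test(rest);
}

// Before: f=svg alone selects the content type, whatever the bytes are.
function contentTypeBefore(format, _body) {
  return format === 'svg' ? 'image/svg+xml' : 'application/octet-stream';
}

// After: f=svg is honoured only when the body really is SVG; anything else gets
// a generic type (the exact fallback Astro uses is an assumption here).
function contentTypeAfter(format, body) {
  return format === 'svg' && looksLikeSvg(body) ? 'image/svg+xml' : 'application/octet-stream';
}

// Full decision for one request: allow-list first, then the type check.
function handleImageRequest(sourceUrl, format, body, fixed = true) {
  if (!isAllowedSource(sourceUrl)) return { status: 403, contentType: null };
  const decide = fixed ? contentTypeAfter : contentTypeBefore;
  return { status: 200, contentType: decide(format, body) };
}
```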

This is a defense-in-depth fix in the same category as the H3 redirectBack() protection in this week's Nitro update: not a critical remote code execution, but a real security gap that should be closed.

Performance: Dev Server Dependency Caching

On the non-security side, the dev server gains a small but measurable performance improvement: the internal crawling of project dependencies is now cached between requests. In projects with many routes and a deep dependency graph, this reduces redundant file-system traversal on each page refresh.

Other Fixes in 6.1.8

  • Fixes dynamic import chunks receiving fresh hashes on every build, making HMR and cache behavior more predictable
  • allowedDomains are now correctly propagated to the dev server
  • Vue scoped styles behave correctly during client-side router navigation in dev mode
  • /_image endpoint now validates that the source is actually SVG before serving as image/svg+xml
  • Fixes build errors on Vercel and Netlify for inter-chunk JavaScript using dynamic imports

Upgrade

Run npx @astrojs/upgrade or npm install astro@latest to update. If you're on Netlify or Vercel, check that your most recent deploy is actually loading all assets correctly, because the filename bug could have silently produced broken production deploys.
