diff --git a/.changeset/harden-dev-server-sec-fetch.md b/.changeset/harden-dev-server-sec-fetch.md
new file mode 100644
index 000000000000..9360ae6cf0a0
--- /dev/null
+++ b/.changeset/harden-dev-server-sec-fetch.md
@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Hardens the dev server by validating Sec-Fetch metadata headers to restrict cross-origin subresource requests
diff --git a/.changeset/pre.json b/.changeset/pre.json
index 0f8a73227f0e..a87f5bc6248b 100644
--- a/.changeset/pre.json
+++ b/.changeset/pre.json
@@ -95,6 +95,7 @@
     "dull-mangos-travel",
     "eager-owls-stare",
     "early-badgers-pull",
+    "early-times-drop",
     "emit-client-asset-api",
     "encoding-static-builds",
     "every-carpets-grin",
@@ -105,10 +106,13 @@
     "fast-bushes-fall",
     "fast-wolves-render",
     "fifty-dingos-study",
+    "fix-action-prototype-traversal",
+    "fix-cloudflare-static-output",
     "fix-content-hmr",
     "fix-create-astro-registry-hang",
     "fix-font-head-swap",
     "fix-forwarded-proto-allowed-domains",
+    "fix-i18n-fallback-redirect",
     "fix-large-static-build-promise-all",
     "fix-large-static-routes-stack-overflow",
     "fix-markdoc-table-attributes",
@@ -118,8 +122,11 @@
     "fix-preact-cloudflare-hooks",
     "fix-rewrite-non-ascii-paths",
     "fix-serve-files-outside-srcdir",
+    "fix-server-island-dev-build-output",
+    "fix-session-regenerate-dirty",
     "fix-ssr-prerendered-image-deletion",
     "fix-store-race-condition",
+    "fix-svg-content-collection-component",
     "fix-svg-content-collection-deadlock",
     "fix-vite-runner-closed",
     "flat-lions-care",
@@ -145,6 +152,9 @@
     "green-zebras-lick",
     "grumpy-tables-serve",
     "happy-falcons-show",
+    "harden-attribute-escaping",
+    "harden-merge-responses-cookies",
+    "harden-xff-allowed-domains",
     "heavy-beers-unite",
     "heavy-cats-own",
     "heavy-parts-throw",
@@ -152,6 +162,7 @@
     "hojze-jglnm-ggfbv",
     "honest-deer-add",
     "hot-eyes-sink",
+    "humble-humans-sink",
     "hungry-jars-pump",
     "icy-pigs-smile",
     "internal-helpers-normalize-pathname",
@@ -160,6 +171,7 @@
     "khaki-bushes-stop",
     "khaki-toys-think",
     "kind-emus-relate",
+    "kind-hairs-report",
     "kind-pears-behave",
     "large-ears-ask",
     "large-keys-see",
@@ -170,10 +182,12 @@
     "legacy-collections-backwards-compat-docs",
     "light-parrots-find",
     "little-goats-poke",
+    "long-bushes-rest",
     "long-chefs-tie",
     "long-trams-see",
     "lovely-mice-sniff",
     "lowercase-style-tags",
+    "major-lights-kiss",
     "many-banks-hammer",
     "many-cars-hope",
     "markdoc-emit-client-asset",
@@ -191,7 +205,9 @@
     "open-monkeys-boil",
     "optional-wrangler-config",
     "orange-boats-refuse",
+    "polite-balloons-rhyme",
     "polite-terms-shop",
+    "preserve-directory-structure",
     "pretty-forks-smash",
     "proud-pans-change",
     "public-files-priority",
@@ -203,6 +219,8 @@
     "quiet-owls-jump",
     "ready-eagles-wink",
     "ready-tigers-try",
+    "red-quail-bite",
+    "redirect-catch-all-hardening",
     "remove-cloudflare-modules",
     "render-markdown-file-url",
     "render-markdown-frontmatter",
@@ -213,6 +231,7 @@
     "sad-lines-hear",
     "sad-teams-end",
     "server-island-slot-scripts",
+    "shiki-v4",
     "short-pears-hammer",
     "shy-cats-grin",
     "silly-eels-remain",
@@ -221,13 +240,16 @@
     "slick-plums-remain",
     "slimy-fans-sing",
     "slimy-queens-punch",
+    "slow-coins-write",
     "slow-laws-marry",
     "small-ghosts-sort",
     "smart-mammals-stop",
+    "smart-pillows-chew",
     "smooth-kids-tease",
     "social-jeans-mix",
     "social-kings-swim",
     "social-maps-shine",
+    "soft-vans-ask",
     "solid-fans-jam",
     "solid-sloths-call",
     "some-olives-march",
@@ -252,6 +274,7 @@
     "tender-bats-tan",
     "tender-moose-help",
     "thin-hands-find",
+    "thirty-experts-tickle",
     "three-sheep-burn",
     "tiny-books-scream",
     "tired-eels-cough",
@@ -264,6 +287,7 @@
     "vite-environments-breaking",
     "vite-plugin-react-v5",
     "vite-plugin-vue-v6",
+    "warm-comics-pump",
     "warm-donuts-learn",
     "warm-dots-glow",
     "wet-lines-wear",
diff --git a/.changeset/purple-steaks-begin.md b/.changeset/purple-steaks-begin.md
new file mode 100644
index 000000000000..e4f2236b3ca5
--- /dev/null
+++ b/.changeset/purple-steaks-begin.md
@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Fixes a bug where some requests to the dev server didn't start with the leading `/`.
diff --git a/examples/basics/package.json b/examples/basics/package.json
index 089324517991..6577738f03b1 100644
--- a/examples/basics/package.json
+++ b/examples/basics/package.json
@@ -13,6 +13,6 @@
     "astro": "astro"
   },
   "dependencies": {
-    "astro": "^6.0.0-beta.17"
+    "astro": "^6.0.0-beta.18"
   }
 }
diff --git a/examples/blog/package.json b/examples/blog/package.json
index 8816b7b3cd53..f2fe6aafebea 100644
--- a/examples/blog/package.json
+++ b/examples/blog/package.json
@@ -13,10 +13,10 @@
     "astro": "astro"
   },
   "dependencies": {
-    "@astrojs/mdx": "^5.0.0-beta.9",
+    "@astrojs/mdx": "^5.0.0-beta.10",
     "@astrojs/rss": "^4.0.15-beta.4",
     "@astrojs/sitemap": "^3.6.1-beta.3",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "sharp": "^0.34.3"
   }
 }
diff --git a/examples/component/package.json b/examples/component/package.json
index 6a544eb47985..66a9ff5f2551 100644
--- a/examples/component/package.json
+++ b/examples/component/package.json
@@ -18,7 +18,7 @@
   ],
   "scripts": {},
   "devDependencies": {
-    "astro": "^6.0.0-beta.17"
+    "astro": "^6.0.0-beta.18"
   },
   "peerDependencies": {
     "astro": "^5.0.0 || ^6.0.0"
diff --git a/examples/container-with-vitest/package.json b/examples/container-with-vitest/package.json
index 878afcaf09a6..1c8b0fcdf6c0 100644
--- a/examples/container-with-vitest/package.json
+++ b/examples/container-with-vitest/package.json
@@ -15,7 +15,7 @@
   },
   "dependencies": {
     "@astrojs/react": "^5.0.0-beta.3",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "vitest": "^3.2.4"
diff --git a/examples/framework-alpine/package.json b/examples/framework-alpine/package.json
index a4e6c6f85d1b..d786b6c21c82 100644
--- a/examples/framework-alpine/package.json
+++ b/examples/framework-alpine/package.json
@@ -16,6 +16,6 @@
     "@astrojs/alpinejs": "^0.5.0-beta.1",
     "@types/alpinejs": "^3.13.11",
     "alpinejs": "^3.15.8",
-    "astro": "^6.0.0-beta.17"
+    "astro": "^6.0.0-beta.18"
   }
 }
diff --git a/examples/framework-multiple/package.json b/examples/framework-multiple/package.json
index 666f4d1998f0..aa14e791aa22 100644
--- a/examples/framework-multiple/package.json
+++ b/examples/framework-multiple/package.json
@@ -20,7 +20,7 @@
     "@astrojs/vue": "^6.0.0-beta.1",
     "@types/react": "^18.3.28",
     "@types/react-dom": "^18.3.7",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "preact": "^10.28.4",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
diff --git a/examples/framework-preact/package.json b/examples/framework-preact/package.json
index cac6b7e114b7..f89d75a41969 100644
--- a/examples/framework-preact/package.json
+++ b/examples/framework-preact/package.json
@@ -15,7 +15,7 @@
   "dependencies": {
     "@astrojs/preact": "^5.0.0-beta.4",
     "@preact/signals": "^2.8.1",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "preact": "^10.28.4"
   }
 }
diff --git a/examples/framework-react/package.json b/examples/framework-react/package.json
index 6a3c48f9ef04..be59dfc0b627 100644
--- a/examples/framework-react/package.json
+++ b/examples/framework-react/package.json
@@ -16,7 +16,7 @@
     "@astrojs/react": "^5.0.0-beta.3",
     "@types/react": "^18.3.28",
     "@types/react-dom": "^18.3.7",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "react": "^18.3.1",
     "react-dom": "^18.3.1"
   }
diff --git a/examples/framework-solid/package.json b/examples/framework-solid/package.json
index 446682d44915..0adc50679cf7 100644
--- a/examples/framework-solid/package.json
+++ b/examples/framework-solid/package.json
@@ -14,7 +14,7 @@
   },
   "dependencies": {
     "@astrojs/solid-js": "^6.0.0-beta.2",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "solid-js": "^1.9.11"
   }
 }
diff --git a/examples/framework-svelte/package.json b/examples/framework-svelte/package.json
index a57a592464a2..34e44e9b1345 100644
--- a/examples/framework-svelte/package.json
+++ b/examples/framework-svelte/package.json
@@ -14,7 +14,7 @@
   },
   "dependencies": {
     "@astrojs/svelte": "^8.0.0-beta.3",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "svelte": "^5.53.5"
   }
 }
diff --git a/examples/framework-vue/package.json b/examples/framework-vue/package.json
index 587abc886c7e..4c0de677fc52 100644
--- a/examples/framework-vue/package.json
+++ b/examples/framework-vue/package.json
@@ -14,7 +14,7 @@
   },
   "dependencies": {
     "@astrojs/vue": "^6.0.0-beta.1",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "vue": "^3.5.29"
   }
 }
diff --git a/examples/hackernews/package.json b/examples/hackernews/package.json
index b5019572b4d6..4bfb774d04ea 100644
--- a/examples/hackernews/package.json
+++ b/examples/hackernews/package.json
@@ -13,7 +13,7 @@
     "astro": "astro"
   },
   "dependencies": {
-    "@astrojs/node": "^10.0.0-beta.6",
-    "astro": "^6.0.0-beta.17"
+    "@astrojs/node": "^10.0.0-beta.7",
+    "astro": "^6.0.0-beta.18"
   }
 }
diff --git a/examples/integration/package.json b/examples/integration/package.json
index 74da1874298d..7327cf3a637b 100644
--- a/examples/integration/package.json
+++ b/examples/integration/package.json
@@ -18,7 +18,7 @@
   ],
   "scripts": {},
   "devDependencies": {
-    "astro": "^6.0.0-beta.17"
+    "astro": "^6.0.0-beta.18"
   },
   "peerDependencies": {
     "astro": "^4.0.0"
diff --git a/examples/minimal/package.json b/examples/minimal/package.json
index 18f4714fab05..1c5d7d525809 100644
--- a/examples/minimal/package.json
+++ b/examples/minimal/package.json
@@ -13,6 +13,6 @@
     "astro": "astro"
   },
   "dependencies": {
-    "astro": "^6.0.0-beta.17"
+    "astro": "^6.0.0-beta.18"
   }
 }
diff --git a/examples/portfolio/package.json b/examples/portfolio/package.json
index 3189a474dec1..828e904a8c1a 100644
--- a/examples/portfolio/package.json
+++ b/examples/portfolio/package.json
@@ -13,6 +13,6 @@
     "astro": "astro"
   },
   "dependencies": {
-    "astro": "^6.0.0-beta.17"
+    "astro": "^6.0.0-beta.18"
   }
 }
diff --git a/examples/ssr/package.json b/examples/ssr/package.json
index de1905e3c1e9..8e6a32b827ae 100644
--- a/examples/ssr/package.json
+++ b/examples/ssr/package.json
@@ -14,9 +14,9 @@
     "server": "node dist/server/entry.mjs"
   },
   "dependencies": {
-    "@astrojs/node": "^10.0.0-beta.6",
+    "@astrojs/node": "^10.0.0-beta.7",
     "@astrojs/svelte": "^8.0.0-beta.3",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "svelte": "^5.53.5"
   }
 }
diff --git a/examples/starlog/package.json b/examples/starlog/package.json
index f11da4f42517..de305ae40dfd 100644
--- a/examples/starlog/package.json
+++ b/examples/starlog/package.json
@@ -9,7 +9,7 @@
     "astro": "astro"
   },
   "dependencies": {
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "sass": "^1.97.3",
     "sharp": "^0.34.3"
   },
diff --git a/examples/toolbar-app/package.json b/examples/toolbar-app/package.json
index 5273c8819a10..1856e6cdad9d 100644
--- a/examples/toolbar-app/package.json
+++ b/examples/toolbar-app/package.json
@@ -16,7 +16,7 @@
   },
   "devDependencies": {
     "@types/node": "^18.17.8",
-    "astro": "^6.0.0-beta.17"
+    "astro": "^6.0.0-beta.18"
   },
   "engines": {
     "node": ">=22.12.0"
diff --git a/examples/with-markdoc/package.json b/examples/with-markdoc/package.json
index 0bbfdb06ff47..e4c3b09effce 100644
--- a/examples/with-markdoc/package.json
+++ b/examples/with-markdoc/package.json
@@ -13,7 +13,7 @@
     "astro": "astro"
   },
   "dependencies": {
-    "@astrojs/markdoc": "^1.0.0-beta.12",
-    "astro": "^6.0.0-beta.17"
+    "@astrojs/markdoc": "^1.0.0-beta.13",
+    "astro": "^6.0.0-beta.18"
   }
 }
diff --git a/examples/with-mdx/package.json b/examples/with-mdx/package.json
index 14bfefccf386..73f889680e39 100644
--- a/examples/with-mdx/package.json
+++ b/examples/with-mdx/package.json
@@ -13,9 +13,9 @@
     "astro": "astro"
   },
   "dependencies": {
-    "@astrojs/mdx": "^5.0.0-beta.9",
+    "@astrojs/mdx": "^5.0.0-beta.10",
     "@astrojs/preact": "^5.0.0-beta.4",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "preact": "^10.28.4"
   }
 }
diff --git a/examples/with-nanostores/package.json b/examples/with-nanostores/package.json
index d31e628cf9a0..4a5536d3931f 100644
--- a/examples/with-nanostores/package.json
+++ b/examples/with-nanostores/package.json
@@ -15,7 +15,7 @@
   "dependencies": {
     "@astrojs/preact": "^5.0.0-beta.4",
     "@nanostores/preact": "^1.0.0",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "nanostores": "^1.1.1",
     "preact": "^10.28.4"
   }
diff --git a/examples/with-tailwindcss/package.json b/examples/with-tailwindcss/package.json
index 71b29a8c3638..f09645e978c7 100644
--- a/examples/with-tailwindcss/package.json
+++ b/examples/with-tailwindcss/package.json
@@ -13,10 +13,10 @@
     "astro": "astro"
   },
   "dependencies": {
-    "@astrojs/mdx": "^5.0.0-beta.9",
+    "@astrojs/mdx": "^5.0.0-beta.10",
     "@tailwindcss/vite": "^4.2.1",
     "@types/canvas-confetti": "^1.9.0",
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "canvas-confetti": "^1.9.4",
     "tailwindcss": "^4.2.1"
   }
diff --git a/examples/with-vitest/package.json b/examples/with-vitest/package.json
index 338345a2f410..ff8f1e55cc02 100644
--- a/examples/with-vitest/package.json
+++ b/examples/with-vitest/package.json
@@ -14,7 +14,7 @@
     "test": "vitest"
   },
   "dependencies": {
-    "astro": "^6.0.0-beta.17",
+    "astro": "^6.0.0-beta.18",
     "vitest": "^3.2.4"
   }
 }
diff --git a/packages/astro/CHANGELOG.md b/packages/astro/CHANGELOG.md
index 70a77fe62c7c..49786be75e72 100644
--- a/packages/astro/CHANGELOG.md
+++ b/packages/astro/CHANGELOG.md
@@ -1,5 +1,215 @@
 # astro
 
+## 6.0.0-beta.18
+
+### Major Changes
+
+- [#15668](https://github.com/withastro/astro/pull/15668) [`1118ac4`](https://github.com/withastro/astro/commit/1118ac4f299341e15061e8a4e6e8423071c4d41c) Thanks [@florian-lefebvre](https://github.com/florian-lefebvre)! - Changes TypeScript configuration - ([v6 upgrade guidance](https://v6.docs.astro.build/en/guides/upgrade-to/v6/#changed-typescript-configuration))
+
+- [#15726](https://github.com/withastro/astro/pull/15726) [`6f19ecc`](https://github.com/withastro/astro/commit/6f19ecc35adfb2ddaabbba2269630f95c13f5a57) Thanks [@ocavue](https://github.com/ocavue)! - Updates dependency `shiki` to v4
+
+  Check [Shiki's upgrade guide](https://shiki.style/blog/v4).
+
+### Minor Changes
+
+- [#15694](https://github.com/withastro/astro/pull/15694) [`66449c9`](https://github.com/withastro/astro/commit/66449c930e73e9a58ce547b9c32635a98a310966) Thanks [@matthewp](https://github.com/matthewp)! - Adds `preserveBuildClientDir` option to adapter features
+
+  Adapters can now opt in to preserving the client/server directory structure for static builds by setting `preserveBuildClientDir: true` in their adapter features. When enabled, static builds will output files to `build.client` instead of directly to `outDir`.
+
+  This is useful for adapters that require a consistent directory structure regardless of the build output type, such as deploying to platforms with specific file organization requirements.
+
+  ```js
+  // my-adapter/index.js
+  export default function myAdapter() {
+    return {
+      name: 'my-adapter',
+      hooks: {
+        'astro:config:done': ({ setAdapter }) => {
+          setAdapter({
+            name: 'my-adapter',
+            adapterFeatures: {
+              buildOutput: 'static',
+              preserveBuildClientDir: true,
+            },
+          });
+        },
+      },
+    };
+  }
+  ```
+
+- [#15579](https://github.com/withastro/astro/pull/15579) [`08437d5`](https://github.com/withastro/astro/commit/08437d531e31b79a42333a9f7aabaa9fe646ce4f) Thanks [@ascorbic](https://github.com/ascorbic)! - Adds two new experimental flags for a Route Caching API and further configuration-level Route Rules for controlling SSR response caching.
+
+  Route caching gives you a platform-agnostic way to cache server-rendered responses, based on web standard cache headers. You set caching directives in your routes using `Astro.cache` (in `.astro` pages) or `context.cache` (in API routes and middleware), and Astro translates them into the appropriate headers or runtime behavior depending on your adapter. You can also define cache rules for routes declaratively in your config using `experimental.routeRules`, without modifying route code.
+
+  This feature requires on-demand rendering. Prerendered pages are already static and do not use route caching.
+
+  #### Getting started
+
+  Enable the feature by configuring `experimental.cache` with a cache provider in your Astro config:
+
+  ```js
+  // astro.config.mjs
+  import { defineConfig } from 'astro/config';
+  import node from '@astrojs/node';
+  import { memoryCache } from 'astro/config';
+
+  export default defineConfig({
+    adapter: node({ mode: 'standalone' }),
+    experimental: {
+      cache: {
+        provider: memoryCache(),
+      },
+    },
+  });
+  ```
+
+  #### Using `Astro.cache` and `context.cache`
+
+  In `.astro` pages, use `Astro.cache.set()` to control caching:
+
+  ```astro
+  ---
+  // src/pages/index.astro
+  Astro.cache.set({
+    maxAge: 120, // Cache for 2 minutes
+    swr: 60, // Serve stale for 1 minute while revalidating
+    tags: ['home'], // Tag for targeted invalidation
+  });
+  ---
+
+  <html><body>Cached page</body></html>
+  ```
+
+  In API routes and middleware, use `context.cache`:
+
+  ```ts
+  // src/pages/api/data.ts
+  export function GET(context) {
+    context.cache.set({
+      maxAge: 300,
+      tags: ['api', 'data'],
+    });
+    return Response.json({ ok: true });
+  }
+  ```
+
+  #### Cache options
+
+  `cache.set()` accepts the following options:
+  - **`maxAge`** (number): Time in seconds the response is considered fresh.
+  - **`swr`** (number): Stale-while-revalidate window in seconds. During this window, stale content is served while a fresh response is generated in the background.
+  - **`tags`** (string[]): Cache tags for targeted invalidation. Tags accumulate across multiple `set()` calls within a request.
+  - **`lastModified`** (Date): When multiple `set()` calls provide `lastModified`, the most recent date wins.
+  - **`etag`** (string): Entity tag for conditional requests.
+
+  Call `cache.set(false)` to explicitly opt out of caching for a request.
+
+  Multiple calls to `cache.set()` within a single request are merged: scalar values use last-write-wins, `lastModified` uses most-recent-wins, and tags accumulate.
+
+  #### Invalidation
+
+  Purge cached entries by tag or path using `cache.invalidate()`:
+
+  ```ts
+  // Invalidate all entries tagged 'data'
+  await context.cache.invalidate({ tags: ['data'] });
+
+  // Invalidate a specific path
+  await context.cache.invalidate({ path: '/api/data' });
+  ```
+
+  #### Config-level route rules
+
+  Use `experimental.routeRules` to set default cache options for routes without modifying route code. Supports Nitro-style shortcuts for ergonomic configuration:
+
+  ```js
+  import { memoryCache } from 'astro/config';
+
+  export default defineConfig({
+    experimental: {
+      cache: {
+        provider: memoryCache(),
+      },
+      routeRules: {
+        // Shortcut form (Nitro-style)
+        '/api/*': { swr: 600 },
+
+        // Full form with nested cache
+        '/products/*': { cache: { maxAge: 3600, tags: ['products'] } },
+      },
+    },
+  });
+  ```
+
+  Route patterns support static paths, dynamic parameters (`[slug]`), and rest parameters (`[...path]`). Per-route `cache.set()` calls merge with (and can override) the config-level defaults.
+
+  You can also read the current cache state via `cache.options`:
+
+  ```ts
+  const { maxAge, swr, tags } = context.cache.options;
+  ```
+
+  #### Cache providers
+
+  Cache behavior is determined by the configured **cache provider**. There are two types:
+  - **CDN providers** set response headers (e.g. `CDN-Cache-Control`, `Cache-Tag`) and let the CDN handle caching. Astro strips these headers before sending the response to the client.
+  - **Runtime providers** implement `onRequest()` to intercept and cache responses in-process, adding an `X-Astro-Cache` header (HIT/MISS/STALE) for observability.
+
+  #### Built-in memory cache provider
+
+  Astro includes a built-in, in-memory LRU runtime cache provider. Import `memoryCache` from `astro/config` to configure it.
+
+  Features:
+  - In-memory LRU cache with configurable max entries (default: 1000)
+  - Stale-while-revalidate support
+  - Tag-based and path-based invalidation
+  - `X-Astro-Cache` response header: `HIT`, `MISS`, or `STALE`
+  - Query parameter sorting for better hit rates (`?b=2&a=1` and `?a=1&b=2` hit the same entry)
+  - Common tracking parameters (`utm_*`, `fbclid`, `gclid`, etc.) excluded from cache keys by default
+  - `Vary` header support — responses that set `Vary` automatically get separate cache entries per variant
+  - Configurable query parameter filtering via `query.exclude` (glob patterns) and `query.include` (allowlist)
+
+  For more information on enabling and using this feature in your project, see the [Experimental Route Caching docs](https://docs.astro.build/en/reference/experimental-flags/route-caching/).
+  For a complete overview and to give feedback on this experimental API, see the [Route Caching RFC](https://github.com/withastro/roadmap/pull/1245).
+
+### Patch Changes
+
+- [#15721](https://github.com/withastro/astro/pull/15721) [`e6e146c`](https://github.com/withastro/astro/commit/e6e146cb0ac535e21c26f6b1c3d2f65be9dbdb4c) Thanks [@matthewp](https://github.com/matthewp)! - Fixes action route handling to return 404 for requests to prototype method names like `constructor` or `toString` used as action paths
+
+- [#15704](https://github.com/withastro/astro/pull/15704) [`862d77b`](https://github.com/withastro/astro/commit/862d77bd6c3e05e20fd58293f9577ae685a9b8c9) Thanks [@umutkeltek](https://github.com/umutkeltek)! - Fixes i18n fallback middleware intercepting non-404 responses
+
+  The fallback middleware was triggering for all responses with status >= 300, including legitimate 3xx redirects, 403 forbidden, and 5xx server errors. This broke auth flows and form submissions on localized server routes. The fallback now correctly only triggers for 404 (page not found) responses.
+
+- [#15703](https://github.com/withastro/astro/pull/15703) [`829182b`](https://github.com/withastro/astro/commit/829182bbdfc307a005aea00ac8c00923f76efb08) Thanks [@matthewp](https://github.com/matthewp)! - Fixes server islands returning a 500 error in dev mode for adapters that do not set `adapterFeatures.buildOutput` (e.g. `@astrojs/netlify`)
+
+- [#15749](https://github.com/withastro/astro/pull/15749) [`573d188`](https://github.com/withastro/astro/commit/573d188de9a7e6635f24004291c3e71e0ddc7a7a) Thanks [@ascorbic](https://github.com/ascorbic)! - Fixes a bug that caused `session.regenerate()` to silently lose session data
+
+  Previously, regenerated session data was not saved under the new session ID unless `set()` was also called.
+
+- [#15685](https://github.com/withastro/astro/pull/15685) [`1a323e5`](https://github.com/withastro/astro/commit/1a323e5c64c7c23212ed80546f593d930115d55c) Thanks [@jcayzac](https://github.com/jcayzac)! - Fix regression where SVG images in content collection `image()` fields could not be rendered as inline components. This behavior is now restored while preserving the TLA deadlock fix.
+
+- [#15740](https://github.com/withastro/astro/pull/15740) [`c5016fc`](https://github.com/withastro/astro/commit/c5016fc86c4928a26b49dbe144b5569d5d89ac04) Thanks [@matthewp](https://github.com/matthewp)! - Removes an escape hatch that skipped attribute escaping for URL values containing `&`, ensuring all dynamic attribute values are consistently escaped
+
+- [#15744](https://github.com/withastro/astro/pull/15744) [`fabb710`](https://github.com/withastro/astro/commit/fabb710c2514c5a1298e002dd961a1d79686f021) Thanks [@matthewp](https://github.com/matthewp)! - Fixes cookie handling during error page rendering to ensure cookies set by middleware are consistently included in the response
+
+- [#15742](https://github.com/withastro/astro/pull/15742) [`9d9699c`](https://github.com/withastro/astro/commit/9d9699c04aba7524bd3c8e1b8303691db19fa5bd) Thanks [@matthewp](https://github.com/matthewp)! - Hardens `clientAddress` resolution to respect `security.allowedDomains` for `X-Forwarded-For`, consistent with the existing handling of `X-Forwarded-Host`, `X-Forwarded-Proto`, and `X-Forwarded-Port`. The `X-Forwarded-For` header is now only used to determine `Astro.clientAddress` when the request's host has been validated against an `allowedDomains` entry. Without a matching domain, `clientAddress` falls back to the socket's remote address.
+
+- [#15696](https://github.com/withastro/astro/pull/15696) [`a9fd221`](https://github.com/withastro/astro/commit/a9fd221bda99db4660c241c494b6d3225eb4e51d) Thanks [@Princesseuh](https://github.com/Princesseuh)! - Fixes images not working in MDX when using the Cloudflare adapter in certain cases
+
+- [#15693](https://github.com/withastro/astro/pull/15693) [`4db2089`](https://github.com/withastro/astro/commit/4db2089a8e01cdb298c49f61817daf240ae07fa5) Thanks [@ArmandPhilippot](https://github.com/ArmandPhilippot)! - Fixes the links to Astro Docs to match the v6 structure.
+
+- [#15717](https://github.com/withastro/astro/pull/15717) [`4000aaa`](https://github.com/withastro/astro/commit/4000aaa2d361cbfc9bbf280a9b0e78e6db167945) Thanks [@matthewp](https://github.com/matthewp)! - Ensures that URLs with multiple leading slashes (e.g. `//admin`) are normalized to a single slash before reaching middleware, so that pathname checks like `context.url.pathname.startsWith('/admin')` work consistently regardless of the request URL format
+
+- [#15752](https://github.com/withastro/astro/pull/15752) [`918d394`](https://github.com/withastro/astro/commit/918d3949f3b92b1ae46dadd77cfb1404869c50bd) Thanks [@ascorbic](https://github.com/ascorbic)! - Fixes an issue where a session ID from a cookie with no matching server-side data was accepted as-is. The session now generates a new ID when the cookie value has no corresponding storage entry.
+
+- [#15743](https://github.com/withastro/astro/pull/15743) [`3b4252a`](https://github.com/withastro/astro/commit/3b4252a82a937fccbfd433d90a93ad524a7a6f7b) Thanks [@matthewp](https://github.com/matthewp)! - Hardens config-based redirects with catch-all parameters to prevent producing protocol-relative URLs (e.g. `//example.com`) in the `Location` header
+
+- [#15718](https://github.com/withastro/astro/pull/15718) [`14f37b8`](https://github.com/withastro/astro/commit/14f37b80aa2bd086cf31feccd5016c73a09822ae) Thanks [@florian-lefebvre](https://github.com/florian-lefebvre)! - Fixes a case where internal headers may leak when rendering error pages
+
+- Updated dependencies [[`6f19ecc`](https://github.com/withastro/astro/commit/6f19ecc35adfb2ddaabbba2269630f95c13f5a57), [`f94d3c5`](https://github.com/withastro/astro/commit/f94d3c5313e5a7576cf2cb316a85d68d335a188f)]:
+  - @astrojs/markdown-remark@7.0.0-beta.9
+
 ## 6.0.0-beta.17
 
 ### Minor Changes
diff --git a/packages/astro/package.json b/packages/astro/package.json
index 29f211728d85..fd482524d5f1 100644
--- a/packages/astro/package.json
+++ b/packages/astro/package.json
@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "6.0.0-beta.17",
+  "version": "6.0.0-beta.18",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
diff --git a/packages/astro/src/vite-plugin-astro-server/base.ts b/packages/astro/src/vite-plugin-astro-server/base.ts
index 23e04690fc2b..aea2a29f9865 100644
--- a/packages/astro/src/vite-plugin-astro-server/base.ts
+++ b/packages/astro/src/vite-plugin-astro-server/base.ts
@@ -1,6 +1,6 @@
 import * as fs from 'node:fs';
 import path from 'node:path';
-import { appendForwardSlash } from '@astrojs/internal-helpers/path';
+import { appendForwardSlash, prependForwardSlash } from '@astrojs/internal-helpers/path';
 import colors from 'piccolore';
 import type * as vite from 'vite';
 import type { Logger } from '../core/logger/core.js';
@@ -32,6 +32,7 @@ export function baseMiddleware(
 
 		if (pathname.startsWith(devRoot)) {
 			req.url = url.replace(devRoot, devRootReplacement);
+			if (!req.url.startsWith('/')) req.url = prependForwardSlash(req.url);
 			return next();
 		}
 
diff --git a/packages/astro/src/vite-plugin-astro-server/plugin.ts b/packages/astro/src/vite-plugin-astro-server/plugin.ts
index f2e5a8793461..50a0f04fc41b 100644
--- a/packages/astro/src/vite-plugin-astro-server/plugin.ts
+++ b/packages/astro/src/vite-plugin-astro-server/plugin.ts
@@ -31,6 +31,7 @@ import { createController } from './controller.js';
 import { recordServerError } from './error.js';
 import { setRouteError } from './server-state.js';
 import { routeGuardMiddleware } from './route-guard.js';
+import { secFetchMiddleware } from './sec-fetch.js';
 import { trailingSlashMiddleware } from './trailing-slash.js';
 import { sessionConfigToManifest } from '../core/session/utils.js';
 
@@ -108,6 +109,11 @@ export default function createVitePluginAstroServer({
 					route: '',
 					handle: routeGuardMiddleware(settings),
 				});
+				// Validate Sec-Fetch metadata headers to restrict cross-origin subresource requests
+				viteServer.middlewares.stack.unshift({
+					route: '',
+					handle: secFetchMiddleware(logger, settings.config.security?.allowedDomains),
+				});
 
 				// Note that this function has a name so other middleware can find it.
 				viteServer.middlewares.use(async function astroDevHandler(request, response) {
diff --git a/packages/astro/src/vite-plugin-astro-server/sec-fetch.ts b/packages/astro/src/vite-plugin-astro-server/sec-fetch.ts
new file mode 100644
index 000000000000..aa1630fd4640
--- /dev/null
+++ b/packages/astro/src/vite-plugin-astro-server/sec-fetch.ts
@@ -0,0 +1,82 @@
+import type { RemotePattern } from '@astrojs/internal-helpers/remote';
+import type * as vite from 'vite';
+import { BaseApp } from '../core/app/base.js';
+import type { Logger } from '../core/logger/core.js';
+
+/**
+ * Middleware that validates Sec-Fetch metadata headers on incoming requests
+ * to block cross-origin subresource requests (e.g. `<script>` tags from
+ * another origin loading dev server modules).
+ *
+ * Navigation requests (`Sec-Fetch-Mode: navigate`) are always allowed through
+ * because browsers enforce their own security model for top-level navigations.
+ *
+ * Requests without `Sec-Fetch-Site` (e.g. from non-browser clients like curl,
+ * or older browsers that don't send Fetch Metadata) are also allowed through
+ * to avoid breaking legitimate development workflows.
+ *
+ * When `security.allowedDomains` is configured, requests whose `Origin` header
+ * matches one of the allowed patterns are also permitted. This supports proxied
+ * dev server setups (e.g. ngrok, Cloudflare Tunnel) where the browser sees a
+ * different origin than the dev server itself.
+ */
+export function secFetchMiddleware(
+	logger: Logger,
+	allowedDomains?: Partial<RemotePattern>[],
+): vite.Connect.NextHandleFunction {
+	return function devSecFetch(req, res, next) {
+		const secFetchSite = req.headers['sec-fetch-site'];
+		const secFetchMode = req.headers['sec-fetch-mode'];
+
+		// If the browser didn't send Sec-Fetch-Site, allow the request through.
+		// This covers non-browser clients (curl, Postman, etc.) and older browsers.
+		if (!secFetchSite) {
+			return next();
+		}
+
+		// Same-origin, same-site, and "none" (e.g. direct address-bar navigation)
+		// are always safe.
+		if (secFetchSite === 'same-origin' || secFetchSite === 'same-site' || secFetchSite === 'none') {
+			return next();
+		}
+
+		// Cross-site or cross-origin requests:
+		// Allow top-level navigation (clicking a link, typing in the address bar).
+		// The browser will handle any security concerns for navigations.
+		if (secFetchMode === 'navigate' || secFetchMode === 'nested-navigate') {
+			return next();
+		}
+
+		// Allow WebSocket upgrade requests (used by HMR).
+		if (secFetchMode === 'websocket') {
+			return next();
+		}
+
+		// If allowedDomains is configured, check whether the request's Origin
+		// matches one of the allowed patterns. This allows proxied setups where
+		// the browser's origin differs from the dev server.
+		const origin = req.headers['origin'];
+		if (typeof origin === 'string') {
+			try {
+				const originUrl = new URL(origin);
+				const protocol = originUrl.protocol.slice(0, -1); // remove trailing ':'
+				if (BaseApp.validateForwardedHost(originUrl.host, allowedDomains, protocol)) {
+					return next();
+				}
+			} catch {
+				// Invalid origin URL, fall through to block
+			}
+		}
+
+		// Block all other cross-site/cross-origin subresource requests.
+		// This prevents `<script src="http://localhost:4321/...">` from another
+		// origin from loading transformed source code.
+		logger.warn(
+			'router',
+			`Blocked cross-origin request to ${req.url} (Sec-Fetch-Site: ${secFetchSite}, Sec-Fetch-Mode: ${secFetchMode}). Cross-origin subresource requests are not allowed on the dev server for security reasons.`,
+		);
+		res.statusCode = 403;
+		res.setHeader('Content-Type', 'text/plain');
+		res.end('Cross-origin request blocked');
+	};
+}
diff --git a/packages/astro/test/units/dev/sec-fetch.test.js b/packages/astro/test/units/dev/sec-fetch.test.js
new file mode 100644
index 000000000000..21de0902c69e
--- /dev/null
+++ b/packages/astro/test/units/dev/sec-fetch.test.js
@@ -0,0 +1,201 @@
+import * as assert from 'node:assert/strict';
+import { describe, it } from 'node:test';
+import { secFetchMiddleware } from '../../../dist/vite-plugin-astro-server/sec-fetch.js';
+import { createRequestAndResponse, defaultLogger } from '../test-utils.js';
+
+/**
+ * Helper to run a request through the secFetchMiddleware and return whether
+ * it was blocked (response ended with 403) or allowed (next() was called).
+ */
+function runMiddleware(headers, allowedDomains) {
+	const middleware = secFetchMiddleware(defaultLogger, allowedDomains);
+	const { req, res, done } = createRequestAndResponse({
+		method: 'GET',
+		url: '/src/pages/index.astro',
+		headers,
+	});
+
+	let nextCalled = false;
+	middleware(req, res, () => {
+		nextCalled = true;
+		res.statusCode = 200;
+		res.end();
+	});
+
+	return done.then(() => ({
+		nextCalled,
+		statusCode: res.statusCode,
+	}));
+}
+
+describe('secFetchMiddleware', () => {
+	describe('allows same-origin requests', () => {
+		it('allows requests with Sec-Fetch-Site: same-origin', async () => {
+			const result = await runMiddleware({
+				'sec-fetch-site': 'same-origin',
+				'sec-fetch-mode': 'cors',
+			});
+			assert.equal(result.nextCalled, true);
+		});
+
+		it('allows requests with Sec-Fetch-Site: same-site', async () => {
+			const result = await runMiddleware({
+				'sec-fetch-site': 'same-site',
+				'sec-fetch-mode': 'cors',
+			});
+			assert.equal(result.nextCalled, true);
+		});
+
+		it('allows requests with Sec-Fetch-Site: none (direct navigation)', async () => {
+			const result = await runMiddleware({
+				'sec-fetch-site': 'none',
+				'sec-fetch-mode': 'navigate',
+			});
+			assert.equal(result.nextCalled, true);
+		});
+	});
+
+	describe('allows requests without Sec-Fetch headers', () => {
+		it('allows requests with no Sec-Fetch headers (non-browser clients)', async () => {
+			const result = await runMiddleware({});
+			assert.equal(result.nextCalled, true);
+		});
+	});
+
+	describe('allows cross-origin navigation requests', () => {
+		it('allows cross-site navigate requests', async () => {
+			const result = await runMiddleware({
+				'sec-fetch-site': 'cross-site',
+				'sec-fetch-mode': 'navigate',
+			});
+			assert.equal(result.nextCalled, true);
+		});
+
+		it('allows cross-origin navigate requests', async () => {
+			const result = await runMiddleware({
+				'sec-fetch-site': 'cross-site',
+				'sec-fetch-mode': 'nested-navigate',
+			});
+			assert.equal(result.nextCalled, true);
+		});
+	});
+
+	describe('allows websocket requests', () => {
+		it('allows cross-site websocket upgrades (HMR)', async () => {
+			const result = await runMiddleware({
+				'sec-fetch-site': 'cross-site',
+				'sec-fetch-mode': 'websocket',
+			});
+			assert.equal(result.nextCalled, true);
+		});
+	});
+
+	describe('blocks cross-origin subresource requests', () => {
+		it('blocks cross-site no-cors requests (script tag from another origin)', async () => {
+			const result = await runMiddleware({
+				'sec-fetch-site': 'cross-site',
+				'sec-fetch-mode': 'no-cors',
+				'sec-fetch-dest': 'script',
+			});
+			assert.equal(result.nextCalled, false);
+			assert.equal(result.statusCode, 403);
+		});
+
+		it('blocks cross-site cors requests', async () => {
+			const result = await runMiddleware({
+				'sec-fetch-site': 'cross-site',
+				'sec-fetch-mode': 'cors',
+				'sec-fetch-dest': 'script',
+			});
+			assert.equal(result.nextCalled, false);
+			assert.equal(result.statusCode, 403);
+		});
+
+		it('blocks cross-origin no-cors requests', async () => {
+			const result = await runMiddleware({
+				'sec-fetch-site': 'cross-site',
+				'sec-fetch-mode': 'no-cors',
+				'sec-fetch-dest': 'empty',
+			});
+			assert.equal(result.nextCalled, false);
+			assert.equal(result.statusCode, 403);
+		});
+
+		it('blocks cross-site requests with no Sec-Fetch-Mode', async () => {
+			const result = await runMiddleware({
+				'sec-fetch-site': 'cross-site',
+			});
+			assert.equal(result.nextCalled, false);
+			assert.equal(result.statusCode, 403);
+		});
+	});
+
+	describe('allowedDomains support', () => {
+		const allowedDomains = [
+			{ hostname: 'myproxy.example.com', protocol: 'https' },
+			{ hostname: '*.ngrok.io', protocol: 'https' },
+		];
+
+		it('allows cross-site request when Origin matches an allowed domain', async () => {
+			const result = await runMiddleware(
+				{
+					'sec-fetch-site': 'cross-site',
+					'sec-fetch-mode': 'cors',
+					origin: 'https://myproxy.example.com',
+				},
+				allowedDomains,
+			);
+			assert.equal(result.nextCalled, true);
+		});
+
+		it('allows cross-site request when Origin matches a wildcard allowed domain', async () => {
+			const result = await runMiddleware(
+				{
+					'sec-fetch-site': 'cross-site',
+					'sec-fetch-mode': 'cors',
+					origin: 'https://abc123.ngrok.io',
+				},
+				allowedDomains,
+			);
+			assert.equal(result.nextCalled, true);
+		});
+
+		it('blocks cross-site request when Origin does not match allowed domains', async () => {
+			const result = await runMiddleware(
+				{
+					'sec-fetch-site': 'cross-site',
+					'sec-fetch-mode': 'cors',
+					origin: 'https://evil.example.com',
+				},
+				allowedDomains,
+			);
+			assert.equal(result.nextCalled, false);
+			assert.equal(result.statusCode, 403);
+		});
+
+		it('blocks cross-site request when no Origin header is present', async () => {
+			const result = await runMiddleware(
+				{
+					'sec-fetch-site': 'cross-site',
+					'sec-fetch-mode': 'cors',
+				},
+				allowedDomains,
+			);
+			assert.equal(result.nextCalled, false);
+			assert.equal(result.statusCode, 403);
+		});
+
+		it('blocks cross-site request when allowedDomains is empty', async () => {
+			const result = await runMiddleware(
+				{
+					'sec-fetch-site': 'cross-site',
+					'sec-fetch-mode': 'cors',
+					origin: 'https://myproxy.example.com',
+				},
+				[],
+			);
+			assert.equal(result.nextCalled, false);
+			assert.equal(result.statusCode, 403);
+		});
+	});
+});
diff --git a/packages/integrations/cloudflare/CHANGELOG.md b/packages/integrations/cloudflare/CHANGELOG.md
index 220e6df953d0..410c97ba87da 100644
--- a/packages/integrations/cloudflare/CHANGELOG.md
+++ b/packages/integrations/cloudflare/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @astrojs/cloudflare
 
+## 13.0.0-beta.12
+
+### Patch Changes
+
+- [#15696](https://github.com/withastro/astro/pull/15696) [`a9fd221`](https://github.com/withastro/astro/commit/a9fd221bda99db4660c241c494b6d3225eb4e51d) Thanks [@Princesseuh](https://github.com/Princesseuh)! - Fixes duplicate logging showing up in some cases when prerendering pages
+
+- [#15694](https://github.com/withastro/astro/pull/15694) [`66449c9`](https://github.com/withastro/astro/commit/66449c930e73e9a58ce547b9c32635a98a310966) Thanks [@matthewp](https://github.com/matthewp)! - Fixes deployment of static sites with the Cloudflare adapter
+
+  Fixes an issue with detecting and building fully static sites that caused deployment errors when using `output: 'static'` with the Cloudflare adapter
+
+- Updated dependencies []:
+  - @astrojs/underscore-redirects@1.0.0
+
 ## 13.0.0-beta.11
 
 ### Patch Changes
diff --git a/packages/integrations/cloudflare/package.json b/packages/integrations/cloudflare/package.json
index c50cbbac13a5..137169e8eea7 100644
--- a/packages/integrations/cloudflare/package.json
+++ b/packages/integrations/cloudflare/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@astrojs/cloudflare",
   "description": "Deploy your site to Cloudflare Workers",
-  "version": "13.0.0-beta.11",
+  "version": "13.0.0-beta.12",
   "type": "module",
   "types": "./dist/index.d.ts",
   "author": "withastro",
diff --git a/packages/integrations/markdoc/CHANGELOG.md b/packages/integrations/markdoc/CHANGELOG.md
index 6629c5f1753e..a4549323299a 100644
--- a/packages/integrations/markdoc/CHANGELOG.md
+++ b/packages/integrations/markdoc/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @astrojs/markdoc
 
+## 1.0.0-beta.13
+
+### Patch Changes
+
+- Updated dependencies [[`6f19ecc`](https://github.com/withastro/astro/commit/6f19ecc35adfb2ddaabbba2269630f95c13f5a57), [`f94d3c5`](https://github.com/withastro/astro/commit/f94d3c5313e5a7576cf2cb316a85d68d335a188f)]:
+  - @astrojs/markdown-remark@7.0.0-beta.9
+
 ## 1.0.0-beta.12
 
 ### Patch Changes
diff --git a/packages/integrations/markdoc/package.json b/packages/integrations/markdoc/package.json
index f1efa7638ac9..ea303ca9f8c7 100644
--- a/packages/integrations/markdoc/package.json
+++ b/packages/integrations/markdoc/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@astrojs/markdoc",
   "description": "Add support for Markdoc in your Astro site",
-  "version": "1.0.0-beta.12",
+  "version": "1.0.0-beta.13",
   "type": "module",
   "types": "./dist/index.d.ts",
   "author": "withastro",
diff --git a/packages/integrations/mdx/CHANGELOG.md b/packages/integrations/mdx/CHANGELOG.md
index 0401f88f76e2..e8f2e239f2df 100644
--- a/packages/integrations/mdx/CHANGELOG.md
+++ b/packages/integrations/mdx/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @astrojs/mdx
 
+## 5.0.0-beta.10
+
+### Patch Changes
+
+- Updated dependencies [[`6f19ecc`](https://github.com/withastro/astro/commit/6f19ecc35adfb2ddaabbba2269630f95c13f5a57), [`f94d3c5`](https://github.com/withastro/astro/commit/f94d3c5313e5a7576cf2cb316a85d68d335a188f)]:
+  - @astrojs/markdown-remark@7.0.0-beta.9
+
 ## 5.0.0-beta.9
 
 ### Patch Changes
diff --git a/packages/integrations/mdx/package.json b/packages/integrations/mdx/package.json
index 147ab4a22cdf..0797dd1e7526 100644
--- a/packages/integrations/mdx/package.json
+++ b/packages/integrations/mdx/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@astrojs/mdx",
   "description": "Add support for MDX pages in your Astro site",
-  "version": "5.0.0-beta.9",
+  "version": "5.0.0-beta.10",
   "type": "module",
   "types": "./dist/index.d.ts",
   "author": "withastro",
diff --git a/packages/integrations/node/CHANGELOG.md b/packages/integrations/node/CHANGELOG.md
index 9c163e574947..ba8dac78dec3 100644
--- a/packages/integrations/node/CHANGELOG.md
+++ b/packages/integrations/node/CHANGELOG.md
@@ -1,5 +1,53 @@
 # @astrojs/node
 
+## 10.0.0-beta.7
+
+### Major Changes
+
+- [#15654](https://github.com/withastro/astro/pull/15654) [`a32aee6`](https://github.com/withastro/astro/commit/a32aee6eb8bb9ae46caf2249ff56df27db2d4e2a) Thanks [@florian-lefebvre](https://github.com/florian-lefebvre)! - Removes the `experimentalErrorPageHost` option
+
+  This option allowed fetching a prerendered error page from a different host than the server is currently running on.
+
+  However, there can be security implications with prefetching from other hosts, and often more customization was required to do this safely. This has now been removed as a built-in option so that you can implement your own secure solution as needed and appropriate for your project via middleware.
+
+  #### What should I do?
+
+  If you were previously using this feature, you must remove the option from your adapter configuration as it no longer exists:
+
+  ```diff
+  // astro.config.mjs
+  import { defineConfig } from 'astro/config'
+  import node from '@astrojs/node'
+
+  export default defineConfig({
+    adapter: node({
+      mode: 'standalone',
+  -    experimentalErrorPageHost: 'http://localhost:4321'
+    })
+  })
+  ```
+
+  You can replicate the previous behavior by checking the response status in a middleware and fetching the prerendered page yourself:
+
+  ```ts
+  // src/middleware.ts
+  import { defineMiddleware } from 'astro:middleware';
+
+  export const onRequest = defineMiddleware(async (ctx, next) => {
+    const response = await next();
+    if (response.status === 404 || response.status === 500) {
+      return fetch(`http://localhost:4321/${response.status}.html`);
+    }
+    return response;
+  });
+  ```
+
+### Patch Changes
+
+- [#15714](https://github.com/withastro/astro/pull/15714) [`9a2c949`](https://github.com/withastro/astro/commit/9a2c949a2527cc921cfc80803f1bf49e9d945a37) Thanks [@ematipico](https://github.com/ematipico)! - Fixes an issue where static headers weren't correctly applied when the website uses `base`.
+
+- [#15745](https://github.com/withastro/astro/pull/15745) [`20b05c0`](https://github.com/withastro/astro/commit/20b05c042bde561f53d47348fd4cb2ec478bca23) Thanks [@matthewp](https://github.com/matthewp)! - Hardens static file handler path resolution to ensure resolved paths stay within the client directory
+
 ## 10.0.0-beta.6
 
 ### Patch Changes
diff --git a/packages/integrations/node/package.json b/packages/integrations/node/package.json
index c36afe483b3a..7cf5dfcfd4c5 100644
--- a/packages/integrations/node/package.json
+++ b/packages/integrations/node/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@astrojs/node",
   "description": "Deploy your site to a Node.js server",
-  "version": "10.0.0-beta.6",
+  "version": "10.0.0-beta.7",
   "type": "module",
   "types": "./dist/index.d.ts",
   "author": "withastro",
diff --git a/packages/markdown/remark/CHANGELOG.md b/packages/markdown/remark/CHANGELOG.md
index 9f88aa2839b9..e90ad46fb245 100644
--- a/packages/markdown/remark/CHANGELOG.md
+++ b/packages/markdown/remark/CHANGELOG.md
@@ -1,5 +1,17 @@
 # @astrojs/markdown-remark
 
+## 7.0.0-beta.9
+
+### Major Changes
+
+- [#15726](https://github.com/withastro/astro/pull/15726) [`6f19ecc`](https://github.com/withastro/astro/commit/6f19ecc35adfb2ddaabbba2269630f95c13f5a57) Thanks [@ocavue](https://github.com/ocavue)! - Updates dependency `shiki` to v4
+
+  Check [Shiki's upgrade guide](https://shiki.style/blog/v4).
+
+### Patch Changes
+
+- [#15651](https://github.com/withastro/astro/pull/15651) [`f94d3c5`](https://github.com/withastro/astro/commit/f94d3c5313e5a7576cf2cb316a85d68d335a188f) Thanks [@ocavue](https://github.com/ocavue)! - Reuses cached Shiki highlighter instances across languages.
+
 ## 7.0.0-beta.8
 
 ### Patch Changes
diff --git a/packages/markdown/remark/package.json b/packages/markdown/remark/package.json
index dbe85d202662..7561b17f0eb3 100644
--- a/packages/markdown/remark/package.json
+++ b/packages/markdown/remark/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@astrojs/markdown-remark",
-  "version": "7.0.0-beta.8",
+  "version": "7.0.0-beta.9",
   "type": "module",
   "author": "withastro",
   "license": "MIT",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 314340bafad6..d7a07a90f37c 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -184,13 +184,13 @@ importers:
   examples/basics:
     dependencies:
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
 
   examples/blog:
     dependencies:
       '@astrojs/mdx':
-        specifier: ^5.0.0-beta.9
+        specifier: ^5.0.0-beta.10
         version: link:../../packages/integrations/mdx
       '@astrojs/rss':
         specifier: ^4.0.15-beta.4
@@ -199,7 +199,7 @@ importers:
         specifier: ^3.6.1-beta.3
         version: link:../../packages/integrations/sitemap
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       sharp:
         specifier: ^0.34.3
@@ -208,7 +208,7 @@ importers:
   examples/component:
     devDependencies:
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
 
   examples/container-with-vitest:
@@ -217,7 +217,7 @@ importers:
         specifier: ^5.0.0-beta.3
         version: link:../../packages/integrations/react
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       react:
         specifier: ^18.3.1
@@ -248,7 +248,7 @@ importers:
         specifier: ^3.15.8
         version: 3.15.8
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
 
   examples/framework-multiple:
@@ -275,7 +275,7 @@ importers:
         specifier: ^18.3.7
         version: 18.3.7(@types/react@18.3.28)
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       preact:
         specifier: ^10.28.4
@@ -305,7 +305,7 @@ importers:
         specifier: ^2.8.1
         version: 2.8.1(preact@10.28.4)
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       preact:
         specifier: ^10.28.4
@@ -323,7 +323,7 @@ importers:
         specifier: ^18.3.7
         version: 18.3.7(@types/react@18.3.28)
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       react:
         specifier: ^18.3.1
@@ -338,7 +338,7 @@ importers:
         specifier: ^6.0.0-beta.2
         version: link:../../packages/integrations/solid
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       solid-js:
         specifier: ^1.9.11
@@ -350,7 +350,7 @@ importers:
         specifier: ^8.0.0-beta.3
         version: link:../../packages/integrations/svelte
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       svelte:
         specifier: ^5.53.5
@@ -362,7 +362,7 @@ importers:
         specifier: ^6.0.0-beta.1
         version: link:../../packages/integrations/vue
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       vue:
         specifier: ^3.5.29
@@ -371,40 +371,40 @@ importers:
   examples/hackernews:
     dependencies:
       '@astrojs/node':
-        specifier: ^10.0.0-beta.6
+        specifier: ^10.0.0-beta.7
         version: link:../../packages/integrations/node
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
 
   examples/integration:
     devDependencies:
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
 
   examples/minimal:
     dependencies:
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
 
   examples/portfolio:
     dependencies:
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
 
   examples/ssr:
     dependencies:
       '@astrojs/node':
-        specifier: ^10.0.0-beta.6
+        specifier: ^10.0.0-beta.7
         version: link:../../packages/integrations/node
       '@astrojs/svelte':
         specifier: ^8.0.0-beta.3
         version: link:../../packages/integrations/svelte
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       svelte:
         specifier: ^5.53.5
@@ -413,7 +413,7 @@ importers:
   examples/starlog:
     dependencies:
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       sass:
         specifier: ^1.97.3
@@ -428,28 +428,28 @@ importers:
         specifier: ^18.17.8
         version: 18.19.130
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
 
   examples/with-markdoc:
     dependencies:
       '@astrojs/markdoc':
-        specifier: ^1.0.0-beta.12
+        specifier: ^1.0.0-beta.13
         version: link:../../packages/integrations/markdoc
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
 
   examples/with-mdx:
     dependencies:
       '@astrojs/mdx':
-        specifier: ^5.0.0-beta.9
+        specifier: ^5.0.0-beta.10
         version: link:../../packages/integrations/mdx
       '@astrojs/preact':
         specifier: ^5.0.0-beta.4
         version: link:../../packages/integrations/preact
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       preact:
         specifier: ^10.28.4
@@ -464,7 +464,7 @@ importers:
         specifier: ^1.0.0
         version: 1.0.0(nanostores@1.1.1)(preact@10.28.4)
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       nanostores:
         specifier: ^1.1.1
@@ -476,7 +476,7 @@ importers:
   examples/with-tailwindcss:
     dependencies:
       '@astrojs/mdx':
-        specifier: ^5.0.0-beta.9
+        specifier: ^5.0.0-beta.10
         version: link:../../packages/integrations/mdx
       '@tailwindcss/vite':
         specifier: ^4.2.1
@@ -485,7 +485,7 @@ importers:
         specifier: ^1.9.0
         version: 1.9.0
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       canvas-confetti:
         specifier: ^1.9.4
@@ -497,7 +497,7 @@ importers:
   examples/with-vitest:
     dependencies:
       astro:
-        specifier: ^6.0.0-beta.17
+        specifier: ^6.0.0-beta.18
         version: link:../../packages/astro
       vitest:
         specifier: ^3.2.4
@@ -3398,12 +3398,6 @@ importers:
         specifier: workspace:*
         version: link:../../..
 
-  packages/astro/test/fixtures/html-escape-complex:
-    dependencies:
-      astro:
-        specifier: workspace:*
-        version: link:../../..
-
   packages/astro/test/fixtures/html-page:
     dependencies:
       astro: