Harden URL pathname normalization to collapse multiple leading slashes

[matthewp]

Changes

• Collapses multiple leading slashes (e.g. //admin → /admin) in removeBase() and #createNormalizedUrl()
• Ensures middleware context.url.pathname always reflects the canonical single-slash form that the router uses for matching

Testing

New unit test suite in packages/astro/test/units/app/double-slash-bypass.test.js with 6 tests

Docs

N/A, bug fix

[changeset-bot]

🦋 Changeset detected

Latest commit: 1e4c8b5

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[codspeed-hq]

Merging this PR will not alter performance

✅ 18 untouched benchmarks

---

_{Comparing double-slash-a2 (1e4c8b5) with main (1118ac4)¹}

Footnotes

1. No successful run was found on main (4b54eb5) during the generation of this report, so 1118ac4 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[ematipico]

We already have an utility for that

https://github.com/withastro/astro/blob/main/packages%2Finternal-helpers%2Fsrc%2Fpath.ts#L20-L25

[matthewp]

Oh nice, will update.

[matthewp]

@ematipico That's for trailing slashes, this is for leading. I'll add a similar utility.

[matthewp]

@ematipico added in 0fd0b2f

[ematipico]

Cheers!

[ematipico]

Please update this changeset so that it's more use-facing. What we fixed by showing a possible use case

[matthewp]

I wanted to avoid this coming across as alarmist; users should be checking these things in their own middleware, but it's good if we can prevent cases where they do not.

Happy to reword but not sure how to do so.

[matthewp]

I'll give it a try.