Astro 6.3 lands one headline feature for people who write server logic plus three smaller changes to image and cookie behavior. The big one is experimental advanced routing, and it comes with first-class Hono support. The rest tighten defaults around security.
What advanced routing actually changes
Experimental advanced routing hands you full control over the request flow. You compose handlers yourself and decide the order they run in, and the release adds first-class Hono support so a Hono app slots straight into that flow instead of sitting behind a shim. That's the shift: routing stops being a fixed pipeline you work around and becomes something you assemble.
First-class means the integration isn't a bolt-on. A Hono instance becomes part of how requests get dispatched, so the middleware and route patterns you already know carry over. If you've been reaching for Hono inside a catch-all route to get the control you wanted, that workaround goes away.
Deciding execution order
The part that matters in real apps is ordering. You compose handlers and choose what runs when, which is exactly what auth gates, rewrites, and per-route logic need when they have to fire in sequence. The feature is experimental, so expect the surface to move before it stabilizes. Pin your version and read the changelog before you upgrade a production app that leans on it.
SVG processing is off by default now
Astro 6.3 disables SVG image processing by default. This is a security measure: an SVG can carry embedded scripts, and processing untrusted SVGs is a way to get those scripts somewhere they shouldn't be. The safe default trades a feature for a smaller attack surface, the right call for the common case.
If you control your SVGs and need processing back, set dangerouslyProcessSVG: true. The name is a warning, not decoration. Only flip it for SVG sources you trust, because the danger is real when the files come from users or third parties.
Remote images can now follow redirects
Astro 6.3 follows redirects on external image URLs, up to 10 hops. A remote image that 301s to its real location now resolves instead of failing. The redirects are validated against your allowlists, so a chain can't quietly bounce a request to a host you never approved. That guardrail keeps a convenience feature from becoming an open redirect.
Cookies get a real consume() method
There's a new consume() instance method on AstroCookies. It marks cookies as consumed and returns the Set-Cookie value, and it replaces the deprecated static method. The instance method is the cleaner API: it removes the ambiguity of operating on cookies without a clear owner. Update your call sites while you're touching the upgrade.
Two of these four changes are safe defaults; one deprecation is worth a quick search-and-replace. Advanced routing is the release to watch, because first-class Hono inside the request flow points at where the 6.4 cf() runtime helpers take Astro's server story next. For how this fits the wider generation, read Astro 6, feature by feature, browse every Astro 6 release, and test the experimental routing on a branch before it reaches anything your users hit.