Astro CLI

by Astronomerv1.42.1

Last updated Jun 8, 2026

To build and run Airflow DAGs locally and interact with the Astronomer API

Install with winget

$ winget install --id Astronomer.Astro --exact --version 1.42.1

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

Installers · v1.42.1

Architecture	Type	Scope	Install	Download
x64	Portable	-		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

17 known CVEs via NVD

medium6.1Fix in v6.1.10CVE-2026-45028affects before 6.1.10May 13, 2026
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one co...
Patch Vendor advisory
medium6.1Fix in v6.1.6CVE-2026-41067affects before 6.1.6Apr 24, 2026
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements c...
Vendor advisory
medium5.3Patched in wingetCVE-2026-33769affects before 5.18.1Mar 24, 2026
Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a...
Vendor advisory
medium6.5Fix in v5.15.8CVE-2025-66202affects before 5.15.8Dec 8, 2025
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was...
Patch Vendor advisory
medium5.4Fix in v5.15.9CVE-2025-65019affects before 5.15.9Nov 19, 2025
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: p...
Patch
medium5.3Fix in v5.15.8CVE-2025-64765affects before 5.15.8Nov 19, 2025
Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to rende...
Patch
high7.1Fix in v5.15.8CVE-2025-64764affects before 5.15.8Nov 19, 2025
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.
Patch Vendor advisory
low3.5Fix in v5.14.3CVE-2025-64757affects before 5.14.3Nov 19, 2025
Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and a...
Patch Vendor advisory

Showing 8 of 17. Source: NVD, updated 4h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Frequently asked questions

How do I install Astro CLI on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id Astronomer.Astro --exact --version 1.42.1. winget downloads the installer from Astronomer and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install Astro CLI silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id Astronomer.Astro --exact 1.42.1 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

How do I uninstall Astro CLI via winget?

Run: winget uninstall --id Astronomer.Astro --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from Astro CLI's Apps & Features entry.

Is Astro CLI free?

Astro CLI is distributed under Apache 2.0. Refer to the publisher (https://github.com/astronomer/astro-cli) for the full license terms - Wingetly itself does not charge for installation.

Does Astro CLI work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls Astro CLI directly from the publisher.

How do I keep Astro CLI up to date?

Run winget upgrade --id Astronomer.Astro --exact, or winget upgrade --all to update everything winget tracks. We index 10 versions of Astro CLI from microsoft/winget-pkgs.

Recent versions

1.42.1latest
1.42.0
1.41.0
1.40.1
1.39.0
1.38.1
1.38.0
1.37.0
1.36.0
1.35.1