@eggjs/security 5.0.0-beta.19 → 5.0.0-beta.21

package/dist/lib/middlewares/referrerPolicy.js

@@ -1,31 +1,35 @@
 import { checkIfIgnore } from "../utils.js";
-
-//#region src/lib/middlewares/referrerPolicy.ts
+// https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Referrer-Policy
 const ALLOWED_POLICIES_ENUM = [
-	"no-referrer",
-	"no-referrer-when-downgrade",
-	"origin",
-	"origin-when-cross-origin",
-	"same-origin",
-	"strict-origin",
-	"strict-origin-when-cross-origin",
-	"unsafe-url",
-	""
+    'no-referrer',
+    'no-referrer-when-downgrade',
+    'origin',
+    'origin-when-cross-origin',
+    'same-origin',
+    'strict-origin',
+    'strict-origin-when-cross-origin',
+    'unsafe-url',
+    '',
 ];
-var referrerPolicy_default = (options) => {
-	return async function referrerPolicy(ctx, next) {
-		await next();
-		const opts = {
-			...options,
-			...ctx.securityOptions.refererPolicy,
-			...ctx.securityOptions.referrerPolicy
-		};
-		if (checkIfIgnore(opts, ctx)) return;
-		const policy = opts.value;
-		if (!ALLOWED_POLICIES_ENUM.includes(policy)) throw new Error(`"${policy}" is not available.`);
-		ctx.set("referrer-policy", policy);
-	};
+export default (options) => {
+    return async function referrerPolicy(ctx, next) {
+        await next();
+        const opts = {
+            ...options,
+            // check refererPolicy for backward compatibility
+            // typo on the old version
+            // @see https://github.com/eggjs/security/blob/e3408408adec5f8d009d37f75126ed082481d0ac/lib/middlewares/referrerPolicy.js#L21C59-L21C72
+            // @ts-expect-error alias for referrerPolicy
+            ...ctx.securityOptions.refererPolicy,
+            ...ctx.securityOptions.referrerPolicy,
+        };
+        if (checkIfIgnore(opts, ctx))
+            return;
+        const policy = opts.value;
+        if (!ALLOWED_POLICIES_ENUM.includes(policy)) {
+            throw new Error(`"${policy}" is not available.`);
+        }
+        ctx.set('referrer-policy', policy);
+    };
 };
-
-//#endregion
-export { referrerPolicy_default as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicmVmZXJyZXJQb2xpY3kuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL21pZGRsZXdhcmVzL3JlZmVycmVyUG9saWN5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUVBLE9BQU8sRUFBRSxhQUFhLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFHNUMsNEVBQTRFO0FBQzVFLE1BQU0scUJBQXFCLEdBQUc7SUFDNUIsYUFBYTtJQUNiLDRCQUE0QjtJQUM1QixRQUFRO0lBQ1IsMEJBQTBCO0lBQzFCLGFBQWE7SUFDYixlQUFlO0lBQ2YsaUNBQWlDO0lBQ2pDLFlBQVk7SUFDWixFQUFFO0NBQ0gsQ0FBQztBQUVGLGVBQWUsQ0FBQyxPQUF5QyxFQUFrQixFQUFFO0lBQzNFLE9BQU8sS0FBSyxVQUFVLGNBQWMsQ0FBQyxHQUFHLEVBQUUsSUFBSTtRQUM1QyxNQUFNLElBQUksRUFBRSxDQUFDO1FBRWIsTUFBTSxJQUFJLEdBQUc7WUFDWCxHQUFHLE9BQU87WUFDVixpREFBaUQ7WUFDakQsMEJBQTBCO1lBQzFCLHVJQUF1STtZQUN2SSw0Q0FBNEM7WUFDNUMsR0FBRyxHQUFHLENBQUMsZUFBZSxDQUFDLGFBQWE7WUFDcEMsR0FBRyxHQUFHLENBQUMsZUFBZSxDQUFDLGNBQWM7U0FDdEMsQ0FBQztRQUNGLElBQUksYUFBYSxDQUFDLElBQUksRUFBRSxHQUFHLENBQUM7WUFBRSxPQUFPO1FBRXJDLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUM7UUFDMUIsSUFBSSxDQUFDLHFCQUFxQixDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1lBQzVDLE1BQU0sSUFBSSxLQUFLLENBQUMsSUFBSSxNQUFNLHFCQUFxQixDQUFDLENBQUM7UUFDbkQsQ0FBQztRQUVELEdBQUcsQ0FBQyxHQUFHLENBQUMsaUJBQWlCLEVBQUUsTUFBTSxDQUFDLENBQUM7SUFDckMsQ0FBQyxDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/dist/lib/middlewares/xframe.d.ts

@@ -1,7 +1,4 @@
-import { SecurityConfig } from "../../config/config.default.js";
-import { MiddlewareFunc } from "egg";
-
-//#region src/lib/middlewares/xframe.d.ts
+import type { MiddlewareFunc } from 'egg';
+import type { SecurityConfig } from '../../config/config.default.ts';
 declare const _default: (options: SecurityConfig["xframe"]) => MiddlewareFunc;
-//#endregion
-export { _default as default };
+export default _default;

package/dist/lib/middlewares/xframe.js

@@ -1,18 +1,17 @@
 import { checkIfIgnore } from "../utils.js";
-
-//#region src/lib/middlewares/xframe.ts
-var xframe_default = (options) => {
-	return async function xframe(ctx, next) {
-		await next();
-		const opts = {
-			...options,
-			...ctx.securityOptions.xframe
-		};
-		if (checkIfIgnore(opts, ctx)) return;
-		const value = opts.value || "SAMEORIGIN";
-		ctx.set("x-frame-options", value);
-	};
+export default (options) => {
+    return async function xframe(ctx, next) {
+        await next();
+        const opts = {
+            ...options,
+            ...ctx.securityOptions.xframe,
+        };
+        if (checkIfIgnore(opts, ctx))
+            return;
+        // DENY, SAMEORIGIN, ALLOW-FROM
+        // https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options?redirectlocale=en-US&redirectslug=The_X-FRAME-OPTIONS_response_header
+        const value = opts.value || 'SAMEORIGIN';
+        ctx.set('x-frame-options', value);
+    };
 };
-
-//#endregion
-export { xframe_default as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoieGZyYW1lLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy94ZnJhbWUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBRUEsT0FBTyxFQUFFLGFBQWEsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUc1QyxlQUFlLENBQUMsT0FBaUMsRUFBa0IsRUFBRTtJQUNuRSxPQUFPLEtBQUssVUFBVSxNQUFNLENBQUMsR0FBRyxFQUFFLElBQUk7UUFDcEMsTUFBTSxJQUFJLEVBQUUsQ0FBQztRQUViLE1BQU0sSUFBSSxHQUFHO1lBQ1gsR0FBRyxPQUFPO1lBQ1YsR0FBRyxHQUFHLENBQUMsZUFBZSxDQUFDLE1BQU07U0FDOUIsQ0FBQztRQUNGLElBQUksYUFBYSxDQUFDLElBQUksRUFBRSxHQUFHLENBQUM7WUFBRSxPQUFPO1FBRXJDLCtCQUErQjtRQUMvQixzSUFBc0k7UUFDdEksTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLEtBQUssSUFBSSxZQUFZLENBQUM7UUFDekMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxpQkFBaUIsRUFBRSxLQUFLLENBQUMsQ0FBQztJQUNwQyxDQUFDLENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/dist/lib/middlewares/xssProtection.d.ts

@@ -1,7 +1,4 @@
-import { SecurityConfig } from "../../config/config.default.js";
-import { MiddlewareFunc } from "egg";
-
-//#region src/lib/middlewares/xssProtection.d.ts
+import type { MiddlewareFunc } from 'egg';
+import type { SecurityConfig } from '../../config/config.default.ts';
 declare const _default: (options: SecurityConfig["xssProtection"]) => MiddlewareFunc;
-//#endregion
-export { _default as default };
+export default _default;

package/dist/lib/middlewares/xssProtection.js

@@ -1,17 +1,14 @@
 import { checkIfIgnore } from "../utils.js";
-
-//#region src/lib/middlewares/xssProtection.ts
-var xssProtection_default = (options) => {
-	return async function xssProtection(ctx, next) {
-		await next();
-		const opts = {
-			...options,
-			...ctx.securityOptions.xssProtection
-		};
-		if (checkIfIgnore(opts, ctx)) return;
-		ctx.set("x-xss-protection", opts.value);
-	};
+export default (options) => {
+    return async function xssProtection(ctx, next) {
+        await next();
+        const opts = {
+            ...options,
+            ...ctx.securityOptions.xssProtection,
+        };
+        if (checkIfIgnore(opts, ctx))
+            return;
+        ctx.set('x-xss-protection', opts.value);
+    };
 };
-
-//#endregion
-export { xssProtection_default as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoieHNzUHJvdGVjdGlvbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMveHNzUHJvdGVjdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFFQSxPQUFPLEVBQUUsYUFBYSxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRzVDLGVBQWUsQ0FBQyxPQUF3QyxFQUFrQixFQUFFO0lBQzFFLE9BQU8sS0FBSyxVQUFVLGFBQWEsQ0FBQyxHQUFHLEVBQUUsSUFBSTtRQUMzQyxNQUFNLElBQUksRUFBRSxDQUFDO1FBRWIsTUFBTSxJQUFJLEdBQUc7WUFDWCxHQUFHLE9BQU87WUFDVixHQUFHLEdBQUcsQ0FBQyxlQUFlLENBQUMsYUFBYTtTQUNyQyxDQUFDO1FBQ0YsSUFBSSxhQUFhLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQztZQUFFLE9BQU87UUFFckMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxrQkFBa0IsRUFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDMUMsQ0FBQyxDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/dist/lib/utils.d.ts

@@ -1,24 +1,19 @@
-import { SecurityConfig } from "../config/config.default.js";
-import { Context } from "egg";
-import { PathMatchingFun } from "egg-path-matching";
-
-//#region src/lib/utils.d.ts
-
+import type { Context } from 'egg';
+import type { PathMatchingFun } from 'egg-path-matching';
+import type { SecurityConfig } from '../config/config.default.ts';
 /**
  * Check whether a domain is in the safe domain white list or not.
  * @param {String} domain The inputted domain.
  * @param {Array<string>} whiteList The white list for domain.
  * @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
  */
-declare function isSafeDomain(domain: string, whiteList: string[]): boolean;
-declare function isSafePath(path: string, ctx: Context): boolean;
-declare function checkIfIgnore(opts: {
-  enable: boolean;
-  matching?: PathMatchingFun;
+export declare function isSafeDomain(domain: string, whiteList: string[]): boolean;
+export declare function isSafePath(path: string, ctx: Context): boolean;
+export declare function checkIfIgnore(opts: {
+    enable: boolean;
+    matching?: PathMatchingFun;
 }, ctx: Context): boolean;
-declare function getCookieDomain(hostname: string): string;
-declare function merge(origin: Record<string, any>, opts?: Record<string, any>): Record<string, any>;
-declare function preprocessConfig(config: SecurityConfig): void;
-declare function getFromUrl(url: string, prop: string): string | null;
-//#endregion
-export { checkIfIgnore, getCookieDomain, getFromUrl, isSafeDomain, isSafePath, merge, preprocessConfig };
+export declare function getCookieDomain(hostname: string): string;
+export declare function merge(origin: Record<string, any>, opts?: Record<string, any>): Record<string, any>;
+export declare function preprocessConfig(config: SecurityConfig): void;
+export declare function getFromUrl(url: string, prop: string): string | null;

package/dist/lib/utils.js

@@ -1,127 +1,192 @@
-import { normalize } from "node:path";
-import matcher from "matcher";
-import IP from "@eggjs/ip";
-
-//#region src/lib/utils.ts
+import { normalize } from 'node:path';
+import matcher from 'matcher';
+import IP from '@eggjs/ip';
 /**
-* Check whether a domain is in the safe domain white list or not.
-* @param {String} domain The inputted domain.
-* @param {Array<string>} whiteList The white list for domain.
-* @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
-*/
-function isSafeDomain(domain, whiteList) {
-	if (typeof domain !== "string") return false;
-	domain = domain.toLowerCase();
-	const hostname = "." + domain;
-	return whiteList.some((rule) => {
-		if (rule.includes("*")) return matcher.isMatch(domain, rule);
-		if (domain === rule) return true;
-		if (!rule.startsWith(".")) rule = `.${rule}`;
-		return hostname.endsWith(rule);
-	});
+ * Check whether a domain is in the safe domain white list or not.
+ * @param {String} domain The inputted domain.
+ * @param {Array<string>} whiteList The white list for domain.
+ * @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
+ */
+export function isSafeDomain(domain, whiteList) {
+    // domain must be string, otherwise return false
+    if (typeof domain !== 'string')
+        return false;
+    // Ignore case sensitive first
+    domain = domain.toLowerCase();
+    // add prefix `.`, because all domains in white list start with `.`
+    const hostname = '.' + domain;
+    return whiteList.some(rule => {
+        // Check whether we've got '*' as a wild character symbol
+        if (rule.includes('*')) {
+            return matcher.isMatch(domain, rule);
+        }
+        // If domain is an absolute path such as `http://...`
+        // We can directly check whether it directly equals to `domain`
+        // And we don't need to cope with `endWith`.
+        if (domain === rule)
+            return true;
+        // ensure wwweggjs.com not match eggjs.com
+        if (!rule.startsWith('.'))
+            rule = `.${rule}`;
+        return hostname.endsWith(rule);
+    });
 }
-function isSafePath(path, ctx) {
-	path = "." + path;
-	if (path.includes("%")) try {
-		path = decodeURIComponent(path);
-	} catch {
-		if (ctx.app.config.env === "local" || ctx.app.config.env === "unittest") ctx.coreLogger.warn("[@eggjs/security: dta global block] : decode file path %j failed.", path);
-	}
-	const normalizePath = normalize(path);
-	return !(normalizePath.startsWith("../") || normalizePath.startsWith("..\\"));
+export function isSafePath(path, ctx) {
+    path = '.' + path;
+    if (path.includes('%')) {
+        try {
+            path = decodeURIComponent(path);
+        }
+        catch {
+            if (ctx.app.config.env === 'local' || ctx.app.config.env === 'unittest') {
+                // not under production environment, output log
+                ctx.coreLogger.warn('[@eggjs/security: dta global block] : decode file path %j failed.', path);
+            }
+        }
+    }
+    const normalizePath = normalize(path);
+    return !(normalizePath.startsWith('../') || normalizePath.startsWith('..\\'));
 }
-function checkIfIgnore(opts, ctx) {
-	if (!opts.enable) return true;
-	return !opts.matching?.(ctx);
+export function checkIfIgnore(opts, ctx) {
+    // check opts.enable first
+    if (!opts.enable)
+        return true;
+    return !opts.matching?.(ctx);
 }
 const IP_RE = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
 const topDomains = {};
-[
-	".net.cn",
-	".gov.cn",
-	".org.cn",
-	".com.cn"
-].forEach((item) => {
-	topDomains[item] = 2 - item.split(".").length;
+['.net.cn', '.gov.cn', '.org.cn', '.com.cn'].forEach(item => {
+    topDomains[item] = 2 - item.split('.').length;
 });
-function getCookieDomain(hostname) {
-	if (IP_RE.test(hostname)) return hostname;
-	const splits = hostname.split(".");
-	let index = -2;
-	if (splits.length >= 4 && splits[splits.length - 3] === "test") index = -3;
-	let domain = getDomain(splits, index);
-	if (topDomains[domain]) domain = getDomain(splits, index + topDomains[domain]);
-	return domain;
+export function getCookieDomain(hostname) {
+    // TODO(fengmk2): support ipv6
+    if (IP_RE.test(hostname)) {
+        return hostname;
+    }
+    // app.test.domain.com => .test.domain.com
+    // app.stable.domain.com => .domain.com
+    // app.domain.com => .domain.com
+    // domain=.domain.com;
+    const splits = hostname.split('.');
+    let index = -2;
+    // only when `*.test.*.com` set `.test.*.com`
+    if (splits.length >= 4 && splits[splits.length - 3] === 'test') {
+        index = -3;
+    }
+    let domain = getDomain(splits, index);
+    if (topDomains[domain]) {
+        // app.foo.org.cn => .foo.org.cn
+        domain = getDomain(splits, index + topDomains[domain]);
+    }
+    return domain;
 }
 function getDomain(splits, index) {
-	return "." + splits.slice(index).join(".");
+    return '.' + splits.slice(index).join('.');
 }
-function merge(origin, opts) {
-	if (!opts) return origin;
-	const res = {};
-	const originKeys = Object.keys(origin);
-	for (let i = 0; i < originKeys.length; i++) {
-		const key = originKeys[i];
-		res[key] = origin[key];
-	}
-	const keys = Object.keys(opts);
-	for (let i = 0; i < keys.length; i++) {
-		const key = keys[i];
-		res[key] = opts[key];
-	}
-	return res;
+export function merge(origin, opts) {
+    if (!opts) {
+        return origin;
+    }
+    const res = {};
+    const originKeys = Object.keys(origin);
+    for (let i = 0; i < originKeys.length; i++) {
+        const key = originKeys[i];
+        res[key] = origin[key];
+    }
+    const keys = Object.keys(opts);
+    for (let i = 0; i < keys.length; i++) {
+        const key = keys[i];
+        res[key] = opts[key];
+    }
+    return res;
 }
-function preprocessConfig(config) {
-	const ssrf = config.ssrf;
-	if (ssrf && ssrf.ipBlackList && !ssrf.checkAddress) {
-		const blackList = ssrf.ipBlackList.map(getContains);
-		const exceptionList = (ssrf.ipExceptionList || []).map(getContains);
-		const hostnameExceptionList = ssrf.hostnameExceptionList;
-		ssrf.checkAddress = (ipAddresses, _family, hostname) => {
-			if (hostname && hostnameExceptionList) {
-				if (hostnameExceptionList.includes(hostname)) return true;
-			}
-			if (!Array.isArray(ipAddresses)) ipAddresses = [ipAddresses];
-			for (const ipAddress of ipAddresses) {
-				let address;
-				if (typeof ipAddress === "string") address = ipAddress;
-				else {
-					if (ipAddress.family === 6) continue;
-					address = ipAddress.address;
-				}
-				for (const exception of exceptionList) if (exception(address)) return true;
-				for (const contains of blackList) if (contains(address)) return false;
-			}
-			return true;
-		};
-	}
-	config.domainWhiteList = config.domainWhiteList || [];
-	config.domainWhiteList = config.domainWhiteList.map((domain) => domain.toLowerCase());
-	config.protocolWhiteList = config.protocolWhiteList || [];
-	config.protocolWhiteList = config.protocolWhiteList.map((protocol) => protocol.toLowerCase());
-	if (config.csrf && config.csrf.refererWhiteList) config.csrf.refererWhiteList = config.csrf.refererWhiteList.map((ref) => ref.toLowerCase());
-	const protocolWhiteListSet = new Set(config.protocolWhiteList);
-	protocolWhiteListSet.add("http");
-	protocolWhiteListSet.add("https");
-	protocolWhiteListSet.add("file");
-	protocolWhiteListSet.add("data");
-	Object.defineProperty(config, "__protocolWhiteListSet", {
-		value: protocolWhiteListSet,
-		enumerable: false
-	});
+export function preprocessConfig(config) {
+    // transfer ssrf.ipBlackList to ssrf.checkAddress
+    // ssrf.ipExceptionList can easily pick out unwanted ips from ipBlackList
+    // checkAddress has higher priority than ipBlackList
+    const ssrf = config.ssrf;
+    if (ssrf && ssrf.ipBlackList && !ssrf.checkAddress) {
+        const blackList = ssrf.ipBlackList.map(getContains);
+        const exceptionList = (ssrf.ipExceptionList || []).map(getContains);
+        const hostnameExceptionList = ssrf.hostnameExceptionList;
+        ssrf.checkAddress = (ipAddresses, _family, hostname) => {
+            // Check white hostname first
+            if (hostname && hostnameExceptionList) {
+                if (hostnameExceptionList.includes(hostname)) {
+                    return true;
+                }
+            }
+            // ipAddresses will be array address on Node.js >= 20
+            // [
+            //   { address: '220.181.125.241', family: 4 },
+            //   { address: '240e:964:ea02:b00:3::3ec', family: 6 }
+            // ]
+            if (!Array.isArray(ipAddresses)) {
+                ipAddresses = [ipAddresses];
+            }
+            for (const ipAddress of ipAddresses) {
+                let address;
+                if (typeof ipAddress === 'string') {
+                    address = ipAddress;
+                }
+                else {
+                    // FIXME: should support ipv6
+                    if (ipAddress.family === 6) {
+                        continue;
+                    }
+                    address = ipAddress.address;
+                }
+                // check white list first
+                for (const exception of exceptionList) {
+                    if (exception(address)) {
+                        return true;
+                    }
+                }
+                // check black list
+                for (const contains of blackList) {
+                    if (contains(address)) {
+                        return false;
+                    }
+                }
+            }
+            // default allow
+            return true;
+        };
+    }
+    // Make sure that `whiteList` or `protocolWhiteList` is case insensitive
+    config.domainWhiteList = config.domainWhiteList || [];
+    config.domainWhiteList = config.domainWhiteList.map((domain) => domain.toLowerCase());
+    config.protocolWhiteList = config.protocolWhiteList || [];
+    config.protocolWhiteList = config.protocolWhiteList.map((protocol) => protocol.toLowerCase());
+    // Make sure refererWhiteList is case insensitive
+    if (config.csrf && config.csrf.refererWhiteList) {
+        config.csrf.refererWhiteList = config.csrf.refererWhiteList.map((ref) => ref.toLowerCase());
+    }
+    // Directly converted to Set collection by a private property (not documented),
+    // And we NO LONGER need to do conversion in `foreach` again and again in `lib/helper/surl.ts`.
+    const protocolWhiteListSet = new Set(config.protocolWhiteList);
+    protocolWhiteListSet.add('http');
+    protocolWhiteListSet.add('https');
+    protocolWhiteListSet.add('file');
+    protocolWhiteListSet.add('data');
+    Object.defineProperty(config, '__protocolWhiteListSet', {
+        value: protocolWhiteListSet,
+        enumerable: false,
+    });
 }
-function getFromUrl(url, prop) {
-	try {
-		const parsed = new URL(url);
-		return Reflect.get(parsed, prop);
-	} catch {
-		return null;
-	}
+export function getFromUrl(url, prop) {
+    try {
+        const parsed = new URL(url);
+        return Reflect.get(parsed, prop);
+    }
+    catch {
+        return null;
+    }
 }
 function getContains(ip) {
-	if (IP.isV4Format(ip) || IP.isV6Format(ip)) return (address) => address === ip;
-	return IP.cidrSubnet(ip).contains;
+    if (IP.isV4Format(ip) || IP.isV6Format(ip)) {
+        return (address) => address === ip;
+    }
+    return IP.cidrSubnet(ip).contains;
 }
-
-//#endregion
-export { checkIfIgnore, getCookieDomain, getFromUrl, isSafeDomain, isSafePath, merge, preprocessConfig };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidXRpbHMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvbGliL3V0aWxzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSxXQUFXLENBQUM7QUFFdEMsT0FBTyxPQUFPLE1BQU0sU0FBUyxDQUFDO0FBQzlCLE9BQU8sRUFBRSxNQUFNLFdBQVcsQ0FBQztBQU0zQjs7Ozs7R0FLRztBQUNILE1BQU0sVUFBVSxZQUFZLENBQUMsTUFBYyxFQUFFLFNBQW1CO0lBQzlELGdEQUFnRDtJQUNoRCxJQUFJLE9BQU8sTUFBTSxLQUFLLFFBQVE7UUFBRSxPQUFPLEtBQUssQ0FBQztJQUM3Qyw4QkFBOEI7SUFDOUIsTUFBTSxHQUFHLE1BQU0sQ0FBQyxXQUFXLEVBQUUsQ0FBQztJQUM5QixtRUFBbUU7SUFDbkUsTUFBTSxRQUFRLEdBQUcsR0FBRyxHQUFHLE1BQU0sQ0FBQztJQUU5QixPQUFPLFNBQVMsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEVBQUU7UUFDM0IseURBQXlEO1FBQ3pELElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQ3ZCLE9BQU8sT0FBTyxDQUFDLE9BQU8sQ0FBQyxNQUFNLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFDdkMsQ0FBQztRQUNELHFEQUFxRDtRQUNyRCwrREFBK0Q7UUFDL0QsNENBQTRDO1FBQzVDLElBQUksTUFBTSxLQUFLLElBQUk7WUFBRSxPQUFPLElBQUksQ0FBQztRQUNqQywwQ0FBMEM7UUFDMUMsSUFBSSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDO1lBQUUsSUFBSSxHQUFHLElBQUksSUFBSSxFQUFFLENBQUM7UUFDN0MsT0FBTyxRQUFRLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxDQUFDO0lBQ2pDLENBQUMsQ0FBQyxDQUFDO0FBQ0wsQ0FBQztBQUVELE1BQU0sVUFBVSxVQUFVLENBQUMsSUFBWSxFQUFFLEdBQVk7SUFDbkQsSUFBSSxHQUFHLEdBQUcsR0FBRyxJQUFJLENBQUM7SUFDbEIsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDdkIsSUFBSSxDQUFDO1lBQ0gsSUFBSSxHQUFHLGtCQUFrQixDQUFDLElBQUksQ0FBQyxDQUFDO1FBQ2xDLENBQUM7UUFBQyxNQUFNLENBQUM7WUFDUCxJQUFJLEdBQUcsQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLEdBQUcsS0FBSyxPQUFPLElBQUksR0FBRyxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsR0FBRyxLQUFLLFVBQVUsRUFBRSxDQUFDO2dCQUN4RSwrQ0FBK0M7Z0JBQy9DLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLG1FQUFtRSxFQUFFLElBQUksQ0FBQyxDQUFDO1lBQ2pHLENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztJQUNELE1BQU0sYUFBYSxHQUFHLFNBQVMsQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUN0QyxPQUFPLENBQUMsQ0FBQyxhQUFhLENBQUMsVUFBVSxDQUFDLEtBQUssQ0FBQyxJQUFJLGFBQWEsQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQztBQUNoRixDQUFDO0FBRUQsTUFBTSxVQUFVLGFBQWEsQ0FBQyxJQUFxRCxFQUFFLEdBQVk7SUFDL0YsMEJBQTBCO0lBQzFCLElBQUksQ0FBQyxJQUFJLENBQUMsTUFBTTtRQUFFLE9BQU8sSUFBSSxDQUFDO0lBQzlCLE9BQU8sQ0FBQyxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUMsR0FBRyxDQUFDLENBQUM7QUFDL0IsQ0FBQztBQUVELE1BQU0sS0FBSyxHQUFHLHNDQUFzQyxDQUFDO0FBQ3JELE1BQU0sVUFBVSxHQUEyQixFQUFFLENBQUM7QUFDOUMsQ0FBQyxTQUFTLEVBQUUsU0FBUyxFQUFFLFNBQVMsRUFBRSxTQUFTLENBQUMsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLEVBQUU7SUFDMUQsVUFBVSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLE1BQU0sQ0FBQztBQUNoRCxDQUFDLENBQUMsQ0FBQztBQUVILE1BQU0sVUFBVSxlQUFlLENBQUMsUUFBZ0I7SUFDOUMsOEJBQThCO0lBQzlCLElBQUksS0FBSyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO1FBQ3pCLE9BQU8sUUFBUSxDQUFDO0lBQ2xCLENBQUM7SUFDRCwwQ0FBMEM7SUFDMUMsdUNBQXVDO0lBQ3ZDLGdDQUFnQztJQUNoQyxzQkFBc0I7SUFDdEIsTUFBTSxNQUFNLEdBQUcsUUFBUSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNuQyxJQUFJLEtBQUssR0FBRyxDQUFDLENBQUMsQ0FBQztJQUVmLDZDQUE2QztJQUM3QyxJQUFJLE1BQU0sQ0FBQyxNQUFNLElBQUksQ0FBQyxJQUFJLE1BQU0sQ0FBQyxNQUFNLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxLQUFLLE1BQU0sRUFBRSxDQUFDO1FBQy9ELEtBQUssR0FBRyxDQUFDLENBQUMsQ0FBQztJQUNiLENBQUM7SUFDRCxJQUFJLE1BQU0sR0FBRyxTQUFTLENBQUMsTUFBTSxFQUFFLEtBQUssQ0FBQyxDQUFDO0lBQ3RDLElBQUksVUFBVSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7UUFDdkIsZ0NBQWdDO1FBQ2hDLE1BQU0sR0FBRyxTQUFTLENBQUMsTUFBTSxFQUFFLEtBQUssR0FBRyxVQUFVLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQztJQUN6RCxDQUFDO0lBQ0QsT0FBTyxNQUFNLENBQUM7QUFDaEIsQ0FBQztBQUVELFNBQVMsU0FBUyxDQUFDLE1BQWdCLEVBQUUsS0FBYTtJQUNoRCxPQUFPLEdBQUcsR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQyxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQztBQUM3QyxDQUFDO0FBRUQsTUFBTSxVQUFVLEtBQUssQ0FBQyxNQUEyQixFQUFFLElBQTBCO0lBQzNFLElBQUksQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUNWLE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7SUFDRCxNQUFNLEdBQUcsR0FBd0IsRUFBRSxDQUFDO0lBRXBDLE1BQU0sVUFBVSxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDdkMsS0FBSyxJQUFJLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxHQUFHLFVBQVUsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxFQUFFLEVBQUUsQ0FBQztRQUMzQyxNQUFNLEdBQUcsR0FBRyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDMUIsR0FBRyxDQUFDLEdBQUcsQ0FBQyxHQUFHLE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUN6QixDQUFDO0lBRUQsTUFBTSxJQUFJLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUMvQixLQUFLLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEdBQUcsSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDO1FBQ3JDLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNwQixHQUFHLENBQUMsR0FBRyxDQUFDLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ3ZCLENBQUM7SUFDRCxPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUM7QUFFRCxNQUFNLFVBQVUsZ0JBQWdCLENBQUMsTUFBc0I7SUFDckQsaURBQWlEO0lBQ2pELHlFQUF5RTtJQUN6RSxvREFBb0Q7SUFDcEQsTUFBTSxJQUFJLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQztJQUN6QixJQUFJLElBQUksSUFBSSxJQUFJLENBQUMsV0FBVyxJQUFJLENBQUMsSUFBSSxDQUFDLFlBQVksRUFBRSxDQUFDO1FBQ25ELE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsR0FBRyxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQ3BELE1BQU0sYUFBYSxHQUFHLENBQUMsSUFBSSxDQUFDLGVBQWUsSUFBSSxFQUFFLENBQUMsQ0FBQyxHQUFHLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDcEUsTUFBTSxxQkFBcUIsR0FBRyxJQUFJLENBQUMscUJBQXFCLENBQUM7UUFDekQsSUFBSSxDQUFDLFlBQVksR0FBRyxDQUFDLFdBQVcsRUFBRSxPQUFPLEVBQUUsUUFBUSxFQUFFLEVBQUU7WUFDckQsNkJBQTZCO1lBQzdCLElBQUksUUFBUSxJQUFJLHFCQUFxQixFQUFFLENBQUM7Z0JBQ3RDLElBQUkscUJBQXFCLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUM7b0JBQzdDLE9BQU8sSUFBSSxDQUFDO2dCQUNkLENBQUM7WUFDSCxDQUFDO1lBQ0QscURBQXFEO1lBQ3JELElBQUk7WUFDSiwrQ0FBK0M7WUFDL0MsdURBQXVEO1lBQ3ZELElBQUk7WUFDSixJQUFJLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUMsRUFBRSxDQUFDO2dCQUNoQyxXQUFXLEdBQUcsQ0FBQyxXQUFXLENBQUMsQ0FBQztZQUM5QixDQUFDO1lBQ0QsS0FBSyxNQUFNLFNBQVMsSUFBSSxXQUFXLEVBQUUsQ0FBQztnQkFDcEMsSUFBSSxPQUFlLENBQUM7Z0JBQ3BCLElBQUksT0FBTyxTQUFTLEtBQUssUUFBUSxFQUFFLENBQUM7b0JBQ2xDLE9BQU8sR0FBRyxTQUFTLENBQUM7Z0JBQ3RCLENBQUM7cUJBQU0sQ0FBQztvQkFDTiw2QkFBNkI7b0JBQzdCLElBQUksU0FBUyxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQzt3QkFDM0IsU0FBUztvQkFDWCxDQUFDO29CQUNELE9BQU8sR0FBRyxTQUFTLENBQUMsT0FBTyxDQUFDO2dCQUM5QixDQUFDO2dCQUNELHlCQUF5QjtnQkFDekIsS0FBSyxNQUFNLFNBQVMsSUFBSSxhQUFhLEVBQUUsQ0FBQztvQkFDdEMsSUFBSSxTQUFTLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQzt3QkFDdkIsT0FBTyxJQUFJLENBQUM7b0JBQ2QsQ0FBQztnQkFDSCxDQUFDO2dCQUNELG1CQUFtQjtnQkFDbkIsS0FBSyxNQUFNLFFBQVEsSUFBSSxTQUFTLEVBQUUsQ0FBQztvQkFDakMsSUFBSSxRQUFRLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQzt3QkFDdEIsT0FBTyxLQUFLLENBQUM7b0JBQ2YsQ0FBQztnQkFDSCxDQUFDO1lBQ0gsQ0FBQztZQUNELGdCQUFnQjtZQUNoQixPQUFPLElBQUksQ0FBQztRQUNkLENBQUMsQ0FBQztJQUNKLENBQUM7SUFFRCx3RUFBd0U7SUFDeEUsTUFBTSxDQUFDLGVBQWUsR0FBRyxNQUFNLENBQUMsZUFBZSxJQUFJLEVBQUUsQ0FBQztJQUN0RCxNQUFNLENBQUMsZUFBZSxHQUFHLE1BQU0sQ0FBQyxlQUFlLENBQUMsR0FBRyxDQUFDLENBQUMsTUFBYyxFQUFFLEVBQUUsQ0FBQyxNQUFNLENBQUMsV0FBVyxFQUFFLENBQUMsQ0FBQztJQUU5RixNQUFNLENBQUMsaUJBQWlCLEdBQUcsTUFBTSxDQUFDLGlCQUFpQixJQUFJLEVBQUUsQ0FBQztJQUMxRCxNQUFNLENBQUMsaUJBQWlCLEdBQUcsTUFBTSxDQUFDLGlCQUFpQixDQUFDLEdBQUcsQ0FBQyxDQUFDLFFBQWdCLEVBQUUsRUFBRSxDQUFDLFFBQVEsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDO0lBRXRHLGlEQUFpRDtJQUNqRCxJQUFJLE1BQU0sQ0FBQyxJQUFJLElBQUksTUFBTSxDQUFDLElBQUksQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO1FBQ2hELE1BQU0sQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsQ0FBQyxHQUFXLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDO0lBQ3RHLENBQUM7SUFFRCwrRUFBK0U7SUFDL0UsK0ZBQStGO0lBQy9GLE1BQU0sb0JBQW9CLEdBQUcsSUFBSSxHQUFHLENBQUMsTUFBTSxDQUFDLGlCQUFpQixDQUFDLENBQUM7SUFDL0Qsb0JBQW9CLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ2pDLG9CQUFvQixDQUFDLEdBQUcsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUNsQyxvQkFBb0IsQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDakMsb0JBQW9CLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBRWpDLE1BQU0sQ0FBQyxjQUFjLENBQUMsTUFBTSxFQUFFLHdCQUF3QixFQUFFO1FBQ3RELEtBQUssRUFBRSxvQkFBb0I7UUFDM0IsVUFBVSxFQUFFLEtBQUs7S0FDbEIsQ0FBQyxDQUFDO0FBQ0wsQ0FBQztBQUVELE1BQU0sVUFBVSxVQUFVLENBQUMsR0FBVyxFQUFFLElBQVk7SUFDbEQsSUFBSSxDQUFDO1FBQ0gsTUFBTSxNQUFNLEdBQUcsSUFBSSxHQUFHLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDNUIsT0FBTyxPQUFPLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxJQUFJLENBQUMsQ0FBQztJQUNuQyxDQUFDO0lBQUMsTUFBTSxDQUFDO1FBQ1AsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0FBQ0gsQ0FBQztBQUVELFNBQVMsV0FBVyxDQUFDLEVBQVU7SUFDN0IsSUFBSSxFQUFFLENBQUMsVUFBVSxDQUFDLEVBQUUsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxVQUFVLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQztRQUMzQyxPQUFPLENBQUMsT0FBZSxFQUFFLEVBQUUsQ0FBQyxPQUFPLEtBQUssRUFBRSxDQUFDO0lBQzdDLENBQUM7SUFDRCxPQUFPLEVBQUUsQ0FBQyxVQUFVLENBQUMsRUFBRSxDQUFDLENBQUMsUUFBUSxDQUFDO0FBQ3BDLENBQUMifQ==

package/dist/types.d.ts

@@ -1,38 +1,36 @@
-import { SecurityConfig, SecurityHelperConfig } from "./config/config.default.js";
-import { HttpClientOptions, HttpClientRequestURL, HttpClientResponse } from "./lib/extend/safe_curl.js";
-
-//#region src/types.d.ts
+import type { SecurityConfig, SecurityHelperConfig } from './config/config.default.ts';
+import type { HttpClientRequestURL, HttpClientResponse, HttpClientOptions } from './lib/extend/safe_curl.ts';
 declare module 'egg' {
-  interface EggAppConfig {
-    /**
-     * security options
-     * @member Config#security
-     */
-    security: SecurityConfig;
-    helper: SecurityHelperConfig;
-  }
-  interface Agent {
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-  }
-  interface Application {
-    injectCsrf(html: string): string;
-    injectNonce(html: string): string;
-    injectHijackingDefense(html: string): string;
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-  }
-  interface Context {
-    get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
-    isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
-    get nonce(): string;
-    get csrf(): string;
-    ensureCsrfSecret(rotate?: boolean): void;
-    rotateCsrfSecret(): void;
-    assertCsrf(): void;
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-    unsafeRedirect(url: string, alt?: string): void;
-  }
-  interface Response {
-    unsafeRedirect(url: string, alt?: string): void;
-    redirect(url: string, alt?: string): void;
-  }
-}
+    interface EggAppConfig {
+        /**
+         * security options
+         * @member Config#security
+         */
+        security: SecurityConfig;
+        helper: SecurityHelperConfig;
+    }
+    interface Agent {
+        safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+    }
+    interface Application {
+        injectCsrf(html: string): string;
+        injectNonce(html: string): string;
+        injectHijackingDefense(html: string): string;
+        safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+    }
+    interface Context {
+        get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
+        isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
+        get nonce(): string;
+        get csrf(): string;
+        ensureCsrfSecret(rotate?: boolean): void;
+        rotateCsrfSecret(): void;
+        assertCsrf(): void;
+        safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+        unsafeRedirect(url: string, alt?: string): void;
+    }
+    interface Response {
+        unsafeRedirect(url: string, alt?: string): void;
+        redirect(url: string, alt?: string): void;
+    }
+}

package/dist/types.js

@@ -1 +1,2 @@
-export {  };
+export {};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvdHlwZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiJ9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eggjs/security",
-  "version": "5.0.0-beta.19",
+  "version": "5.0.0-beta.21",
   "type": "module",
   "publishConfig": {
     "access": "public"
@@ -84,7 +84,7 @@
     "zod": "^3.24.1"
   },
   "peerDependencies": {
-    "egg": "4.1.0-beta.19"
+    "egg": "4.1.0-beta.21"
   },
   "devDependencies": {
     "@types/escape-html": "^1.0.4",
@@ -100,9 +100,9 @@
     "tsdown": "^0.15.4",
     "typescript": "^5.9.3",
     "vitest": "4.0.0-beta.16",
-    "@eggjs/mock": "7.0.0-beta.19",
-    "@eggjs/supertest": "9.0.0-beta.19",
-    "@eggjs/tsconfig": "3.1.0-beta.19"
+    "@eggjs/mock": "7.0.0-beta.21",
+    "@eggjs/tsconfig": "3.1.0-beta.21",
+    "@eggjs/supertest": "9.0.0-beta.21"
   },
   "files": [
     "dist"
@@ -111,7 +111,7 @@
   "module": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "scripts": {
-    "build": "tsdown",
+    "build": "tsdown && rimraf dist && tsc -b --clean && tsc",
     "typecheck": "tsc --noEmit",
     "lint": "oxlint --type-aware",
     "lint:fix": "npm run lint -- --fix",