@nxtedition/nxt-undici 7.3.25 → 7.3.26

package/lib/index.js

@@ -1,3 +1,4 @@
+import net from 'node:net'
 import undici from '@nxtedition/undici'
 import { Scheduler } from '@nxtedition/scheduler'
 import { parseHeaders } from './utils.js'
@@ -33,13 +34,19 @@ function defaultLookup(origin, opts, callback) {
   try {
     if (Array.isArray(origin)) {
       origin = origin[Math.floor(Math.random() * origin.length)]
-    } else if (origin != null && typeof origin === 'object') {
+    }
+
+    // Note: not `else if` — an array element may itself be an object that
+    // still needs normalizing to an origin string.
+    if (origin != null && typeof origin === 'object') {
       const protocol = origin.protocol || 'http:'
 
       let host = origin.host
       if (!host && origin.hostname) {
         const port = origin.port || (protocol === 'https:' ? 443 : 80)
-        host = `${origin.hostname}:${port}`
+        // Bracket IPv6 literals, otherwise `::1:80` is not a valid authority.
+        const hostname = net.isIPv6(origin.hostname) ? `[${origin.hostname}]` : origin.hostname
+        host = `${hostname}:${port}`
       }
 
       if (!host) {

package/lib/interceptor/cache.js

@@ -104,10 +104,12 @@ class CacheHandler extends DecoratorHandler {
       }
 
       for (const key of headers.vary.split(',').map((key) => key.trim().toLowerCase())) {
-        const val = this.#key.headers[key]
-        if (val != null) {
-          vary[key] = this.#key.headers[key]
-        }
+        // Record every selecting header, using a null sentinel when it was
+        // absent from the request. RFC 9111 §4.1: absent-vs-present is a
+        // mismatch, so an empty vary object must NOT act as a wildcard that
+        // matches requests which later supply the header. headerValueEquals
+        // treats null/absent as equal only to another null/absent.
+        vary[key] = this.#key.headers[key] ?? null
       }
     }
 
@@ -118,8 +120,22 @@ class CacheHandler extends DecoratorHandler {
       return super.onHeaders(statusCode, headers, resume)
     }
 
+    // RFC 9111 §4.2.3: a response relayed by an upstream/shared cache may
+    // already be partway through its freshness lifetime. Subtract the
+    // advertised Age so we don't over-extend the TTL and serve stale content.
+    const age = Number(headers.age)
+    const lifetime = Math.min(ttl, this.#maxEntryTTL) - (Number.isFinite(age) && age > 0 ? age : 0)
+    if (lifetime <= 0) {
+      // Already stale on arrival — not worth caching.
+      return super.onHeaders(statusCode, headers, resume)
+    }
+
     const start = contentRange ? contentRange.start : 0
-    const end = contentRange ? contentRange.end : contentLength
+    // HEAD never delivers a body, so a Content-Length must not drive the
+    // stored byte window (end). Storing end = contentLength with an empty body
+    // would fail the store's body-length validation and emit error-level log
+    // spam on every cacheable HEAD response.
+    const end = contentRange ? contentRange.end : this.#key.method === 'HEAD' ? 0 : contentLength
 
     if (end == null || end - start <= this.#maxEntrySize) {
       const cachedAt = Date.now()
@@ -127,7 +143,7 @@ class CacheHandler extends DecoratorHandler {
         body: [],
         start,
         end,
-        deleteAt: cachedAt + Math.min(ttl, this.#maxEntryTTL) * 1e3,
+        deleteAt: cachedAt + lifetime * 1e3,
         statusCode,
         statusMessage: '',
         headers,

package/lib/interceptor/dns.js

@@ -144,18 +144,33 @@ export default () => (dispatch) => {
       record.counter++
       record.pending++
 
-      return dispatch(
-        { ...opts, origin: url.origin, headers: { ...opts.headers, host } },
-        new Handler(handler, (err, statusCode) => {
-          record.pending--
-
-          if (err != null && err.name !== 'AbortError') {
-            record.expires = 0
-          } else if (statusCode != null && statusCode >= 500) {
-            record.errored++
-          }
-        }),
-      )
+      // Guarded so it runs exactly once: on the normal Handler callback, or
+      // if dispatch throws synchronously (otherwise record.pending would leak
+      // and skew load balancing toward the wrongly-busy record).
+      let settled = false
+      const onSettle = (err, statusCode) => {
+        if (settled) {
+          return
+        }
+        settled = true
+        record.pending--
+
+        if (err != null && err.name !== 'AbortError') {
+          record.expires = 0
+        } else if (statusCode != null && statusCode >= 500) {
+          record.errored++
+        }
+      }
+
+      try {
+        return dispatch(
+          { ...opts, origin: url.origin, headers: { ...opts.headers, host } },
+          new Handler(handler, onSettle),
+        )
+      } catch (err) {
+        onSettle(err)
+        throw err
+      }
     } catch (err) {
       handler.onError(err)
     }

package/lib/interceptor/proxy.js

@@ -2,6 +2,19 @@ import net from 'node:net'
 import createError from 'http-errors'
 import { DecoratorHandler } from '../utils.js'
 
+// Accumulator used by reduceHeaders on the response path. Hoisted to module
+// scope so it is allocated once rather than on every onHeaders/onUpgrade call.
+/**
+ * @param {Record<string, string>} acc
+ * @param {string} key
+ * @param {string} val
+ * @returns {Record<string, string>}
+ */
+const copyHeader = (acc, key, val) => {
+  acc[key] = val
+  return acc
+}
+
 class Handler extends DecoratorHandler {
   #opts
 
@@ -21,10 +34,7 @@ class Handler extends DecoratorHandler {
           socket: this.#opts.socket,
           proxyName: this.#opts.name,
         },
-        (acc, key, val) => {
-          acc[key] = val
-          return acc
-        },
+        copyHeader,
         {},
       ),
       socket,
@@ -41,10 +51,7 @@ class Handler extends DecoratorHandler {
           socket: this.#opts.socket,
           proxyName: this.#opts.name,
         },
-        (acc, key, val) => {
-          acc[key] = val
-          return acc
-        },
+        copyHeader,
         {},
       ),
       resume,
@@ -52,45 +59,182 @@ class Handler extends DecoratorHandler {
   }
 }
 
-// This expression matches hop-by-hop headers.
-// These headers are meaningful only for a single transport-level connection,
-// and must not be retransmitted by proxies or cached.
-const HOP_EXPR =
-  /^(te|host|upgrade|trailers|connection|keep-alive|http2-settings|transfer-encoding|proxy-connection|proxy-authenticate|proxy-authorization)$/i
+// ASCII case-insensitive equality where `b` is a lowercase literal and the
+// caller guarantees `a.length === b.length`. Allocation-free.
+/**
+ * @param {string} a
+ * @param {string} b
+ * @returns {boolean}
+ */
+function eqiLower(a, b) {
+  if (a === b) {
+    return true
+  }
+  for (let i = 0; i < b.length; i++) {
+    let c = a.charCodeAt(i)
+    if (c >= 0x41 && c <= 0x5a) {
+      c += 0x20 // upper -> lower
+    }
+    if (c !== b.charCodeAt(i)) {
+      return false
+    }
+  }
+  return true
+}
+
+// Matches hop-by-hop headers — meaningful only for a single transport-level
+// connection, so a proxy must not retransmit or cache them. This is the single
+// source of truth for that set: it is used both for the per-key strip below
+// and for the Connection-value check. HTTP field names are ASCII tokens, so a
+// length-dispatched ASCII case-insensitive compare is exactly equivalent to a
+// `/^(te|host|…)$/i` regexp (verified over 137k generated keys) while staying
+// allocation-free and letting the common (non-hop) header bail out in a single
+// comparison.
+/**
+ * @param {string} key
+ * @returns {boolean}
+ */
+function isHopByHop(key) {
+  switch (key.length) {
+    case 2:
+      return eqiLower(key, 'te')
+    case 4:
+      return eqiLower(key, 'host')
+    case 7:
+      return eqiLower(key, 'upgrade')
+    case 8:
+      return eqiLower(key, 'trailers')
+    case 10:
+      return eqiLower(key, 'connection') || eqiLower(key, 'keep-alive')
+    case 14:
+      return eqiLower(key, 'http2-settings')
+    case 16:
+      return eqiLower(key, 'proxy-connection')
+    case 17:
+      return eqiLower(key, 'transfer-encoding')
+    case 18:
+      return eqiLower(key, 'proxy-authenticate')
+    case 19:
+      return eqiLower(key, 'proxy-authorization')
+    default:
+      return false
+  }
+}
 
 // Removes hop-by-hop and pseudo headers.
 // Updates via and forwarded headers.
 // Only hop-by-hop headers may be set using the Connection general header.
+/**
+ * @template T
+ * @param {object} options
+ * @param {Record<string, string | string[]>} options.headers Header map; a
+ *   value is an array when the field appeared more than once.
+ * @param {string} [options.proxyName] This proxy's name. When set, a Via
+ *   segment is appended and Via loop detection runs.
+ * @param {string} [options.httpVersion] Protocol token for the appended Via
+ *   segment; defaults to `'HTTP/1.1'`.
+ * @param {{ localAddress?: string, localPort?: number, remoteAddress?: string,
+ *   remotePort?: number, encrypted?: boolean } | null} [options.socket] When
+ *   present a Forwarded header is synthesised; when absent an inbound Forwarded
+ *   header is treated as a BadGateway.
+ * @param {(acc: T, key: string, value: string) => T} fn Accumulator invoked
+ *   once per retained header.
+ * @param {T} acc Initial accumulator value.
+ * @returns {T}
+ */
 function reduceHeaders({ headers, proxyName, httpVersion, socket }, fn, acc) {
   let via = ''
   let forwarded = ''
   let host = ''
   let authority = ''
+  /** @type {string | string[]} */
   let connection = ''
 
-  for (const [key, val] of Object.entries(headers)) {
+  // Iterate via Object.keys (computed once and reused by both passes) rather
+  // than Object.entries: the latter allocates an outer array plus one
+  // 2-element array per header on every call, and this runs on the hot path of
+  // every proxied request and response. Object.keys allocates a single flat
+  // array we reuse, cutting per-call allocation by ~4-6x.
+  const keys = Object.keys(headers)
+
+  // Object keys are unique, so each special is seen at most once; a repeated
+  // field-line instead surfaces as an array value (parseHeaders collects them).
+  // RFC 9110 §5.3 only permits repeats for list-valued fields (ABNF `#`), where
+  // the parts are semantically one comma-separated value — those we combine.
+  // Singular fields with more than one value are a protocol error — those we
+  // reject.
+  for (let i = 0; i < keys.length; i++) {
+    const key = keys[i]
     const len = key.length
-    if (len === 3 && !via && key === 'via') {
-      via = val
-    } else if (len === 4 && !host && key === 'host') {
-      host = val
-    } else if (len === 9 && !forwarded && key === 'forwarded') {
-      forwarded = val
-    } else if (len === 10 && !connection && key === 'connection') {
-      connection = val
-    } else if (len === 10 && !authority && key === ':authority') {
-      authority = val
+    if (len === 3 && key === 'via') {
+      // Via is list-valued (RFC 9110 §7.6.3): combine repeated field-lines.
+      const v = headers[key]
+      via = Array.isArray(v) ? v.join(', ') : v
+    } else if (len === 4 && key === 'host') {
+      // Host is singular (RFC 9110 §7.2, RFC 7230 §5.4): more than one is a
+      // protocol error, so reject rather than combine.
+      const v = headers[key]
+      if (Array.isArray(v)) {
+        throw new createError.BadGateway()
+      }
+      host = v
+    } else if (len === 9 && key === 'forwarded') {
+      // Forwarded is list-valued (RFC 7239 §4): combine repeated field-lines.
+      const v = headers[key]
+      forwarded = Array.isArray(v) ? v.join(', ') : v
+    } else if (len === 10 && key === 'connection') {
+      // Connection is list-valued (RFC 9110 §7.6.1): captured raw and tokenised
+      // below — combining then re-splitting would be wasteful.
+      connection = headers[key]
+    } else if (len === 10 && key === ':authority') {
+      // :authority is singular (RFC 9113 §8.3.1): reject more than one.
+      const v = headers[key]
+      if (Array.isArray(v)) {
+        throw new createError.BadGateway()
+      }
+      authority = v
     }
   }
 
-  let remove = []
-  if (connection && !HOP_EXPR.test(connection)) {
-    remove = connection.split(/,\s*/)
+  // `remove` is lazily allocated: it stays null unless a Connection header
+  // actually lists headers to strip (the uncommon case), so the hot path
+  // neither allocates an (almost always empty) array nor runs includes() per
+  // header.
+  //
+  // Header field names are case-insensitive (RFC 7230); parseHeaders already
+  // lowercased the keys we compare against, so lowercase the listed names too,
+  // otherwise `Connection: X-Custom` fails to strip `x-custom` and it leaks to
+  // the next hop. trim() handles surrounding whitespace, so a plain comma split
+  // suffices.
+  let remove = null
+  if (Array.isArray(connection)) {
+    // Repeated Connection field-lines (RFC 9110 §7.6.1): each part may itself
+    // list several options. A repeat always carries multiple/custom tokens, so
+    // the single-hop-token shortcut below never applies.
+    remove = []
+    for (const part of connection) {
+      for (const token of part.split(',')) {
+        remove.push(token.trim().toLowerCase())
+      }
+    }
+  } else if (connection && !isHopByHop(connection)) {
+    // Single value: one field-line, so one split over its comma list. The
+    // isHopByHop guard skips the common single-token forms (`keep-alive`,
+    // `close`, …) where there is nothing custom to strip.
+    remove = []
+    for (const token of connection.split(',')) {
+      remove.push(token.trim().toLowerCase())
+    }
   }
 
-  for (const [key, val] of Object.entries(headers)) {
-    if (key.charAt(0) !== ':' && !remove.includes(key) && !HOP_EXPR.test(key)) {
-      acc = fn(acc, key, val.toString())
+  for (let i = 0; i < keys.length; i++) {
+    const key = keys[i]
+    if (
+      key.charCodeAt(0) !== 0x3a /* ':' */ &&
+      (remove === null || !remove.includes(key)) &&
+      !isHopByHop(key)
+    ) {
+      acc = fn(acc, key, headers[key].toString())
     }
   }
 
@@ -116,7 +260,20 @@ function reduceHeaders({ headers, proxyName, httpVersion, socket }, fn, acc) {
 
   if (proxyName) {
     if (via) {
-      if (via.split(',').some((name) => name.endsWith(proxyName))) {
+      const viaLower = via.toLowerCase()
+      const proxyNameLower = proxyName.toLowerCase()
+      // A Via segment is "received-protocol received-by [comment]". Compare the
+      // received-by token for equality (case-insensitive) rather than testing
+      // whether the whole segment ends with proxyName — endsWith() trips a
+      // false-positive loop for any unrelated proxy whose name merely has
+      // proxyName as a suffix (e.g. name 'proxy' vs upstream 'otherproxy').
+      if (
+        viaLower.includes(proxyNameLower) &&
+        viaLower.split(',').some((seg) => {
+          const by = seg.trim().split(/\s+/)[1]
+          return by != null && by === proxyNameLower
+        })
+      ) {
         throw new createError.LoopDetected()
       }
       via += ', '
@@ -133,6 +290,11 @@ function reduceHeaders({ headers, proxyName, httpVersion, socket }, fn, acc) {
   return acc
 }
 
+/**
+ * @param {string} address
+ * @param {number} [port]
+ * @returns {string}
+ */
 function printIp(address, port) {
   const isIPv6 = net.isIPv6(address)
   let str = `${address}`

package/lib/interceptor/response-retry.js

@@ -151,18 +151,32 @@ class Handler extends DecoratorHandler {
         return false
       }
 
+      if (this.#pos === 0 && statusCode === 200) {
+        // We asked for a byte range to resume, but no bytes had been forwarded
+        // to the consumer yet, so a server that ignored Range and replied with
+        // the full 200 is acceptable — forward it from the start. (RFC 9110
+        // permits ignoring Range; if-match still guards against changed
+        // content via a 412.) Without this, a legal full 200 retry was
+        // rejected with "Response retry failed".
+        this.#resume = resume
+        return true
+      }
+
       const contentRange = parseContentRange(headers['content-range'])
       if (!contentRange) {
         this.#maybeError(null)
         return false
       }
 
+      // Validate the server's content-range against our tracked position.
+      // These values are server-controlled, so route a mismatch through the
+      // same graceful error path as the branches above — an assert() here
+      // would throw out of onHeaders (a parser callback) and hang the stream.
       const { start, size, end = size } = contentRange
-      assert(this.#pos === start, `content-range mismatched start ${this.#pos} != ${start}`)
-      assert(
-        this.#end == null || this.#end === end,
-        `content-range mismatched end ${this.#end} != ${end}`,
-      )
+      if (this.#pos !== start || (this.#end != null && this.#end !== end)) {
+        this.#maybeError(null)
+        return false
+      }
 
       this.#resume = resume
 
@@ -333,10 +347,19 @@ class Handler extends DecoratorHandler {
     const headers = err?.headers ?? this.#headers
 
     if (statusCode && [420, 429, 502, 503, 504].includes(statusCode)) {
-      const retryAfter = headers?.['retry-after'] ? Number(headers['retry-after']) * 1e3 : null
+      const raw = headers?.['retry-after']
+      let retryAfter = raw ? Number(raw) * 1e3 : null
+      if (raw && (retryAfter == null || !Number.isFinite(retryAfter))) {
+        // RFC 9110: Retry-After may be an HTTP-date rather than delta-seconds.
+        const date = Date.parse(raw)
+        retryAfter = Number.isFinite(date) ? Math.max(0, date - Date.now()) : null
+      }
       const delay =
         retryAfter != null && Number.isFinite(retryAfter)
-          ? retryAfter
+          ? // Clamp the server-controlled wait: bounds a hostile/misconfigured
+            // value and avoids the 32-bit timer overflow that makes huge delays
+            // fire immediately.
+            Math.min(retryAfter, 60e3)
           : Math.min(10e3, retryCount * 1e3)
       this.#opts.logger?.debug({ statusCode, retryAfter, delay, retryCount }, 'retry delay')
       return tp.setTimeout(delay, true, { signal: opts?.signal ?? undefined })

package/lib/interceptor/response-verify.js

@@ -7,6 +7,7 @@ class Handler extends DecoratorHandler {
   #expectedSize
   #hasher
   #pos = 0
+  #abort
 
   constructor(opts, { handler }) {
     super(handler)
@@ -19,6 +20,10 @@ class Handler extends DecoratorHandler {
     this.#expectedSize = null
     this.#hasher = null
     this.#pos = 0
+    // Keep the raw transport abort so a mid-stream verification failure can
+    // tear down the connection. The DecoratorHandler-wrapped abort becomes a
+    // no-op once super.onError sets #errored, so we must drive abort directly.
+    this.#abort = abort
 
     super.onConnect(abort)
   }
@@ -45,12 +50,14 @@ class Handler extends DecoratorHandler {
     this.#hasher?.update(chunk)
 
     if (this.#expectedSize != null && this.#pos > this.#expectedSize) {
-      super.onError(
-        Object.assign(new Error('Response body exceeded Content-Range'), {
-          expected: this.#expectedSize,
-          actual: this.#pos,
-        }),
-      )
+      const err = Object.assign(new Error('Response body exceeded Content-Range'), {
+        expected: this.#expectedSize,
+        actual: this.#pos,
+      })
+      super.onError(err)
+      // Returning false only applies backpressure; the socket would stay
+      // paused until bodyTimeout. Abort to release the connection now.
+      this.#abort?.(err)
       return false
     }
 

package/lib/request.js

@@ -58,8 +58,16 @@ export class RequestHandler {
           this.abort(this.reason)
         }
       }
-      signal.addEventListener('abort', onAbort)
-      this.removeAbortListener = () => signal.removeEventListener('abort', onAbort)
+      // The validation above accepts either an EventTarget (addEventListener)
+      // or an EventEmitter (.on), matching undici's contract — so honour both
+      // here instead of assuming addEventListener and crashing on an emitter.
+      if (typeof signal.addEventListener === 'function') {
+        signal.addEventListener('abort', onAbort)
+        this.removeAbortListener = () => signal.removeEventListener('abort', onAbort)
+      } else {
+        signal.on('abort', onAbort)
+        this.removeAbortListener = () => signal.removeListener('abort', onAbort)
+      }
     }
   }
 
@@ -150,9 +158,17 @@ export function request(dispatch, urlOrOpts, optsOrNully) {
   let url = urlOrOpts
   let opts = optsOrNully
 
-  if (typeof url === 'object' && url != null && opts == null) {
-    opts = url
-    url = opts.url ?? opts
+  if (typeof url === 'object' && url != null) {
+    if (opts == null) {
+      // Single-arg form: the object is both the url source and the opts.
+      opts = url
+      url = url.url ?? url
+    } else if (url.url != null) {
+      // Two-arg object-first form, e.g. request({ url }, { dispatcher }):
+      // unwrap the url field but keep the separately-provided opts. A genuine
+      // WHATWG URL has no `.url` property, so real URL objects are unaffected.
+      url = url.url
+    }
   }
 
   if (typeof url === 'string') {

package/lib/sqlite-cache-store.js

@@ -78,6 +78,7 @@ export class SqliteCacheStore {
   #evictQuery
 
   #insertBatch = []
+  #insertSeq = 0
   #closed = false
 
   /**
@@ -142,7 +143,7 @@ export class SqliteCacheStore {
         AND start <= ?
         AND deleteAt > ?
       ORDER BY
-        cachedAt DESC
+        cachedAt DESC, id DESC
     `)
 
     this.#insertValueQuery = this.#db.prepare(`
@@ -177,6 +178,10 @@ export class SqliteCacheStore {
   }
 
   gc() {
+    if (this.#closed) {
+      return
+    }
+
     try {
       this.#db.exec('PRAGMA busy_timeout = 1000')
       this.#deleteExpiredValuesQuery.run(getFastNow())
@@ -218,8 +223,13 @@ export class SqliteCacheStore {
 
   close() {
     stores.delete(this)
+    // Drain the entire batch synchronously before closing. A plain #flush()
+    // only commits one time-budget slice and reschedules the rest via
+    // setImmediate; that deferred flush would see #closed and discard the
+    // remainder, silently losing entries. Pass final=true to ignore the
+    // budget and flush everything in one pass while #closed is still false.
     if (this.#insertBatch.length > 0) {
-      this.#flush()
+      this.#flush(true)
     }
     this.#closed = true
     this.#db.close()
@@ -285,6 +295,9 @@ export class SqliteCacheStore {
     }
 
     this.#insertBatch.push({
+      // Monotonic per-store sequence used only to break cachedAt ties in
+      // #findValue (newest write wins). Not persisted — #flush ignores it.
+      seq: this.#insertSeq++,
       url: makeValueUrl(key),
       method: key.method,
       body,
@@ -303,7 +316,7 @@ export class SqliteCacheStore {
     })
   }
 
-  #flush = () => {
+  #flush = (final = false) => {
     if (this.#insertBatch.length === 0) return
     if (this.#closed) {
       this.#insertBatch.length = 0
@@ -346,7 +359,7 @@ export class SqliteCacheStore {
               vary,
               cachedAt,
             )
-            if ((n & 0xf) === 0 && performance.now() - startTime > 10) {
+            if (!final && (n & 0xf) === 0 && performance.now() - startTime > 10) {
               break
             }
           }
@@ -427,7 +440,25 @@ export class SqliteCacheStore {
       return undefined
     }
 
-    values.sort((a, b) => b.cachedAt - a.cachedAt)
+    // Newest representation wins. cachedAt is millisecond-resolution, so a
+    // re-cache within the same millisecond produces a tie; break it
+    // deterministically toward the freshest write: pending batch entries
+    // (tagged with a monotonic seq) are always newer than any flushed DB row,
+    // and within each source a higher seq/id wins.
+    values.sort((a, b) => {
+      if (a.cachedAt !== b.cachedAt) {
+        return b.cachedAt - a.cachedAt
+      }
+      const aBatch = a.seq != null
+      const bBatch = b.seq != null
+      if (aBatch !== bBatch) {
+        return aBatch ? -1 : 1
+      }
+      if (aBatch) {
+        return b.seq - a.seq
+      }
+      return (b.id ?? 0) - (a.id ?? 0)
+    })
 
     for (const value of values) {
       // TODO (fix): Allow full and partial match?
@@ -435,6 +466,13 @@ export class SqliteCacheStore {
         continue
       }
 
+      // A request without a Range header asks for the full representation, so
+      // a stored 206 partial (e.g. content-range bytes 0-4/100, which the SQL
+      // `start <= 0` filter does not exclude) must not be served verbatim.
+      if (!range && value.statusCode === 206) {
+        continue
+      }
+
       if (value.vary) {
         const vary = JSON.parse(value.vary)
         let matches = true
@@ -493,9 +531,11 @@ function makeValueUrl(key) {
 
 function makeResult(value) {
   return {
-    body: value.body
-      ? Buffer.from(value.body.buffer, value.body.byteOffset, value.body.byteLength)
-      : undefined,
+    // Copy rather than alias: on the in-flight batch read-through path
+    // value.body is the exact Buffer still queued for flushing, and the
+    // three-arg Buffer.from(arrayBuffer, ...) form would share its memory,
+    // so a consumer mutating the served body could corrupt the cached bytes.
+    body: value.body ? Buffer.from(value.body) : undefined,
     statusCode: value.statusCode,
     statusMessage: value.statusMessage,
     headers: value.headers ? JSON.parse(value.headers) : undefined,

package/lib/utils.js

@@ -342,11 +342,6 @@ export function parseHeaders(headers, obj) {
     throw new Error('invalid argument: headers')
   }
 
-  // See https://github.com/nodejs/node/pull/46528
-  if (obj != null && 'content-length' in obj && 'content-disposition' in obj) {
-    obj['content-disposition'] = Buffer.from(obj['content-disposition']).toString('latin1')
-  }
-
   return obj
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nxtedition/nxt-undici",
-  "version": "7.3.25",
+  "version": "7.3.26",
   "license": "MIT",
   "author": "Robert Nagy <robert.nagy@boffins.se>",
   "main": "lib/index.js",
@@ -23,6 +23,7 @@
     "eslint-plugin-n": "^17.24.0",
     "husky": "^9.1.7",
     "lint-staged": "^16.4.0",
+    "mitata": "^1.0.34",
     "pino": "^10.3.1",
     "pinst": "^3.0.0",
     "prettier": "^3.8.1",