cdk-common 2.1.33 → 2.1.35

package/.jsii

@@ -3943,7 +3943,7 @@
     "stability": "experimental"
   },
   "homepage": "https://github.com/neilkuan/cdk-common.git",
-  "jsiiVersion": "5.9.37 (build 5176c0d)",
+  "jsiiVersion": "5.9.39 (build cdf85b4)",
   "keywords": [
     "aws",
     "aws-cdk",
@@ -12984,6 +12984,6 @@
       "symbolId": "src/main:LambdaArmFunctionProps"
     }
   },
-  "version": "2.1.33",
-  "fingerprint": "TZIlr4chMoocsv+OgvSlkzU61k1HDWVIPNW4uujRGqA="
+  "version": "2.1.35",
+  "fingerprint": "NFDErK/8HKOBmjwZW7YyqvfsSvofOt2FOB5Or/og6Os="
 }

package/lib/main.js

@@ -38,5 +38,5 @@ class LambdaArmFunction extends constructs_1.Construct {
 }
 exports.LambdaArmFunction = LambdaArmFunction;
 _a = JSII_RTTI_SYMBOL_1;
-LambdaArmFunction[_a] = { fqn: "cdk-common.LambdaArmFunction", version: "2.1.33" };
+LambdaArmFunction[_a] = { fqn: "cdk-common.LambdaArmFunction", version: "2.1.35" };
 //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibWFpbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3NyYy9tYWluLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7O0FBQUEsbUNBQW1DO0FBQ25DLGlEQUFpRDtBQUNqRCwyQ0FBdUM7QUFLdkMsTUFBYSxpQkFBa0IsU0FBUSxzQkFBUztJQUU5QyxZQUFZLEtBQWdCLEVBQUUsRUFBVSxFQUFFLEtBQTRCO1FBQ3BFLEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFFakIsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQXlCO1lBQ3RELENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLEVBQUUsbUNBQW1DLENBQUM7WUFDakUsQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLFdBQVcsRUFBRSxtQ0FBbUMsQ0FBQztZQUNqRSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsV0FBVyxFQUFFLG1DQUFtQyxDQUFDO1lBQ2pFLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLEVBQUUsa0NBQWtDLENBQUM7WUFDaEUsQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLFdBQVcsRUFBRSxrQ0FBa0MsQ0FBQztZQUNoRSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsV0FBVyxFQUFFLGtDQUFrQyxDQUFDO1lBQ2hFLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLEVBQUUsa0NBQWtDLENBQUM7WUFDaEUsQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLE9BQU8sRUFBRSw4QkFBOEIsQ0FBQztZQUN4RCxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsT0FBTyxFQUFFLDhCQUE4QixDQUFDO1lBQ3hELENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxRQUFRLEVBQUUsNkJBQTZCLENBQUM7WUFDeEQsQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLFFBQVEsRUFBRSwrQkFBK0IsQ0FBQztZQUMxRCxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsUUFBUSxFQUFFLCtCQUErQixDQUFDO1NBQzNELENBQUMsQ0FBQztRQUVILE1BQU0sT0FBTyxHQUFHLGVBQWUsQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ25ELElBQUksT0FBTyxFQUFFLENBQUM7WUFDWixHQUFHLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDL0MsQ0FBQzthQUFNLENBQUM7WUFDTixNQUFNLElBQUksS0FBSyxDQUFDLG1CQUFtQixLQUFLLENBQUMsT0FBTyx1R0FBdUcsQ0FBQyxDQUFDO1FBQzNKLENBQUM7UUFFRCxJQUFJLENBQUMsY0FBYyxHQUFHLElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsZ0JBQWdCLEVBQUU7WUFDaEUsWUFBWSxFQUFFLEtBQUssQ0FBQyxZQUFZLElBQUksTUFBTSxDQUFDLFlBQVksQ0FBQyxNQUFNO1lBQzlELEdBQUcsS0FBSztTQUNULENBQUMsQ0FBQztJQUNMLENBQUM7O0FBL0JILDhDQWdDQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIGNkayBmcm9tICdhd3MtY2RrLWxpYic7XG5pbXBvcnQgKiBhcyBsYW1iZGEgZnJvbSAnYXdzLWNkay1saWIvYXdzLWxhbWJkYSc7XG5pbXBvcnQgeyBDb25zdHJ1Y3QgfSBmcm9tICdjb25zdHJ1Y3RzJztcbmV4cG9ydCBpbnRlcmZhY2UgTGFtYmRhQXJtRnVuY3Rpb25Qcm9wcyBleHRlbmRzIGxhbWJkYS5GdW5jdGlvblByb3BzIHtcblxufVxuXG5leHBvcnQgY2xhc3MgTGFtYmRhQXJtRnVuY3Rpb24gZXh0ZW5kcyBDb25zdHJ1Y3Qge1xuICBwdWJsaWMgcmVhZG9ubHkgbGFtYmRhRnVuY3Rpb246IGxhbWJkYS5GdW5jdGlvbjtcbiAgY29uc3RydWN0b3Ioc2NvcGU6IENvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6TGFtYmRhQXJtRnVuY3Rpb25Qcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG5cbiAgICBjb25zdCBydW50aW1lV2FybmluZ3MgPSBuZXcgTWFwPGxhbWJkYS5SdW50aW1lLCBzdHJpbmc+KFtcbiAgICAgIFtsYW1iZGEuUnVudGltZS5OT0RFSlNfMjJfWCwgJ1lvdSBhcmUgdXNpbmcgTm9kZS5qcyAyMi54IGF0IEFSTSddLFxuICAgICAgW2xhbWJkYS5SdW50aW1lLk5PREVKU18yMF9YLCAnWW91IGFyZSB1c2luZyBOb2RlLmpzIDIwLnggYXQgQVJNJ10sXG4gICAgICBbbGFtYmRhLlJ1bnRpbWUuTk9ERUpTXzE4X1gsICdZb3UgYXJlIHVzaW5nIE5vZGUuanMgMTgueCBhdCBBUk0nXSxcbiAgICAgIFtsYW1iZGEuUnVudGltZS5QWVRIT05fM18xMywgJ1lvdSBhcmUgdXNpbmcgUHl0aG9uIDMuMTMgYXQgQVJNJ10sXG4gICAgICBbbGFtYmRhLlJ1bnRpbWUuUFlUSE9OXzNfMTIsICdZb3UgYXJlIHVzaW5nIFB5dGhvbiAzLjEyIGF0IEFSTSddLFxuICAgICAgW2xhbWJkYS5SdW50aW1lLlBZVEhPTl8zXzExLCAnWW91IGFyZSB1c2luZyBQeXRob24gMy4xMSBhdCBBUk0nXSxcbiAgICAgIFtsYW1iZGEuUnVudGltZS5QWVRIT05fM18xMCwgJ1lvdSBhcmUgdXNpbmcgUHl0aG9uIDMuMTAgYXQgQVJNJ10sXG4gICAgICBbbGFtYmRhLlJ1bnRpbWUuSkFWQV8yMSwgJ1lvdSBhcmUgdXNpbmcgSmF2YSAyMSBhdCBBUk0nXSxcbiAgICAgIFtsYW1iZGEuUnVudGltZS5KQVZBXzE3LCAnWW91IGFyZSB1c2luZyBKYXZhIDE3IGF0IEFSTSddLFxuICAgICAgW2xhbWJkYS5SdW50aW1lLkRPVE5FVF84LCAnWW91IGFyZSB1c2luZyAuTkVUIDggYXQgQVJNJ10sXG4gICAgICBbbGFtYmRhLlJ1bnRpbWUuUlVCWV8zXzQsICdZb3UgYXJlIHVzaW5nIFJ1YnkgMy40IGF0IEFSTSddLFxuICAgICAgW2xhbWJkYS5SdW50aW1lLlJVQllfM18zLCAnWW91IGFyZSB1c2luZyBSdWJ5IDMuMyBhdCBBUk0nXSxcbiAgICBdKTtcblxuICAgIGNvbnN0IHdhcm5pbmcgPSBydW50aW1lV2FybmluZ3MuZ2V0KHByb3BzLnJ1bnRpbWUpO1xuICAgIGlmICh3YXJuaW5nKSB7XG4gICAgICBjZGsuQW5ub3RhdGlvbnMub2YodGhpcykuYWRkV2FybmluZyh3YXJuaW5nKTtcbiAgICB9IGVsc2Uge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKGBJbnZhbGlkIFJ1bnRpbWUgJHtwcm9wcy5ydW50aW1lfSBhdCBBUk0sIFNlZSBodHRwczovL2RvY3MuYXdzLmFtYXpvbi5jb20vbGFtYmRhL2xhdGVzdC9kZy9mb3VuZGF0aW9uLWFyY2guaHRtbD9pY21waWQ9ZG9jc19sYW1iZGFfcnNzYCk7XG4gICAgfVxuXG4gICAgdGhpcy5sYW1iZGFGdW5jdGlvbiA9IG5ldyBsYW1iZGEuRnVuY3Rpb24odGhpcywgJ0xhbWJkYUZ1bmN0aW9uJywge1xuICAgICAgYXJjaGl0ZWN0dXJlOiBwcm9wcy5hcmNoaXRlY3R1cmUgPz8gbGFtYmRhLkFyY2hpdGVjdHVyZS5BUk1fNjQsXG4gICAgICAuLi5wcm9wcyxcbiAgICB9KTtcbiAgfVxufVxuIl19

package/node_modules/fast-uri/.github/workflows/ci.yml

@@ -14,6 +14,11 @@ on:
       - 'docs/**'
       - '*.md'
 
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+    group: "${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+    cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -24,11 +29,11 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: '10'
           cache: 'npm'
@@ -66,11 +71,11 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: '24'
           cache: 'npm'
@@ -80,21 +85,21 @@ jobs:
       - name: Install dependencies
         run: |
           npm install --ignore-scripts
-      
+
       - if: ${{ matrix.os == 'windows-latest' }}
         run: npx playwright install winldd
 
       - name: Run browser tests
         run: |
           npm run test:browser:${{ matrix.browser }}
-  
+
   test:
     needs:
       - test-regression-check-node10
     permissions:
       contents: write
       pull-requests: write
-    uses: fastify/workflows/.github/workflows/plugins-ci.yml@v5
+    uses: fastify/workflows/.github/workflows/plugins-ci.yml@v6
     with:
       license-check: true
       lint: true

package/node_modules/fast-uri/.github/workflows/lock-threads.yml

@@ -0,0 +1,19 @@
+name: Lock Threads
+
+on:
+  schedule:
+    - cron: '0 0 1 * *'
+  workflow_dispatch:
+
+concurrency:
+  group: lock
+
+permissions:
+  contents: read
+
+jobs:
+  lock-threads:
+    permissions:
+      issues: write
+      pull-requests: write
+    uses: fastify/workflows/.github/workflows/lock-threads.yml@v6

package/node_modules/fast-uri/.github/workflows/package-manager-ci.yml

@@ -21,4 +21,4 @@ jobs:
   test:
     permissions:
       contents: read
-    uses: fastify/workflows/.github/workflows/plugins-ci-package-manager.yml@v5
+    uses: fastify/workflows/.github/workflows/plugins-ci-package-manager.yml@v6

package/node_modules/fast-uri/LICENSE

@@ -1,9 +1,7 @@
 Copyright (c) 2011-2021, Gary Court until https://github.com/garycourt/uri-js/commit/a1acf730b4bba3f1097c9f52e7d9d3aba8cdcaae
-Copyright (c) 2021-present The Fastify team
+Copyright (c) 2021-present The Fastify team <https://github.com/fastify/fastify#team>
 All rights reserved.
 
-The Fastify team members are listed at https://github.com/fastify/fastify#team.
-
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
     * Redistributions of source code must retain the above copyright

package/node_modules/fast-uri/README.md

@@ -1,13 +1,9 @@
 # fast-uri
 
-<div align="center">
-
 [![NPM version](https://img.shields.io/npm/v/fast-uri.svg?style=flat)](https://www.npmjs.com/package/fast-uri)
 [![CI](https://github.com/fastify/fast-uri/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/fastify/fast-uri/actions/workflows/ci.yml)
 [![neostandard javascript style](https://img.shields.io/badge/code_style-neostandard-brightgreen?style=flat)](https://github.com/neostandard/neostandard)
 
-</div>
-
 Dependency-free RFC 3986 URI toolbox.
 
 ## Usage
@@ -16,6 +12,8 @@ Dependency-free RFC 3986 URI toolbox.
 
 All of the above functions can accept an additional options argument that is an object that can contain one or more of the following properties:
 
+Malformed authorities and out-of-range ports are reported through the parsed component's `error` field. `normalize()` leaves malformed string inputs unchanged, and `equal()` returns `false` when either string input is malformed.
+
 *	`scheme` (string)
 	Indicates the scheme that the URI should be treated as, overriding the URI's normal scheme parsing behavior.
 
@@ -70,6 +68,17 @@ uri.resolve("uri://a/b/c/d?q", "../../g")
 "uri://a/g"
 ```
 
+### Normalize
+
+```js
+const uri = require('fast-uri')
+uri.normalize('http://example.com/a%2Fb')
+// Output
+"http://example.com/a%2Fb"
+```
+
+Reserved path escapes such as `%2F` and `%2E` are preserved as path data during normalization and comparison.
+
 ### Equal
 
 ```js

package/node_modules/fast-uri/index.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizeComponentEncoding, isIPv4, nonSimpleDomain } = require('./lib/utils')
+const { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizePercentEncoding, normalizePathEncoding, escapePreservingEscapes, reescapeHostDelimiters, isIPv4, nonSimpleDomain } = require('./lib/utils')
 const { SCHEMES, getSchemeHandler } = require('./lib/schemes')
 
 /**
@@ -11,7 +11,7 @@ const { SCHEMES, getSchemeHandler } = require('./lib/schemes')
  */
 function normalize (uri, options) {
   if (typeof uri === 'string') {
-    uri = /** @type {T} */ (serialize(parse(uri, options), options))
+    uri = /** @type {T} */ (normalizeString(uri, options))
   } else if (typeof uri === 'object') {
     uri = /** @type {T} */ (parse(serialize(uri, options), options))
   }
@@ -106,21 +106,10 @@ function resolveComponent (base, relative, options, skipNormalization) {
  * @returns {boolean}
  */
 function equal (uriA, uriB, options) {
-  if (typeof uriA === 'string') {
-    uriA = unescape(uriA)
-    uriA = serialize(normalizeComponentEncoding(parse(uriA, options), true), { ...options, skipEscape: true })
-  } else if (typeof uriA === 'object') {
-    uriA = serialize(normalizeComponentEncoding(uriA, true), { ...options, skipEscape: true })
-  }
-
-  if (typeof uriB === 'string') {
-    uriB = unescape(uriB)
-    uriB = serialize(normalizeComponentEncoding(parse(uriB, options), true), { ...options, skipEscape: true })
-  } else if (typeof uriB === 'object') {
-    uriB = serialize(normalizeComponentEncoding(uriB, true), { ...options, skipEscape: true })
-  }
+  const normalizedA = normalizeComparableURI(uriA, options)
+  const normalizedB = normalizeComparableURI(uriB, options)
 
-  return uriA.toLowerCase() === uriB.toLowerCase()
+  return normalizedA !== undefined && normalizedB !== undefined && normalizedA.toLowerCase() === normalizedB.toLowerCase()
 }
 
 /**
@@ -156,13 +145,13 @@ function serialize (cmpts, opts) {
 
   if (component.path !== undefined) {
     if (!options.skipEscape) {
-      component.path = escape(component.path)
+      component.path = escapePreservingEscapes(component.path)
 
       if (component.scheme !== undefined) {
         component.path = component.path.split('%3A').join(':')
       }
     } else {
-      component.path = unescape(component.path)
+      component.path = normalizePercentEncoding(component.path)
     }
   }
 
@@ -213,12 +202,29 @@ function serialize (cmpts, opts) {
 
 const URI_PARSE = /^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u
 
+/**
+ * @param {import('./types/index').URIComponent} parsed
+ * @param {RegExpMatchArray} matches
+ * @returns {string|undefined}
+ */
+function getParseError (parsed, matches) {
+  if (matches[2] !== undefined && parsed.path && parsed.path[0] !== '/') {
+    return 'URI path must start with "/" when authority is present.'
+  }
+
+  if (typeof parsed.port === 'number' && (parsed.port < 0 || parsed.port > 65535)) {
+    return 'URI port is malformed.'
+  }
+
+  return undefined
+}
+
 /**
  * @param {string} uri
  * @param {import('./types/index').Options} [opts]
- * @returns
+ * @returns {{ parsed: import('./types/index').URIComponent, malformedAuthorityOrPort: boolean }}
  */
-function parse (uri, opts) {
+function parseWithStatus (uri, opts) {
   const options = Object.assign({}, opts)
   /** @type {import('./types/index').URIComponent} */
   const parsed = {
@@ -231,6 +237,8 @@ function parse (uri, opts) {
     fragment: undefined
   }
 
+  let malformedAuthorityOrPort = false
+
   let isIP = false
   if (options.reference === 'suffix') {
     if (options.scheme) {
@@ -256,6 +264,13 @@ function parse (uri, opts) {
     if (isNaN(parsed.port)) {
       parsed.port = matches[5]
     }
+
+    const parseError = getParseError(parsed, matches)
+    if (parseError !== undefined) {
+      parsed.error = parsed.error || parseError
+      malformedAuthorityOrPort = true
+    }
+
     if (parsed.host) {
       const ipv4result = isIPv4(parsed.host)
       if (ipv4result === false) {
@@ -304,14 +319,18 @@ function parse (uri, opts) {
           parsed.scheme = unescape(parsed.scheme)
         }
         if (parsed.host !== undefined) {
-          parsed.host = unescape(parsed.host)
+          parsed.host = reescapeHostDelimiters(unescape(parsed.host), isIP)
         }
       }
       if (parsed.path) {
-        parsed.path = escape(unescape(parsed.path))
+        parsed.path = normalizePathEncoding(parsed.path)
       }
       if (parsed.fragment) {
-        parsed.fragment = encodeURI(decodeURIComponent(parsed.fragment))
+        try {
+          parsed.fragment = encodeURI(decodeURIComponent(parsed.fragment))
+        } catch {
+          parsed.error = parsed.error || 'URI malformed'
+        }
       }
     }
 
@@ -322,7 +341,54 @@ function parse (uri, opts) {
   } else {
     parsed.error = parsed.error || 'URI can not be parsed.'
   }
-  return parsed
+  return { parsed, malformedAuthorityOrPort }
+}
+
+/**
+ * @param {string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns
+ */
+function parse (uri, opts) {
+  return parseWithStatus(uri, opts).parsed
+}
+
+/**
+ * @param {string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns {string}
+ */
+function normalizeString (uri, opts) {
+  return normalizeStringWithStatus(uri, opts).normalized
+}
+
+/**
+ * @param {string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns {{ normalized: string, malformedAuthorityOrPort: boolean }}
+ */
+function normalizeStringWithStatus (uri, opts) {
+  const { parsed, malformedAuthorityOrPort } = parseWithStatus(uri, opts)
+  return {
+    normalized: malformedAuthorityOrPort ? uri : serialize(parsed, opts),
+    malformedAuthorityOrPort
+  }
+}
+
+/**
+ * @param {import ('./types/index').URIComponent|string} uri
+ * @param {import('./types/index').Options} [opts]
+ * @returns {string|undefined}
+ */
+function normalizeComparableURI (uri, opts) {
+  if (typeof uri === 'string') {
+    const { normalized, malformedAuthorityOrPort } = normalizeStringWithStatus(uri, opts)
+    return malformedAuthorityOrPort ? undefined : normalized
+  }
+
+  if (typeof uri === 'object') {
+    return serialize(uri, opts)
+  }
 }
 
 const fastUri = {

package/node_modules/fast-uri/lib/utils.js

@@ -6,6 +6,15 @@ const isUUID = RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\d
 /** @type {(value: string) => boolean} */
 const isIPv4 = RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u)
 
+/** @type {(value: string) => boolean} */
+const isHexPair = RegExp.prototype.test.bind(/^[\da-f]{2}$/iu)
+
+/** @type {(value: string) => boolean} */
+const isUnreserved = RegExp.prototype.test.bind(/^[\da-z\-._~]$/iu)
+
+/** @type {(value: string) => boolean} */
+const isPathCharacter = RegExp.prototype.test.bind(/^[\da-z\-._~!$&'()*+,;=:@/]$/iu)
+
 /**
  * @param {Array<string>} input
  * @returns {string}
@@ -264,31 +273,126 @@ function removeDotSegments (path) {
 }
 
 /**
- * @param {import('../types/index').URIComponent} component
- * @param {boolean} esc
- * @returns {import('../types/index').URIComponent}
+ * Re-escape RFC 3986 gen-delims that must not appear literally in the host.
+ * After the URI regex parses, these characters cannot be literal in the host
+ * field, so any that appear after decoding came from percent-encoding and
+ * must be restored to prevent authority structure changes.
+ *
+ * @param {string} host
+ * @param {boolean} isIP - true for IPv4/IPv6 hosts (skip colon re-escaping)
+ * @returns {string}
  */
-function normalizeComponentEncoding (component, esc) {
-  const func = esc !== true ? escape : unescape
-  if (component.scheme !== undefined) {
-    component.scheme = func(component.scheme)
-  }
-  if (component.userinfo !== undefined) {
-    component.userinfo = func(component.userinfo)
-  }
-  if (component.host !== undefined) {
-    component.host = func(component.host)
+const HOST_DELIMS = { '@': '%40', '/': '%2F', '?': '%3F', '#': '%23', ':': '%3A' }
+const HOST_DELIM_RE = /[@/?#:]/g
+const HOST_DELIM_NO_COLON_RE = /[@/?#]/g
+
+function reescapeHostDelimiters (host, isIP) {
+  const re = isIP ? HOST_DELIM_NO_COLON_RE : HOST_DELIM_RE
+  re.lastIndex = 0
+  return host.replace(re, (ch) => HOST_DELIMS[ch])
+}
+
+/**
+ * Normalizes percent escapes and optionally decodes only unreserved ASCII bytes.
+ * Reserved delimiters such as `%2F` and `%2E` stay escaped.
+ *
+ * @param {string} input
+ * @param {boolean} [decodeUnreserved=false]
+ * @returns {string}
+ */
+function normalizePercentEncoding (input, decodeUnreserved = false) {
+  if (input.indexOf('%') === -1) {
+    return input
   }
-  if (component.path !== undefined) {
-    component.path = func(component.path)
+
+  let output = ''
+
+  for (let i = 0; i < input.length; i++) {
+    if (input[i] === '%' && i + 2 < input.length) {
+      const hex = input.slice(i + 1, i + 3)
+      if (isHexPair(hex)) {
+        const normalizedHex = hex.toUpperCase()
+        const decoded = String.fromCharCode(parseInt(normalizedHex, 16))
+
+        if (decodeUnreserved && isUnreserved(decoded)) {
+          output += decoded
+        } else {
+          output += '%' + normalizedHex
+        }
+
+        i += 2
+        continue
+      }
+    }
+
+    output += input[i]
   }
-  if (component.query !== undefined) {
-    component.query = func(component.query)
+
+  return output
+}
+
+/**
+ * Normalizes path data without turning reserved escapes into live path syntax.
+ * Valid escapes are uppercased, raw unsafe characters are escaped, and only
+ * unreserved bytes that are not `.` are decoded.
+ *
+ * @param {string} input
+ * @returns {string}
+ */
+function normalizePathEncoding (input) {
+  let output = ''
+
+  for (let i = 0; i < input.length; i++) {
+    if (input[i] === '%' && i + 2 < input.length) {
+      const hex = input.slice(i + 1, i + 3)
+      if (isHexPair(hex)) {
+        const normalizedHex = hex.toUpperCase()
+        const decoded = String.fromCharCode(parseInt(normalizedHex, 16))
+
+        if (decoded !== '.' && isUnreserved(decoded)) {
+          output += decoded
+        } else {
+          output += '%' + normalizedHex
+        }
+
+        i += 2
+        continue
+      }
+    }
+
+    if (isPathCharacter(input[i])) {
+      output += input[i]
+    } else {
+      output += escape(input[i])
+    }
   }
-  if (component.fragment !== undefined) {
-    component.fragment = func(component.fragment)
+
+  return output
+}
+
+/**
+ * Escapes a component while preserving existing valid percent escapes.
+ *
+ * @param {string} input
+ * @returns {string}
+ */
+function escapePreservingEscapes (input) {
+  let output = ''
+
+  for (let i = 0; i < input.length; i++) {
+    if (input[i] === '%' && i + 2 < input.length) {
+      const hex = input.slice(i + 1, i + 3)
+      if (isHexPair(hex)) {
+        output += '%' + hex.toUpperCase()
+        i += 2
+        continue
+      }
+    }
+
+    output += escape(input[i])
   }
-  return component
+
+  return output
 }
 
 /**
@@ -310,7 +414,7 @@ function recomposeAuthority (component) {
       if (ipV6res.isIPV6 === true) {
         host = `[${ipV6res.escapedHost}]`
       } else {
-        host = component.host
+        host = reescapeHostDelimiters(host, false)
       }
     }
     uriTokens.push(host)
@@ -327,7 +431,10 @@ function recomposeAuthority (component) {
 module.exports = {
   nonSimpleDomain,
   recomposeAuthority,
-  normalizeComponentEncoding,
+  reescapeHostDelimiters,
+  normalizePercentEncoding,
+  normalizePathEncoding,
+  escapePreservingEscapes,
   removeDotSegments,
   isIPv4,
   isUUID,

package/node_modules/fast-uri/package.json

@@ -1,7 +1,7 @@
 {
   "name": "fast-uri",
   "description": "Dependency-free RFC 3986 URI toolbox",
-  "version": "3.1.0",
+  "version": "3.1.2",
   "main": "index.js",
   "type": "commonjs",
   "types": "types/index.d.ts",
@@ -58,12 +58,11 @@
     "test:typescript": "tsd"
   },
   "devDependencies": {
-    "@fastify/pre-commit": "^2.1.0",
     "ajv": "^8.16.0",
     "eslint": "^9.17.0",
-    "neostandard": "^0.12.0",
+    "neostandard": "^0.13.0",
     "playwright-test": "^14.1.12",
     "tape": "^5.8.1",
-    "tsd": "^0.32.0"
+    "tsd": "^0.33.0"
   }
 }

package/node_modules/fast-uri/test/equal.test.js

@@ -106,3 +106,12 @@ test('WSS Equal', (t) => {
   runTest(t, suite)
   t.end()
 })
+
+test('URI Equals tolerates malformed fragments', (t) => {
+  t.equal(
+    fastURI.equal('http://example.com/#%E0%A4A', 'http://example.com/#%E0%A4A'),
+    true,
+    'malformed fragment does not throw during equality checks'
+  )
+  t.end()
+})

package/node_modules/fast-uri/test/parse.test.js

@@ -150,6 +150,11 @@ test('URI parse', (t) => {
   t.equal(components.query, undefined, 'query')
   t.equal(components.fragment, '%0D', 'fragment')
 
+  // malformed percent-encoded fragment must not throw
+  components = fastURI.parse('http://example.com/#%E0%A4A')
+  t.equal(components.error, 'URI malformed', 'malformed fragment errors')
+  t.equal(components.fragment, '%E0%A4A', 'malformed fragment is preserved')
+
   // all
   components = fastURI.parse('uri://user:pass@example.com:123/one/two.three?q1=a1&q2=a2#body')
   t.equal(components.error, undefined, 'all errors')

package/node_modules/fast-uri/test/resolve.test.js

@@ -76,3 +76,12 @@ test('URN Resolving', (t) => {
   t.equal(fastURI.resolve('urn:some:other:prop', 'urn:some:ip:prop'), 'urn:some:ip:prop', 'urn:some:ip:prop')
   t.end()
 })
+
+test('URI Resolving tolerates malformed fragments', (t) => {
+  t.equal(
+    fastURI.resolve('http://base.com/', 'http://example.com/#%E0%A4A'),
+    'http://example.com/#%E0%A4A',
+    'malformed fragment does not throw during resolve'
+  )
+  t.end()
+})

package/node_modules/fast-uri/test/security-normalization.test.js

@@ -0,0 +1,39 @@
+'use strict'
+
+const test = require('tape')
+const fastURI = require('..')
+
+test('parse preserves reserved path escapes as data', (t) => {
+  const components = fastURI.parse('http://example.com/a%2Fb/public/%2e%2e/admin')
+
+  t.equal(components.path, '/a%2Fb/public/%2E%2E/admin')
+  t.end()
+})
+
+test('normalize preserves percent-encoded path separators and dot segments', (t) => {
+  t.equal(
+    fastURI.normalize('http://example.com/public/%2e%2e/admin'),
+    'http://example.com/public/%2E%2E/admin'
+  )
+
+  t.equal(
+    fastURI.normalize('http://example.com/a%2Fb'),
+    'http://example.com/a%2Fb'
+  )
+
+  t.end()
+})
+
+test('equal does not treat reserved path escapes as live path syntax', (t) => {
+  t.equal(
+    fastURI.equal('http://example.com/public/%2e%2e/admin', 'http://example.com/admin', {}),
+    false
+  )
+
+  t.equal(
+    fastURI.equal('http://example.com/a%2Fb', 'http://example.com/a/b', {}),
+    false
+  )
+
+  t.end()
+})

package/node_modules/fast-uri/test/security.test.js

@@ -0,0 +1,133 @@
+'use strict'
+
+const test = require('tape')
+const fastURI = require('..')
+
+test('parse marks malformed authority and port inputs as errors', (t) => {
+  const malformedCases = [
+    {
+      input: 'http://[::1]foo',
+      expectedError: 'URI path must start with "/" when authority is present.'
+    },
+    {
+      input: 'http://[::1]:80abc/path',
+      expectedError: 'URI path must start with "/" when authority is present.'
+    },
+    {
+      input: 'http://example.com:80abc/path',
+      expectedError: 'URI path must start with "/" when authority is present.'
+    },
+    {
+      input: 'http://[::1]:65536',
+      expectedError: 'URI port is malformed.'
+    }
+  ]
+
+  t.plan(malformedCases.length)
+
+  malformedCases.forEach(({ input, expectedError }) => {
+    t.equal(fastURI.parse(input).error, expectedError, input)
+  })
+})
+
+test('normalize does not canonicalize malformed URLs into different valid URLs', (t) => {
+  const malformedCases = [
+    'http://[::1]foo',
+    'http://[::1]:80abc/path',
+    'http://example.com:80abc/path',
+    'http://[::1]:65536'
+  ]
+
+  t.plan(malformedCases.length)
+
+  malformedCases.forEach((input) => {
+    t.equal(fastURI.normalize(input), input, input)
+  })
+})
+
+test('equal returns false when either side is malformed', (t) => {
+  const malformedPairs = [
+    ['http://[::1]foo', 'http://[::1]/foo'],
+    ['http://[::1]:80abc/path', 'http://[::1]/abc/path'],
+    ['http://example.com:80abc/path', 'http://example.com/abc/path'],
+    ['http://[::1]:65536', 'http://[::1]:65536/']
+  ]
+
+  t.plan(malformedPairs.length)
+
+  malformedPairs.forEach(([left, right]) => {
+    t.equal(fastURI.equal(left, right), false, `${left} != ${right}`)
+  })
+})
+
+test('normalize preserves encoded authority delimiters in host', (t) => {
+  const cases = [
+    ['http://trusted.com%40evil.com/', 'http://trusted.com%40evil.com/'],
+    ['http://example.com%3A8080/', 'http://example.com%3A8080/'],
+    ['http://example.com%2Fevil.com/path', 'http://example.com%2Fevil.com/path'],
+    ['http://example.com%23fragment/path', 'http://example.com%23fragment/path'],
+    ['http://example.com%3Fq=evil/path', 'http://example.com%3Fq=evil/path'],
+    ['http://user%3Apass%40evil.com/', 'http://user%3Apass%40evil.com/'],
+    ['http://user@trusted.com%40evil.com/', 'http://user@trusted.com%40evil.com/'],
+    ['https://trusted.com%40evil.com/', 'https://trusted.com%40evil.com/'],
+    ['ws://trusted.com%40evil.com/chat', 'ws://trusted.com%40evil.com/chat'],
+    ['wss://trusted.com%40evil.com/chat', 'wss://trusted.com%40evil.com/chat']
+  ]
+
+  t.plan(cases.length)
+
+  cases.forEach(([input, expected]) => {
+    t.equal(fastURI.normalize(input), expected, input)
+  })
+})
+
+test('parse preserves encoded authority delimiters in host', (t) => {
+  const cases = [
+    ['http://trusted.com%40evil.com/', 'trusted.com%40evil.com'],
+    ['http://example.com%3A8080/', 'example.com%3A8080'],
+    ['http://user%3Apass%40evil.com/', 'user%3Apass%40evil.com']
+  ]
+
+  t.plan(cases.length)
+
+  cases.forEach(([input, expectedHost]) => {
+    t.equal(fastURI.parse(input).host, expectedHost, input)
+  })
+})
+
+test('equal returns false when encoded delimiters differ from live delimiters', (t) => {
+  const pairs = [
+    ['http://trusted.com%40evil.com/', 'http://trusted.com@evil.com/'],
+    ['http://example.com%3A8080/', 'http://example.com:8080/']
+  ]
+
+  t.plan(pairs.length)
+
+  pairs.forEach(([left, right]) => {
+    t.equal(fastURI.equal(left, right, {}), false, `${left} != ${right}`)
+  })
+})
+
+test('resolve preserves encoded authority delimiters', (t) => {
+  const result = fastURI.resolve('http://base.com/', '//trusted.com%40evil.com/path')
+  const parsed = fastURI.parse(result)
+
+  t.plan(1)
+  t.notEqual(parsed.host, 'evil.com', '//trusted.com%40evil.com/path')
+})
+
+test('serialize escapes authority delimiters in host field', (t) => {
+  const result = fastURI.serialize({ scheme: 'http', host: 'trusted.com@evil.com', path: '/' })
+  const parsed = fastURI.parse(result)
+
+  t.plan(1)
+  t.notEqual(parsed.host, 'evil.com', 'host: trusted.com@evil.com')
+})
+
+test('normalize does not double-decode %2540 into a live @', (t) => {
+  const result = fastURI.normalize('http://trusted.com%2540evil.com/')
+  const parsed = fastURI.parse(result)
+
+  t.plan(1)
+  t.notEqual(parsed.host, 'trusted.com@evil.com', 'http://trusted.com%2540evil.com/')
+})

package/package.json

@@ -88,7 +88,7 @@
     "access": "public",
     "provenance": true
   },
-  "version": "2.1.33",
+  "version": "2.1.35",
   "jest": {
     "coverageProvider": "v8",
     "testMatch": [

package/node_modules/fast-uri/.github/.stale.yml

@@ -1,21 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 15
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 7
-# Issues with these labels will never be considered stale
-exemptLabels:
-  - "discussion"
-  - "feature request"
-  - "bug"
-  - "help wanted"
-  - "plugin suggestion"
-  - "good first issue"
-# Label to use when marking an issue as stale
-staleLabel: stale
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no further activity occurs. Thank you
-  for your contributions.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false

package/node_modules/fast-uri/.github/tests_checker.yml

@@ -1,8 +0,0 @@
-comment: |
-  Hello! Thank you for contributing!
-  It appears that you have changed the code, but the tests that verify your change are missing. Could you please add them?
-fileExtensions:
-  - '.ts'
-  - '.js'
-
-testDir: 'test'