cookie-es 2.0.0 → 3.0.1

package/README.md

@@ -10,26 +10,25 @@
 
 <!-- /automd -->
 
-ESM ready [`Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cookie) and [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) parser and serializer based on [cookie](https://github.com/jshttp/cookie) and [set-cookie-parser](https://github.com/nfriedly/set-cookie-parser) with built-in types.
+ESM-ready [`Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cookie) and [`Set-Cookie`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) parser and serializer based on [cookie](https://github.com/jshttp/cookie) and [set-cookie-parser](https://github.com/nfriedly/set-cookie-parser) with built-in TypeScript types. Compliant with [RFC 6265bis](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html).
 
-## Usage
-
-Install:
+## Install
 
 ```sh
 # ✨ Auto-detect (npm, yarn, pnpm, bun, deno)
 npx nypm install cookie-es
 ```
 
-Import:
+## Import
 
 **ESM** (Node.js, Bun, Deno)
 
 ```js
 import {
-  parse,
-  serialize,
+  parseCookie,
   parseSetCookie,
+  serializeCookie,
+  stringifyCookie,
   splitSetCookieString,
 } from "cookie-es";
 ```
@@ -38,15 +37,124 @@ import {
 
 ```js
 import {
-  parse,
-  serialize,
+  parseCookie,
   parseSetCookie,
+  serializeCookie,
+  stringifyCookie,
   splitSetCookieString,
 } from "https://esm.sh/cookie-es";
 ```
 
+## API
+
+### `parseCookie(str, options?)`
+
+Parse a `Cookie` header string into an object. First occurrence wins for duplicate names.
+
+```js
+parseCookie("foo=bar; equation=E%3Dmc%5E2");
+// { foo: "bar", equation: "E=mc^2" }
+
+// Custom decoder
+parseCookie("foo=bar", { decode: (v) => v });
+
+// Only parse specific keys
+parseCookie("a=1; b=2; c=3", { filter: (key) => key !== "b" });
+// { a: "1", c: "3" }
+```
+
+### `parseSetCookie(str, options?)`
+
+Parse a `Set-Cookie` header string into an object with all cookie attributes.
+
+```js
+parseSetCookie(
+  "id=abc; Domain=example.com; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600; Partitioned; Priority=High",
+);
+// {
+//   name: "id",
+//   value: "abc",
+//   domain: "example.com",
+//   path: "/",
+//   httpOnly: true,
+//   secure: true,
+//   sameSite: "lax",
+//   maxAge: 3600,
+//   partitioned: true,
+//   priority: "high",
+// }
+```
+
+Supports `decode` option (custom function or `false` to skip decoding). Returns `undefined` for cookies with forbidden names (prototype pollution protection) or when both name and value are empty ([RFC 6265bis](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html) sec 5.7).
+
+### `serializeCookie(name, value, options?)`
+
+Serialize a cookie name-value pair into a `Set-Cookie` header string.
+
+```js
+serializeCookie("foo", "bar", { httpOnly: true, secure: true, maxAge: 3600 });
+// "foo=bar; Max-Age=3600; HttpOnly; Secure"
+
+// Also accepts a cookie object
+serializeCookie({
+  name: "foo",
+  value: "bar",
+  domain: "example.com",
+  path: "/",
+  sameSite: "lax",
+});
+// "foo=bar; Domain=example.com; Path=/; SameSite=Lax"
+```
+
+Supported attributes: `maxAge`, `expires`, `domain`, `path`, `httpOnly`, `secure`, `sameSite`, `priority`, `partitioned`. Use `encode` option for custom value encoding (default: `encodeURIComponent`).
+
+> [!NOTE]
+> `parse` and `serialize` are available as shorter aliases for `parseCookie` and `serializeCookie`.
+
+### `stringifyCookie(cookies, options?)`
+
+Stringify a cookies object into an HTTP `Cookie` header string.
+
+```js
+stringifyCookie({ foo: "bar", baz: "qux" });
+// "foo=bar; baz=qux"
+```
+
+### `splitSetCookieString(input)`
+
+Split comma-joined `Set-Cookie` headers into individual strings. Correctly handles commas within cookie attributes like `Expires` dates.
+
+```js
+splitSetCookieString(
+  "foo=bar; Expires=Thu, 01 Jan 2026 00:00:00 GMT, baz=qux",
+);
+// ["foo=bar; Expires=Thu, 01 Jan 2026 00:00:00 GMT", "baz=qux"]
+
+// Also accepts an array
+splitSetCookieString(["a=1, b=2", "c=3"]);
+// ["a=1", "b=2", "c=3"]
+```
+
+## Parsing Options
+
+### `allowMultiple`
+
+By default, when a cookie name appears more than once, only the first value is kept. Set `allowMultiple: true` to collect all values into an array:
+
+```js
+import { parseCookie } from "cookie-es";
+
+// Default: first value wins
+parseCookie("foo=a;bar=b;foo=c");
+// => { foo: "a", bar: "b" }
+
+// With allowMultiple: duplicates return arrays
+parseCookie("foo=a;bar=b;foo=c", { allowMultiple: true });
+// => { foo: ["a", "c"], bar: "b" }
+```
+
 ## License
 
 [MIT](./LICENSE)
 
-Based on [jshttp/cookie](https://github.com/jshttp/cookie) (Roman Shtylman and hristopher Wilson) and [nfriedly/set-cookie-parser](https://github.com/nfriedly/set-cookie-parser) (Nathan Friedly).
+Based on [jshttp/cookie](https://github.com/jshttp/cookie) (Roman Shtylman and Douglas Christopher Wilson) and [nfriedly/set-cookie-parser](https://github.com/nfriedly/set-cookie-parser) (Nathan Friedly).

package/dist/index.d.mts

@@ -1,216 +1,227 @@
 /**
- * Basic HTTP cookie parser and serializer for HTTP servers.
+ * Parse options.
  */
+interface CookieParseOptions {
+  /**
+   * Specifies a function that will be used to decode a [cookie-value](https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1).
+   * Since the value of a cookie has a limited character set (and must be a simple string), this function can be used to decode
+   * a previously-encoded cookie value into a JavaScript string.
+   *
+   * The default function is the global `decodeURIComponent`, wrapped in a `try..catch`. If an error
+   * is thrown it will return the cookie's original value. If you provide your own encode/decode
+   * scheme you must ensure errors are appropriately handled.
+   *
+   * @default decode
+   */
+  decode?: (str: string) => string | undefined;
+  /**
+   * Custom function to filter parsing specific keys.
+   */
+  filter?(key: string): boolean;
+  /**
+   * When enabled, duplicate cookie names will return an array of values
+   * instead of only the first value.
+   */
+  allowMultiple?: boolean;
+}
+/**
+ * Cookies object.
+ */
+type Cookies = Record<string, string | undefined>;
 /**
- * Additional serialization options
+ * Cookies object when `allowMultiple` is enabled.
  */
-interface CookieSerializeOptions {
-    /**
-     * Specifies the value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.3|Domain Set-Cookie attribute}. By default, no
-     * domain is set, and most clients will consider the cookie to apply to only
-     * the current domain.
-     */
-    domain?: string | undefined;
-    /**
-     * Specifies a function that will be used to encode a cookie's value. Since
-     * value of a cookie has a limited character set (and must be a simple
-     * string), this function can be used to encode a value into a string suited
-     * for a cookie's value.
-     *
-     * The default function is the global `encodeURIComponent`, which will
-     * encode a JavaScript string into UTF-8 byte sequences and then URL-encode
-     * any that fall outside of the cookie range.
-     */
-    encode?(value: string): string;
-    /**
-     * Specifies the `Date` object to be the value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.1|`Expires` `Set-Cookie` attribute}. By default,
-     * no expiration is set, and most clients will consider this a "non-persistent cookie" and will delete
-     * it on a condition like exiting a web browser application.
-     *
-     * *Note* the {@link https://tools.ietf.org/html/rfc6265#section-5.3|cookie storage model specification}
-     * states that if both `expires` and `maxAge` are set, then `maxAge` takes precedence, but it is
-     * possible not all clients by obey this, so if both are set, they should
-     * point to the same date and time.
-     */
-    expires?: Date | undefined;
-    /**
-     * Specifies the boolean value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.6|`HttpOnly` `Set-Cookie` attribute}.
-     * When truthy, the `HttpOnly` attribute is set, otherwise it is not. By
-     * default, the `HttpOnly` attribute is not set.
-     *
-     * *Note* be careful when setting this to true, as compliant clients will
-     * not allow client-side JavaScript to see the cookie in `document.cookie`.
-     */
-    httpOnly?: boolean | undefined;
-    /**
-     * Specifies the number (in seconds) to be the value for the `Max-Age`
-     * `Set-Cookie` attribute. The given number will be converted to an integer
-     * by rounding down. By default, no maximum age is set.
-     *
-     * *Note* the {@link https://tools.ietf.org/html/rfc6265#section-5.3|cookie storage model specification}
-     * states that if both `expires` and `maxAge` are set, then `maxAge` takes precedence, but it is
-     * possible not all clients by obey this, so if both are set, they should
-     * point to the same date and time.
-     */
-    maxAge?: number | undefined;
-    /**
-     * Specifies the value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.4|`Path` `Set-Cookie` attribute}.
-     * By default, the path is considered the "default path".
-     */
-    path?: string | undefined;
-    /**
-     * Specifies the `string` to be the value for the [`Priority` `Set-Cookie` attribute][rfc-west-cookie-priority-00-4.1].
-     *
-     * - `'low'` will set the `Priority` attribute to `Low`.
-     * - `'medium'` will set the `Priority` attribute to `Medium`, the default priority when not set.
-     * - `'high'` will set the `Priority` attribute to `High`.
-     *
-     * More information about the different priority levels can be found in
-     * [the specification][rfc-west-cookie-priority-00-4.1].
-     *
-     * **note** This is an attribute that has not yet been fully standardized, and may change in the future.
-     * This also means many clients may ignore this attribute until they understand it.
-     */
-    priority?: "low" | "medium" | "high" | undefined;
-    /**
-     * Specifies the boolean or string to be the value for the {@link https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7|`SameSite` `Set-Cookie` attribute}.
-     *
-     * - `true` will set the `SameSite` attribute to `Strict` for strict same
-     * site enforcement.
-     * - `false` will not set the `SameSite` attribute.
-     * - `'lax'` will set the `SameSite` attribute to Lax for lax same site
-     * enforcement.
-     * - `'strict'` will set the `SameSite` attribute to Strict for strict same
-     * site enforcement.
-     *  - `'none'` will set the SameSite attribute to None for an explicit
-     *  cross-site cookie.
-     *
-     * More information about the different enforcement levels can be found in {@link https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7|the specification}.
-     *
-     * *note* This is an attribute that has not yet been fully standardized, and may change in the future. This also means many clients may ignore this attribute until they understand it.
-     */
-    sameSite?: true | false | "lax" | "strict" | "none" | undefined;
-    /**
-     * Specifies the boolean value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.5|`Secure` `Set-Cookie` attribute}. When truthy, the
-     * `Secure` attribute is set, otherwise it is not. By default, the `Secure` attribute is not set.
-     *
-     * *Note* be careful when setting this to `true`, as compliant clients will
-     * not send the cookie back to the server in the future if the browser does
-     * not have an HTTPS connection.
-     */
-    secure?: boolean | undefined;
-    /**
-     * Specifies the `boolean` value for the [`Partitioned` `Set-Cookie`](https://datatracker.ietf.org/doc/html/draft-cutler-httpbis-partitioned-cookies#section-2.1)
-     * attribute. When truthy, the `Partitioned` attribute is set, otherwise it is not. By default, the
-     * `Partitioned` attribute is not set.
-     *
-     * **note** This is an attribute that has not yet been fully standardized, and may change in the future.
-     * This also means many clients may ignore this attribute until they understand it.
-     *
-     * More information can be found in the [proposal](https://github.com/privacycg/CHIPS).
-     */
-    partitioned?: boolean;
+type MultiCookies = Record<string, string | string[] | undefined>;
+/**
+ * Stringify options.
+ */
+interface CookieStringifyOptions {
+  /**
+   * Specifies a function that will be used to encode a [cookie-value](https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1).
+   * Since value of a cookie has a limited character set (and must be a simple string), this function can be used to encode
+   * a value into a string suited for a cookie's value, and should mirror `decode` when parsing.
+   *
+   * @default encodeURIComponent
+   */
+  encode?: (str: string) => string;
 }
 /**
- * Additional parsing options
+ * Set-Cookie object.
  */
-interface CookieParseOptions {
-    /**
-     * Specifies a function that will be used to decode a cookie's value. Since
-     * the value of a cookie has a limited character set (and must be a simple
-     * string), this function can be used to decode a previously-encoded cookie
-     * value into a JavaScript string or other object.
-     *
-     * The default function is the global `decodeURIComponent`, which will decode
-     * any URL-encoded sequences into their byte representations.
-     *
-     * *Note* if an error is thrown from this function, the original, non-decoded
-     * cookie value will be returned as the cookie's value.
-     */
-    decode?(value: string): string;
-    /**
-     * Custom function to filter parsing specific keys.
-     */
-    filter?(key: string): boolean;
+interface SetCookie {
+  /**
+   * Specifies the name of the cookie.
+   */
+  name: string;
+  /**
+   * Specifies the string to be the value for the cookie.
+   */
+  value: string | undefined;
+  /**
+   * Specifies the `number` (in seconds) to be the value for the [`Max-Age` `Set-Cookie` attribute](https://tools.ietf.org/html/rfc6265#section-5.2.2).
+   *
+   * The [cookie storage model specification](https://tools.ietf.org/html/rfc6265#section-5.3) states that if both `expires` and
+   * `maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
+   * so if both are set, they should point to the same date and time.
+   */
+  maxAge?: number;
+  /**
+   * Specifies the `Date` object to be the value for the [`Expires` `Set-Cookie` attribute](https://tools.ietf.org/html/rfc6265#section-5.2.1).
+   * When no expiration is set, clients consider this a "non-persistent cookie" and delete it when the current session is over.
+   *
+   * The [cookie storage model specification](https://tools.ietf.org/html/rfc6265#section-5.3) states that if both `expires` and
+   * `maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
+   * so if both are set, they should point to the same date and time.
+   */
+  expires?: Date;
+  /**
+   * Specifies the value for the [`Domain` `Set-Cookie` attribute](https://tools.ietf.org/html/rfc6265#section-5.2.3).
+   * When no domain is set, clients consider the cookie to apply to the current domain only.
+   */
+  domain?: string;
+  /**
+   * Specifies the value for the [`Path` `Set-Cookie` attribute](https://tools.ietf.org/html/rfc6265#section-5.2.4).
+   * When no path is set, the path is considered the ["default path"](https://tools.ietf.org/html/rfc6265#section-5.1.4).
+   */
+  path?: string;
+  /**
+   * Enables the [`HttpOnly` `Set-Cookie` attribute](https://tools.ietf.org/html/rfc6265#section-5.2.6).
+   * When enabled, clients will not allow client-side JavaScript to see the cookie in `document.cookie`.
+   */
+  httpOnly?: boolean;
+  /**
+   * Enables the [`Secure` `Set-Cookie` attribute](https://tools.ietf.org/html/rfc6265#section-5.2.5).
+   * When enabled, clients will only send the cookie back if the browser has an HTTPS connection.
+   */
+  secure?: boolean;
+  /**
+   * Enables the [`Partitioned` `Set-Cookie` attribute](https://tools.ietf.org/html/draft-cutler-httpbis-partitioned-cookies/).
+   * When enabled, clients will only send the cookie back when the current domain _and_ top-level domain matches.
+   *
+   * This is an attribute that has not yet been fully standardized, and may change in the future.
+   * This also means clients may ignore this attribute until they understand it. More information
+   * about can be found in [the proposal](https://github.com/privacycg/CHIPS).
+   */
+  partitioned?: boolean;
+  /**
+   * Specifies the value for the [`Priority` `Set-Cookie` attribute](https://tools.ietf.org/html/draft-west-cookie-priority-00#section-4.1).
+   *
+   * - `'low'` will set the `Priority` attribute to `Low`.
+   * - `'medium'` will set the `Priority` attribute to `Medium`, the default priority when not set.
+   * - `'high'` will set the `Priority` attribute to `High`.
+   *
+   * More information about priority levels can be found in [the specification](https://tools.ietf.org/html/draft-west-cookie-priority-00#section-4.1).
+   */
+  priority?: "low" | "medium" | "high";
+  /**
+   * Specifies the value for the [`SameSite` `Set-Cookie` attribute](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7).
+   *
+   * - `true` will set the `SameSite` attribute to `Strict` for strict same site enforcement.
+   * - `'lax'` will set the `SameSite` attribute to `Lax` for lax same site enforcement.
+   * - `'none'` will set the `SameSite` attribute to `None` for an explicit cross-site cookie.
+   * - `'strict'` will set the `SameSite` attribute to `Strict` for strict same site enforcement.
+   *
+   * More information about enforcement levels can be found in [the specification](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7).
+   */
+  sameSite?: boolean | "lax" | "strict" | "none";
 }
-
 /**
- * Parse an HTTP Cookie header string and returning an object of all cookie
- * name-value pairs.
+ * Backward compatibility serialize options.
+ */
+type CookieSerializeOptions = CookieStringifyOptions & Omit<SetCookie, "name" | "value">;
+/**
+ * Parse a `Cookie` header.
  *
- * @param str the string representing a `Cookie` header value
- * @param [options] object containing parsing options
+ * Parse the given cookie header string into an object
+ * The object has the various cookies as keys(names) => values
  */
-declare function parse(str: string, options?: CookieParseOptions): Record<string, string>;
-
+declare function parse(str: string, options: CookieParseOptions & {
+  allowMultiple: true;
+}): MultiCookies;
+declare function parse(str: string, options?: CookieParseOptions): Cookies;
 /**
- * Serialize a cookie name-value pair into a `Set-Cookie` header string.
+ * Stringifies an object into an HTTP `Cookie` header.
+ */
+declare function stringifyCookie(cookie: Cookies, options?: CookieStringifyOptions): string;
+/**
+ * Serialize data into a cookie header.
+ *
+ * Serialize a name value pair into a cookie string suitable for
+ * http headers. An optional options object specifies cookie parameters.
  *
- * @param name the name for the cookie
- * @param value value to set the cookie to
- * @param [options] object containing serialization options
- * @throws {TypeError} when `maxAge` options is invalid
+ * serialize('foo', 'bar', { httpOnly: true })
+ *   => "foo=bar; httpOnly"
  */
-declare function serialize(name: string, value: string, options?: CookieSerializeOptions): string;
-
+declare function serialize(cookie: SetCookie, options?: CookieStringifyOptions): string;
+declare function serialize(name: string, val: string, options?: CookieSerializeOptions): string;
 interface SetCookieParseOptions {
-    /**
-     * Custom decode function to use on cookie values.
-     *
-     * By default, `decodeURIComponent` is used.
-     *
-     * **Note:** If decoding fails, the original (undecoded) value will be used
-     */
-    decode?: false | ((value: string) => string);
+  /**
+   * Custom decode function to use on cookie values.
+   *
+   * By default, `decodeURIComponent` is used.
+   *
+   * **Note:** If decoding fails, the original (undecoded) value will be used
+   */
+  decode?: false | ((value: string) => string);
 }
-interface SetCookie {
-    /**
-     * Cookie name
-     */
-    name: string;
-    /**
-     * Cookie value
-     */
-    value: string;
-    /**
-     * Cookie path
-     */
-    path?: string | undefined;
-    /**
-     * Absolute expiration date for the cookie
-     */
-    expires?: Date | undefined;
-    /**
-     * Relative max age of the cookie in seconds from when the client receives it (integer or undefined)
-     *
-     * Note: when using with express's res.cookie() method, multiply maxAge by 1000 to convert to milliseconds
-     */
-    maxAge?: number | undefined;
-    /**
-     * Domain for the cookie,
-     * May begin with "." to indicate the named domain or any subdomain of it
-     */
-    domain?: string | undefined;
-    /**
-     * Indicates that this cookie should only be sent over HTTPs
-     */
-    secure?: boolean | undefined;
-    /**
-     * Indicates that this cookie should not be accessible to client-side JavaScript
-     */
-    httpOnly?: boolean | undefined;
-    /**
-     * Indicates a cookie ought not to be sent along with cross-site requests
-     */
-    sameSite?: true | false | "lax" | "strict" | "none" | undefined;
-    [key: string]: unknown;
+interface SetCookie$1 {
+  /**
+   * Cookie name
+   */
+  name: string;
+  /**
+   * Cookie value
+   */
+  value: string;
+  /**
+   * Cookie path
+   */
+  path?: string | undefined;
+  /**
+   * Absolute expiration date for the cookie
+   */
+  expires?: Date | undefined;
+  /**
+   * Relative max age of the cookie in seconds from when the client receives it (integer or undefined)
+   *
+   * Note: when using with express's res.cookie() method, multiply maxAge by 1000 to convert to milliseconds
+   */
+  maxAge?: number | undefined;
+  /**
+   * Domain for the cookie,
+   * May begin with "." to indicate the named domain or any subdomain of it
+   */
+  domain?: string | undefined;
+  /**
+   * Indicates that this cookie should only be sent over HTTPs
+   */
+  secure?: boolean | undefined;
+  /**
+   * Indicates that this cookie should not be accessible to client-side JavaScript
+   */
+  httpOnly?: boolean | undefined;
+  /**
+   * Indicates a cookie ought not to be sent along with cross-site requests
+   */
+  sameSite?: true | false | "lax" | "strict" | "none" | undefined;
+  /**
+   * Indicates that the cookie should be stored using partitioned storage
+   *
+   * See https://developer.mozilla.org/en-US/docs/Web/Privacy/Privacy_sandbox/Partitioned_cookies
+   */
+  partitioned?: boolean | undefined;
+  /**
+   * Indicates the priority of the cookie
+   *
+   * See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#prioritylow_medium_high
+   */
+  priority?: "low" | "medium" | "high" | undefined;
+  [key: string]: unknown;
 }
-
 /**
  * Parse a [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) header string into an object.
  */
-declare function parseSetCookie(setCookieValue: string, options?: SetCookieParseOptions): SetCookie;
-
+declare function parseSetCookie(str: string, options?: SetCookieParseOptions): SetCookie$1 | undefined;
 /**
  * Set-Cookie header field-values are sometimes comma joined in one string. This splits them without choking on commas
  * that are within a single set-cookie field-value, such as in the Expires portion.
@@ -218,5 +229,4 @@ declare function parseSetCookie(setCookieValue: string, options?: SetCookieParse
  * See https://tools.ietf.org/html/rfc2616#section-4.2
  */
 declare function splitSetCookieString(cookiesString: string | string[]): string[];
-
-export { type CookieParseOptions, type CookieSerializeOptions, type SetCookie, type SetCookieParseOptions, parse, parseSetCookie, serialize, splitSetCookieString };
+export { type CookieParseOptions, type CookieSerializeOptions, type CookieStringifyOptions, type Cookies, type MultiCookies, type SetCookie, type SetCookieParseOptions, parse, parse as parseCookie, parseSetCookie, serialize, serialize as serializeCookie, splitSetCookieString, stringifyCookie };

package/dist/index.mjs

@@ -1,262 +1,308 @@
+const COOKIE_MAX_AGE_LIMIT = 400 * 24 * 60 * 60;
+function endIndex(str, min, len) {
+	const index = str.indexOf(";", min);
+	return index === -1 ? len : index;
+}
+function eqIndex(str, min, max) {
+	const index = str.indexOf("=", min);
+	return index < max ? index : -1;
+}
+function valueSlice(str, min, max) {
+	if (min === max) return "";
+	let start = min;
+	let end = max;
+	do {
+		const code = str.charCodeAt(start);
+		if (code !== 32 && code !== 9) break;
+	} while (++start < end);
+	while (end > start) {
+		const code = str.charCodeAt(end - 1);
+		if (code !== 32 && code !== 9) break;
+		end--;
+	}
+	return str.slice(start, end);
+}
+const NullObject = /* @__PURE__ */ (() => {
+	const C = function() {};
+	C.prototype = Object.create(null);
+	return C;
+})();
 function parse(str, options) {
-  if (typeof str !== "string") {
-    throw new TypeError("argument str must be a string");
-  }
-  const obj = {};
-  const opt = options || {};
-  const dec = opt.decode || decode;
-  let index = 0;
-  while (index < str.length) {
-    const eqIdx = str.indexOf("=", index);
-    if (eqIdx === -1) {
-      break;
-    }
-    let endIdx = str.indexOf(";", index);
-    if (endIdx === -1) {
-      endIdx = str.length;
-    } else if (endIdx < eqIdx) {
-      index = str.lastIndexOf(";", eqIdx - 1) + 1;
-      continue;
-    }
-    const key = str.slice(index, eqIdx).trim();
-    if (opt?.filter && !opt?.filter(key)) {
-      index = endIdx + 1;
-      continue;
-    }
-    if (void 0 === obj[key]) {
-      let val = str.slice(eqIdx + 1, endIdx).trim();
-      if (val.codePointAt(0) === 34) {
-        val = val.slice(1, -1);
-      }
-      obj[key] = tryDecode(val, dec);
-    }
-    index = endIdx + 1;
-  }
-  return obj;
+	const obj = new NullObject();
+	const len = str.length;
+	if (len < 2) return obj;
+	const dec = options?.decode || decode;
+	const allowMultiple = options?.allowMultiple || false;
+	let index = 0;
+	do {
+		const eqIdx = eqIndex(str, index, len);
+		if (eqIdx === -1) break;
+		const endIdx = endIndex(str, index, len);
+		if (eqIdx > endIdx) {
+			index = str.lastIndexOf(";", eqIdx - 1) + 1;
+			continue;
+		}
+		const key = valueSlice(str, index, eqIdx);
+		if (options?.filter && !options.filter(key)) {
+			index = endIdx + 1;
+			continue;
+		}
+		const val = dec(valueSlice(str, eqIdx + 1, endIdx));
+		if (allowMultiple) {
+			const existing = obj[key];
+			if (existing === void 0) obj[key] = val;
+			else if (Array.isArray(existing)) existing.push(val);
+			else obj[key] = [existing, val];
+		} else if (obj[key] === void 0) obj[key] = val;
+		index = endIdx + 1;
+	} while (index < len);
+	return obj;
 }
 function decode(str) {
-  return str.includes("%") ? decodeURIComponent(str) : str;
+	if (!str.includes("%")) return str;
+	try {
+		return decodeURIComponent(str);
+	} catch {
+		return str;
+	}
 }
-function tryDecode(str, decode2) {
-  try {
-    return decode2(str);
-  } catch {
-    return str;
-  }
+const cookieNameRegExp = /^[\u0021-\u003A\u003C\u003E-\u007E]+$/;
+const cookieValueRegExp = /^[\u0021-\u003A\u003C-\u007E]*$/;
+const domainValueRegExp = /^([.]?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)([.][a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
+const pathValueRegExp = /^[\u0020-\u003A\u003C-\u007E]*$/;
+const __toString = Object.prototype.toString;
+function stringifyCookie(cookie, options) {
+	const enc = options?.encode || encodeURIComponent;
+	const keys = Object.keys(cookie);
+	let str = "";
+	for (const [i, name] of keys.entries()) {
+		const val = cookie[name];
+		if (val === void 0) continue;
+		if (!cookieNameRegExp.test(name)) throw new TypeError(`cookie name is invalid: ${name}`);
+		const value = enc(val);
+		if (!cookieValueRegExp.test(value)) throw new TypeError(`cookie val is invalid: ${val}`);
+		if (i > 0) str += "; ";
+		str += name + "=" + value;
+	}
+	return str;
 }
-
-const fieldContentRegExp = /^[\u0009\u0020-\u007E\u0080-\u00FF]+$/;
-function serialize(name, value, options) {
-  const opt = options || {};
-  const enc = opt.encode || encodeURIComponent;
-  if (typeof enc !== "function") {
-    throw new TypeError("option encode is invalid");
-  }
-  if (!fieldContentRegExp.test(name)) {
-    throw new TypeError("argument name is invalid");
-  }
-  const encodedValue = enc(value);
-  if (encodedValue && !fieldContentRegExp.test(encodedValue)) {
-    throw new TypeError("argument val is invalid");
-  }
-  let str = name + "=" + encodedValue;
-  if (void 0 !== opt.maxAge && opt.maxAge !== null) {
-    const maxAge = opt.maxAge - 0;
-    if (Number.isNaN(maxAge) || !Number.isFinite(maxAge)) {
-      throw new TypeError("option maxAge is invalid");
-    }
-    str += "; Max-Age=" + Math.floor(maxAge);
-  }
-  if (opt.domain) {
-    if (!fieldContentRegExp.test(opt.domain)) {
-      throw new TypeError("option domain is invalid");
-    }
-    str += "; Domain=" + opt.domain;
-  }
-  if (opt.path) {
-    if (!fieldContentRegExp.test(opt.path)) {
-      throw new TypeError("option path is invalid");
-    }
-    str += "; Path=" + opt.path;
-  }
-  if (opt.expires) {
-    if (!isDate(opt.expires) || Number.isNaN(opt.expires.valueOf())) {
-      throw new TypeError("option expires is invalid");
-    }
-    str += "; Expires=" + opt.expires.toUTCString();
-  }
-  if (opt.httpOnly) {
-    str += "; HttpOnly";
-  }
-  if (opt.secure) {
-    str += "; Secure";
-  }
-  if (opt.priority) {
-    const priority = typeof opt.priority === "string" ? opt.priority.toLowerCase() : opt.priority;
-    switch (priority) {
-      case "low": {
-        str += "; Priority=Low";
-        break;
-      }
-      case "medium": {
-        str += "; Priority=Medium";
-        break;
-      }
-      case "high": {
-        str += "; Priority=High";
-        break;
-      }
-      default: {
-        throw new TypeError("option priority is invalid");
-      }
-    }
-  }
-  if (opt.sameSite) {
-    const sameSite = typeof opt.sameSite === "string" ? opt.sameSite.toLowerCase() : opt.sameSite;
-    switch (sameSite) {
-      case true: {
-        str += "; SameSite=Strict";
-        break;
-      }
-      case "lax": {
-        str += "; SameSite=Lax";
-        break;
-      }
-      case "strict": {
-        str += "; SameSite=Strict";
-        break;
-      }
-      case "none": {
-        str += "; SameSite=None";
-        break;
-      }
-      default: {
-        throw new TypeError("option sameSite is invalid");
-      }
-    }
-  }
-  if (opt.partitioned) {
-    str += "; Partitioned";
-  }
-  return str;
+function serialize(_name, _val, _opts) {
+	const cookie = typeof _name === "object" ? _name : {
+		..._opts,
+		name: _name,
+		value: String(_val)
+	};
+	const enc = (typeof _val === "object" ? _val : _opts)?.encode || encodeURIComponent;
+	if (!cookieNameRegExp.test(cookie.name)) throw new TypeError(`argument name is invalid: ${cookie.name}`);
+	const value = cookie.value ? enc(cookie.value) : "";
+	if (!cookieValueRegExp.test(value)) throw new TypeError(`argument val is invalid: ${cookie.value}`);
+	if (!cookie.secure) {
+		if (cookie.partitioned) throw new TypeError(`Partitioned cookies must have the Secure attribute`);
+		if (cookie.sameSite && String(cookie.sameSite).toLowerCase() === "none") throw new TypeError(`SameSite=None cookies must have the Secure attribute`);
+		if (cookie.name.length > 9 && cookie.name.charCodeAt(0) === 95 && cookie.name.charCodeAt(1) === 95) {
+			const nameLower = cookie.name.toLowerCase();
+			if (nameLower.startsWith("__secure-") || nameLower.startsWith("__host-")) throw new TypeError(`${cookie.name} cookies must have the Secure attribute`);
+		}
+	}
+	if (cookie.name.length > 7 && cookie.name.charCodeAt(0) === 95 && cookie.name.charCodeAt(1) === 95 && cookie.name.toLowerCase().startsWith("__host-")) {
+		if (cookie.path !== "/") throw new TypeError(`__Host- cookies must have Path=/`);
+		if (cookie.domain) throw new TypeError(`__Host- cookies must not have a Domain attribute`);
+	}
+	let str = cookie.name + "=" + value;
+	if (cookie.maxAge !== void 0) {
+		if (!Number.isInteger(cookie.maxAge)) throw new TypeError(`option maxAge is invalid: ${cookie.maxAge}`);
+		str += "; Max-Age=" + Math.max(0, Math.min(cookie.maxAge, COOKIE_MAX_AGE_LIMIT));
+	}
+	if (cookie.domain) {
+		if (!domainValueRegExp.test(cookie.domain)) throw new TypeError(`option domain is invalid: ${cookie.domain}`);
+		str += "; Domain=" + cookie.domain;
+	}
+	if (cookie.path) {
+		if (!pathValueRegExp.test(cookie.path)) throw new TypeError(`option path is invalid: ${cookie.path}`);
+		str += "; Path=" + cookie.path;
+	}
+	if (cookie.expires) {
+		if (!isDate(cookie.expires) || !Number.isFinite(cookie.expires.valueOf())) throw new TypeError(`option expires is invalid: ${cookie.expires}`);
+		str += "; Expires=" + cookie.expires.toUTCString();
+	}
+	if (cookie.httpOnly) str += "; HttpOnly";
+	if (cookie.secure) str += "; Secure";
+	if (cookie.partitioned) str += "; Partitioned";
+	if (cookie.priority) switch (typeof cookie.priority === "string" ? cookie.priority.toLowerCase() : void 0) {
+		case "low":
+			str += "; Priority=Low";
+			break;
+		case "medium":
+			str += "; Priority=Medium";
+			break;
+		case "high":
+			str += "; Priority=High";
+			break;
+		default: throw new TypeError(`option priority is invalid: ${cookie.priority}`);
+	}
+	if (cookie.sameSite) switch (typeof cookie.sameSite === "string" ? cookie.sameSite.toLowerCase() : cookie.sameSite) {
+		case true:
+		case "strict":
+			str += "; SameSite=Strict";
+			break;
+		case "lax":
+			str += "; SameSite=Lax";
+			break;
+		case "none":
+			str += "; SameSite=None";
+			break;
+		default: throw new TypeError(`option sameSite is invalid: ${cookie.sameSite}`);
+	}
+	return str;
 }
 function isDate(val) {
-  return Object.prototype.toString.call(val) === "[object Date]" || val instanceof Date;
+	return __toString.call(val) === "[object Date]";
+}
+const maxAgeRegExp = /^-?\d+$/;
+const _nullProto = Object.getPrototypeOf({});
+function parseSetCookie(str, options) {
+	const len = str.length;
+	let _endIdx = len;
+	let eqIdx = -1;
+	for (let i = 0; i < len; i++) {
+		const c = str.charCodeAt(i);
+		if (c === 59) {
+			_endIdx = i;
+			break;
+		}
+		if (c === 61 && eqIdx === -1) eqIdx = i;
+	}
+	if (eqIdx >= _endIdx) eqIdx = -1;
+	const name = eqIdx === -1 ? "" : _trim(str, 0, eqIdx);
+	if (name && name in _nullProto) return void 0;
+	let value = eqIdx === -1 ? _trim(str, 0, _endIdx) : _trim(str, eqIdx + 1, _endIdx);
+	if (!name && !value) return void 0;
+	if (name.length + value.length > 4096) return void 0;
+	if (options?.decode !== false) value = _decode(value, options?.decode);
+	const setCookie = {
+		name,
+		value
+	};
+	let index = _endIdx + 1;
+	while (index < len) {
+		let endIdx = len;
+		let attrEqIdx = -1;
+		for (let i = index; i < len; i++) {
+			const c = str.charCodeAt(i);
+			if (c === 59) {
+				endIdx = i;
+				break;
+			}
+			if (c === 61 && attrEqIdx === -1) attrEqIdx = i;
+		}
+		if (attrEqIdx >= endIdx) attrEqIdx = -1;
+		const attr = attrEqIdx === -1 ? _trim(str, index, endIdx) : _trim(str, index, attrEqIdx);
+		const val = attrEqIdx === -1 ? void 0 : _trim(str, attrEqIdx + 1, endIdx);
+		if (val === void 0 || val.length <= 1024) switch (attr.toLowerCase()) {
+			case "httponly":
+				setCookie.httpOnly = true;
+				break;
+			case "secure":
+				setCookie.secure = true;
+				break;
+			case "partitioned":
+				setCookie.partitioned = true;
+				break;
+			case "domain":
+				if (val) setCookie.domain = (val.charCodeAt(0) === 46 ? val.slice(1) : val).toLowerCase();
+				break;
+			case "path":
+				setCookie.path = val;
+				break;
+			case "max-age":
+				if (val && maxAgeRegExp.test(val)) setCookie.maxAge = Math.min(Number(val), COOKIE_MAX_AGE_LIMIT);
+				break;
+			case "expires": {
+				if (!val) break;
+				const date = new Date(val);
+				if (Number.isFinite(date.valueOf())) {
+					const maxDate = new Date(Date.now() + COOKIE_MAX_AGE_LIMIT * 1e3);
+					setCookie.expires = date > maxDate ? maxDate : date;
+				}
+				break;
+			}
+			case "priority": {
+				if (!val) break;
+				const priority = val.toLowerCase();
+				if (priority === "low" || priority === "medium" || priority === "high") setCookie.priority = priority;
+				break;
+			}
+			case "samesite": {
+				if (!val) break;
+				const sameSite = val.toLowerCase();
+				if (sameSite === "lax" || sameSite === "strict" || sameSite === "none") setCookie.sameSite = sameSite;
+				else setCookie.sameSite = "lax";
+				break;
+			}
+			default: {
+				const attrLower = attr.toLowerCase();
+				if (attrLower && !(attrLower in _nullProto)) setCookie[attrLower] = val;
+			}
+		}
+		index = endIdx + 1;
+	}
+	return setCookie;
 }
-
-function parseSetCookie(setCookieValue, options) {
-  const parts = (setCookieValue || "").split(";").filter((str) => typeof str === "string" && !!str.trim());
-  const nameValuePairStr = parts.shift() || "";
-  const parsed = _parseNameValuePair(nameValuePairStr);
-  const name = parsed.name;
-  let value = parsed.value;
-  try {
-    value = options?.decode === false ? value : (options?.decode || decodeURIComponent)(value);
-  } catch {
-  }
-  const cookie = {
-    name,
-    value
-  };
-  for (const part of parts) {
-    const sides = part.split("=");
-    const partKey = (sides.shift() || "").trimStart().toLowerCase();
-    const partValue = sides.join("=");
-    switch (partKey) {
-      case "expires": {
-        cookie.expires = new Date(partValue);
-        break;
-      }
-      case "max-age": {
-        cookie.maxAge = Number.parseInt(partValue, 10);
-        break;
-      }
-      case "secure": {
-        cookie.secure = true;
-        break;
-      }
-      case "httponly": {
-        cookie.httpOnly = true;
-        break;
-      }
-      case "samesite": {
-        cookie.sameSite = partValue;
-        break;
-      }
-      default: {
-        cookie[partKey] = partValue;
-      }
-    }
-  }
-  return cookie;
+function _trim(str, start, end) {
+	if (start === end) return "";
+	let s = start;
+	let e = end;
+	while (s < e && (str.charCodeAt(s) === 32 || str.charCodeAt(s) === 9)) s++;
+	while (e > s && (str.charCodeAt(e - 1) === 32 || str.charCodeAt(e - 1) === 9)) e--;
+	return str.slice(s, e);
 }
-function _parseNameValuePair(nameValuePairStr) {
-  let name = "";
-  let value = "";
-  const nameValueArr = nameValuePairStr.split("=");
-  if (nameValueArr.length > 1) {
-    name = nameValueArr.shift();
-    value = nameValueArr.join("=");
-  } else {
-    value = nameValuePairStr;
-  }
-  return { name, value };
+function _decode(value, decode) {
+	if (!decode && !value.includes("%")) return value;
+	try {
+		return (decode || decodeURIComponent)(value);
+	} catch {
+		return value;
+	}
 }
-
 function splitSetCookieString(cookiesString) {
-  if (Array.isArray(cookiesString)) {
-    return cookiesString.flatMap((c) => splitSetCookieString(c));
-  }
-  if (typeof cookiesString !== "string") {
-    return [];
-  }
-  const cookiesStrings = [];
-  let pos = 0;
-  let start;
-  let ch;
-  let lastComma;
-  let nextStart;
-  let cookiesSeparatorFound;
-  const skipWhitespace = () => {
-    while (pos < cookiesString.length && /\s/.test(cookiesString.charAt(pos))) {
-      pos += 1;
-    }
-    return pos < cookiesString.length;
-  };
-  const notSpecialChar = () => {
-    ch = cookiesString.charAt(pos);
-    return ch !== "=" && ch !== ";" && ch !== ",";
-  };
-  while (pos < cookiesString.length) {
-    start = pos;
-    cookiesSeparatorFound = false;
-    while (skipWhitespace()) {
-      ch = cookiesString.charAt(pos);
-      if (ch === ",") {
-        lastComma = pos;
-        pos += 1;
-        skipWhitespace();
-        nextStart = pos;
-        while (pos < cookiesString.length && notSpecialChar()) {
-          pos += 1;
-        }
-        if (pos < cookiesString.length && cookiesString.charAt(pos) === "=") {
-          cookiesSeparatorFound = true;
-          pos = nextStart;
-          cookiesStrings.push(cookiesString.slice(start, lastComma));
-          start = pos;
-        } else {
-          pos = lastComma + 1;
-        }
-      } else {
-        pos += 1;
-      }
-    }
-    if (!cookiesSeparatorFound || pos >= cookiesString.length) {
-      cookiesStrings.push(cookiesString.slice(start));
-    }
-  }
-  return cookiesStrings;
+	if (Array.isArray(cookiesString)) return cookiesString.flatMap((c) => splitSetCookieString(c));
+	if (typeof cookiesString !== "string") return [];
+	const cookiesStrings = [];
+	let pos = 0;
+	let start;
+	let ch;
+	let lastComma;
+	let nextStart;
+	let cookiesSeparatorFound;
+	const skipWhitespace = () => {
+		while (pos < cookiesString.length && /\s/.test(cookiesString.charAt(pos))) pos += 1;
+		return pos < cookiesString.length;
+	};
+	const notSpecialChar = () => {
+		ch = cookiesString.charAt(pos);
+		return ch !== "=" && ch !== ";" && ch !== ",";
+	};
+	while (pos < cookiesString.length) {
+		start = pos;
+		cookiesSeparatorFound = false;
+		while (skipWhitespace()) {
+			ch = cookiesString.charAt(pos);
+			if (ch === ",") {
+				lastComma = pos;
+				pos += 1;
+				skipWhitespace();
+				nextStart = pos;
+				while (pos < cookiesString.length && notSpecialChar()) pos += 1;
+				if (pos < cookiesString.length && cookiesString.charAt(pos) === "=") {
+					cookiesSeparatorFound = true;
+					pos = nextStart;
+					cookiesStrings.push(cookiesString.slice(start, lastComma));
+					start = pos;
+				} else pos = lastComma + 1;
+			} else pos += 1;
+		}
+		if (!cookiesSeparatorFound || pos >= cookiesString.length) cookiesStrings.push(cookiesString.slice(start));
+	}
+	return cookiesStrings;
 }
-
-export { parse, parseSetCookie, serialize, splitSetCookieString };
+export { parse, parse as parseCookie, parseSetCookie, serialize, serialize as serializeCookie, splitSetCookieString, stringifyCookie };

package/package.json

@@ -1,37 +1,40 @@
 {
   "name": "cookie-es",
-  "version": "2.0.0",
-  "repository": "unjs/cookie-es",
+  "version": "3.0.1",
   "license": "MIT",
-  "sideEffects": false,
-  "type": "module",
-  "exports": {
-    "types": "./dist/index.d.mts",
-    "default": "./dist/index.mjs"
-  },
-  "types": "./dist/index.d.mts",
+  "repository": "unjs/cookie-es",
   "files": [
     "dist"
   ],
+  "type": "module",
+  "sideEffects": false,
+  "types": "./dist/index.d.mts",
+  "exports": {
+    ".": "./dist/index.mjs"
+  },
   "scripts": {
-    "build": "unbuild",
+    "build": "obuild",
     "dev": "vitest --coverage",
-    "lint": "eslint --cache . && prettier -c src test",
-    "lint:fix": "automd && eslint --cache . --fix && prettier -c src test -w",
+    "lint": "oxlint . && oxfmt --check src test",
+    "fmt": "automd && oxlint . --fix && oxfmt src test",
     "release": "pnpm test && pnpm build && changelogen --release --push && npm publish",
     "test": "pnpm lint && vitest run --coverage"
   },
   "devDependencies": {
-    "@types/node": "^22.13.5",
-    "@vitest/coverage-v8": "^3.0.7",
-    "automd": "^0.4.0",
-    "changelogen": "^0.6.0",
-    "eslint": "^9.21.0",
-    "eslint-config-unjs": "^0.4.2",
-    "prettier": "^3.5.2",
-    "typescript": "^5.7.3",
-    "unbuild": "^3.5.0",
-    "vitest": "^3.0.7"
+    "@types/node": "^25.5.0",
+    "@vitest/coverage-v8": "^4.1.1",
+    "automd": "^0.4.3",
+    "changelogen": "^0.6.2",
+    "cookie": "^1.1.1",
+    "eslint-config-unjs": "^0.6.2",
+    "magic-string": "^0.30.21",
+    "mitata": "^1.0.34",
+    "obuild": "^0.4.32",
+    "oxfmt": "^0.41.0",
+    "oxlint": "^1.56.0",
+    "rolldown": "1.0.0-rc.11",
+    "typescript": "^6.0.2",
+    "vitest": "^4.1.1"
   },
-  "packageManager": "pnpm@10.5.2"
+  "packageManager": "pnpm@10.32.1"
 }