dx-server 0.12.2 → 0.13.0

package/lib/router.js

@@ -0,0 +1,43 @@
+import { getReq } from './dx.js';
+import { urlFromReq } from './bodyHelpers.js';
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
+const allMethods = [
+    'get', 'head', 'post', 'put', 'delete', 'connect', 'options', 'trace', 'patch'
+];
+function makeRouter(method, // undefined means any method
+routes, { prefix = '' } = {}) {
+    const routeWithUrlPatterns = routes.map(([pattern, handler]) => [new URLPattern({ pathname: `${prefix}${pattern}` }), handler]);
+    return next => {
+        const req = getReq();
+        if (method !== undefined && req.method !== method.toUpperCase())
+            return next();
+        for (const [urlPattern, handler] of routeWithUrlPatterns) {
+            // '' matches nothing
+            // '/' matches both https://example.com and https://example.com/
+            // '/foo' matches https://example.com/foo but not https://example.com/foo/
+            // '/foo/' matches https://example.com/foo/ but not https://example.com/foo
+            // path can be '*' for OPTIONS request
+            // to test: curl -X OPTIONS --request-target '*' http://localhost:3000 -D -
+            // req.url === '*'
+            // new URL('*', 'https://example.com').pathname === '/*'
+            const matched = urlPattern.exec({ pathname: urlFromReq(req).pathname });
+            if (matched)
+                return handler({ matched, next });
+        }
+        return next();
+    };
+}
+export const router = {
+    method(method, ...params) {
+        return typeof params[0] === 'string'
+            ? makeRouter(method, [[params[0], params[1]]], params[2])
+            : makeRouter(method, Object.entries(params[0]), params[1]);
+    },
+    all(...params) {
+        return typeof params[0] === 'string'
+            ? makeRouter(undefined, [[params[0], params[1]]], params[2])
+            : makeRouter(undefined, Object.entries(params[0]), params[1]);
+    }
+};
+for (const method of allMethods)
+    router[method] = router.method.bind(router, method);

package/lib/static.js

@@ -0,0 +1,22 @@
+import { getReq, getRes } from './dx.js';
+import { sendFileTrusted } from './staticHelpers.js';
+import { urlFromReq } from './bodyHelpers.js';
+export function chainStatic(pattern, { getPathname, ...options }) {
+    const urlPattern = new URLPattern({ pathname: pattern });
+    return async (next) => {
+        const req = getReq();
+        if (req.method !== 'GET' && req.method !== 'HEAD')
+            return next();
+        const { pathname } = urlFromReq(req);
+        const matched = urlPattern.exec({ pathname });
+        if (!matched)
+            return next();
+        try {
+            await sendFileTrusted(req, getRes(), getPathname?.(matched)
+                ?? decodeURIComponent(pathname), options);
+        }
+        catch (e) {
+            return next(e); // if request's pathname matches pattern, but file is not found, next() will be called with error
+        }
+    };
+}

package/{cjs → lib}/staticHelpers.d.ts

@@ -1,6 +1,4 @@
-/// <reference types="node" resolution-mode="require"/>
 import { IncomingMessage, ServerResponse } from 'node:http';
-import './polyfillWithResolvers.js';
 export interface SendFileOptions {
     allowDotfiles?: boolean;
     root?: string;

package/lib/staticHelpers.js

@@ -0,0 +1,186 @@
+import path from 'node:path';
+import { stat } from 'node:fs/promises';
+import { entityTagPath, statTag } from './vendors/etag.js';
+import { contentTypeForExtension } from './vendors/mime.js';
+import { fresh, parseHttpDate, parseTokenList } from './vendors/fresh.js';
+import { parseRange } from './vendors/rangeParser.js';
+import { createReadStream } from 'node:fs';
+import { onFinished } from './vendors/onFinished.js';
+import { promisify } from 'node:util';
+const BYTES_RANGE_REGEXP = /^ *bytes=/;
+const UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
+export async function sendFileTrusted(req, res, pathname, // plain path, not URI-encoded
+{ root, allowDotfiles, start = 0, end, disableAcceptRanges, disableLastModified, etag = 'strong', disableCacheControl, maxAge = 60 * 60 * 24 * 365 * 1000, // 1 year
+immutable, } = {}) {
+    // null byte(s)
+    if (pathname.includes('\0'))
+        throw new Error('Forbidden');
+    let parts;
+    if (root) {
+        // normalize
+        pathname = path.normalize(`.${path.sep}${pathname}`);
+        // malicious path
+        if (UP_PATH_REGEXP.test(pathname))
+            throw new Error('Forbidden');
+        // explode path parts
+        parts = pathname.split(path.sep);
+        // join / normalize from optional root dir
+        pathname = path.normalize(path.join(root, pathname));
+    }
+    else {
+        // malicious path
+        if (UP_PATH_REGEXP.test(pathname))
+            throw new Error('Forbidden');
+        // explode path parts
+        parts = path.normalize(pathname).split(path.sep);
+        // join / normalize from optional root dir
+        pathname = path.resolve(pathname);
+    }
+    // dotfile handling
+    if (parts.some(part => part.length > 1 && part[0] === '.') && !allowDotfiles)
+        throw new Error('Forbidden: dotfiles are not allowed');
+    // pathEndsWithSep
+    if (pathname[pathname.length - 1] === path.sep)
+        throw new Error('Forbidden: directory access is not allowed');
+    const fileStat = await stat(pathname);
+    // not found, check extensions
+    // if (err.code === 'ENOENT' && !path.extname(pathname) && !pathEndsWithSep) throw err
+    // switch (err.code) {
+    // 	case 'ENAMETOOLONG':
+    // 	case 'ENOENT':
+    // 	case 'ENOTDIR':
+    // 	default:
+    // }
+    if (fileStat.isDirectory())
+        throw new Error('Forbidden: directory access is not allowed');
+    if (res.headersSent)
+        return;
+    //region set header fields
+    if (!disableAcceptRanges && !res.getHeader('Accept-Ranges'))
+        res.setHeader('Accept-Ranges', 'bytes');
+    if (!disableCacheControl && !res.getHeader('Cache-Control'))
+        res.setHeader('Cache-Control', [
+            `public, max-age=${Math.floor(maxAge / 1000)}`,
+            immutable && 'immutable',
+        ].filter(Boolean).join(', '));
+    if (!disableLastModified && !res.getHeader('Last-Modified'))
+        res.setHeader('Last-Modified', fileStat.mtime.toUTCString());
+    if (etag !== 'disabled' && !res.getHeader('ETag'))
+        res.setHeader('ETag', etag === 'weak' ? statTag(fileStat) : await entityTagPath(fileStat, pathname, false));
+    //endregion set header fields
+    // content-type
+    if (!res.getHeader('Content-Type'))
+        res.setHeader('Content-Type', contentTypeForExtension(path.extname(pathname).slice(1)) || 'application/octet-stream');
+    // conditional GET support
+    // isConditionalGET
+    if (req.headers['if-match'] || req.headers['if-unmodified-since'] || req.headers['if-none-match'] || req.headers['if-modified-since']) {
+        //region isPreconditionFailure
+        // if-match
+        const match = req.headers['if-match'];
+        if (match) {
+            const etag = res.getHeader('ETag');
+            if (!etag
+                || (match !== '*' && parseTokenList(match).every(match => match !== etag && match !== 'W/' + etag && 'W/' + match !== etag)))
+                throw new Error('Precondition Failed: request headers do not match the response');
+        }
+        // if-unmodified-since (ignore when using strong etag since mtime may be unreliable)
+        if (etag === 'weak') {
+            const unmodifiedSince = parseHttpDate(req.headers['if-unmodified-since']);
+            if (!isNaN(unmodifiedSince)) {
+                const lastModified = parseHttpDate(res.getHeader('Last-Modified'));
+                if (isNaN(lastModified) || lastModified > unmodifiedSince)
+                    throw new Error('Precondition Failed: resource has been modified since the specified date');
+            }
+        }
+        //endregion isPreconditionFailure
+        // isCachable
+        if ((res.statusCode >= 200 && res.statusCode < 300 || res.statusCode === 304)
+            && fresh(req.headers, {
+                etag: res.getHeader('ETag'),
+                // Only use last-modified for freshness check when using weak Etag
+                'last-modified': etag === 'weak' ? res.getHeader('Last-Modified') : undefined
+            })) {
+            // removeContentHeaderFields
+            res.removeHeader('Content-Encoding');
+            res.removeHeader('Content-Language');
+            res.removeHeader('Content-Length');
+            res.removeHeader('Content-Range');
+            res.removeHeader('Content-Type');
+            res.statusCode = 304;
+            return void await promisify(res.end.bind(res))();
+        }
+    }
+    // adjust len to start/end options
+    let len = fileStat.size;
+    len = Math.max(0, len - start);
+    if (end !== undefined) {
+        const bytes = end - start + 1;
+        if (len > bytes)
+            len = bytes;
+    }
+    // Range support
+    let ranges = req.headers.range;
+    if (!disableAcceptRanges && BYTES_RANGE_REGEXP.test(ranges ?? '')) {
+        // parse
+        let rangesNum = parseRange(len, ranges, { combine: true });
+        // If-Range support
+        if (!isRangeFresh(req, res))
+            rangesNum = -2;
+        // unsatisfiable
+        if (rangesNum === -1) {
+            // Content-Range
+            res.setHeader('Content-Range', contentRange('bytes', len));
+            // 416 Requested Range Not Satisfiable
+            throw new Error('Requested Range Not Satisfiable: requested range is not satisfiable');
+            // return this.error(416, {
+            // 	headers: {'Content-Range': res.getHeader('Content-Range')}
+            // })
+        }
+        // valid (syntactically invalid/multiple ranges are treated as a regular response)
+        if (rangesNum !== -2 && rangesNum.length === 1) {
+            // Content-Range
+            res.statusCode = 206;
+            res.setHeader('Content-Range', contentRange('bytes', len, rangesNum[0]));
+            // adjust for requested range
+            start += rangesNum[0].start;
+            len = rangesNum[0].end - rangesNum[0].start + 1;
+        }
+    }
+    // set read options
+    end = Math.max(start, start + len - 1);
+    // content-length
+    res.setHeader('Content-Length', len);
+    // HEAD support
+    if (req.method === 'HEAD')
+        return void await promisify(res.end.bind(res))();
+    // Weak ETag path: stream file
+    const stream = createReadStream(pathname, { start, end });
+    stream.pipe(res);
+    const defer = Promise.withResolvers();
+    onFinished(res, cleanup);
+    stream.on('error', err => {
+        cleanup();
+        defer.reject(err);
+    });
+    stream.on('end', defer.resolve);
+    function cleanup() {
+        stream.destroy();
+    }
+    return defer.promise;
+}
+function isRangeFresh(req, res) {
+    const ifRange = req.headers['if-range'];
+    if (!ifRange)
+        return true;
+    // if-range as etag
+    if (ifRange.indexOf('"') !== -1) {
+        const etag = res.getHeader('ETag');
+        return etag && ifRange.includes(etag);
+    }
+    // if-range as modified date
+    const lastModified = res.getHeader('Last-Modified');
+    return parseHttpDate(lastModified) <= parseHttpDate(ifRange);
+}
+function contentRange(type, size, range) {
+    return `${type} ${range ? range.start + '-' + range.end : '*'}/${size}`;
+}

package/{cjs → lib}/stream.d.ts

@@ -1,12 +1,7 @@
-/// <reference types="node" resolution-mode="require"/>
-/// <reference types="node" resolution-mode="require"/>
-/// <reference types="node" resolution-mode="require"/>
-/// <reference types="node" resolution-mode="require"/>
 import type { IncomingMessage } from 'node:http';
 import type { Readable } from 'node:stream';
-import './polyfillWithResolvers.js';
-export declare function getContentStream(req: IncomingMessage, encoding: string, disableInflate?: boolean): IncomingMessage | import("zlib").Gunzip;
+export declare function getContentStream(req: IncomingMessage, encoding: string, disableInflate?: boolean): IncomingMessage | import("node:zlib").Inflate | import("node:zlib").Gunzip | import("node:zlib").BrotliDecompress;
 export declare function readStream(stream: Readable, { length, limit }: {
     length?: number;
     limit?: number;
-}): Promise<Buffer>;
+}): Promise<Buffer<ArrayBufferLike>>;

package/lib/stream.js

@@ -0,0 +1,90 @@
+import { createBrotliDecompress, createGunzip, createInflate } from 'node:zlib';
+// note: there might be multiple encodings applied to the stream
+// we only support one encoding
+export function getContentStream(req, encoding, disableInflate) {
+    if (disableInflate && encoding !== 'identity')
+        throw new Error(`content-encoding ${encoding} is not supported`);
+    switch (encoding) {
+        case 'deflate': {
+            const stream = createInflate();
+            req.pipe(stream);
+            return stream;
+        }
+        case 'gzip': {
+            const stream = createGunzip();
+            req.pipe(stream);
+            return stream;
+        }
+        case 'br': {
+            const stream = createBrotliDecompress();
+            req.pipe(stream);
+            return stream;
+        }
+        case 'identity':
+            return req;
+        default:
+            throw new Error(`unsupported content-encoding ${encoding}`);
+    }
+}
+// https://github.com/stream-utils/raw-body/blob/191e4b6506dcf77198eed01c8feb4b6817008342/index.js#L155
+export async function readStream(stream, { length, limit }) {
+    let completed = false;
+    // check the length and limit options.
+    // note: we intentionally leave the stream paused,
+    // so users should handle the stream themselves.
+    if (limit !== undefined && length !== undefined && length > limit)
+        throw new Error('request entity too large');
+    let received = 0;
+    const buffers = [];
+    const defer = Promise.withResolvers();
+    // attach listeners
+    stream.on('aborted', onAborted);
+    stream.on('close', onClose);
+    stream.on('data', onData);
+    stream.on('end', onEnd);
+    stream.on('error', onError);
+    function done(err, result) {
+        if (completed)
+            return;
+        completed = true;
+        onClose();
+        if (err) {
+            stream.unpipe?.();
+            stream.pause?.();
+            defer.reject(err);
+        }
+        else
+            defer.resolve(result);
+    }
+    function onData(chunk) {
+        if (completed)
+            return;
+        received += chunk.length;
+        if (limit !== undefined && received > limit) {
+            done(new Error('request entity too large'));
+        }
+        else
+            buffers.push(chunk);
+    }
+    function onError(err) {
+        done(err);
+    }
+    function onEnd() {
+        if (length !== undefined && received !== length)
+            done(new Error('request size did not match content length'));
+        else
+            done(undefined, Buffer.concat(buffers));
+    }
+    function onAborted() {
+        done(new Error('request aborted'));
+    }
+    function onClose() {
+        buffers.splice(0, buffers.length);
+        stream.off('aborted', onAborted);
+        stream.off('data', onData);
+        stream.off('end', onEnd);
+        stream.off('error', onError);
+        stream.off('close', onClose);
+    }
+    return await defer.promise;
+}

package/{esm → lib}/vendors/contentType.js

@@ -85,4 +85,3 @@ function formatContentType({ mediaType, parameters }) {
         ? Object.keys(parameters).sort().map(key => `; ${key}=${qstring(parameters[key])}`).join('')
         : ''}`;
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29udGVudFR5cGUuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvdmVuZG9ycy9jb250ZW50VHlwZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxxR0FBcUc7QUFDckc7Ozs7OztHQU1HO0FBQ0gsTUFBTSxXQUFXLEdBQUcsNERBQTRELENBQUE7QUFDaEY7Ozs7Ozs7Ozs7Ozs7R0FhRztBQUNILE1BQU0sWUFBWSxHQUFHLGtLQUFrSyxDQUFBLENBQUMsdUNBQXVDO0FBQy9OLE1BQU0sV0FBVyxHQUFHLHVDQUF1QyxDQUFBLENBQUMsdUNBQXVDO0FBQ25HLE1BQU0sWUFBWSxHQUFHLCtCQUErQixDQUFBO0FBQ3BEOzs7OztHQUtHO0FBQ0gsTUFBTSxXQUFXLEdBQUcsNEJBQTRCLENBQUEsQ0FBQyx1Q0FBdUM7QUFFeEYsTUFBTSxVQUFVLGdCQUFnQixDQUFFLE1BQWM7SUFDL0MsSUFBSSxLQUFLLEdBQUcsTUFBTSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsQ0FBQTtJQUMvQixNQUFNLFNBQVMsR0FBRyxLQUFLLEtBQUssQ0FBQyxDQUFDO1FBQzdCLENBQUMsQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxLQUFLLENBQUMsQ0FBQyxJQUFJLEVBQUU7UUFDL0IsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxJQUFJLEVBQUUsQ0FBQTtJQUVoQixJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUM7UUFBRSxNQUFNLElBQUksU0FBUyxDQUFDLHVCQUF1QixTQUFTLEVBQUUsQ0FBQyxDQUFBO0lBQ3pGLE1BQU0sVUFBVSxHQUEyQixNQUFNLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFBO0lBRTlELG1CQUFtQjtJQUNuQixJQUFJLEtBQUssS0FBSyxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQ2xCLElBQUksR0FBRyxDQUFBO1FBQ1AsSUFBSSxLQUFLLENBQUE7UUFDVCxJQUFJLEtBQUssQ0FBQTtRQUVULE1BQU0sTUFBTSxHQUFHLElBQUksTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFBO1FBQ3ZDLE1BQU0sQ0FBQyxTQUFTLEdBQUcsS0FBSyxDQUFBO1FBRXhCLE9BQU8sQ0FBQyxLQUFLLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQyxFQUFFLENBQUM7WUFDdEMsSUFBSSxLQUFLLENBQUMsS0FBSyxLQUFLLEtBQUs7Z0JBQUUsTUFBTSxJQUFJLFNBQVMsQ0FBQywwQkFBMEIsQ0FBQyxDQUFBO1lBRTFFLEtBQUssSUFBSSxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFBO1lBQ3hCLEdBQUcsR0FBRyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsV0FBVyxFQUFFLENBQUE7WUFDNUIsS0FBSyxHQUFHLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQTtZQUVoQixJQUFJLEtBQUssQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLEtBQUssSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO2dCQUMxQyxnQkFBZ0I7Z0JBQ2hCLEtBQUssR0FBRyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFBO2dCQUMxQixpQkFBaUI7Z0JBQ2pCLElBQUksS0FBSyxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUM7b0JBQUUsS0FBSyxHQUFHLEtBQUssQ0FBQyxPQUFPLENBQUMsV0FBVyxFQUFFLElBQUksQ0FBQyxDQUFBO1lBQ3pFLENBQUM7WUFFRCxVQUFVLENBQUMsR0FBRyxDQUFDLEdBQUcsS0FBSyxDQUFBO1FBQ3hCLENBQUM7UUFFRCxJQUFJLEtBQUssS0FBSyxNQUFNLENBQUMsTUFBTTtZQUFFLE1BQU0sSUFBSSxTQUFTLENBQUMsMEJBQTBCLENBQUMsQ0FBQTtJQUM3RSxDQUFDO0lBRUQsT0FBTyxFQUFDLFNBQVMsRUFBRSxVQUFVLEVBQUMsQ0FBQTtBQUMvQixDQUFDO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLFlBQVksR0FBRyxVQUFVLENBQUE7QUFDL0IsU0FBUyxPQUFPLENBQUUsR0FBVztJQUM1QiwwQkFBMEI7SUFDMUIsSUFBSSxZQUFZLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQztRQUFFLE9BQU8sR0FBRyxDQUFBO0lBRXRDLElBQUksR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQztRQUFFLE1BQU0sSUFBSSxTQUFTLENBQUMsNEJBQTRCLEdBQUcsRUFBRSxDQUFDLENBQUE7SUFDcEcsT0FBTyxJQUFJLEdBQUcsQ0FBQyxPQUFPLENBQUMsWUFBWSxFQUFFLE1BQU0sQ0FBQyxHQUFHLENBQUE7QUFDaEQsQ0FBQztBQUVELFNBQVMsaUJBQWlCLENBQUMsRUFBQyxTQUFTLEVBQUUsVUFBVSxFQUdoRDtJQUNBLElBQUksQ0FBQyxTQUFTLElBQUksQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQztRQUFFLE1BQU0sSUFBSSxTQUFTLENBQUMsaUJBQWlCLFNBQVMsRUFBRSxDQUFDLENBQUE7SUFDakcsT0FBTyxHQUFHLFNBQVMsR0FDbEIsVUFBVTtRQUNULENBQUMsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDLElBQUksRUFBRSxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEtBQUssR0FBRyxJQUFJLE9BQU8sQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUM1RixDQUFDLENBQUMsRUFDSixFQUFFLENBQUE7QUFDSCxDQUFDIn0=

package/{cjs → lib}/vendors/etag.d.ts

@@ -1,6 +1,3 @@
-/// <reference types="node" resolution-mode="require"/>
-/// <reference types="node" resolution-mode="require"/>
-/// <reference types="node" resolution-mode="require"/>
 import type { IncomingMessage } from 'node:http';
 import { type Stats } from 'node:fs';
 export declare function entityTag(buf: Buffer, weak?: boolean): string;

package/lib/vendors/etag.js

@@ -0,0 +1,104 @@
+// etag: https://github.com/jshttp/etag/blob/b9f0642256e63654287299d205bc6ced71b1a228/index.js#L39
+import crypto, { createHash } from 'node:crypto';
+import { createReadStream } from 'node:fs';
+export function entityTag(buf, weak) {
+    // pre-computed empty
+    return buf.length
+        ? `${buf.length.toString(16)}-${crypto
+            .createHash('sha1')
+            .update(buf)
+            .digest('base64')
+            .substring(0, 27)}"`
+        : `${weak ? 'W/' : ''}"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"`;
+    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag#directives
+    // weak W/ vs strong eTag
+    // same weak eTag: 2 resources might be semantically equivalent, but not byte-for-byte identical
+}
+export async function entityTagPath(fileStat, filePath, weak) {
+    const hash = createHash('sha1');
+    const defer = Promise.withResolvers();
+    createReadStream(filePath).pipe(hash)
+        .on('finish', defer.resolve)
+        .on('error', defer.reject);
+    await defer.promise;
+    return `${fileStat.size.toString(16)}-${hash
+        .digest('base64')
+        .substring(0, 27)}`;
+    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag#directives
+    // weak W/ vs strong eTag
+    // same weak eTag: 2 resources might be semantically equivalent, but not byte-for-byte identical
+}
+const CACHE_CONTROL_NO_CACHE_REGEXP = /(?:^|,)\s*?no-cache\s*?(?:,|$)/;
+export function statTag(stat) {
+    const mtime = stat.mtime.getTime().toString(16);
+    const size = stat.size.toString(16);
+    return `"${size}-${mtime}"`;
+}
+// https://github.com/jshttp/fresh/blob/05254186fd7428915224db46144fc94293a7df7d/index.js#L33
+export function isFreshETag(req, etag) {
+    const noneMatch = req.headers['if-none-match'];
+    if (!noneMatch)
+        return;
+    // Always return stale when Cache-Control: no-cache
+    // to support end-to-end reload requests
+    // https://tools.ietf.org/html/rfc2616#section-14.9.4
+    const cacheControl = req.headers['cache-control'];
+    if (cacheControl && CACHE_CONTROL_NO_CACHE_REGEXP.test(cacheControl))
+        return;
+    if (noneMatch && noneMatch !== '*') {
+        if (!etag)
+            return;
+        let etagStale = true;
+        for (const match of parseTokenList(noneMatch)) {
+            if (match === etag || match === `W/${etag}` || `W/${match}` === etag) {
+                etagStale = false;
+                break;
+            }
+        }
+        if (etagStale)
+            return;
+    }
+    return true;
+}
+export function isFreshModifiedSince(req, lastModified) {
+    const modifiedSince = req.headers['if-modified-since'];
+    if (!modifiedSince)
+        return;
+    // Always return stale when Cache-Control: no-cache
+    // to support end-to-end reload requests
+    // https://tools.ietf.org/html/rfc2616#section-14.9.4
+    const cacheControl = req.headers['cache-control'];
+    if (cacheControl && CACHE_CONTROL_NO_CACHE_REGEXP.test(cacheControl))
+        return;
+    if (modifiedSince && lastModified) {
+        const lastModifiedDate = Date.parse(lastModified);
+        const modifiedSinceDate = Date.parse(modifiedSince);
+        return !isNaN(lastModifiedDate) && !isNaN(modifiedSinceDate) && lastModifiedDate <= modifiedSinceDate;
+    }
+    return true;
+}
+function parseTokenList(str) {
+    let end = 0;
+    const list = [];
+    let start = 0;
+    // gather tokens
+    for (let i = 0, len = str.length; i < len; i++) {
+        switch (str.charCodeAt(i)) {
+            case 0x20: /*   */
+                if (start === end) {
+                    start = end = i + 1;
+                }
+                break;
+            case 0x2c: /* , */
+                list.push(str.substring(start, end));
+                start = end = i + 1;
+                break;
+            default:
+                end = i + 1;
+                break;
+        }
+    }
+    // final token
+    list.push(str.substring(start, end));
+    return list;
+}

package/{cjs → lib}/vendors/fresh.d.ts

@@ -6,7 +6,7 @@
  * @return {Boolean}
  * @public
  */
-export declare function fresh(reqHeaders: any, resHeaders: any): boolean;
+export declare function fresh(reqHeaders: Record<string, any>, resHeaders: Record<string, any>): boolean;
 /**
  * Parse an HTTP Date into a number.
  *
@@ -20,4 +20,4 @@ export declare function parseHttpDate(date: any): number;
  * @param {string} str
  * @private
  */
-export declare function parseTokenList(str: any): any[];
+export declare function parseTokenList(str: string): string[];

package/lib/vendors/fresh.js

@@ -0,0 +1,95 @@
+const CACHE_CONTROL_NO_CACHE_REGEXP = /(?:^|,)\s*?no-cache\s*?(?:,|$)/;
+/**
+ * Check freshness of the response using request and response headers.
+ *
+ * @param {Object} reqHeaders
+ * @param {Object} resHeaders
+ * @return {Boolean}
+ * @public
+ */
+export function fresh(reqHeaders, resHeaders) {
+    // fields
+    const modifiedSince = reqHeaders['if-modified-since'];
+    const noneMatch = reqHeaders['if-none-match'];
+    // unconditional request
+    if (!modifiedSince && !noneMatch) {
+        return false;
+    }
+    // Always return stale when Cache-Control: no-cache
+    // to support end-to-end reload requests
+    // https://tools.ietf.org/html/rfc2616#section-14.9.4
+    const cacheControl = reqHeaders['cache-control'];
+    if (cacheControl && CACHE_CONTROL_NO_CACHE_REGEXP.test(cacheControl)) {
+        return false;
+    }
+    // if-none-match takes precedent over if-modified-since
+    if (noneMatch) {
+        if (noneMatch === '*') {
+            return true;
+        }
+        const etag = resHeaders.etag;
+        if (!etag) {
+            return false;
+        }
+        const matches = parseTokenList(noneMatch);
+        for (let i = 0; i < matches.length; i++) {
+            const match = matches[i];
+            if (match === etag || match === 'W/' + etag || 'W/' + match === etag) {
+                return true;
+            }
+        }
+        return false;
+    }
+    // if-modified-since
+    if (modifiedSince) {
+        const lastModified = resHeaders['last-modified'];
+        const modifiedStale = !lastModified || !(parseHttpDate(lastModified) <= parseHttpDate(modifiedSince));
+        if (modifiedStale) {
+            return false;
+        }
+    }
+    return true;
+}
+/**
+ * Parse an HTTP Date into a number.
+ *
+ * @param {string} date
+ * @private
+ */
+export function parseHttpDate(date) {
+    const timestamp = date && Date.parse(date);
+    // istanbul ignore next: guard against date.js Date.parse patching
+    return typeof timestamp === 'number' ? timestamp : NaN;
+}
+/**
+ * Parse a HTTP token list.
+ *
+ * @param {string} str
+ * @private
+ */
+export function parseTokenList(str) {
+    let end = 0;
+    const list = [];
+    let start = 0;
+    // gather tokens
+    let i = 0, len = str.length;
+    for (; i < len; i++) {
+        switch (str.charCodeAt(i)) {
+            case 0x20: /*   */
+                if (start === end) {
+                    start = end = i + 1;
+                }
+                break;
+            case 0x2c: /* , */
+                list.push(str.substring(start, end));
+                start = end = i + 1;
+                break;
+            default:
+                end = i + 1;
+                break;
+        }
+    }
+    // final token
+    list.push(str.substring(start, end));
+    return list;
+}

package/lib/vendors/mime.d.ts

@@ -0,0 +1 @@
+export declare function contentTypeForExtension(extension: string): string | undefined;

package/lib/vendors/mime.js

@@ -0,0 +1,35 @@
+import mimeDbRaw from './mimeDb.js';
+import { mimeScore } from './mimeScore.js';
+const mimeDb = mimeDbRaw;
+const extensionToMime = Object.create(null);
+for (const [type, { extensions = [] }] of Object.entries(mimeDb))
+    for (const extension of extensions)
+        extensionToMime[extension] = preferredType(extension, type, extensionToMime[extension]);
+function preferredType(ext, type0, type1) {
+    const score0 = type0 ? mimeScore(type0, mimeDb[type0].source) : 0;
+    const score1 = type1 ? mimeScore(type1, mimeDb[type1].source) : 0;
+    return score0 > score1 ? type0 : type1;
+}
+export function contentTypeForExtension(extension) {
+    const mimeType = extensionToMime[extension.toLowerCase()];
+    if (!mimeType)
+        return;
+    if (!mimeType.includes('charset')) {
+        const charset = determineCharset(mimeType);
+        if (charset)
+            return mimeType + '; charset=' + charset.toLowerCase();
+    }
+    return mimeType;
+}
+const EXTRACT_TYPE_REGEXP = /^\s*([^;\s]*)(?:;|\s|$)/;
+const TEXT_TYPE_REGEXP = /^text\//i;
+function determineCharset(type) {
+    // _TODO: use media-typer
+    const match = EXTRACT_TYPE_REGEXP.exec(type);
+    const mime = match && mimeDb[match[1].toLowerCase()];
+    if (mime?.charset)
+        return mime.charset;
+    // default text/* to utf-8
+    if (match && TEXT_TYPE_REGEXP.test(match[1]))
+        return 'UTF-8';
+}