got 15.0.1 → 15.0.2

package/dist/source/as-promise/index.js

@@ -69,12 +69,18 @@ export default function asPromise(firstRequest) {
                                     : (Object.hasOwn(updatedOptions, 'body') && updatedOptions.body !== undefined)
                                         || (Object.hasOwn(updatedOptions, 'json') && updatedOptions.json !== undefined)
                                         || (Object.hasOwn(updatedOptions, 'form') && updatedOptions.form !== undefined);
+                                const clearsCookieJar = Object.hasOwn(updatedOptions, 'cookieJar') && updatedOptions.cookieJar === undefined;
                                 if (hasExplicitBody && !reusesRequestOptions) {
                                     options.clearBody();
                                 }
+                                if (!reusesRequestOptions && clearsCookieJar) {
+                                    options.cookieJar = undefined;
+                                }
                                 if (!reusesRequestOptions) {
                                     options.merge(updatedOptions);
+                                    options.syncCookieHeaderAfterMerge(previousState, updatedOptions.headers);
                                 }
+                                options.clearUnchangedCookieHeader(previousState, reusesRequestOptions ? changedState : undefined);
                                 if (updatedOptions.url) {
                                     const nextUrl = reusesRequestOptions
                                         ? options.url

package/dist/source/core/index.js

@@ -725,6 +725,40 @@ export default class Request extends Duplex {
                 }, this));
             }
         });
+        let canFinalizeResponse = false;
+        const handleResponseEnd = () => {
+            if (!canFinalizeResponse
+                || !response.readableEnded) {
+                return;
+            }
+            canFinalizeResponse = false;
+            if (this._stopReading) {
+                return;
+            }
+            // Validate content-length if it was provided
+            // Per RFC 9112: "If the sender closes the connection before the indicated number
+            // of octets are received, the recipient MUST consider the message to be incomplete"
+            if (this._checkContentLengthMismatch()) {
+                return;
+            }
+            this._responseSize = this._downloadedSize;
+            this.emit('downloadProgress', this.downloadProgress);
+            // Publish response end event
+            publishResponseEnd({
+                requestId: this._requestId,
+                url: typedResponse.url,
+                statusCode,
+                bodySize: this._downloadedSize,
+                timings: this.timings,
+            });
+            this.push(null);
+        };
+        if (!shouldFollowRedirect) {
+            // `set-cookie` handling below awaits the cookie jar. A fast response can fully
+            // end during that await, so we need to observe `end` early without completing
+            // the outward stream until cookie handling has finished.
+            response.once('end', handleResponseEnd);
+        }
         const noPipeCookieJarRawBodyPromise = this._noPipe
             && is.object(options.cookieJar)
             && !isRedirect
@@ -828,6 +862,7 @@ export default class Request extends Duplex {
                     }
                     return changedState;
                 });
+                updatedOptions.clearUnchangedCookieHeader(preHookState, changedState);
                 // If a beforeRedirect hook changed the URL to a different origin,
                 // strip sensitive headers that were preserved for the original origin.
                 // When isDifferentOrigin was already true, headers were already stripped above.
@@ -836,15 +871,7 @@ export default class Request extends Duplex {
                     const hookUrl = updatedOptions.url;
                     if (!isSameOrigin(state.url, hookUrl)) {
                         this._stripUnchangedCrossOriginState(updatedOptions, hookUrl, shouldDropBody, {
-                            headers: state.headers,
-                            username: state.username,
-                            password: state.password,
-                            body: state.body,
-                            json: state.json,
-                            form: state.form,
-                            bodySnapshot: state.bodySnapshot,
-                            jsonSnapshot: state.jsonSnapshot,
-                            formSnapshot: state.formSnapshot,
+                            ...state,
                             changedState,
                             preserveUsername: hasExplicitCredentialInUrlChange(changedState, hookUrl, 'username')
                                 || isCrossOriginCredentialChanged(state.url, hookUrl, 'username'),
@@ -870,6 +897,8 @@ export default class Request extends Duplex {
             }
             return;
         }
+        canFinalizeResponse = true;
+        handleResponseEnd();
         // `HTTPError`s always have `error.response.body` defined.
         // Therefore, we cannot retry if `options.throwHttpErrors` is false.
         // On the last retry, if `options.throwHttpErrors` is false, we would need to return the body,
@@ -894,32 +923,6 @@ export default class Request extends Duplex {
                 }
             }
         }
-        // Set up end listener AFTER redirect check to avoid emitting progress for redirect responses
-        let responseEndHandled = false;
-        const handleResponseEnd = () => {
-            if (responseEndHandled) {
-                return;
-            }
-            responseEndHandled = true;
-            // Validate content-length if it was provided
-            // Per RFC 9112: "If the sender closes the connection before the indicated number
-            // of octets are received, the recipient MUST consider the message to be incomplete"
-            if (this._checkContentLengthMismatch()) {
-                return;
-            }
-            this._responseSize = this._downloadedSize;
-            this.emit('downloadProgress', this.downloadProgress);
-            // Publish response end event
-            publishResponseEnd({
-                requestId: this._requestId,
-                url: typedResponse.url,
-                statusCode,
-                bodySize: this._downloadedSize,
-                timings: this.timings,
-            });
-            this.push(null);
-        };
-        response.once('end', handleResponseEnd);
         this.emit('downloadProgress', this.downloadProgress);
         response.on('readable', () => {
             if (this._triggerRead) {
@@ -1525,17 +1528,46 @@ export default class Request extends Duplex {
     }
     async _makeRequest() {
         const { options } = this;
-        const headers = options.getInternalHeaders();
-        const { username, password } = options;
-        const cookieJar = options.cookieJar;
-        for (const key in headers) {
-            if (is.undefined(headers[key])) {
-                options.deleteInternalHeader(key);
+        const initialHeaders = options.getInternalHeaders();
+        const explicitAuthorizationHeader = options.isHeaderExplicitlySet('authorization') ? initialHeaders.authorization : undefined;
+        const explicitCookieHeader = options.isHeaderExplicitlySet('cookie') ? initialHeaders.cookie : undefined;
+        const authorizationWasInitiallyOmitted = options.isHeaderExplicitlySet('authorization') && is.undefined(initialHeaders.authorization);
+        const cookieWasInitiallyOmitted = options.isHeaderExplicitlySet('cookie') && is.undefined(initialHeaders.cookie);
+        const shouldDeleteGeneratedHeader = (currentHeader, generatedHeader) => currentHeader === generatedHeader || is.undefined(currentHeader);
+        const syncGeneratedHeader = (name, { currentHeader, explicitHeader, nextHeader, staleGeneratedHeader, }) => {
+            if (!is.undefined(nextHeader)) {
+                options.setInternalHeader(name, nextHeader);
+            }
+            else if (!is.undefined(explicitHeader) && currentHeader === staleGeneratedHeader) {
+                options.setInternalHeader(name, explicitHeader);
+            }
+            else if (shouldDeleteGeneratedHeader(currentHeader, staleGeneratedHeader)) {
+                options.deleteInternalHeader(name);
             }
-            else if (is.null(headers[key])) {
-                throw new TypeError(`Use \`undefined\` instead of \`null\` to delete the \`${key}\` header`);
+        };
+        const getAuthorizationHeader = (username, password, isExplicitlyOmitted) => !isExplicitlyOmitted && (username || password)
+            ? `Basic ${stringToBase64(`${username}:${password}`)}`
+            : undefined;
+        const sanitizeHeaders = () => {
+            const currentHeaders = options.getInternalHeaders();
+            for (const key in currentHeaders) {
+                if (is.undefined(currentHeaders[key])) {
+                    options.deleteInternalHeader(key);
+                }
+                else if (is.null(currentHeaders[key])) {
+                    throw new TypeError(`Use \`undefined\` instead of \`null\` to delete the \`${key}\` header`);
+                }
             }
-        }
+            return currentHeaders;
+        };
+        const getCookieHeader = async (cookieJar) => {
+            if (!cookieJar) {
+                return undefined;
+            }
+            const cookieString = await cookieJar.getCookieString(options.url.toString());
+            return is.nonEmptyString(cookieString) ? cookieString : undefined;
+        };
+        const headers = sanitizeHeaders();
         if (options.decompress && is.undefined(headers['accept-encoding'])) {
             const encodings = ['gzip', 'deflate'];
             if (supportsBrotli) {
@@ -1546,34 +1578,93 @@ export default class Request extends Duplex {
             }
             options.setInternalHeader('accept-encoding', encodings.join(', '));
         }
-        if (username || password) {
-            const credentials = stringToBase64(`${username}:${password}`);
-            options.setInternalHeader('authorization', `Basic ${credentials}`);
+        const { username, password } = options;
+        const cookieJar = options.cookieJar;
+        const generatedAuthorizationHeader = getAuthorizationHeader(username, password, authorizationWasInitiallyOmitted);
+        let generatedCookieHeader;
+        if (!is.undefined(generatedAuthorizationHeader)) {
+            options.setInternalHeader('authorization', generatedAuthorizationHeader);
         }
-        // Set cookies
-        if (cookieJar) {
-            const cookieString = await cookieJar.getCookieString(options.url.toString());
-            if (is.nonEmptyString(cookieString)) {
-                options.setInternalHeader('cookie', cookieString);
+        if (!cookieWasInitiallyOmitted) {
+            generatedCookieHeader = await getCookieHeader(cookieJar);
+            if (!is.undefined(generatedCookieHeader)) {
+                options.setInternalHeader('cookie', generatedCookieHeader);
             }
         }
         let request;
-        for (const hook of options.hooks.beforeRequest) {
-            // eslint-disable-next-line no-await-in-loop
-            const result = await hook(options, { retryCount: this.retryCount });
-            if (!is.undefined(result)) {
-                // @ts-expect-error Skip the type mismatch to support abstract responses
-                request = () => result;
-                break;
+        let shouldOmitRequestUrlCredentials = false;
+        const changedState = await options.trackStateMutations(async (changedState) => {
+            for (const hook of options.hooks.beforeRequest) {
+                // eslint-disable-next-line no-await-in-loop
+                const result = await hook(options, { retryCount: this.retryCount });
+                if (!is.undefined(result)) {
+                    // @ts-expect-error Skip the type mismatch to support abstract responses
+                    request = () => result;
+                    break;
+                }
+            }
+            return changedState;
+        });
+        if (request === undefined) {
+            const currentHeaders = options.getInternalHeaders();
+            // `headers.authorization = undefined` / `headers.cookie = undefined` is an
+            // explicit opt-out. Respect that instead of regenerating values from URL
+            // credentials or the cookie jar later in request setup.
+            const isHeaderExplicitlyOmitted = (header) => options.isHeaderExplicitlySet(header) && is.undefined(currentHeaders[header]);
+            const authorizationWasExplicitlyOmitted = isHeaderExplicitlyOmitted('authorization');
+            const cookieWasExplicitlyOmitted = isHeaderExplicitlyOmitted('cookie');
+            const currentAuthorizationHeader = currentHeaders.authorization;
+            const currentCookieHeader = currentHeaders.cookie;
+            sanitizeHeaders();
+            if (!is.undefined(currentHeaders['transfer-encoding']) && !is.undefined(currentHeaders['content-length'])) {
+                options.deleteInternalHeader('content-length');
+            }
+            if (authorizationWasExplicitlyOmitted) {
+                shouldOmitRequestUrlCredentials = true;
+                options.deleteInternalHeader('authorization');
+                if (changedState.has('authorization') && is.undefined(explicitAuthorizationHeader) && !authorizationWasInitiallyOmitted) {
+                    delete options.headers.authorization;
+                }
+            }
+            const authorizationHeader = getAuthorizationHeader(options.username, options.password, authorizationWasExplicitlyOmitted);
+            const cookieJar = options.cookieJar;
+            if (changedState.has('authorization')) {
+                // A beforeRequest hook intentionally set the outgoing Authorization header.
+            }
+            else {
+                syncGeneratedHeader('authorization', {
+                    currentHeader: currentAuthorizationHeader,
+                    explicitHeader: explicitAuthorizationHeader,
+                    nextHeader: authorizationHeader,
+                    staleGeneratedHeader: generatedAuthorizationHeader,
+                });
+            }
+            if (cookieWasExplicitlyOmitted) {
+                options.deleteInternalHeader('cookie');
+                if (changedState.has('cookie') && is.undefined(explicitCookieHeader) && !cookieWasInitiallyOmitted) {
+                    delete options.headers.cookie;
+                }
+            }
+            else if (changedState.has('cookie')) {
+                // A beforeRequest hook intentionally set the outgoing Cookie header.
+            }
+            else {
+                syncGeneratedHeader('cookie', {
+                    currentHeader: currentCookieHeader,
+                    explicitHeader: explicitCookieHeader,
+                    nextHeader: await getCookieHeader(cookieJar),
+                    staleGeneratedHeader: generatedCookieHeader,
+                });
             }
-        }
-        if (!is.undefined(headers['transfer-encoding']) && !is.undefined(headers['content-length'])) {
-            // TODO: Throw instead of silently dropping `content-length` in the next major version.
-            options.deleteInternalHeader('content-length');
         }
         request ??= options.getRequestFunction();
-        const url = options.url;
+        const url = shouldOmitRequestUrlCredentials
+            ? new URL(stripUrlAuth(options.url))
+            : options.url;
         this._requestOptions = options.createNativeRequestOptions();
+        if (shouldOmitRequestUrlCredentials) {
+            this._requestOptions.auth = undefined;
+        }
         if (options.cache) {
             this._requestOptions._request = request;
             this._requestOptions.cache = options.cache;

package/dist/source/core/options.d.ts

@@ -31,6 +31,8 @@ export type Agents = {
 export type Headers = Record<string, string | string[] | undefined>;
 export type CrossOriginState = {
     headers: Headers;
+    hadCookieJar: boolean;
+    cookieWasExplicitlySet: boolean;
     username: string;
     password: string;
     body: unknown;
@@ -788,7 +790,7 @@ export declare function applyUrlOverride(options: Options, url: string | URL, {
 All parsing methods supported by Got.
 */
 export type ResponseType = 'json' | 'buffer' | 'text';
-type OptionsToSkip = 'searchParameters' | 'followRedirects' | 'auth' | 'toJSON' | 'merge' | 'isHeaderExplicitlySet' | 'shouldCopyPipedHeader' | 'setPipedHeader' | 'getInternalHeaders' | 'setInternalHeader' | 'deleteInternalHeader' | 'trackStateMutations' | 'clearBody' | 'stripUnchangedCrossOriginState' | 'stripSensitiveHeaders' | 'createNativeRequestOptions' | 'getRequestFunction' | 'freeze';
+type OptionsToSkip = 'searchParameters' | 'followRedirects' | 'auth' | 'toJSON' | 'merge' | 'isHeaderExplicitlySet' | 'shouldCopyPipedHeader' | 'setPipedHeader' | 'getInternalHeaders' | 'setInternalHeader' | 'deleteInternalHeader' | 'trackStateMutations' | 'clearBody' | 'clearUnchangedCookieHeader' | 'restoreCookieHeader' | 'syncCookieHeaderAfterMerge' | 'stripUnchangedCrossOriginState' | 'stripSensitiveHeaders' | 'createNativeRequestOptions' | 'getRequestFunction' | 'freeze';
 export type InternalsType = Except<Options, OptionsToSkip>;
 export type OptionsError = NodeJS.ErrnoException & {
     options?: Options;
@@ -1226,6 +1228,9 @@ export default class Options {
     deleteInternalHeader(name: string): void;
     trackStateMutations<Value>(operation: (changedState: Set<string>) => Promisable<Value>): Promise<Value>;
     clearBody(): void;
+    clearUnchangedCookieHeader(previousState: CrossOriginState | undefined, changedState?: Set<string>): void;
+    restoreCookieHeader(previousState: CrossOriginState | undefined, headers?: Headers): void;
+    syncCookieHeaderAfterMerge(previousState: CrossOriginState | undefined, headers?: Headers): void;
     stripUnchangedCrossOriginState(previousState: CrossOriginState, changedState: Set<string>, { clearBody }?: {
         clearBody?: boolean;
     }): void;

package/dist/source/core/options.js

@@ -1406,6 +1406,35 @@ export default class Options {
             this.deleteInternalHeader(header);
         }
     }
+    clearUnchangedCookieHeader(previousState, changedState) {
+        if (previousState?.hadCookieJar
+            && this.cookieJar === undefined
+            && !this.isHeaderExplicitlySet('cookie')
+            && !changedState?.has('cookie')
+            && this.headers.cookie === previousState.headers.cookie) {
+            this.deleteInternalHeader('cookie');
+        }
+    }
+    restoreCookieHeader(previousState, headers) {
+        if (!previousState) {
+            return;
+        }
+        if (Object.hasOwn(headers ?? {}, 'cookie')) {
+            return;
+        }
+        if (previousState.cookieWasExplicitlySet) {
+            this.headers.cookie = previousState.headers.cookie;
+            return;
+        }
+        delete this.headers.cookie;
+        if (previousState.headers.cookie !== undefined) {
+            this.setInternalHeader('cookie', previousState.headers.cookie);
+        }
+    }
+    syncCookieHeaderAfterMerge(previousState, headers) {
+        this.restoreCookieHeader(previousState, headers);
+        this.clearUnchangedCookieHeader(previousState);
+    }
     stripUnchangedCrossOriginState(previousState, changedState, { clearBody = true } = {}) {
         const headers = this.getInternalHeaders();
         const url = this.#internals.url;
@@ -2111,6 +2140,8 @@ export default class Options {
 }
 export const snapshotCrossOriginState = (options) => ({
     headers: { ...options.getInternalHeaders() },
+    hadCookieJar: options.cookieJar !== undefined,
+    cookieWasExplicitlySet: options.isHeaderExplicitlySet('cookie'),
     username: options.username,
     password: options.password,
     body: options.body,

package/dist/source/core/parse-link-header.js

@@ -1,9 +1,56 @@
+const splitHeaderValue = (value, separator) => {
+    const values = [];
+    let current = '';
+    let inQuotes = false;
+    let inReference = false;
+    let isEscaped = false;
+    for (const character of value) {
+        if (inQuotes && isEscaped) {
+            current += character;
+            isEscaped = false;
+            continue;
+        }
+        if (inQuotes && character === '\\') {
+            current += character;
+            isEscaped = true;
+            continue;
+        }
+        if (character === '"') {
+            inQuotes = !inQuotes;
+            current += character;
+            continue;
+        }
+        if (!inQuotes && character === '<') {
+            inReference = true;
+            current += character;
+            continue;
+        }
+        if (!inQuotes && character === '>') {
+            inReference = false;
+            current += character;
+            continue;
+        }
+        // Link headers use both quoted strings and <URI-reference> values, so raw
+        // splitting on `,` / `;` would break valid values containing those characters.
+        if (!inQuotes && !inReference && character === separator) {
+            values.push(current);
+            current = '';
+            continue;
+        }
+        current += character;
+    }
+    if (inQuotes || isEscaped) {
+        throw new Error(`Failed to parse Link header: ${value}`);
+    }
+    values.push(current);
+    return values;
+};
 export default function parseLinkHeader(link) {
     const parsed = [];
-    const items = link.split(',');
+    const items = splitHeaderValue(link, ',');
     for (const item of items) {
         // https://tools.ietf.org/html/rfc5988#section-5
-        const [rawUriReference, ...rawLinkParameters] = item.split(';');
+        const [rawUriReference, ...rawLinkParameters] = splitHeaderValue(item, ';');
         const trimmedUriReference = rawUriReference.trim();
         // eslint-disable-next-line @typescript-eslint/prefer-string-starts-ends-with
         if (trimmedUriReference[0] !== '<' || trimmedUriReference.at(-1) !== '>') {
@@ -11,6 +58,9 @@ export default function parseLinkHeader(link) {
         }
         const reference = trimmedUriReference.slice(1, -1);
         const parameters = {};
+        if (reference.includes('<') || reference.includes('>')) {
+            throw new Error(`Invalid format of the Link header reference: ${trimmedUriReference}`);
+        }
         if (rawLinkParameters.length === 0) {
             throw new Error(`Unexpected end of Link header parameters: ${rawLinkParameters.join(';')}`);
         }

package/dist/source/create.js

@@ -180,6 +180,7 @@ const create = (defaults) => {
             }
             if (optionsToMerge === response.request.options) {
                 normalizedOptions = response.request.options;
+                normalizedOptions.clearUnchangedCookieHeader(previousState, changedState);
                 if (previousUrl) {
                     const nextUrl = normalizedOptions.url;
                     if (nextUrl && !isSameOrigin(previousUrl, nextUrl)) {
@@ -192,10 +193,15 @@ const create = (defaults) => {
                 const hasExplicitBody = (Object.hasOwn(optionsToMerge, 'body') && optionsToMerge.body !== undefined)
                     || (Object.hasOwn(optionsToMerge, 'json') && optionsToMerge.json !== undefined)
                     || (Object.hasOwn(optionsToMerge, 'form') && optionsToMerge.form !== undefined);
+                const clearsCookieJar = Object.hasOwn(optionsToMerge, 'cookieJar') && optionsToMerge.cookieJar === undefined;
                 if (hasExplicitBody) {
                     normalizedOptions.clearBody();
                 }
+                if (clearsCookieJar) {
+                    normalizedOptions.cookieJar = undefined;
+                }
                 normalizedOptions.merge(optionsToMerge);
+                normalizedOptions.syncCookieHeaderAfterMerge(previousState, optionsToMerge.headers);
                 try {
                     assert.any([is.string, is.urlInstance, is.undefined], optionsToMerge.url);
                 }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "got",
-	"version": "15.0.1",
+	"version": "15.0.2",
 	"description": "Human-friendly and powerful HTTP request library for Node.js",
 	"license": "MIT",
 	"repository": "sindresorhus/got",