h3 1.12.0 → 1.13.0

package/dist/index.cjs

@@ -414,6 +414,9 @@ function readRawBody(event, encoding = "utf8") {
       if (_resolved.constructor === Object) {
         return Buffer.from(JSON.stringify(_resolved));
       }
+      if (_resolved instanceof URLSearchParams) {
+        return Buffer.from(_resolved.toString());
+      }
       return Buffer.from(_resolved);
     });
     return encoding ? promise2.then((buff) => buff.toString(encoding)) : promise2;
@@ -671,7 +674,7 @@ function splitCookiesString(cookiesString) {
       }
     }
     if (!cookiesSeparatorFound || pos >= cookiesString.length) {
-      cookiesStrings.push(cookiesString.slice(start, cookiesString.length));
+      cookiesStrings.push(cookiesString.slice(start));
     }
   }
   return cookiesStrings;
@@ -2114,7 +2117,8 @@ function websocketOptions(evResolver, appOptions) {
   return {
     ...appOptions.websocket,
     async resolve(info) {
-      const { pathname } = ufo.parseURL(info.url || "/");
+      const url = info.request?.url || info.url || "/";
+      const { pathname } = typeof url === "string" ? ufo.parseURL(url) : url;
       const resolved = await evResolver(pathname);
       return resolved?.handler?.__websocket__ || {};
     }

package/dist/index.d.cts

@@ -48,7 +48,7 @@ declare class H3Event<_RequestT extends EventHandlerRequest = EventHandlerReques
     toJSON(): string;
     /** @deprecated Please use `event.node.req` instead. */
     get req(): IncomingMessage & {
-        originalUrl?: string | undefined;
+        originalUrl?: string;
     };
     /** @deprecated Please use `event.node.res` instead. */
     get res(): ServerResponse<IncomingMessage>;
@@ -93,7 +93,7 @@ declare const lazyEventHandler: typeof defineLazyEventHandler;
  * https://developer.mozilla.org/en-US/docs/Web/API/Headers
  */
 declare const H3Headers: {
-    new (init?: HeadersInit | undefined): Headers;
+    new (init?: HeadersInit): Headers;
     prototype: Headers;
 };
 /**
@@ -101,11 +101,11 @@ declare const H3Headers: {
  * https://developer.mozilla.org/en-US/docs/Web/API/Response
  */
 declare const H3Response: {
-    new (body?: BodyInit | null | undefined, init?: ResponseInit | undefined): Response;
+    new (body?: BodyInit | null, init?: ResponseInit): Response;
     prototype: Response;
     error(): Response;
-    json(data: any, init?: ResponseInit | undefined): Response;
-    redirect(url: string | URL, status?: number | undefined): Response;
+    json(data: any, init?: ResponseInit): Response;
+    redirect(url: string | URL, status?: number): Response;
 };
 
 type SessionDataT = Record<string, any>;
@@ -470,6 +470,9 @@ declare function readRawBody<E extends Encoding = "utf8">(event: H3Event, encodi
 /**
  * Reads request body and tries to safely parse using [destr](https://github.com/unjs/destr).
  *
+ * Be aware that this utility is not restricted to `application/json` and will parse `application/x-www-form-urlencoded` content types.
+ * Because of this, authenticated `GET`/`POST` handlers may be at risk of a [CSRF](https://owasp.org/www-community/attacks/csrf) attack, and must check the `content-type` header manually.
+ *
  * @example
  * export default defineEventHandler(async (event) => {
  *   const body = await readBody(event);

package/dist/index.d.mts

@@ -48,7 +48,7 @@ declare class H3Event<_RequestT extends EventHandlerRequest = EventHandlerReques
     toJSON(): string;
     /** @deprecated Please use `event.node.req` instead. */
     get req(): IncomingMessage & {
-        originalUrl?: string | undefined;
+        originalUrl?: string;
     };
     /** @deprecated Please use `event.node.res` instead. */
     get res(): ServerResponse<IncomingMessage>;
@@ -93,7 +93,7 @@ declare const lazyEventHandler: typeof defineLazyEventHandler;
  * https://developer.mozilla.org/en-US/docs/Web/API/Headers
  */
 declare const H3Headers: {
-    new (init?: HeadersInit | undefined): Headers;
+    new (init?: HeadersInit): Headers;
     prototype: Headers;
 };
 /**
@@ -101,11 +101,11 @@ declare const H3Headers: {
  * https://developer.mozilla.org/en-US/docs/Web/API/Response
  */
 declare const H3Response: {
-    new (body?: BodyInit | null | undefined, init?: ResponseInit | undefined): Response;
+    new (body?: BodyInit | null, init?: ResponseInit): Response;
     prototype: Response;
     error(): Response;
-    json(data: any, init?: ResponseInit | undefined): Response;
-    redirect(url: string | URL, status?: number | undefined): Response;
+    json(data: any, init?: ResponseInit): Response;
+    redirect(url: string | URL, status?: number): Response;
 };
 
 type SessionDataT = Record<string, any>;
@@ -470,6 +470,9 @@ declare function readRawBody<E extends Encoding = "utf8">(event: H3Event, encodi
 /**
  * Reads request body and tries to safely parse using [destr](https://github.com/unjs/destr).
  *
+ * Be aware that this utility is not restricted to `application/json` and will parse `application/x-www-form-urlencoded` content types.
+ * Because of this, authenticated `GET`/`POST` handlers may be at risk of a [CSRF](https://owasp.org/www-community/attacks/csrf) attack, and must check the `content-type` header manually.
+ *
  * @example
  * export default defineEventHandler(async (event) => {
  *   const body = await readBody(event);

package/dist/index.d.ts

@@ -48,7 +48,7 @@ declare class H3Event<_RequestT extends EventHandlerRequest = EventHandlerReques
     toJSON(): string;
     /** @deprecated Please use `event.node.req` instead. */
     get req(): IncomingMessage & {
-        originalUrl?: string | undefined;
+        originalUrl?: string;
     };
     /** @deprecated Please use `event.node.res` instead. */
     get res(): ServerResponse<IncomingMessage>;
@@ -93,7 +93,7 @@ declare const lazyEventHandler: typeof defineLazyEventHandler;
  * https://developer.mozilla.org/en-US/docs/Web/API/Headers
  */
 declare const H3Headers: {
-    new (init?: HeadersInit | undefined): Headers;
+    new (init?: HeadersInit): Headers;
     prototype: Headers;
 };
 /**
@@ -101,11 +101,11 @@ declare const H3Headers: {
  * https://developer.mozilla.org/en-US/docs/Web/API/Response
  */
 declare const H3Response: {
-    new (body?: BodyInit | null | undefined, init?: ResponseInit | undefined): Response;
+    new (body?: BodyInit | null, init?: ResponseInit): Response;
     prototype: Response;
     error(): Response;
-    json(data: any, init?: ResponseInit | undefined): Response;
-    redirect(url: string | URL, status?: number | undefined): Response;
+    json(data: any, init?: ResponseInit): Response;
+    redirect(url: string | URL, status?: number): Response;
 };
 
 type SessionDataT = Record<string, any>;
@@ -470,6 +470,9 @@ declare function readRawBody<E extends Encoding = "utf8">(event: H3Event, encodi
 /**
  * Reads request body and tries to safely parse using [destr](https://github.com/unjs/destr).
  *
+ * Be aware that this utility is not restricted to `application/json` and will parse `application/x-www-form-urlencoded` content types.
+ * Because of this, authenticated `GET`/`POST` handlers may be at risk of a [CSRF](https://owasp.org/www-community/attacks/csrf) attack, and must check the `content-type` header manually.
+ *
  * @example
  * export default defineEventHandler(async (event) => {
  *   const body = await readBody(event);

package/dist/index.mjs

@@ -407,6 +407,9 @@ function readRawBody(event, encoding = "utf8") {
       if (_resolved.constructor === Object) {
         return Buffer.from(JSON.stringify(_resolved));
       }
+      if (_resolved instanceof URLSearchParams) {
+        return Buffer.from(_resolved.toString());
+      }
       return Buffer.from(_resolved);
     });
     return encoding ? promise2.then((buff) => buff.toString(encoding)) : promise2;
@@ -664,7 +667,7 @@ function splitCookiesString(cookiesString) {
       }
     }
     if (!cookiesSeparatorFound || pos >= cookiesString.length) {
-      cookiesStrings.push(cookiesString.slice(start, cookiesString.length));
+      cookiesStrings.push(cookiesString.slice(start));
     }
   }
   return cookiesStrings;
@@ -2107,7 +2110,8 @@ function websocketOptions(evResolver, appOptions) {
   return {
     ...appOptions.websocket,
     async resolve(info) {
-      const { pathname } = parseURL(info.url || "/");
+      const url = info.request?.url || info.url || "/";
+      const { pathname } = typeof url === "string" ? parseURL(url) : url;
       const resolved = await evResolver(pathname);
       return resolved?.handler?.__websocket__ || {};
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "h3",
-  "version": "1.12.0",
+  "version": "1.13.0",
   "description": "Minimal H(TTP) framework built for high performance and portability.",
   "repository": "unjs/h3",
   "license": "MIT",
@@ -19,54 +19,58 @@
   "files": [
     "dist"
   ],
+  "scripts": {
+    "build": "unbuild",
+    "dev": "vitest",
+    "lint": "eslint --cache . && prettier -c src test playground examples docs",
+    "lint:fix": "eslint --cache . --fix && prettier -c src test playground examples docs -w",
+    "play": "listhen -w ./playground/app.ts",
+    "profile": "0x -o -D .profile -P 'autocannon -c 100 -p 10 -d 40 http://localhost:$PORT' ./playground/server.cjs",
+    "release": "pnpm test && pnpm build && changelogen --release --publish --publishTag latest && git push --follow-tags",
+    "test": "pnpm lint && vitest --run --coverage"
+  },
+  "resolutions": {
+    "h3": "link:."
+  },
   "dependencies": {
-    "cookie-es": "^1.1.0",
-    "crossws": "^0.2.4",
+    "cookie-es": "^1.2.2",
+    "crossws": ">=0.2.0 <0.4.0",
     "defu": "^6.1.4",
     "destr": "^2.0.3",
-    "iron-webcrypto": "^1.1.1",
-    "ohash": "^1.1.3",
+    "iron-webcrypto": "^1.2.1",
+    "ohash": "^1.1.4",
     "radix3": "^1.1.2",
-    "ufo": "^1.5.3",
+    "ufo": "^1.5.4",
     "uncrypto": "^0.1.3",
-    "unenv": "^1.9.0"
+    "unenv": "^1.10.0"
   },
   "devDependencies": {
     "0x": "^5.7.0",
-    "@types/express": "^4.17.21",
-    "@types/node": "^20.12.7",
+    "@types/express": "^5.0.0",
+    "@types/node": "^22.7.4",
     "@types/supertest": "^6.0.2",
-    "@vitest/coverage-v8": "^1.5.2",
+    "@vitest/coverage-v8": "^2.1.2",
     "autocannon": "^7.15.0",
-    "automd": "^0.3.7",
-    "changelogen": "^0.5.5",
+    "automd": "^0.3.9",
+    "changelogen": "^0.5.7",
     "connect": "^3.7.0",
-    "eslint": "^9.1.1",
-    "eslint-config-unjs": "^0.3.0-rc.6",
-    "express": "^4.19.2",
+    "eslint": "^9.11.1",
+    "eslint-config-unjs": "^0.4.1",
+    "express": "^4.21.0",
     "get-port": "^7.1.0",
-    "jiti": "^1.21.0",
-    "listhen": "^1.7.2",
+    "h3": "link:.",
+    "jiti": "^2.1.2",
+    "listhen": "^1.9.0",
     "node-fetch-native": "^1.6.4",
-    "prettier": "^3.2.5",
+    "prettier": "^3.3.3",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "supertest": "^7.0.0",
-    "typescript": "^5.4.5",
+    "typescript": "^5.6.2",
     "unbuild": "^2.0.0",
-    "undici": "^6.19.2",
-    "vitest": "^1.5.2",
-    "zod": "^3.23.4"
+    "undici": "^6.19.8",
+    "vitest": "^2.1.2",
+    "zod": "^3.23.8"
   },
-  "scripts": {
-    "build": "unbuild",
-    "dev": "vitest",
-    "lint": "eslint --cache . && prettier -c src test playground examples docs",
-    "lint:fix": "eslint --cache . --fix && prettier -c src test playground examples docs -w",
-    "play": "listhen -w ./playground/app.ts",
-    "profile": "0x -o -D .profile -P 'autocannon -c 100 -p 10 -d 40 http://localhost:$PORT' ./playground/server.cjs",
-    "release": "pnpm test && pnpm build && changelogen --release && pnpm publish && git push --follow-tags",
-    "release-rc": "pnpm test && pnpm build && changelogen --release --prerelease rc --push --publish --publishTag rc",
-    "test": "pnpm lint && vitest --run --coverage"
-  }
-}
+  "packageManager": "pnpm@9.7.1"
+}