h3 1.12.0 → 1.13.1

package/README.md

@@ -3,7 +3,7 @@
 <!-- automd:badges -->
 
 [![npm version](https://img.shields.io/npm/v/h3)](https://npmjs.com/package/h3)
-[![npm downloads](https://img.shields.io/npm/dm/h3)](https://npmjs.com/package/h3)
+[![npm downloads](https://img.shields.io/npm/dm/h3)](https://npm.chart.dev/h3)
 
 <!-- /automd -->
 

package/dist/index.cjs

@@ -41,21 +41,16 @@ function hasProp(obj, prop) {
   }
 }
 
-var __defProp$2 = Object.defineProperty;
-var __defNormalProp$2 = (obj, key, value) => key in obj ? __defProp$2(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$2 = (obj, key, value) => {
-  __defNormalProp$2(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
 class H3Error extends Error {
+  static __h3_error__ = true;
+  statusCode = 500;
+  fatal = false;
+  unhandled = false;
+  statusMessage;
+  data;
+  cause;
   constructor(message, opts = {}) {
     super(message, opts);
-    __publicField$2(this, "statusCode", 500);
-    __publicField$2(this, "fatal", false);
-    __publicField$2(this, "unhandled", false);
-    __publicField$2(this, "statusMessage");
-    __publicField$2(this, "data");
-    __publicField$2(this, "cause");
     if (opts.cause && !this.cause) {
       this.cause = opts.cause;
     }
@@ -74,7 +69,6 @@ class H3Error extends Error {
     return obj;
   }
 }
-__publicField$2(H3Error, "__h3_error__", true);
 function createError(input) {
   if (typeof input === "string") {
     return new H3Error(input);
@@ -414,6 +408,9 @@ function readRawBody(event, encoding = "utf8") {
       if (_resolved.constructor === Object) {
         return Buffer.from(JSON.stringify(_resolved));
       }
+      if (_resolved instanceof URLSearchParams) {
+        return Buffer.from(_resolved.toString());
+      }
       return Buffer.from(_resolved);
     });
     return encoding ? promise2.then((buff) => buff.toString(encoding)) : promise2;
@@ -671,7 +668,7 @@ function splitCookiesString(cookiesString) {
       }
     }
     if (!cookiesSeparatorFound || pos >= cookiesString.length) {
-      cookiesStrings.push(cookiesString.slice(start, cookiesString.length));
+      cookiesStrings.push(cookiesString.slice(start));
     }
   }
   return cookiesStrings;
@@ -1127,6 +1124,7 @@ async function getRequestFingerprint(event, opts = {}) {
 const PayloadMethods = /* @__PURE__ */ new Set(["PATCH", "POST", "PUT", "DELETE"]);
 const ignoredHeaders = /* @__PURE__ */ new Set([
   "transfer-encoding",
+  "accept-encoding",
   "connection",
   "keep-alive",
   "upgrade",
@@ -1147,7 +1145,7 @@ async function proxyRequest(event, target, opts = {}) {
   }
   const method = opts.fetchOptions?.method || event.method;
   const fetchHeaders = mergeHeaders(
-    getProxyRequestHeaders(event),
+    getProxyRequestHeaders(event, { host: target.startsWith("/") }),
     opts.fetchOptions?.headers,
     opts.headers
   );
@@ -1239,11 +1237,11 @@ async function sendProxy(event, target, opts = {}) {
   }
   return event.node.res.end();
 }
-function getProxyRequestHeaders(event) {
+function getProxyRequestHeaders(event, opts) {
   const headers = /* @__PURE__ */ Object.create(null);
   const reqHeaders = getRequestHeaders(event);
   for (const name in reqHeaders) {
-    if (!ignoredHeaders.has(name)) {
+    if (!ignoredHeaders.has(name) || name === "host" && opts?.host) {
       headers[name] = reqHeaders[name];
     }
   }
@@ -1254,7 +1252,9 @@ function fetchWithEvent(event, req, init, options) {
     ...init,
     context: init?.context || event.context,
     headers: {
-      ...getProxyRequestHeaders(event),
+      ...getProxyRequestHeaders(event, {
+        host: typeof req === "string" && req.startsWith("/")
+      }),
       ...init?.headers
     }
   });
@@ -1476,23 +1476,17 @@ function isHttp2Request(event) {
   return getHeader(event, ":path") !== void 0 && getHeader(event, ":method") !== void 0;
 }
 
-var __defProp$1 = Object.defineProperty;
-var __defNormalProp$1 = (obj, key, value) => key in obj ? __defProp$1(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$1 = (obj, key, value) => {
-  __defNormalProp$1(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
 class EventStream {
+  _h3Event;
+  _transformStream = new TransformStream();
+  _writer;
+  _encoder = new TextEncoder();
+  _writerIsClosed = false;
+  _paused = false;
+  _unsentData;
+  _disposed = false;
+  _handled = false;
   constructor(event, opts = {}) {
-    __publicField$1(this, "_h3Event");
-    __publicField$1(this, "_transformStream", new TransformStream());
-    __publicField$1(this, "_writer");
-    __publicField$1(this, "_encoder", new TextEncoder());
-    __publicField$1(this, "_writerIsClosed", false);
-    __publicField$1(this, "_paused", false);
-    __publicField$1(this, "_unsentData");
-    __publicField$1(this, "_disposed", false);
-    __publicField$1(this, "_handled", false);
     this._h3Event = event;
     this._writer = this._transformStream.writable.getWriter();
     this._writer.closed.then(() => {
@@ -1719,32 +1713,26 @@ function defineWebSocketHandler(hooks) {
   });
 }
 
-var __defProp = Object.defineProperty;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField = (obj, key, value) => {
-  __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
 class H3Event {
+  "__is_event__" = true;
+  // Context
+  node;
+  // Node
+  web;
+  // Web
+  context = {};
+  // Shared
+  // Request
+  _method;
+  _path;
+  _headers;
+  _requestBody;
+  // Response
+  _handled = false;
+  // Hooks
+  _onBeforeResponseCalled;
+  _onAfterResponseCalled;
   constructor(req, res) {
-    __publicField(this, "__is_event__", true);
-    // Context
-    __publicField(this, "node");
-    // Node
-    __publicField(this, "web");
-    // Web
-    __publicField(this, "context", {});
-    // Shared
-    // Request
-    __publicField(this, "_method");
-    __publicField(this, "_path");
-    __publicField(this, "_headers");
-    __publicField(this, "_requestBody");
-    // Response
-    __publicField(this, "_handled", false);
-    // Hooks
-    __publicField(this, "_onBeforeResponseCalled");
-    __publicField(this, "_onAfterResponseCalled");
     this.node = { req, res };
   }
   // --- Request ---
@@ -2114,7 +2102,8 @@ function websocketOptions(evResolver, appOptions) {
   return {
     ...appOptions.websocket,
     async resolve(info) {
-      const { pathname } = ufo.parseURL(info.url || "/");
+      const url = info.request?.url || info.url || "/";
+      const { pathname } = typeof url === "string" ? ufo.parseURL(url) : url;
       const resolved = await evResolver(pathname);
       return resolved?.handler?.__websocket__ || {};
     }

package/dist/index.d.cts

@@ -48,7 +48,7 @@ declare class H3Event<_RequestT extends EventHandlerRequest = EventHandlerReques
     toJSON(): string;
     /** @deprecated Please use `event.node.req` instead. */
     get req(): IncomingMessage & {
-        originalUrl?: string | undefined;
+        originalUrl?: string;
     };
     /** @deprecated Please use `event.node.res` instead. */
     get res(): ServerResponse<IncomingMessage>;
@@ -93,7 +93,7 @@ declare const lazyEventHandler: typeof defineLazyEventHandler;
  * https://developer.mozilla.org/en-US/docs/Web/API/Headers
  */
 declare const H3Headers: {
-    new (init?: HeadersInit | undefined): Headers;
+    new (init?: HeadersInit): Headers;
     prototype: Headers;
 };
 /**
@@ -101,11 +101,11 @@ declare const H3Headers: {
  * https://developer.mozilla.org/en-US/docs/Web/API/Response
  */
 declare const H3Response: {
-    new (body?: BodyInit | null | undefined, init?: ResponseInit | undefined): Response;
+    new (body?: BodyInit | null, init?: ResponseInit): Response;
     prototype: Response;
     error(): Response;
-    json(data: any, init?: ResponseInit | undefined): Response;
-    redirect(url: string | URL, status?: number | undefined): Response;
+    json(data: any, init?: ResponseInit): Response;
+    redirect(url: string | URL, status?: number): Response;
 };
 
 type SessionDataT = Record<string, any>;
@@ -135,13 +135,12 @@ interface SessionConfig {
 }
 /**
  * Create a session manager for the current request.
- *
  */
 declare function useSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig): Promise<{
     readonly id: string | undefined;
     readonly data: T;
-    update: (update: SessionUpdate<T>) => Promise<any>;
-    clear: () => Promise<any>;
+    update: (update: SessionUpdate<T>) => Promise</*elided*/ any>;
+    clear: () => Promise</*elided*/ any>;
 }>;
 /**
  * Get the session for the current request.
@@ -470,6 +469,9 @@ declare function readRawBody<E extends Encoding = "utf8">(event: H3Event, encodi
 /**
  * Reads request body and tries to safely parse using [destr](https://github.com/unjs/destr).
  *
+ * Be aware that this utility is not restricted to `application/json` and will parse `application/x-www-form-urlencoded` content types.
+ * Because of this, authenticated `GET`/`POST` handlers may be at risk of a [CSRF](https://owasp.org/www-community/attacks/csrf) attack, and must check the `content-type` header manually.
+ *
  * @example
  * export default defineEventHandler(async (event) => {
  *   const body = await readBody(event);
@@ -510,7 +512,7 @@ declare function readBody<T, Event extends H3Event = H3Event, _T = InferEventInp
  */
 declare function readValidatedBody<T, Event extends H3Event = H3Event, _T = InferEventInput<"body", Event, T>>(event: Event, validate: ValidateFunction<_T>): Promise<_T>;
 /**
- * Tries to read and parse the body of a an H3Event as multipart form.
+ * Tries to read and parse the body of an H3Event as multipart form.
  *
  * @example
  * export default defineEventHandler(async (event) => {
@@ -612,7 +614,7 @@ interface H3CorsOptions {
 declare function handleCors(event: H3Event, options: H3CorsOptions): boolean;
 
 /**
- * Get query the params object from the request URL parsed with [unjs/ufo](https://ufo.unjs.io).
+ * Get the query params object from the request URL parsed with [unjs/ufo](https://ufo.unjs.io).
  *
  * @example
  * export default defineEventHandler((event) => {
@@ -621,7 +623,7 @@ declare function handleCors(event: H3Event, options: H3CorsOptions): boolean;
  */
 declare function getQuery<T, Event extends H3Event = H3Event, _T = Exclude<InferEventInput<"query", Event, T>, undefined>>(event: Event): _T;
 /**
- * Get the query param from the request URL parsed with [unjs/ufo](https://ufo.unjs.io) and validated with validate function.
+ * Get the query params object from the request URL parsed with [unjs/ufo](https://ufo.unjs.io) and validated with validate function.
  *
  * You can use a simple function to validate the query object or a library like `zod` to define a schema.
  *
@@ -793,7 +795,7 @@ declare function getRequestProtocol(event: H3Event, opts?: {
 /** @deprecated Use `event.path` instead */
 declare function getRequestPath(event: H3Event): string;
 /**
- * Generated the full incoming request URL using `getRequestProtocol`, `getRequestHost` and `event.path`.
+ * Generate the full incoming request URL using `getRequestProtocol`, `getRequestHost` and `event.path`.
  *
  * If `xForwardedHost` is `true`, it will use the `x-forwarded-host` header if it exists.
  *
@@ -817,7 +819,9 @@ declare function toWebRequest(event: H3Event): Request;
 /**
  * Try to get the client IP address from the incoming request.
  *
- * If `xForwardedFor` is `true`, it will use the `x-forwarded-for` header if it exists.
+ * If `xForwardedFor` is `true`, it will use the `x-forwarded-for` header set by proxies if it exists.
+ *
+ * Note: Make sure that this header can be trusted (your application running behind a CDN or reverse proxy) before enabling.
  *
  * If IP cannot be determined, it will default to `undefined`.
  *
@@ -827,11 +831,6 @@ declare function toWebRequest(event: H3Event): Request;
  * });
  */
 declare function getRequestIP(event: H3Event, opts?: {
-    /**
-     * Use the X-Forwarded-For HTTP header set by proxies.
-     *
-     * Note: Make sure that this header can be trusted (your application running behind a CDN or reverse proxy) before enabling.
-     */
     xForwardedFor?: boolean;
 }): string | undefined;
 
@@ -853,7 +852,7 @@ declare function appendCorsPreflightHeaders(event: H3Event, options: H3CorsOptio
 declare function appendCorsHeaders(event: H3Event, options: H3CorsOptions): void;
 
 /**
- * Parse the request to get HTTP Cookie header string and returning an object of all cookie name-value pairs.
+ * Parse the request to get HTTP Cookie header string and return an object of all cookie name-value pairs.
  * @param event {H3Event} H3 event or req passed by h3 handler
  * @returns Object of cookie name-value pairs
  * ```ts
@@ -954,7 +953,9 @@ declare function sendProxy(event: H3Event, target: string, opts?: ProxyOptions):
 /**
  * Get the request headers object without headers known to cause issues when proxying.
  */
-declare function getProxyRequestHeaders(event: H3Event): any;
+declare function getProxyRequestHeaders(event: H3Event, opts?: {
+    host?: boolean;
+}): any;
 /**
  * Make a fetch request with the event's context and headers.
  */
@@ -976,7 +977,7 @@ type IteratorSerializer<Value> = (value: Value) => SendableValue | undefined;
  */
 declare function send(event: H3Event, data?: any, type?: MimeType): Promise<void>;
 /**
- * Respond with an empty payload.<br>
+ * Respond with an empty payload.
  *
  * Note that calling this function will close the connection and no other data can be sent to the client afterwards.
  *
@@ -1056,7 +1057,7 @@ declare function sendRedirect(event: H3Event, location: string, code?: StatusCod
  */
 declare function getResponseHeaders(event: H3Event): ReturnType<H3Event["node"]["res"]["getHeaders"]>;
 /**
- * Alias for `getResponseHeaders`.
+ * Get a response header by name.
  *
  * @example
  * export default defineEventHandler((event) => {
@@ -1144,7 +1145,7 @@ declare function clearResponseHeaders(event: H3Event, headerNames?: HTTPHeaderNa
  */
 declare function removeResponseHeader(event: H3Event, name: HTTPHeaderName): void;
 /**
- * Checks if the data is a stream. (Node.js Readable Stream, React Pipeable Stream, or Web Stream)
+ * Checks if the data is a stream (Node.js Readable Stream, React Pipeable Stream, or Web Stream).
  */
 declare function isStream(data: any): data is Readable | ReadableStream;
 /**

package/dist/index.d.mts

@@ -48,7 +48,7 @@ declare class H3Event<_RequestT extends EventHandlerRequest = EventHandlerReques
     toJSON(): string;
     /** @deprecated Please use `event.node.req` instead. */
     get req(): IncomingMessage & {
-        originalUrl?: string | undefined;
+        originalUrl?: string;
     };
     /** @deprecated Please use `event.node.res` instead. */
     get res(): ServerResponse<IncomingMessage>;
@@ -93,7 +93,7 @@ declare const lazyEventHandler: typeof defineLazyEventHandler;
  * https://developer.mozilla.org/en-US/docs/Web/API/Headers
  */
 declare const H3Headers: {
-    new (init?: HeadersInit | undefined): Headers;
+    new (init?: HeadersInit): Headers;
     prototype: Headers;
 };
 /**
@@ -101,11 +101,11 @@ declare const H3Headers: {
  * https://developer.mozilla.org/en-US/docs/Web/API/Response
  */
 declare const H3Response: {
-    new (body?: BodyInit | null | undefined, init?: ResponseInit | undefined): Response;
+    new (body?: BodyInit | null, init?: ResponseInit): Response;
     prototype: Response;
     error(): Response;
-    json(data: any, init?: ResponseInit | undefined): Response;
-    redirect(url: string | URL, status?: number | undefined): Response;
+    json(data: any, init?: ResponseInit): Response;
+    redirect(url: string | URL, status?: number): Response;
 };
 
 type SessionDataT = Record<string, any>;
@@ -135,13 +135,12 @@ interface SessionConfig {
 }
 /**
  * Create a session manager for the current request.
- *
  */
 declare function useSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig): Promise<{
     readonly id: string | undefined;
     readonly data: T;
-    update: (update: SessionUpdate<T>) => Promise<any>;
-    clear: () => Promise<any>;
+    update: (update: SessionUpdate<T>) => Promise</*elided*/ any>;
+    clear: () => Promise</*elided*/ any>;
 }>;
 /**
  * Get the session for the current request.
@@ -470,6 +469,9 @@ declare function readRawBody<E extends Encoding = "utf8">(event: H3Event, encodi
 /**
  * Reads request body and tries to safely parse using [destr](https://github.com/unjs/destr).
  *
+ * Be aware that this utility is not restricted to `application/json` and will parse `application/x-www-form-urlencoded` content types.
+ * Because of this, authenticated `GET`/`POST` handlers may be at risk of a [CSRF](https://owasp.org/www-community/attacks/csrf) attack, and must check the `content-type` header manually.
+ *
  * @example
  * export default defineEventHandler(async (event) => {
  *   const body = await readBody(event);
@@ -510,7 +512,7 @@ declare function readBody<T, Event extends H3Event = H3Event, _T = InferEventInp
  */
 declare function readValidatedBody<T, Event extends H3Event = H3Event, _T = InferEventInput<"body", Event, T>>(event: Event, validate: ValidateFunction<_T>): Promise<_T>;
 /**
- * Tries to read and parse the body of a an H3Event as multipart form.
+ * Tries to read and parse the body of an H3Event as multipart form.
  *
  * @example
  * export default defineEventHandler(async (event) => {
@@ -612,7 +614,7 @@ interface H3CorsOptions {
 declare function handleCors(event: H3Event, options: H3CorsOptions): boolean;
 
 /**
- * Get query the params object from the request URL parsed with [unjs/ufo](https://ufo.unjs.io).
+ * Get the query params object from the request URL parsed with [unjs/ufo](https://ufo.unjs.io).
  *
  * @example
  * export default defineEventHandler((event) => {
@@ -621,7 +623,7 @@ declare function handleCors(event: H3Event, options: H3CorsOptions): boolean;
  */
 declare function getQuery<T, Event extends H3Event = H3Event, _T = Exclude<InferEventInput<"query", Event, T>, undefined>>(event: Event): _T;
 /**
- * Get the query param from the request URL parsed with [unjs/ufo](https://ufo.unjs.io) and validated with validate function.
+ * Get the query params object from the request URL parsed with [unjs/ufo](https://ufo.unjs.io) and validated with validate function.
  *
  * You can use a simple function to validate the query object or a library like `zod` to define a schema.
  *
@@ -793,7 +795,7 @@ declare function getRequestProtocol(event: H3Event, opts?: {
 /** @deprecated Use `event.path` instead */
 declare function getRequestPath(event: H3Event): string;
 /**
- * Generated the full incoming request URL using `getRequestProtocol`, `getRequestHost` and `event.path`.
+ * Generate the full incoming request URL using `getRequestProtocol`, `getRequestHost` and `event.path`.
  *
  * If `xForwardedHost` is `true`, it will use the `x-forwarded-host` header if it exists.
  *
@@ -817,7 +819,9 @@ declare function toWebRequest(event: H3Event): Request;
 /**
  * Try to get the client IP address from the incoming request.
  *
- * If `xForwardedFor` is `true`, it will use the `x-forwarded-for` header if it exists.
+ * If `xForwardedFor` is `true`, it will use the `x-forwarded-for` header set by proxies if it exists.
+ *
+ * Note: Make sure that this header can be trusted (your application running behind a CDN or reverse proxy) before enabling.
  *
  * If IP cannot be determined, it will default to `undefined`.
  *
@@ -827,11 +831,6 @@ declare function toWebRequest(event: H3Event): Request;
  * });
  */
 declare function getRequestIP(event: H3Event, opts?: {
-    /**
-     * Use the X-Forwarded-For HTTP header set by proxies.
-     *
-     * Note: Make sure that this header can be trusted (your application running behind a CDN or reverse proxy) before enabling.
-     */
     xForwardedFor?: boolean;
 }): string | undefined;
 
@@ -853,7 +852,7 @@ declare function appendCorsPreflightHeaders(event: H3Event, options: H3CorsOptio
 declare function appendCorsHeaders(event: H3Event, options: H3CorsOptions): void;
 
 /**
- * Parse the request to get HTTP Cookie header string and returning an object of all cookie name-value pairs.
+ * Parse the request to get HTTP Cookie header string and return an object of all cookie name-value pairs.
  * @param event {H3Event} H3 event or req passed by h3 handler
  * @returns Object of cookie name-value pairs
  * ```ts
@@ -954,7 +953,9 @@ declare function sendProxy(event: H3Event, target: string, opts?: ProxyOptions):
 /**
  * Get the request headers object without headers known to cause issues when proxying.
  */
-declare function getProxyRequestHeaders(event: H3Event): any;
+declare function getProxyRequestHeaders(event: H3Event, opts?: {
+    host?: boolean;
+}): any;
 /**
  * Make a fetch request with the event's context and headers.
  */
@@ -976,7 +977,7 @@ type IteratorSerializer<Value> = (value: Value) => SendableValue | undefined;
  */
 declare function send(event: H3Event, data?: any, type?: MimeType): Promise<void>;
 /**
- * Respond with an empty payload.<br>
+ * Respond with an empty payload.
  *
  * Note that calling this function will close the connection and no other data can be sent to the client afterwards.
  *
@@ -1056,7 +1057,7 @@ declare function sendRedirect(event: H3Event, location: string, code?: StatusCod
  */
 declare function getResponseHeaders(event: H3Event): ReturnType<H3Event["node"]["res"]["getHeaders"]>;
 /**
- * Alias for `getResponseHeaders`.
+ * Get a response header by name.
  *
  * @example
  * export default defineEventHandler((event) => {
@@ -1144,7 +1145,7 @@ declare function clearResponseHeaders(event: H3Event, headerNames?: HTTPHeaderNa
  */
 declare function removeResponseHeader(event: H3Event, name: HTTPHeaderName): void;
 /**
- * Checks if the data is a stream. (Node.js Readable Stream, React Pipeable Stream, or Web Stream)
+ * Checks if the data is a stream (Node.js Readable Stream, React Pipeable Stream, or Web Stream).
  */
 declare function isStream(data: any): data is Readable | ReadableStream;
 /**

package/dist/index.d.ts

@@ -48,7 +48,7 @@ declare class H3Event<_RequestT extends EventHandlerRequest = EventHandlerReques
     toJSON(): string;
     /** @deprecated Please use `event.node.req` instead. */
     get req(): IncomingMessage & {
-        originalUrl?: string | undefined;
+        originalUrl?: string;
     };
     /** @deprecated Please use `event.node.res` instead. */
     get res(): ServerResponse<IncomingMessage>;
@@ -93,7 +93,7 @@ declare const lazyEventHandler: typeof defineLazyEventHandler;
  * https://developer.mozilla.org/en-US/docs/Web/API/Headers
  */
 declare const H3Headers: {
-    new (init?: HeadersInit | undefined): Headers;
+    new (init?: HeadersInit): Headers;
     prototype: Headers;
 };
 /**
@@ -101,11 +101,11 @@ declare const H3Headers: {
  * https://developer.mozilla.org/en-US/docs/Web/API/Response
  */
 declare const H3Response: {
-    new (body?: BodyInit | null | undefined, init?: ResponseInit | undefined): Response;
+    new (body?: BodyInit | null, init?: ResponseInit): Response;
     prototype: Response;
     error(): Response;
-    json(data: any, init?: ResponseInit | undefined): Response;
-    redirect(url: string | URL, status?: number | undefined): Response;
+    json(data: any, init?: ResponseInit): Response;
+    redirect(url: string | URL, status?: number): Response;
 };
 
 type SessionDataT = Record<string, any>;
@@ -135,13 +135,12 @@ interface SessionConfig {
 }
 /**
  * Create a session manager for the current request.
- *
  */
 declare function useSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig): Promise<{
     readonly id: string | undefined;
     readonly data: T;
-    update: (update: SessionUpdate<T>) => Promise<any>;
-    clear: () => Promise<any>;
+    update: (update: SessionUpdate<T>) => Promise</*elided*/ any>;
+    clear: () => Promise</*elided*/ any>;
 }>;
 /**
  * Get the session for the current request.
@@ -470,6 +469,9 @@ declare function readRawBody<E extends Encoding = "utf8">(event: H3Event, encodi
 /**
  * Reads request body and tries to safely parse using [destr](https://github.com/unjs/destr).
  *
+ * Be aware that this utility is not restricted to `application/json` and will parse `application/x-www-form-urlencoded` content types.
+ * Because of this, authenticated `GET`/`POST` handlers may be at risk of a [CSRF](https://owasp.org/www-community/attacks/csrf) attack, and must check the `content-type` header manually.
+ *
  * @example
  * export default defineEventHandler(async (event) => {
  *   const body = await readBody(event);
@@ -510,7 +512,7 @@ declare function readBody<T, Event extends H3Event = H3Event, _T = InferEventInp
  */
 declare function readValidatedBody<T, Event extends H3Event = H3Event, _T = InferEventInput<"body", Event, T>>(event: Event, validate: ValidateFunction<_T>): Promise<_T>;
 /**
- * Tries to read and parse the body of a an H3Event as multipart form.
+ * Tries to read and parse the body of an H3Event as multipart form.
  *
  * @example
  * export default defineEventHandler(async (event) => {
@@ -612,7 +614,7 @@ interface H3CorsOptions {
 declare function handleCors(event: H3Event, options: H3CorsOptions): boolean;
 
 /**
- * Get query the params object from the request URL parsed with [unjs/ufo](https://ufo.unjs.io).
+ * Get the query params object from the request URL parsed with [unjs/ufo](https://ufo.unjs.io).
  *
  * @example
  * export default defineEventHandler((event) => {
@@ -621,7 +623,7 @@ declare function handleCors(event: H3Event, options: H3CorsOptions): boolean;
  */
 declare function getQuery<T, Event extends H3Event = H3Event, _T = Exclude<InferEventInput<"query", Event, T>, undefined>>(event: Event): _T;
 /**
- * Get the query param from the request URL parsed with [unjs/ufo](https://ufo.unjs.io) and validated with validate function.
+ * Get the query params object from the request URL parsed with [unjs/ufo](https://ufo.unjs.io) and validated with validate function.
  *
  * You can use a simple function to validate the query object or a library like `zod` to define a schema.
  *
@@ -793,7 +795,7 @@ declare function getRequestProtocol(event: H3Event, opts?: {
 /** @deprecated Use `event.path` instead */
 declare function getRequestPath(event: H3Event): string;
 /**
- * Generated the full incoming request URL using `getRequestProtocol`, `getRequestHost` and `event.path`.
+ * Generate the full incoming request URL using `getRequestProtocol`, `getRequestHost` and `event.path`.
  *
  * If `xForwardedHost` is `true`, it will use the `x-forwarded-host` header if it exists.
  *
@@ -817,7 +819,9 @@ declare function toWebRequest(event: H3Event): Request;
 /**
  * Try to get the client IP address from the incoming request.
  *
- * If `xForwardedFor` is `true`, it will use the `x-forwarded-for` header if it exists.
+ * If `xForwardedFor` is `true`, it will use the `x-forwarded-for` header set by proxies if it exists.
+ *
+ * Note: Make sure that this header can be trusted (your application running behind a CDN or reverse proxy) before enabling.
  *
  * If IP cannot be determined, it will default to `undefined`.
  *
@@ -827,11 +831,6 @@ declare function toWebRequest(event: H3Event): Request;
  * });
  */
 declare function getRequestIP(event: H3Event, opts?: {
-    /**
-     * Use the X-Forwarded-For HTTP header set by proxies.
-     *
-     * Note: Make sure that this header can be trusted (your application running behind a CDN or reverse proxy) before enabling.
-     */
     xForwardedFor?: boolean;
 }): string | undefined;
 
@@ -853,7 +852,7 @@ declare function appendCorsPreflightHeaders(event: H3Event, options: H3CorsOptio
 declare function appendCorsHeaders(event: H3Event, options: H3CorsOptions): void;
 
 /**
- * Parse the request to get HTTP Cookie header string and returning an object of all cookie name-value pairs.
+ * Parse the request to get HTTP Cookie header string and return an object of all cookie name-value pairs.
  * @param event {H3Event} H3 event or req passed by h3 handler
  * @returns Object of cookie name-value pairs
  * ```ts
@@ -954,7 +953,9 @@ declare function sendProxy(event: H3Event, target: string, opts?: ProxyOptions):
 /**
  * Get the request headers object without headers known to cause issues when proxying.
  */
-declare function getProxyRequestHeaders(event: H3Event): any;
+declare function getProxyRequestHeaders(event: H3Event, opts?: {
+    host?: boolean;
+}): any;
 /**
  * Make a fetch request with the event's context and headers.
  */
@@ -976,7 +977,7 @@ type IteratorSerializer<Value> = (value: Value) => SendableValue | undefined;
  */
 declare function send(event: H3Event, data?: any, type?: MimeType): Promise<void>;
 /**
- * Respond with an empty payload.<br>
+ * Respond with an empty payload.
  *
  * Note that calling this function will close the connection and no other data can be sent to the client afterwards.
  *
@@ -1056,7 +1057,7 @@ declare function sendRedirect(event: H3Event, location: string, code?: StatusCod
  */
 declare function getResponseHeaders(event: H3Event): ReturnType<H3Event["node"]["res"]["getHeaders"]>;
 /**
- * Alias for `getResponseHeaders`.
+ * Get a response header by name.
  *
  * @example
  * export default defineEventHandler((event) => {
@@ -1144,7 +1145,7 @@ declare function clearResponseHeaders(event: H3Event, headerNames?: HTTPHeaderNa
  */
 declare function removeResponseHeader(event: H3Event, name: HTTPHeaderName): void;
 /**
- * Checks if the data is a stream. (Node.js Readable Stream, React Pipeable Stream, or Web Stream)
+ * Checks if the data is a stream (Node.js Readable Stream, React Pipeable Stream, or Web Stream).
  */
 declare function isStream(data: any): data is Readable | ReadableStream;
 /**

package/dist/index.mjs

@@ -34,21 +34,16 @@ function hasProp(obj, prop) {
   }
 }
 
-var __defProp$2 = Object.defineProperty;
-var __defNormalProp$2 = (obj, key, value) => key in obj ? __defProp$2(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$2 = (obj, key, value) => {
-  __defNormalProp$2(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
 class H3Error extends Error {
+  static __h3_error__ = true;
+  statusCode = 500;
+  fatal = false;
+  unhandled = false;
+  statusMessage;
+  data;
+  cause;
   constructor(message, opts = {}) {
     super(message, opts);
-    __publicField$2(this, "statusCode", 500);
-    __publicField$2(this, "fatal", false);
-    __publicField$2(this, "unhandled", false);
-    __publicField$2(this, "statusMessage");
-    __publicField$2(this, "data");
-    __publicField$2(this, "cause");
     if (opts.cause && !this.cause) {
       this.cause = opts.cause;
     }
@@ -67,7 +62,6 @@ class H3Error extends Error {
     return obj;
   }
 }
-__publicField$2(H3Error, "__h3_error__", true);
 function createError(input) {
   if (typeof input === "string") {
     return new H3Error(input);
@@ -407,6 +401,9 @@ function readRawBody(event, encoding = "utf8") {
       if (_resolved.constructor === Object) {
         return Buffer.from(JSON.stringify(_resolved));
       }
+      if (_resolved instanceof URLSearchParams) {
+        return Buffer.from(_resolved.toString());
+      }
       return Buffer.from(_resolved);
     });
     return encoding ? promise2.then((buff) => buff.toString(encoding)) : promise2;
@@ -664,7 +661,7 @@ function splitCookiesString(cookiesString) {
       }
     }
     if (!cookiesSeparatorFound || pos >= cookiesString.length) {
-      cookiesStrings.push(cookiesString.slice(start, cookiesString.length));
+      cookiesStrings.push(cookiesString.slice(start));
     }
   }
   return cookiesStrings;
@@ -1120,6 +1117,7 @@ async function getRequestFingerprint(event, opts = {}) {
 const PayloadMethods = /* @__PURE__ */ new Set(["PATCH", "POST", "PUT", "DELETE"]);
 const ignoredHeaders = /* @__PURE__ */ new Set([
   "transfer-encoding",
+  "accept-encoding",
   "connection",
   "keep-alive",
   "upgrade",
@@ -1140,7 +1138,7 @@ async function proxyRequest(event, target, opts = {}) {
   }
   const method = opts.fetchOptions?.method || event.method;
   const fetchHeaders = mergeHeaders(
-    getProxyRequestHeaders(event),
+    getProxyRequestHeaders(event, { host: target.startsWith("/") }),
     opts.fetchOptions?.headers,
     opts.headers
   );
@@ -1232,11 +1230,11 @@ async function sendProxy(event, target, opts = {}) {
   }
   return event.node.res.end();
 }
-function getProxyRequestHeaders(event) {
+function getProxyRequestHeaders(event, opts) {
   const headers = /* @__PURE__ */ Object.create(null);
   const reqHeaders = getRequestHeaders(event);
   for (const name in reqHeaders) {
-    if (!ignoredHeaders.has(name)) {
+    if (!ignoredHeaders.has(name) || name === "host" && opts?.host) {
       headers[name] = reqHeaders[name];
     }
   }
@@ -1247,7 +1245,9 @@ function fetchWithEvent(event, req, init, options) {
     ...init,
     context: init?.context || event.context,
     headers: {
-      ...getProxyRequestHeaders(event),
+      ...getProxyRequestHeaders(event, {
+        host: typeof req === "string" && req.startsWith("/")
+      }),
       ...init?.headers
     }
   });
@@ -1469,23 +1469,17 @@ function isHttp2Request(event) {
   return getHeader(event, ":path") !== void 0 && getHeader(event, ":method") !== void 0;
 }
 
-var __defProp$1 = Object.defineProperty;
-var __defNormalProp$1 = (obj, key, value) => key in obj ? __defProp$1(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$1 = (obj, key, value) => {
-  __defNormalProp$1(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
 class EventStream {
+  _h3Event;
+  _transformStream = new TransformStream();
+  _writer;
+  _encoder = new TextEncoder();
+  _writerIsClosed = false;
+  _paused = false;
+  _unsentData;
+  _disposed = false;
+  _handled = false;
   constructor(event, opts = {}) {
-    __publicField$1(this, "_h3Event");
-    __publicField$1(this, "_transformStream", new TransformStream());
-    __publicField$1(this, "_writer");
-    __publicField$1(this, "_encoder", new TextEncoder());
-    __publicField$1(this, "_writerIsClosed", false);
-    __publicField$1(this, "_paused", false);
-    __publicField$1(this, "_unsentData");
-    __publicField$1(this, "_disposed", false);
-    __publicField$1(this, "_handled", false);
     this._h3Event = event;
     this._writer = this._transformStream.writable.getWriter();
     this._writer.closed.then(() => {
@@ -1712,32 +1706,26 @@ function defineWebSocketHandler(hooks) {
   });
 }
 
-var __defProp = Object.defineProperty;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField = (obj, key, value) => {
-  __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
 class H3Event {
+  "__is_event__" = true;
+  // Context
+  node;
+  // Node
+  web;
+  // Web
+  context = {};
+  // Shared
+  // Request
+  _method;
+  _path;
+  _headers;
+  _requestBody;
+  // Response
+  _handled = false;
+  // Hooks
+  _onBeforeResponseCalled;
+  _onAfterResponseCalled;
   constructor(req, res) {
-    __publicField(this, "__is_event__", true);
-    // Context
-    __publicField(this, "node");
-    // Node
-    __publicField(this, "web");
-    // Web
-    __publicField(this, "context", {});
-    // Shared
-    // Request
-    __publicField(this, "_method");
-    __publicField(this, "_path");
-    __publicField(this, "_headers");
-    __publicField(this, "_requestBody");
-    // Response
-    __publicField(this, "_handled", false);
-    // Hooks
-    __publicField(this, "_onBeforeResponseCalled");
-    __publicField(this, "_onAfterResponseCalled");
     this.node = { req, res };
   }
   // --- Request ---
@@ -2107,7 +2095,8 @@ function websocketOptions(evResolver, appOptions) {
   return {
     ...appOptions.websocket,
     async resolve(info) {
-      const { pathname } = parseURL(info.url || "/");
+      const url = info.request?.url || info.url || "/";
+      const { pathname } = typeof url === "string" ? parseURL(url) : url;
       const resolved = await evResolver(pathname);
       return resolved?.handler?.__websocket__ || {};
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "h3",
-  "version": "1.12.0",
+  "version": "1.13.1",
   "description": "Minimal H(TTP) framework built for high performance and portability.",
   "repository": "unjs/h3",
   "license": "MIT",
@@ -19,54 +19,58 @@
   "files": [
     "dist"
   ],
+  "scripts": {
+    "build": "unbuild",
+    "dev": "vitest",
+    "lint": "eslint --cache . && prettier -c src test playground examples docs",
+    "lint:fix": "eslint --cache . --fix && prettier -c src test playground examples docs -w",
+    "play": "listhen -w ./playground/app.ts",
+    "profile": "0x -o -D .profile -P 'autocannon -c 100 -p 10 -d 40 http://localhost:$PORT' ./playground/server.cjs",
+    "release": "pnpm test && pnpm build && changelogen --release --publish --publishTag latest && git push --follow-tags",
+    "test": "pnpm lint && vitest --run --coverage"
+  },
+  "resolutions": {
+    "h3": "link:."
+  },
   "dependencies": {
-    "cookie-es": "^1.1.0",
-    "crossws": "^0.2.4",
+    "cookie-es": "^1.2.2",
+    "crossws": "^0.3.1",
     "defu": "^6.1.4",
     "destr": "^2.0.3",
-    "iron-webcrypto": "^1.1.1",
-    "ohash": "^1.1.3",
+    "iron-webcrypto": "^1.2.1",
+    "ohash": "^1.1.4",
     "radix3": "^1.1.2",
-    "ufo": "^1.5.3",
+    "ufo": "^1.5.4",
     "uncrypto": "^0.1.3",
-    "unenv": "^1.9.0"
+    "unenv": "^1.10.0"
   },
   "devDependencies": {
-    "0x": "^5.7.0",
-    "@types/express": "^4.17.21",
-    "@types/node": "^20.12.7",
+    "0x": "^5.8.0",
+    "@types/express": "^5.0.0",
+    "@types/node": "^22.10.5",
     "@types/supertest": "^6.0.2",
-    "@vitest/coverage-v8": "^1.5.2",
-    "autocannon": "^7.15.0",
-    "automd": "^0.3.7",
-    "changelogen": "^0.5.5",
+    "@vitest/coverage-v8": "^2.1.8",
+    "autocannon": "^8.0.0",
+    "automd": "^0.3.12",
+    "changelogen": "^0.5.7",
     "connect": "^3.7.0",
-    "eslint": "^9.1.1",
-    "eslint-config-unjs": "^0.3.0-rc.6",
-    "express": "^4.19.2",
+    "eslint": "^9.17.0",
+    "eslint-config-unjs": "^0.4.2",
+    "express": "^4.21.2",
     "get-port": "^7.1.0",
-    "jiti": "^1.21.0",
-    "listhen": "^1.7.2",
+    "h3": "^1.13.0",
+    "jiti": "^2.4.2",
+    "listhen": "^1.9.0",
     "node-fetch-native": "^1.6.4",
-    "prettier": "^3.2.5",
-    "react": "^18.3.1",
-    "react-dom": "^18.3.1",
+    "prettier": "^3.4.2",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
     "supertest": "^7.0.0",
-    "typescript": "^5.4.5",
-    "unbuild": "^2.0.0",
-    "undici": "^6.19.2",
-    "vitest": "^1.5.2",
-    "zod": "^3.23.4"
+    "typescript": "^5.7.3",
+    "unbuild": "^3.2.0",
+    "undici": "^7.2.0",
+    "vitest": "^2.1.8",
+    "zod": "^3.24.1"
   },
-  "scripts": {
-    "build": "unbuild",
-    "dev": "vitest",
-    "lint": "eslint --cache . && prettier -c src test playground examples docs",
-    "lint:fix": "eslint --cache . --fix && prettier -c src test playground examples docs -w",
-    "play": "listhen -w ./playground/app.ts",
-    "profile": "0x -o -D .profile -P 'autocannon -c 100 -p 10 -d 40 http://localhost:$PORT' ./playground/server.cjs",
-    "release": "pnpm test && pnpm build && changelogen --release && pnpm publish && git push --follow-tags",
-    "release-rc": "pnpm test && pnpm build && changelogen --release --prerelease rc --push --publish --publishTag rc",
-    "test": "pnpm lint && vitest --run --coverage"
-  }
-}
+  "packageManager": "pnpm@9.15.3"
+}