h3 1.15.4 → 1.15.6

package/dist/index.cjs

@@ -3,8 +3,8 @@
 const ufo = require('ufo');
 const cookieEs = require('cookie-es');
 const radix3 = require('radix3');
-const destr = require('destr');
 const defu = require('defu');
+const destr = require('destr');
 const crypto = require('uncrypto');
 const ironWebcrypto = require('iron-webcrypto');
 const nodeMockHttp = require('node-mock-http');
@@ -418,7 +418,9 @@ function readRawBody(event, encoding = "utf8") {
     });
     return encoding ? promise2.then((buff) => buff.toString(encoding)) : promise2;
   }
-  if (!Number.parseInt(event.node.req.headers["content-length"] || "") && !String(event.node.req.headers["transfer-encoding"] ?? "").split(",").map((e) => e.trim()).filter(Boolean).includes("chunked")) {
+  if (!Number.parseInt(event.node.req.headers["content-length"] || "") && !/\bchunked\b/i.test(
+    String(event.node.req.headers["transfer-encoding"] ?? "")
+  )) {
     return Promise.resolve(void 0);
   }
   const promise = event.node.req[RawBodySymbol] = new Promise(
@@ -1440,11 +1442,16 @@ async function updateSession(event, config, update) {
 async function sealSession(event, config) {
   const sessionName = config.name || DEFAULT_NAME;
   const session = event.context.sessions?.[sessionName] || await getSession(event, config);
-  const sealed = await ironWebcrypto.seal(config.crypto || crypto__default, session, config.password, {
-    ...ironWebcrypto.defaults,
-    ttl: config.maxAge ? config.maxAge * 1e3 : 0,
-    ...config.seal
-  });
+  const sealed = await ironWebcrypto.seal(
+    config.crypto || crypto__default,
+    session,
+    config.password,
+    {
+      ...ironWebcrypto.defaults,
+      ttl: config.maxAge ? config.maxAge * 1e3 : 0,
+      ...config.seal
+    }
+  );
   return sealed;
 }
 async function unsealSession(_event, config, sealed) {
@@ -1481,22 +1488,28 @@ function clearSession(event, config) {
 function formatEventStreamMessage(message) {
   let result = "";
   if (message.id) {
-    result += `id: ${message.id}
+    result += `id: ${_sanitizeSingleLine(message.id)}
 `;
   }
   if (message.event) {
-    result += `event: ${message.event}
+    result += `event: ${_sanitizeSingleLine(message.event)}
 `;
   }
   if (typeof message.retry === "number" && Number.isInteger(message.retry)) {
     result += `retry: ${message.retry}
 `;
   }
-  result += `data: ${message.data}
-
+  const data = typeof message.data === "string" ? message.data : "";
+  for (const line of data.split("\n")) {
+    result += `data: ${line}
 `;
+  }
+  result += "\n";
   return result;
 }
+function _sanitizeSingleLine(value) {
+  return value.replace(/[\n\r]/g, "");
+}
 function formatEventStreamMessages(messages) {
   let result = "";
   for (const msg of messages) {
@@ -1661,6 +1674,12 @@ async function serveStatic(event, options) {
   const originalId = ufo.decodePath(
     ufo.withLeadingSlash(ufo.withoutTrailingSlash(ufo.parseURL(event.path).pathname))
   );
+  if (originalId.includes("..")) {
+    if (!options.fallthrough) {
+      throw createError({ statusCode: 404 });
+    }
+    return false;
+  }
   const acceptEncodings = parseAcceptEncoding(
     getRequestHeader(event, "accept-encoding"),
     options.encodings

package/dist/index.mjs

@@ -1,8 +1,8 @@
 import { withoutTrailingSlash, withoutBase, getQuery as getQuery$1, decode, decodePath, withLeadingSlash, parseURL, joinURL } from 'ufo';
 import { parse as parse$1, serialize, parseSetCookie } from 'cookie-es';
 import { createRouter as createRouter$1, toRouteMatcher } from 'radix3';
-import destr from 'destr';
 import { defu } from 'defu';
+import destr from 'destr';
 import crypto from 'uncrypto';
 import { seal, defaults, unseal } from 'iron-webcrypto';
 import { IncomingMessage, ServerResponse } from 'node-mock-http';
@@ -411,7 +411,9 @@ function readRawBody(event, encoding = "utf8") {
     });
     return encoding ? promise2.then((buff) => buff.toString(encoding)) : promise2;
   }
-  if (!Number.parseInt(event.node.req.headers["content-length"] || "") && !String(event.node.req.headers["transfer-encoding"] ?? "").split(",").map((e) => e.trim()).filter(Boolean).includes("chunked")) {
+  if (!Number.parseInt(event.node.req.headers["content-length"] || "") && !/\bchunked\b/i.test(
+    String(event.node.req.headers["transfer-encoding"] ?? "")
+  )) {
     return Promise.resolve(void 0);
   }
   const promise = event.node.req[RawBodySymbol] = new Promise(
@@ -1433,11 +1435,16 @@ async function updateSession(event, config, update) {
 async function sealSession(event, config) {
   const sessionName = config.name || DEFAULT_NAME;
   const session = event.context.sessions?.[sessionName] || await getSession(event, config);
-  const sealed = await seal(config.crypto || crypto, session, config.password, {
-    ...defaults,
-    ttl: config.maxAge ? config.maxAge * 1e3 : 0,
-    ...config.seal
-  });
+  const sealed = await seal(
+    config.crypto || crypto,
+    session,
+    config.password,
+    {
+      ...defaults,
+      ttl: config.maxAge ? config.maxAge * 1e3 : 0,
+      ...config.seal
+    }
+  );
   return sealed;
 }
 async function unsealSession(_event, config, sealed) {
@@ -1474,22 +1481,28 @@ function clearSession(event, config) {
 function formatEventStreamMessage(message) {
   let result = "";
   if (message.id) {
-    result += `id: ${message.id}
+    result += `id: ${_sanitizeSingleLine(message.id)}
 `;
   }
   if (message.event) {
-    result += `event: ${message.event}
+    result += `event: ${_sanitizeSingleLine(message.event)}
 `;
   }
   if (typeof message.retry === "number" && Number.isInteger(message.retry)) {
     result += `retry: ${message.retry}
 `;
   }
-  result += `data: ${message.data}
-
+  const data = typeof message.data === "string" ? message.data : "";
+  for (const line of data.split("\n")) {
+    result += `data: ${line}
 `;
+  }
+  result += "\n";
   return result;
 }
+function _sanitizeSingleLine(value) {
+  return value.replace(/[\n\r]/g, "");
+}
 function formatEventStreamMessages(messages) {
   let result = "";
   for (const msg of messages) {
@@ -1654,6 +1667,12 @@ async function serveStatic(event, options) {
   const originalId = decodePath(
     withLeadingSlash(withoutTrailingSlash(parseURL(event.path).pathname))
   );
+  if (originalId.includes("..")) {
+    if (!options.fallthrough) {
+      throw createError({ statusCode: 404 });
+    }
+    return false;
+  }
   const acceptEncodings = parseAcceptEncoding(
     getRequestHeader(event, "accept-encoding"),
     options.encodings

package/package.json

@@ -1,10 +1,16 @@
 {
   "name": "h3",
-  "version": "1.15.4",
+  "version": "1.15.6",
   "description": "Minimal H(TTP) framework built for high performance and portability.",
-  "repository": "h3js/h3",
   "license": "MIT",
+  "repository": "h3js/h3",
+  "files": [
+    "dist"
+  ],
   "sideEffects": false,
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
   "exports": {
     "./package.json": "./package.json",
     ".": {
@@ -13,24 +19,17 @@
       "require": "./dist/index.cjs"
     }
   },
-  "main": "./dist/index.cjs",
-  "module": "./dist/index.mjs",
-  "types": "./dist/index.d.ts",
-  "files": [
-    "dist"
-  ],
   "scripts": {
     "build": "unbuild",
     "dev": "vitest",
     "lint": "eslint --cache . && prettier -c src test playground examples docs",
     "lint:fix": "eslint --cache . --fix && prettier -c src test playground examples docs -w",
+    "prepack": "pnpm build",
     "play": "listhen -w ./playground/app.ts",
     "profile": "0x -o -D .profile -P 'autocannon -c 100 -p 10 -d 40 http://localhost:$PORT' ./playground/server.cjs",
-    "release": "pnpm test && pnpm build && changelogen --release --publish --publishTag latest && git push --follow-tags",
-    "test": "pnpm lint && vitest --run --coverage"
-  },
-  "resolutions": {
-    "h3": "^1.14.0"
+    "release": "pnpm test && pnpm build && changelogen --release --publish --publishTag 1x && git push --follow-tags",
+    "test": "pnpm lint && vitest --run --coverage && pnpm test:types",
+    "test:types": "tsgo --noEmit"
   },
   "dependencies": {
     "cookie-es": "^1.2.2",
@@ -38,38 +37,42 @@
     "defu": "^6.1.4",
     "destr": "^2.0.5",
     "iron-webcrypto": "^1.2.1",
-    "node-mock-http": "^1.0.2",
+    "node-mock-http": "^1.0.4",
     "radix3": "^1.1.2",
-    "ufo": "^1.6.1",
+    "ufo": "^1.6.3",
     "uncrypto": "^0.1.3"
   },
   "devDependencies": {
     "0x": "^6.0.0",
-    "@types/express": "^5.0.3",
-    "@types/node": "^24.1.0",
-    "@types/supertest": "^6.0.3",
-    "@vitest/coverage-v8": "^3.2.4",
+    "@types/express": "^5.0.6",
+    "@types/node": "^25.3.5",
+    "@types/supertest": "^7.2.0",
+    "@typescript/native-preview": "latest",
+    "@vitest/coverage-v8": "^4.0.18",
     "autocannon": "^8.0.0",
-    "automd": "^0.4.0",
+    "automd": "^0.4.3",
     "changelogen": "^0.6.2",
     "connect": "^3.7.0",
-    "eslint": "^9.32.0",
-    "eslint-config-unjs": "^0.5.0",
-    "express": "^5.1.0",
+    "eslint": "^10.0.3",
+    "eslint-config-unjs": "^0.6.2",
+    "express": "^5.2.1",
     "get-port": "^7.1.0",
-    "h3": "^1.15.3",
-    "jiti": "^2.5.1",
+    "h3": "^1.15.5",
+    "jiti": "^2.6.1",
     "listhen": "^1.9.0",
-    "node-fetch-native": "^1.6.6",
-    "prettier": "^3.6.2",
-    "react": "^19.1.1",
-    "react-dom": "^19.1.1",
-    "supertest": "^7.1.4",
-    "typescript": "^5.8.3",
-    "unbuild": "^3.6.0",
-    "undici": "^7.12.0",
-    "vitest": "^3.2.4",
-    "zod": "^4.0.14"
+    "node-fetch-native": "^1.6.7",
+    "prettier": "^3.8.1",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "supertest": "^7.2.2",
+    "typescript": "^5.9.3",
+    "unbuild": "^3.6.1",
+    "undici": "^7.22.0",
+    "vitest": "^4.0.18",
+    "zod": "^4.3.6"
+  },
+  "resolutions": {
+    "h3": "^1.14.0"
   },
-  "packageManager": "pnpm@10.2.0"
+  "packageManager": "pnpm@10.28.0"
 }