h3 1.15.8 → 1.15.9

package/dist/index.cjs

@@ -1500,7 +1500,7 @@ function formatEventStreamMessage(message) {
 `;
   }
   const data = typeof message.data === "string" ? message.data : "";
-  for (const line of data.split("\n")) {
+  for (const line of data.split(/\r\n|\r|\n/)) {
     result += `data: ${line}
 `;
   }
@@ -1671,10 +1671,10 @@ async function serveStatic(event, options) {
     }
     return false;
   }
-  const originalId = ufo.decodePath(
-    ufo.withLeadingSlash(ufo.withoutTrailingSlash(ufo.parseURL(event.path).pathname))
+  const originalId = ufo.withLeadingSlash(
+    ufo.withoutTrailingSlash(ufo.parseURL(event.path).pathname)
   );
-  if (/(^|[\\/])\.\.($|[\\/])/.test(originalId)) {
+  if (/(^|[\\/])(\.\.|%2e%2e|%2e\.|\.%2e)($|[\\/])/i.test(originalId)) {
     if (!options.fallthrough) {
       throw createError({ statusCode: 404 });
     }

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { withoutTrailingSlash, withoutBase, getQuery as getQuery$1, decode, decodePath, withLeadingSlash, parseURL, joinURL } from 'ufo';
+import { withoutTrailingSlash, withoutBase, getQuery as getQuery$1, decode, withLeadingSlash, parseURL, joinURL, decodePath } from 'ufo';
 import { parse as parse$1, serialize, parseSetCookie } from 'cookie-es';
 import { createRouter as createRouter$1, toRouteMatcher } from 'radix3';
 import { defu } from 'defu';
@@ -1493,7 +1493,7 @@ function formatEventStreamMessage(message) {
 `;
   }
   const data = typeof message.data === "string" ? message.data : "";
-  for (const line of data.split("\n")) {
+  for (const line of data.split(/\r\n|\r|\n/)) {
     result += `data: ${line}
 `;
   }
@@ -1664,10 +1664,10 @@ async function serveStatic(event, options) {
     }
     return false;
   }
-  const originalId = decodePath(
-    withLeadingSlash(withoutTrailingSlash(parseURL(event.path).pathname))
+  const originalId = withLeadingSlash(
+    withoutTrailingSlash(parseURL(event.path).pathname)
   );
-  if (/(^|[\\/])\.\.($|[\\/])/.test(originalId)) {
+  if (/(^|[\\/])(\.\.|%2e%2e|%2e\.|\.%2e)($|[\\/])/i.test(originalId)) {
     if (!options.fallthrough) {
       throw createError({ statusCode: 404 });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "h3",
-  "version": "1.15.8",
+  "version": "1.15.9",
   "description": "Minimal H(TTP) framework built for high performance and portability.",
   "license": "MIT",
   "repository": "h3js/h3",
@@ -45,10 +45,10 @@
   "devDependencies": {
     "0x": "^6.0.0",
     "@types/express": "^5.0.6",
-    "@types/node": "^25.3.5",
+    "@types/node": "^25.5.0",
     "@types/supertest": "^7.2.0",
     "@typescript/native-preview": "latest",
-    "@vitest/coverage-v8": "^4.0.18",
+    "@vitest/coverage-v8": "^4.1.0",
     "autocannon": "^8.0.0",
     "automd": "^0.4.3",
     "changelogen": "^0.6.2",
@@ -57,7 +57,7 @@
     "eslint-config-unjs": "^0.6.2",
     "express": "^5.2.1",
     "get-port": "^7.1.0",
-    "h3": "^1.15.5",
+    "h3": "^1.15.8",
     "jiti": "^2.6.1",
     "listhen": "^1.9.0",
     "node-fetch-native": "^1.6.7",
@@ -67,8 +67,8 @@
     "supertest": "^7.2.2",
     "typescript": "^5.9.3",
     "unbuild": "^3.6.1",
-    "undici": "^7.22.0",
-    "vitest": "^4.0.18",
+    "undici": "^7.24.4",
+    "vitest": "^4.1.0",
     "zod": "^4.3.6"
   },
   "resolutions": {