h3 2.0.1-rc.2 → 2.0.1-rc.21

package/dist/{h3.mjs → h3-CRCltuUf.mjs}

@@ -1,74 +1,66 @@
-import { NullProtoObj as EmptyObject, addRoute, createRouter, findRoute, routeToRegExp } from "rou3";
+import "./h3-DagAgogP.mjs";
+import { NullProtoObj as EmptyObject, addRoute, createRouter, findRoute, removeRoute, routeToRegExp } from "rou3";
 import { FastResponse, FastURL } from "srvx";
-import { parse, parseSetCookie, serialize, splitSetCookieString } from "cookie-es";
-
-//#region src/_entries/_common.ts
 function freezeApp(app) {
 	app.config = Object.freeze(app.config);
-	app._addRoute = () => {
+	app["~addRoute"] = () => {
 		throw new Error("Cannot add routes after the server init.");
 	};
 }
-
-//#endregion
-//#region src/types/h3.ts
-function definePlugin(def) {
-	return (opts) => (h3) => def(h3, opts);
+function withLeadingSlash(path) {
+	if (!path || path === "/") return "/";
+	return path[0] === "/" ? path : `/${path}`;
+}
+function withoutTrailingSlash(path) {
+	if (!path || path === "/") return "/";
+	return path[path.length - 1] === "/" ? path.slice(0, -1) : path;
+}
+function withoutBase(input = "", base = "") {
+	if (!base || base === "/") return input;
+	const _base = withoutTrailingSlash(base);
+	if (!input.startsWith(_base) || input.length > _base.length && input[_base.length] !== "/") return input;
+	return "/" + input.slice(_base.length).replace(/^\/+/, "");
+}
+function decodePathname(pathname) {
+	return decodeURI(pathname.includes("%25") ? pathname.replace(/%25/g, "%2525") : pathname);
+}
+function resolveDotSegments(path) {
+	if (!path.includes(".") && !path.includes("%2")) return path;
+	const segments = path.replaceAll("\\", "/").split("/");
+	const resolved = [];
+	for (const segment of segments) {
+		const normalized = segment.replace(/%2e/gi, ".");
+		if (normalized === "..") {
+			if (resolved.length > 1) resolved.pop();
+		} else if (normalized !== ".") resolved.push(segment);
+	}
+	return resolved.join("/") || "/";
 }
-
-//#endregion
-//#region src/event.ts
 const kEventNS = "h3.internal.event.";
 const kEventRes = /* @__PURE__ */ Symbol.for(`${kEventNS}res`);
 const kEventResHeaders = /* @__PURE__ */ Symbol.for(`${kEventNS}res.headers`);
+const kEventResErrHeaders = /* @__PURE__ */ Symbol.for(`${kEventNS}res.err.headers`);
 var H3Event = class {
-	/**
-	* Access to the H3 application instance.
-	*/
 	app;
-	/**
-	* Incoming HTTP request info.
-	*
-	* [MDN Reference](https://developer.mozilla.org/en-US/docs/Web/API/Request)
-	*/
 	req;
-	/**
-	* Access to the parsed request URL.
-	*
-	* [MDN Reference](https://developer.mozilla.org/en-US/docs/Web/API/URL)
-	*/
 	url;
-	/**
-	* Event context.
-	*/
 	context;
-	/**
-	* @internal
-	*/
 	static __is_event__ = true;
 	constructor(req, context, app) {
 		this.context = context || req.context || new EmptyObject();
 		this.req = req;
 		this.app = app;
 		const _url = req._url;
-		this.url = _url && _url instanceof URL ? _url : new FastURL(req.url);
+		const url = _url && _url instanceof URL ? _url : new FastURL(req.url);
+		if (url.pathname.includes("%")) url.pathname = decodePathname(url.pathname);
+		this.url = url;
 	}
-	/**
-	* Prepared HTTP response.
-	*/
 	get res() {
 		return this[kEventRes] ||= new H3EventResponse();
 	}
-	/**
-	* Access to runtime specific additional context.
-	*
-	*/
 	get runtime() {
 		return this.req.runtime;
 	}
-	/**
-	* Tell the runtime about an ongoing operation that shouldn't close until the promise resolves.
-	*/
 	waitUntil(promise) {
 		this.req.waitUntil?.(promise);
 	}
@@ -78,38 +70,15 @@ var H3Event = class {
 	toJSON() {
 		return this.toString();
 	}
-	/**
-	* Access to the raw Node.js req/res objects.
-	*
-	* @deprecated Use `event.runtime.{node|deno|bun|...}.` instead.
-	*/
 	get node() {
 		return this.req.runtime?.node;
 	}
-	/**
-	* Access to the incoming request headers.
-	*
-	* @deprecated Use `event.req.headers` instead.
-	*
-	*/
 	get headers() {
 		return this.req.headers;
 	}
-	/**
-	* Access to the incoming request url (pathname+search).
-	*
-	* @deprecated Use `event.url.pathname + event.url.search` instead.
-	*
-	* Example: `/api/hello?name=world`
-	* */
 	get path() {
 		return this.url.pathname + this.url.search;
 	}
-	/**
-	* Access to the incoming request method.
-	*
-	* @deprecated Use `event.req.method` instead.
-	*/
 	get method() {
 		return this.req.method;
 	}
@@ -120,90 +89,34 @@ var H3EventResponse = class {
 	get headers() {
 		return this[kEventResHeaders] ||= new Headers();
 	}
+	get errHeaders() {
+		return this[kEventResErrHeaders] ||= new Headers();
+	}
 };
-
-//#endregion
-//#region src/utils/sanitize.ts
 const DISALLOWED_STATUS_CHARS = /[^\u0009\u0020-\u007E]/g;
-/**
-* Make sure the status message is safe to use in a response.
-*
-* Allowed characters: horizontal tabs, spaces or visible ascii characters: https://www.rfc-editor.org/rfc/rfc7230#section-3.1.2
-*/
 function sanitizeStatusMessage(statusMessage = "") {
 	return statusMessage.replace(DISALLOWED_STATUS_CHARS, "");
 }
-/**
-* Make sure the status code is a valid HTTP status code.
-*/
 function sanitizeStatusCode(statusCode, defaultStatusCode = 200) {
 	if (!statusCode) return defaultStatusCode;
 	if (typeof statusCode === "string") statusCode = +statusCode;
 	if (statusCode < 100 || statusCode > 599) return defaultStatusCode;
 	return statusCode;
 }
-
-//#endregion
-//#region src/error.ts
-/**
-* HTTPError
-*/
 var HTTPError = class HTTPError extends Error {
 	get name() {
 		return "HTTPError";
 	}
-	/**
-	* HTTP status code in range [200...599]
-	*/
 	status;
-	/**
-	* HTTP status text
-	*
-	* **NOTE:** This should be short (max 512 to 1024 characters).
-	* Allowed characters are tabs, spaces, visible ASCII characters, and extended characters (byte value 128–255).
-	*
-	* **TIP:** Use `message` for longer error descriptions in JSON body.
-	*/
 	statusText;
-	/**
-	* Additional HTTP headers to be sent in error response.
-	*/
 	headers;
-	/**
-	* Original error object that caused this error.
-	*/
 	cause;
-	/**
-	* Additional data attached in the error JSON body under `data` key.
-	*/
 	data;
-	/**
-	* Additional top level JSON body properties to attach in the error JSON body.
-	*/
 	body;
-	/**
-	* Flag to indicate that the error was not handled by the application.
-	*
-	* Unhandled error stack trace, data and message are hidden in non debug mode for security reasons.
-	*/
 	unhandled;
-	/**
-	* Check if the input is an instance of HTTPError using its constructor name.
-	*
-	* It is safer than using `instanceof` because it works across different contexts (e.g., if the error was thrown in a different module).
-	*/
 	static isError(input) {
 		return input instanceof Error && input?.name === "HTTPError";
 	}
-	/**
-	* Create a new HTTPError with the given status code and optional status text and details.
-	*
-	* @example
-	*
-	* HTTPError.status(404)
-	* HTTPError.status(418, "I'm a teapot")
-	* HTTPError.status(403, "Forbidden", { message: "Not authenticated" })
-	*/
 	static status(status, statusText, details) {
 		return new HTTPError({
 			...details,
@@ -218,8 +131,8 @@ var HTTPError = class HTTPError extends Error {
 			messageInput = arg1;
 			details = arg2;
 		} else details = arg1;
-		const status = sanitizeStatusCode(details?.status || (details?.cause)?.status || details?.status || details?.statusCode, 500);
-		const statusText = sanitizeStatusMessage(details?.statusText || (details?.cause)?.statusText || details?.statusText || details?.statusMessage);
+		const status = sanitizeStatusCode(details?.status || details?.statusCode || (details?.cause)?.status || (details?.cause)?.statusCode, 500);
+		const statusText = sanitizeStatusMessage(details?.statusText || details?.statusMessage || (details?.cause)?.statusText || (details?.cause)?.statusMessage);
 		const message = messageInput || details?.message || (details?.cause)?.message || details?.statusText || details?.statusMessage || [
 			"HTTPError",
 			status,
@@ -227,7 +140,6 @@ var HTTPError = class HTTPError extends Error {
 		].filter(Boolean).join(" ");
 		super(message, { cause: details });
 		this.cause = details;
-		Error.captureStackTrace?.(this, this.constructor);
 		this.status = status;
 		this.statusText = statusText || void 0;
 		const rawHeaders = details?.headers || (details?.cause)?.headers;
@@ -236,15 +148,9 @@ var HTTPError = class HTTPError extends Error {
 		this.data = details?.data;
 		this.body = details?.body;
 	}
-	/**
-	* @deprecated Use `status`
-	*/
 	get statusCode() {
 		return this.status;
 	}
-	/**
-	* @deprecated Use `statusText`
-	*/
 	get statusMessage() {
 		return this.statusText;
 	}
@@ -260,15 +166,6 @@ var HTTPError = class HTTPError extends Error {
 		};
 	}
 };
-
-//#endregion
-//#region src/utils/internal/object.ts
-/**
-* Checks if a certain input has a given property.
-* @param obj - The input to check.
-* @param prop - The property to check for.
-* @returns A boolean indicating whether the input is an object and has the property.
-*/
 function hasProp(obj, prop) {
 	try {
 		return prop in obj;
@@ -286,17 +183,14 @@ function isJSONSerializable(value, _type) {
 	const proto = Object.getPrototypeOf(value);
 	return proto === Object.prototype || proto === null;
 }
-
-//#endregion
-//#region src/response.ts
 const kNotFound = /* @__PURE__ */ Symbol.for("h3.notFound");
 const kHandled = /* @__PURE__ */ Symbol.for("h3.handled");
 function toResponse(val, event, config = {}) {
-	if (typeof val?.then === "function") return (val.catch?.((error) => error) || Promise.resolve(val)).then((resolvedVal) => toResponse(resolvedVal, event, config));
+	if (typeof val?.then === "function") return val.then((resolvedVal) => toResponse(resolvedVal, event, config), (r) => toResponse(typeof r === "number" ? new HTTPError({ status: r }) : r, event, config));
 	const response = prepareResponse(val, event, config);
 	if (typeof response?.then === "function") return toResponse(response, event, config);
-	const { onResponse: onResponse$1 } = config;
-	return onResponse$1 ? Promise.resolve(onResponse$1(response, event)).then(() => response) : response;
+	const { onResponse } = config;
+	return onResponse ? Promise.resolve(onResponse(response, event)).then(() => response) : response;
 }
 var HTTPResponse = class {
 	#headers;
@@ -330,11 +224,13 @@ function prepareResponse(val, event, config, nested) {
 			if (val?.stack) error.stack = val.stack;
 		}
 		if (error.unhandled && !config.silent) console.error(error);
-		const { onError: onError$1 } = config;
-		return onError$1 && !nested ? Promise.resolve(onError$1(error, event)).catch((error$1) => error$1).then((newVal) => prepareResponse(newVal ?? val, event, config, true)) : errorResponse(error, config.debug);
+		const { onError } = config;
+		const errHeaders = event[kEventRes]?.[kEventResErrHeaders];
+		return onError && !nested ? Promise.resolve(onError(error, event)).catch((error) => error).then((newVal) => prepareResponse(newVal ?? val, event, config, true)) : errorResponse(error, config.debug, errHeaders);
 	}
 	const preparedRes = event[kEventRes];
 	const preparedHeaders = preparedRes?.[kEventResHeaders];
+	event[kEventRes] = void 0;
 	if (!(val instanceof Response)) {
 		const res = prepareResponseBody(val, event, config);
 		const status = res.status || preparedRes?.status;
@@ -344,7 +240,7 @@ function prepareResponse(val, event, config, nested) {
 			headers: res.headers && preparedHeaders ? mergeHeaders$1(res.headers, preparedHeaders) : res.headers || preparedHeaders
 		});
 	}
-	if (!preparedHeaders) return val;
+	if (!preparedHeaders || nested || !val.ok) return val;
 	try {
 		mergeHeaders$1(val.headers, preparedHeaders, val.headers);
 		return val;
@@ -361,8 +257,16 @@ function mergeHeaders$1(base, overrides, target = new Headers(base)) {
 	else target.set(name, value);
 	return target;
 }
-const emptyHeaders = /* @__PURE__ */ new Headers({ "content-length": "0" });
-const jsonHeaders = /* @__PURE__ */ new Headers({ "content-type": "application/json;charset=UTF-8" });
+const frozen = (name) => (...args) => {
+	throw new Error(`Headers are frozen (${name} ${args.join(", ")})`);
+};
+var FrozenHeaders = class extends Headers {
+	set = frozen("set");
+	append = frozen("append");
+	delete = frozen("delete");
+};
+const emptyHeaders = /* @__PURE__ */ new FrozenHeaders({ "content-length": "0" });
+const jsonHeaders = /* @__PURE__ */ new FrozenHeaders({ "content-type": "application/json;charset=UTF-8" });
 function prepareResponseBody(val, event, config) {
 	if (val === null || val === void 0) return {
 		body: "",
@@ -405,19 +309,18 @@ function prepareResponseBody(val, event, config) {
 function nullBody(method, status) {
 	return method === "HEAD" || status === 100 || status === 101 || status === 102 || status === 204 || status === 205 || status === 304;
 }
-function errorResponse(error, debug) {
+function errorResponse(error, debug, errHeaders) {
+	let headers = error.headers ? mergeHeaders$1(jsonHeaders, error.headers) : new Headers(jsonHeaders);
+	if (errHeaders) headers = mergeHeaders$1(headers, errHeaders);
 	return new FastResponse(JSON.stringify({
 		...error.toJSON(),
 		stack: debug && error.stack ? error.stack.split("\n").map((l) => l.trim()) : void 0
 	}, void 0, debug ? 2 : void 0), {
 		status: error.status,
 		statusText: error.statusText,
-		headers: error.headers ? mergeHeaders$1(jsonHeaders, error.headers) : jsonHeaders
+		headers
 	});
 }
-
-//#endregion
-//#region src/middleware.ts
 function defineMiddleware(input) {
 	return input;
 }
@@ -431,7 +334,7 @@ function normalizeMiddleware(input, opts = {}) {
 	};
 }
 function createMatcher(opts) {
-	if (!opts.route && !opts.method && !opts.match) return void 0;
+	if (!opts.route && !opts.method && !opts.match) return;
 	const routeMatcher = opts.route ? routeToRegExp(opts.route) : void 0;
 	const method = opts.method?.toUpperCase();
 	return function _middlewareMatcher(event) {
@@ -459,14 +362,34 @@ function callMiddleware(event, middleware, handler, index = 0) {
 		return nextResult;
 	};
 	const ret = fn(event, next);
-	return is404(ret) ? next() : typeof ret?.then === "function" ? ret.then((resolved) => is404(resolved) ? next() : resolved) : ret;
+	return isUnhandledResponse(ret) ? next() : typeof ret?.then === "function" ? ret.then((resolved) => isUnhandledResponse(resolved) ? next() : resolved) : ret;
+}
+function isUnhandledResponse(val) {
+	return val === void 0 || val === kNotFound;
+}
+function toMiddleware(input) {
+	let h = input.handler || input;
+	let isFunction = typeof h === "function";
+	if (!isFunction && typeof input?.fetch === "function") {
+		isFunction = true;
+		h = function _fetchHandler(event) {
+			return input.fetch(event.req);
+		};
+	}
+	if (!isFunction) return function noopMiddleware(event, next) {
+		return next();
+	};
+	if (h.length === 2) return h;
+	return function _middlewareHandler(event, next) {
+		const res = h(event);
+		return typeof res?.then === "function" ? res.then((r) => {
+			return is404(r) ? next() : r;
+		}) : is404(res) ? next() : res;
+	};
 }
 function is404(val) {
-	return val === void 0 || val === kNotFound || val?.status === 404 && val instanceof Response;
+	return isUnhandledResponse(val) || val?.status === 404 && val instanceof Response;
 }
-
-//#endregion
-//#region src/utils/internal/query.ts
 const plusRegex = /\+/g;
 function parseQuery(input) {
 	const params = new EmptyObject();
@@ -485,7 +408,7 @@ function parseQuery(input) {
 	for (let i = 0; i < inputLength + 1; i++) {
 		c = i === inputLength ? 38 : input.charCodeAt(i);
 		switch (c) {
-			case 38: {
+			case 38:
 				hasBothKeyValuePair = equalityIndex > startingIndex;
 				if (!hasBothKeyValuePair) equalityIndex = i;
 				key = input.slice(startingIndex + 1, equalityIndex);
@@ -514,41 +437,35 @@ function parseQuery(input) {
 				keyHasPlus = false;
 				valueHasPlus = false;
 				break;
-			}
-			case 61: {
+			case 61:
 				if (equalityIndex <= startingIndex) equalityIndex = i;
 				else shouldDecodeValue = true;
 				break;
-			}
-			case 43: {
+			case 43:
 				if (equalityIndex > startingIndex) valueHasPlus = true;
 				else keyHasPlus = true;
 				break;
-			}
-			case 37: {
+			case 37:
 				if (equalityIndex > startingIndex) shouldDecodeValue = true;
 				else shouldDecodeKey = true;
 				break;
-			}
 		}
 	}
 	return params;
 }
-
-//#endregion
-//#region src/utils/internal/validate.ts
-async function validateData(data, fn) {
+const VALIDATION_FAILED = "Validation failed";
+async function validateData(data, fn, options) {
 	if ("~standard" in fn) {
 		const result = await fn["~standard"].validate(data);
-		if (result.issues) throw createValidationError({
-			message: "Validation failed",
+		if (result.issues) throw createValidationError(options?.onError?.(result) || {
+			message: VALIDATION_FAILED,
 			issues: result.issues
 		});
 		return result.value;
 	}
 	try {
 		const res = await fn(data);
-		if (res === false) throw createValidationError({ message: "Validation failed" });
+		if (res === false) throw createValidationError(options?.onError?.({ issues: [{ message: VALIDATION_FAILED }] }) || { message: VALIDATION_FAILED });
 		if (res === true) return data;
 		return res ?? data;
 	} catch (error) {
@@ -563,14 +480,23 @@ const reqBodyKeys = new Set([
 ]);
 function validatedRequest(req, validate) {
 	if (validate.headers) {
-		const validatedheaders = syncValidate("headers", Object.fromEntries(req.headers.entries()), validate.headers);
+		const validatedheaders = syncValidate("headers", Object.fromEntries(req.headers.entries()), validate.headers, validate.onError);
 		for (const [key, value] of Object.entries(validatedheaders)) req.headers.set(key, value);
 	}
 	if (!validate.body) return req;
 	return new Proxy(req, { get(_target, prop) {
 		if (validate.body) {
 			if (prop === "json") return function _validatedJson() {
-				return req.json().then((data) => validate.body["~standard"].validate(data)).then((result) => result.issues ? Promise.reject(createValidationError(result)) : result.value);
+				return req.json().then((data) => validate.body["~standard"].validate(data)).then((result) => {
+					if (result.issues) throw createValidationError(validate.onError?.({
+						_source: "body",
+						...result
+					}) || {
+						message: VALIDATION_FAILED,
+						issues: result.issues
+					});
+					return result.value;
+				});
 			};
 			else if (reqBodyKeys.has(prop)) throw new TypeError(`Cannot access .${prop} on request with JSON validation enabled. Use .json() instead.`);
 		}
@@ -579,48 +505,40 @@ function validatedRequest(req, validate) {
 }
 function validatedURL(url, validate) {
 	if (!validate.query) return url;
-	const validatedQuery = syncValidate("query", Object.fromEntries(url.searchParams.entries()), validate.query);
+	const validatedQuery = syncValidate("query", Object.fromEntries(url.searchParams.entries()), validate.query, validate.onError);
 	for (const [key, value] of Object.entries(validatedQuery)) url.searchParams.set(key, value);
 	return url;
 }
-function syncValidate(type, data, fn) {
+function syncValidate(source, data, fn, onError) {
 	const result = fn["~standard"].validate(data);
-	if (result instanceof Promise) throw new TypeError(`Asynchronous validation is not supported for ${type}`);
-	if (result.issues) throw createValidationError({ issues: result.issues });
+	if (result instanceof Promise) throw new TypeError(`Asynchronous validation is not supported for ${source}`);
+	if (result.issues) throw createValidationError(onError?.({
+		_source: source,
+		...result
+	}) || {
+		message: VALIDATION_FAILED,
+		issues: result.issues
+	});
 	return result.value;
 }
-function createValidationError(validateError) {
-	return new HTTPError({
-		status: 400,
-		statusText: "Validation failed",
-		message: validateError?.message,
-		data: validateError,
-		cause: validateError
+function createValidationError(cause) {
+	return HTTPError.isError(cause) ? cause : new HTTPError({
+		cause,
+		status: cause?.status || 400,
+		statusText: cause?.statusText || VALIDATION_FAILED,
+		message: cause?.message || VALIDATION_FAILED,
+		data: {
+			issues: cause?.issues,
+			message: cause instanceof Error ? VALIDATION_FAILED : cause?.message || VALIDATION_FAILED
+		}
 	});
 }
-
-//#endregion
-//#region src/utils/event.ts
-/**
-* Checks if the input is an H3Event object.
-* @param input - The input to check.
-* @returns True if the input is an H3Event object, false otherwise.
-* @see H3Event
-*/
 function isEvent(input) {
 	return input instanceof H3Event || input?.constructor?.__is_event__;
 }
-/**
-* Checks if the input is an object with `{ req: Request }` signature.
-* @param input - The input to check.
-* @returns True if the input is is `{ req: Request }`
-*/
 function isHTTPEvent(input) {
 	return input?.req instanceof Request;
 }
-/**
-* Gets the context of the event, if it does not exists, initializes a new context on `req.context`.
-*/
 function getEventContext(event) {
 	if (event.context) return event.context;
 	event.req.context ??= {};
@@ -628,6 +546,7 @@ function getEventContext(event) {
 }
 function mockEvent(_request, options) {
 	let request;
+	if (options?.body && !options.duplex) options.duplex = "half";
 	if (typeof _request === "string") {
 		let url = _request;
 		if (url[0] === "/") url = `http://localhost${url}`;
@@ -636,145 +555,53 @@ function mockEvent(_request, options) {
 	else request = _request;
 	return new H3Event(request);
 }
-
-//#endregion
-//#region src/utils/request.ts
-/**
-* Convert input into a web [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request).
-*
-* If input is a relative URL, it will be normalized into a full path based on headers.
-*
-* If input is already a Request and no options are provided, it will be returned as-is.
-*/
+function requestWithURL(req, url) {
+	const cache = { url };
+	return new Proxy(req, { get(target, prop) {
+		if (prop in cache) return cache[prop];
+		const value = Reflect.get(target, prop);
+		cache[prop] = typeof value === "function" ? value.bind(target) : value;
+		return cache[prop];
+	} });
+}
+function requestWithBaseURL(req, base) {
+	const url = new URL(req.url);
+	url.pathname = decodePathname(url.pathname).slice(base.length) || "/";
+	return requestWithURL(req, url.href);
+}
 function toRequest(input, options) {
 	if (typeof input === "string") {
 		let url = input;
 		if (url[0] === "/") {
 			const headers = options?.headers ? new Headers(options.headers) : void 0;
 			const host = headers?.get("host") || "localhost";
-			const proto = headers?.get("x-forwarded-proto") === "https" ? "https" : "http";
-			url = `${proto}://${host}${url}`;
+			url = `${headers?.get("x-forwarded-proto") === "https" ? "https" : "http"}://${host}${url}`;
 		}
 		return new Request(url, options);
 	} else if (options || input instanceof URL) return new Request(input, options);
 	return input;
 }
-/**
-* Get parsed query string object from the request URL.
-*
-* @example
-* app.get("/", (event) => {
-*   const query = getQuery(event); // { key: "value", key2: ["value1", "value2"] }
-* });
-*/
 function getQuery(event) {
-	const url = event.url || new URL(event.req.url);
-	return parseQuery(url.search.slice(1));
-}
-/**
-* Get the query param from the request URL validated with validate function.
-*
-* You can use a simple function to validate the query object or use a Standard-Schema compatible library like `zod` to define a schema.
-*
-* @example
-* app.get("/", async (event) => {
-*   const query = await getValidatedQuery(event, (data) => {
-*     return "key" in data && typeof data.key === "string";
-*   });
-* });
-* @example
-* import { z } from "zod";
-*
-* app.get("/", async (event) => {
-*   const query = await getValidatedQuery(
-*     event,
-*     z.object({
-*       key: z.string(),
-*     }),
-*   );
-* });
-*/
-function getValidatedQuery(event, validate) {
-	const query = getQuery(event);
-	return validateData(query, validate);
-}
-/**
-* Get matched route params.
-*
-* If `decode` option is `true`, it will decode the matched route params using `decodeURIComponent`.
-*
-* @example
-* app.get("/", (event) => {
-*   const params = getRouterParams(event); // { key: "value" }
-* });
-*/
+	return parseQuery((event.url || new URL(event.req.url)).search.slice(1));
+}
+function getValidatedQuery(event, validate, options) {
+	return validateData(getQuery(event), validate, options);
+}
 function getRouterParams(event, opts = {}) {
-	const context = getEventContext(event);
-	let params = context.params || {};
+	let params = getEventContext(event).params || {};
 	if (opts.decode) {
 		params = { ...params };
 		for (const key in params) params[key] = decodeURIComponent(params[key]);
 	}
 	return params;
 }
-/**
-* Get matched route params and validate with validate function.
-*
-* If `decode` option is `true`, it will decode the matched route params using `decodeURI`.
-*
-* You can use a simple function to validate the params object or use a Standard-Schema compatible library like `zod` to define a schema.
-*
-* @example
-* app.get("/", async (event) => {
-*   const params = await getValidatedRouterParams(event, (data) => {
-*     return "key" in data && typeof data.key === "string";
-*   });
-* });
-* @example
-* import { z } from "zod";
-*
-* app.get("/", async (event) => {
-*   const params = await getValidatedRouterParams(
-*     event,
-*     z.object({
-*       key: z.string(),
-*     }),
-*   );
-* });
-*/
-function getValidatedRouterParams(event, validate, opts = {}) {
-	const routerParams = getRouterParams(event, opts);
-	return validateData(routerParams, validate);
-}
-/**
-* Get a matched route param by name.
-*
-* If `decode` option is `true`, it will decode the matched route param using `decodeURI`.
-*
-* @example
-* app.get("/", (event) => {
-*   const param = getRouterParam(event, "key");
-* });
-*/
+function getValidatedRouterParams(event, validate, options = {}) {
+	const { decode, ...opts } = options;
+	return validateData(getRouterParams(event, { decode }), validate, opts);
+}
 function getRouterParam(event, name, opts = {}) {
-	const params = getRouterParams(event, opts);
-	return params[name];
-}
-/**
-*
-* Checks if the incoming request method is of the expected type.
-*
-* If `allowHead` is `true`, it will allow `HEAD` requests to pass if the expected method is `GET`.
-*
-* @example
-* app.get("/", (event) => {
-*   if (isMethod(event, "GET")) {
-*     // Handle GET request
-*   } else if (isMethod(event, ["POST", "PUT"])) {
-*     // Handle POST or PUT request
-*   }
-* });
-*/
+	return getRouterParams(event, opts)[name];
+}
 function isMethod(event, expected, allowHead) {
 	if (allowHead && event.req.method === "HEAD") return true;
 	if (typeof expected === "string") {
@@ -782,75 +609,30 @@ function isMethod(event, expected, allowHead) {
 	} else if (expected.includes(event.req.method)) return true;
 	return false;
 }
-/**
-* Asserts that the incoming request method is of the expected type using `isMethod`.
-*
-* If the method is not allowed, it will throw a 405 error with the message "HTTP method is not allowed".
-*
-* If `allowHead` is `true`, it will allow `HEAD` requests to pass if the expected method is `GET`.
-*
-* @example
-* app.get("/", (event) => {
-*   assertMethod(event, "GET");
-*   // Handle GET request, otherwise throw 405 error
-* });
-*/
 function assertMethod(event, expected, allowHead) {
-	if (!isMethod(event, expected, allowHead)) throw new HTTPError({ status: 405 });
-}
-/**
-* Get the request hostname.
-*
-* If `xForwardedHost` is `true`, it will use the `x-forwarded-host` header if it exists.
-*
-* If no host header is found, it will default to "localhost".
-*
-* @example
-* app.get("/", (event) => {
-*   const host = getRequestHost(event); // "example.com"
-* });
-*/
+	if (!isMethod(event, expected, allowHead)) {
+		const allowed = Array.isArray(expected) ? expected : [expected];
+		throw new HTTPError({
+			status: 405,
+			headers: { Allow: allowHead ? [...allowed, "HEAD"].join(", ") : allowed.join(", ") }
+		});
+	}
+}
 function getRequestHost(event, opts = {}) {
 	if (opts.xForwardedHost) {
-		const _header = event.req.headers.get("x-forwarded-host");
-		const xForwardedHost = (_header || "").split(",").shift()?.trim();
+		const xForwardedHost = (event.req.headers.get("x-forwarded-host") || "").split(",").shift()?.trim();
 		if (xForwardedHost) return xForwardedHost;
 	}
 	return event.req.headers.get("host") || "";
 }
-/**
-* Get the request protocol.
-*
-* If `x-forwarded-proto` header is set to "https", it will return "https". You can disable this behavior by setting `xForwardedProto` to `false`.
-*
-* If protocol cannot be determined, it will default to "http".
-*
-* @example
-* app.get("/", (event) => {
-*   const protocol = getRequestProtocol(event); // "https"
-* });
-*/
 function getRequestProtocol(event, opts = {}) {
 	if (opts.xForwardedProto !== false) {
 		const forwardedProto = event.req.headers.get("x-forwarded-proto");
 		if (forwardedProto === "https") return "https";
 		if (forwardedProto === "http") return "http";
 	}
-	const url = event.url || new URL(event.req.url);
-	return url.protocol.slice(0, -1);
-}
-/**
-* Generated the full incoming request URL.
-*
-* If `xForwardedHost` is `true`, it will use the `x-forwarded-host` header if it exists.
-*
-* If `xForwardedProto` is `false`, it will not use the `x-forwarded-proto` header.
-*
-* @example
-* app.get("/", (event) => {
-*   const url = getRequestURL(event); // "https://example.com/path"
-* });
-*/
+	return (event.url || new URL(event.req.url)).protocol.slice(0, -1);
+}
 function getRequestURL(event, opts = {}) {
 	const url = new URL(event.url || event.req.url);
 	url.protocol = getRequestProtocol(event, opts);
@@ -858,23 +640,11 @@ function getRequestURL(event, opts = {}) {
 		const host = getRequestHost(event, opts);
 		if (host) {
 			url.host = host;
-			if (!host.includes(":")) url.port = "";
+			if (!/:\d+$/.test(host)) url.port = "";
 		}
 	}
 	return url;
 }
-/**
-* Try to get the client IP address from the incoming request.
-*
-* If `xForwardedFor` is `true`, it will use the `x-forwarded-for` header if it exists.
-*
-* If IP cannot be determined, it will default to `undefined`.
-*
-* @example
-* app.get("/", (event) => {
-*   const ip = getRequestIP(event); // "192.0.2.0"
-* });
-*/
 function getRequestIP(event, opts = {}) {
 	if (opts.xForwardedFor) {
 		const _header = event.req.headers.get("x-forwarded-for");
@@ -885,9 +655,6 @@ function getRequestIP(event, opts = {}) {
 	}
 	return event.req.context?.clientAddress || event.req.ip || void 0;
 }
-
-//#endregion
-//#region src/handler.ts
 function defineHandler(input) {
 	if (typeof input === "function") return handlerWithFetch(input);
 	const handler = input.handler || (input.fetch ? function _fetchHandler(event) {
@@ -897,9 +664,6 @@ function defineHandler(input) {
 		return callMiddleware(event, input.middleware, handler);
 	} : handler), input);
 }
-/**
-* @experimental defineValidatedHandler is an experimental feature and API may change.
-*/
 function defineValidatedHandler(def) {
 	if (!def.validate) return defineHandler(def);
 	return defineHandler({
@@ -935,16 +699,12 @@ function dynamicEventHandler(initial) {
 function defineLazyEventHandler(loader) {
 	let handler;
 	let promise;
-	const resolveLazyHandler = () => {
-		if (handler) return Promise.resolve(handler);
-		return promise ??= Promise.resolve(loader()).then((r) => {
+	return defineHandler(function lazyHandler(event) {
+		return handler ? handler(event) : (promise ??= Promise.resolve(loader()).then(function resolveLazyHandler(r) {
 			handler = toEventHandler(r) || toEventHandler(r.default);
 			if (typeof handler !== "function") throw new TypeError("Invalid lazy handler", { cause: { resolved: r } });
 			return handler;
-		});
-	};
-	return defineHandler(function lazyHandler(event) {
-		return handler ? handler(event) : resolveLazyHandler().then((r) => r(event));
+		})).then((r) => r(event));
 	});
 }
 function toEventHandler(handler) {
@@ -954,103 +714,96 @@ function toEventHandler(handler) {
 		return handler.fetch(event.req);
 	};
 }
-
-//#endregion
-//#region src/h3.ts
 const NoHandler = () => kNotFound;
-const H3Core = /* @__PURE__ */ (() => {
-	const HTTPMethods = [
-		"GET",
-		"POST",
-		"PUT",
-		"DELETE",
-		"PATCH",
-		"HEAD",
-		"OPTIONS",
-		"CONNECT",
-		"TRACE"
-	];
-	class H3Core$1 {
-		_middleware;
-		_routes = [];
-		config;
+var H3Core = class {
+	config;
+	"~middleware";
+	"~routes" = [];
+	constructor(config = {}) {
+		this["~middleware"] = [];
+		this.config = config;
+		this.fetch = this.fetch.bind(this);
+		this.handler = this.handler.bind(this);
+	}
+	fetch(request) {
+		return this["~request"](request);
+	}
+	handler(event) {
+		const route = this["~findRoute"](event);
+		if (route) {
+			event.context.params = route.params;
+			event.context.matchedRoute = route.data;
+		}
+		const routeHandler = route?.data.handler || NoHandler;
+		const middleware = this["~getMiddleware"](event, route);
+		return middleware.length > 0 ? callMiddleware(event, middleware, routeHandler) : routeHandler(event);
+	}
+	"~request"(request, context) {
+		const event = new H3Event(request, context, this);
+		let handlerRes;
+		try {
+			if (this.config.onRequest) {
+				const hookRes = this.config.onRequest(event);
+				handlerRes = typeof hookRes?.then === "function" ? hookRes.then(() => this.handler(event)) : this.handler(event);
+			} else handlerRes = this.handler(event);
+		} catch (error) {
+			handlerRes = Promise.reject(error);
+		}
+		return toResponse(handlerRes, event, this.config);
+	}
+	"~findRoute"(_event) {}
+	"~addRoute"(_route) {
+		this["~routes"].push(_route);
+	}
+	"~getMiddleware"(_event, route) {
+		const routeMiddleware = route?.data.middleware;
+		const globalMiddleware = this["~middleware"];
+		return routeMiddleware ? [...globalMiddleware, ...routeMiddleware] : globalMiddleware;
+	}
+};
+const H3 = /* @__PURE__ */ (() => {
+	class H3 extends H3Core {
+		"~rou3";
 		constructor(config = {}) {
-			this._middleware = [];
-			this.config = config;
-			this.fetch = this.fetch.bind(this);
+			super(config);
+			this["~rou3"] = createRouter();
 			this.request = this.request.bind(this);
-			this.handler = this.handler.bind(this);
 			config.plugins?.forEach((plugin) => plugin(this));
 		}
-		fetch(request) {
-			return this._request(request);
-		}
-		request(_req, _init, context) {
-			return this._request(toRequest(_req, _init), context);
-		}
-		_request(request, context) {
-			const event = new H3Event(request, context, this);
-			let handlerRes;
-			try {
-				if (this.config.onRequest) {
-					const hookRes = this.config.onRequest(event);
-					handlerRes = typeof hookRes?.then === "function" ? hookRes.then(() => this.handler(event)) : this.handler(event);
-				} else handlerRes = this.handler(event);
-			} catch (error) {
-				handlerRes = Promise.reject(error);
-			}
-			return toResponse(handlerRes, event, this.config);
-		}
-		/**
-		* Immediately register an H3 plugin.
-		*/
 		register(plugin) {
 			plugin(this);
 			return this;
 		}
-		_findRoute(_event) {}
-		_addRoute(_route) {
-			this._routes.push(_route);
-		}
-		_getMiddleware(_event, route) {
-			return route?.data.middleware ? [...this._middleware, ...route.data.middleware] : this._middleware;
-		}
-		handler(event) {
-			const route = this._findRoute(event);
-			if (route) {
-				event.context.params = route.params;
-				event.context.matchedRoute = route.data;
-			}
-			const routeHandler = route?.data.handler || NoHandler;
-			const middleware = this._getMiddleware(event, route);
-			return middleware.length > 0 ? callMiddleware(event, middleware, routeHandler) : routeHandler(event);
+		request(_req, _init, context) {
+			return this["~request"](toRequest(_req, _init), context);
 		}
 		mount(base, input) {
 			if ("handler" in input) {
-				if (input._middleware.length > 0) this._middleware.push((event, next) => {
-					return event.url.pathname.startsWith(base) ? callMiddleware(event, input._middleware, next) : next();
+				if (input["~middleware"].length > 0) this["~middleware"].push((event, next) => {
+					const originalPathname = event.url.pathname;
+					if (!originalPathname.startsWith(base) || originalPathname.length > base.length && originalPathname[base.length] !== "/") return next();
+					event.url.pathname = event.url.pathname.slice(base.length) || "/";
+					return callMiddleware(event, input["~middleware"], () => {
+						event.url.pathname = originalPathname;
+						return next();
+					});
 				});
-				for (const r of input._routes) this._addRoute({
+				for (const r of input["~routes"]) this["~addRoute"]({
 					...r,
 					route: base + r.route
 				});
 			} else {
 				const fetchHandler = "fetch" in input ? input.fetch : input;
 				this.all(`${base}/**`, function _mountedMiddleware(event) {
-					const url = new URL(event.url);
-					url.pathname = url.pathname.slice(base.length) || "/";
-					return fetchHandler(new Request(url, event.req));
+					return fetchHandler(requestWithBaseURL(event.req, base));
 				});
 			}
 			return this;
 		}
-		all(route, handler, opts) {
-			return this.on("", route, handler, opts);
-		}
 		on(method, route, handler, opts) {
 			const _method = (method || "").toUpperCase();
 			route = new URL(route, "http://_").pathname;
-			this._addRoute({
+			this["~addRoute"]({
 				method: _method,
 				route,
 				handler: toEventHandler(handler),
@@ -1062,8 +815,15 @@ const H3Core = /* @__PURE__ */ (() => {
 			});
 			return this;
 		}
-		_normalizeMiddleware(fn, _opts) {
-			return fn;
+		all(route, handler, opts) {
+			return this.on("", route, handler, opts);
+		}
+		"~findRoute"(_event) {
+			return findRoute(this["~rou3"], _event.req.method, _event.url.pathname);
+		}
+		"~addRoute"(_route) {
+			addRoute(this["~rou3"], _route.method, _route.route, _route);
+			super["~addRoute"](_route);
 		}
 		use(arg1, arg2, arg3) {
 			let route;
@@ -1077,42 +837,29 @@ const H3Core = /* @__PURE__ */ (() => {
 				fn = arg1;
 				opts = arg2;
 			}
-			this._middleware.push(this._normalizeMiddleware(fn, {
+			if (typeof fn !== "function" && "handler" in fn) return this.mount(route || "", fn);
+			this["~middleware"].push(normalizeMiddleware(fn, {
 				...opts,
 				route
 			}));
 			return this;
 		}
 	}
-	for (const method of HTTPMethods) H3Core$1.prototype[method.toLowerCase()] = function(route, handler, opts) {
+	for (const method of [
+		"GET",
+		"POST",
+		"PUT",
+		"DELETE",
+		"PATCH",
+		"HEAD",
+		"OPTIONS",
+		"CONNECT",
+		"TRACE"
+	]) H3Core.prototype[method.toLowerCase()] = function(route, handler, opts) {
 		return this.on(method, route, handler, opts);
 	};
-	return H3Core$1;
+	return H3;
 })();
-var H3 = class extends H3Core {
-	/** @internal */
-	_rou3;
-	constructor(config = {}) {
-		super(config);
-		this._rou3 = createRouter();
-	}
-	_findRoute(_event) {
-		return findRoute(this._rou3, _event.req.method, _event.url.pathname);
-	}
-	_addRoute(_route) {
-		addRoute(this._rou3, _route.method, _route.route, _route);
-		super._addRoute(_route);
-	}
-	_normalizeMiddleware(fn, opts) {
-		return normalizeMiddleware(fn, opts);
-	}
-};
-
-//#endregion
-//#region src/adapters.ts
-/**
-* @deprecated Since h3 v2 you can directly use `app.fetch(request, init?, context?)`
-*/
 function toWebHandler(app) {
 	return (request, context) => {
 		return Promise.resolve(app.request(request, void 0, context || request.context));
@@ -1141,8 +888,16 @@ function callNodeHandler(handler, req, res) {
 	return new Promise((resolve, reject) => {
 		res.once("close", () => resolve(kHandled));
 		res.once("finish", () => resolve(kHandled));
-		res.once("pipe", (stream) => resolve(stream));
 		res.once("error", (error) => reject(error));
+		res.once("pipe", (stream) => {
+			resolve(new Promise((resolve, reject) => {
+				stream.once("close", () => resolve(kHandled));
+				stream.once("error", (error) => {
+					console.error("[h3] Stream error in Node.js handler", { cause: error });
+					reject(kHandled);
+				});
+			}));
+		});
 		try {
 			if (isMiddleware) Promise.resolve(handler(req, res, (error) => error ? reject(new HTTPError({
 				cause: error,
@@ -1163,44 +918,19 @@ function callNodeHandler(handler, req, res) {
 		}
 	});
 }
-
-//#endregion
-//#region src/utils/route.ts
-/**
-* Define a route as a plugin that can be registered with app.register()
-*
-* @example
-* ```js
-* import { z } from "zod";
-*
-* const userRoute = defineRoute({
-*    method: 'POST',
-*    validate: {
-*      query: z.object({ id: z.string().uuid() }),
-*      body: z.object({ name: z.string() }),
-*    },
-*    handler: (event) => {
-*      return { success: true };
-*    }
-* });
-*
-* app.register(userRoute);
-* ```
-*/
 function defineRoute(def) {
 	const handler = defineValidatedHandler(def);
 	return (h3) => {
 		h3.on(def.method, def.route, handler);
 	};
 }
-
-//#endregion
-//#region src/utils/internal/encoding.ts
-/**
-Base64 encoding based on https://github.com/denoland/std/tree/main/encoding (modified with url compatibility)
-Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
-https://github.com/denoland/std/blob/main/LICENSE
-*/
+function removeRoute$1(app, method, route) {
+	const _method = method ? method.toUpperCase() : void 0;
+	route = new URL(route, "http://_").pathname;
+	removeRoute(app["~rou3"], _method || "", route);
+	const idx = app["~routes"].findIndex((r) => r.route === route && (_method == null || r.method === _method));
+	if (idx !== -1) app["~routes"].splice(idx, 1);
+}
 const textEncoder = /* @__PURE__ */ new TextEncoder();
 const textDecoder = /* @__PURE__ */ new TextDecoder();
 const base64Code = [
@@ -1295,19 +1025,6 @@ function validateBinaryLike(source) {
 	else if (source instanceof ArrayBuffer) return new Uint8Array(source);
 	throw new TypeError(`The input must be a Uint8Array, a string, or an ArrayBuffer.`);
 }
-
-//#endregion
-//#region src/utils/internal/iterable.ts
-/**
-* The default implementation for {@link iterable}'s `serializer` argument.
-* It serializes values as follows:
-* - Instances of {@link String}, {@link Uint8Array} and `undefined` are returned as-is.
-* - Objects are serialized through {@link JSON.stringify}.
-* - Functions are serialized as `undefined`.
-* - Values of type boolean, number, bigint or symbol are serialized using their `toString` function.
-*
-* @param value - The value to serialize to either a string or Uint8Array.
-*/
 function serializeIterableValue(value) {
 	switch (typeof value) {
 		case "string": return textEncoder.encode(value);
@@ -1315,57 +1032,31 @@ function serializeIterableValue(value) {
 		case "number":
 		case "bigint":
 		case "symbol": return textEncoder.encode(value.toString());
-		case "object": {
+		case "object":
 			if (value instanceof Uint8Array) return value;
 			return textEncoder.encode(JSON.stringify(value));
-		}
 	}
 	return new Uint8Array();
 }
-function coerceIterable(iterable$1) {
-	if (typeof iterable$1 === "function") iterable$1 = iterable$1();
-	if (Symbol.iterator in iterable$1) return iterable$1[Symbol.iterator]();
-	if (Symbol.asyncIterator in iterable$1) return iterable$1[Symbol.asyncIterator]();
-	return iterable$1;
-}
-
-//#endregion
-//#region src/utils/response.ts
-/**
-* Respond with an empty payload.<br>
-*
-* @example
-* app.get("/", () => noContent());
-*
-* @param status status code to be send. By default, it is `204 No Content`.
-*/
+function coerceIterable(iterable) {
+	if (typeof iterable === "function") iterable = iterable();
+	if (Symbol.iterator in iterable) return iterable[Symbol.iterator]();
+	if (Symbol.asyncIterator in iterable) return iterable[Symbol.asyncIterator]();
+	return iterable;
+}
 function noContent(status = 204) {
 	return new HTTPResponse(null, {
 		status,
 		statusText: "No Content"
 	});
 }
-/**
-* Send a redirect response to the client.
-*
-* It adds the `location` header to the response and sets the status code to 302 by default.
-*
-* In the body, it sends a simple HTML page with a meta refresh tag to redirect the client in case the headers are ignored.
-*
-* @example
-* app.get("/", () => {
-*   return redirect("https://example.com");
-* });
-*
-* @example
-* app.get("/", () => {
-*   return redirect("https://example.com", 301); // Permanent redirect
-* });
-*/
 function redirect(location, status = 302, statusText) {
-	const encodedLoc = location.replace(/"/g, "%22");
-	const body = `<html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}" /></head></html>`;
-	return new HTTPResponse(body, {
+	return new HTTPResponse(`<html><head><meta http-equiv="refresh" content="0; url=${location.replace(/[&"<>]/g, (c) => ({
+		"&": "&amp;",
+		"\"": "&quot;",
+		"<": "&lt;",
+		">": "&gt;"
+	})[c])}" /></head></html>`, {
 		status,
 		statusText: statusText || (status === 301 ? "Moved Permanently" : "Found"),
 		headers: {
@@ -1374,49 +1065,32 @@ function redirect(location, status = 302, statusText) {
 		}
 	});
 }
-/**
-* Write `HTTP/1.1 103 Early Hints` to the client.
-*/
+function redirectBack(event, opts = {}) {
+	const referer = event.req.headers.get("referer");
+	let location = opts.fallback ?? "/";
+	if (referer && URL.canParse(referer)) {
+		const refererURL = new URL(referer);
+		if (refererURL.origin === event.url.origin) {
+			let pathname = refererURL.pathname;
+			if (pathname.startsWith("//")) pathname = "/" + pathname.replace(/^\/+/, "");
+			location = pathname + (opts.allowQuery ? refererURL.search : "");
+		}
+	}
+	return redirect(location, opts.status);
+}
 function writeEarlyHints(event, hints) {
-	if (!event.runtime?.node?.res?.writeEarlyHints) return;
-	return new Promise((resolve) => {
+	if (event.runtime?.node?.res?.writeEarlyHints) return new Promise((resolve) => {
 		event.runtime?.node?.res?.writeEarlyHints(hints, () => resolve());
 	});
+	for (const [name, value] of Object.entries(hints)) {
+		if (name.toLowerCase() !== "link") continue;
+		if (Array.isArray(value)) for (const v of value) event.res.headers.append("link", v);
+		else event.res.headers.append("link", value);
+	}
 }
-/**
-* Iterate a source of chunks and send back each chunk in order.
-* Supports mixing async work together with emitting chunks.
-*
-* Each chunk must be a string or a buffer.
-*
-* For generator (yielding) functions, the returned value is treated the same as yielded values.
-*
-* @param iterable - Iterator that produces chunks of the response.
-* @param serializer - Function that converts values from the iterable into stream-compatible values.
-* @template Value - Test
-*
-* @example
-* return iterable(async function* work() {
-*   // Open document body
-*   yield "<!DOCTYPE html>\n<html><body><h1>Executing...</h1><ol>\n";
-*   // Do work ...
-*   for (let i = 0; i < 1000) {
-*     await delay(1000);
-*     // Report progress
-*     yield `<li>Completed job #`;
-*     yield i;
-*     yield `</li>\n`;
-*   }
-*   // Close out the report
-*   return `</ol></body></html>`;
-* })
-* async function delay(ms) {
-*   return new Promise(resolve => setTimeout(resolve, ms));
-* }
-*/
-function iterable(iterable$1, options) {
+function iterable(iterable, options) {
 	const serializer = options?.serializer ?? serializeIterableValue;
-	const iterator = coerceIterable(iterable$1);
+	const iterator = coerceIterable(iterable);
 	return new HTTPResponse(new ReadableStream({
 		async pull(controller) {
 			const { value, done } = await iterator.next();
@@ -1432,38 +1106,73 @@ function iterable(iterable$1, options) {
 	}));
 }
 function html(first, ...values) {
-	const body = typeof first === "string" ? first : first.reduce((out, str, i) => out + str + (values[i] ?? ""), "");
-	return new HTTPResponse(body, { headers: { "content-type": "text/html; charset=utf-8" } });
-}
-
-//#endregion
-//#region src/utils/middleware.ts
-/**
-* Define a middleware that runs on each request.
-*/
+	return new HTTPResponse(typeof first === "string" ? first : first.reduce((out, str, i) => out + str + (values[i] ?? ""), ""), { headers: { "content-type": "text/html; charset=utf-8" } });
+}
+function parseURLEncodedBody(body) {
+	const form = new URLSearchParams(body);
+	const parsedForm = new EmptyObject();
+	for (const [key, value] of form.entries()) if (hasProp(parsedForm, key)) {
+		if (!Array.isArray(parsedForm[key])) parsedForm[key] = [parsedForm[key]];
+		parsedForm[key].push(value);
+	} else parsedForm[key] = value;
+	return parsedForm;
+}
+async function readBody(event) {
+	const text = await event.req.text();
+	if (!text) return;
+	if ((event.req.headers.get("content-type") || "").startsWith("application/x-www-form-urlencoded")) return parseURLEncodedBody(text);
+	try {
+		return JSON.parse(text);
+	} catch {
+		throw new HTTPError({
+			status: 400,
+			statusText: "Bad Request",
+			message: "Invalid JSON body"
+		});
+	}
+}
+async function readValidatedBody(event, validate, options) {
+	return validateData(await readBody(event), validate, options);
+}
+async function assertBodySize(event, limit) {
+	if (!await isBodySizeWithin(event, limit)) throw new HTTPError({
+		status: 413,
+		statusText: "Request Entity Too Large",
+		message: `Request body size exceeds the limit of ${limit} bytes`
+	});
+}
+async function isBodySizeWithin(event, limit) {
+	const req = event.req;
+	if (req.body === null) return true;
+	const contentLength = req.headers.get("content-length");
+	if (contentLength) {
+		if (req.headers.get("transfer-encoding")) throw new HTTPError({ status: 400 });
+		if (+contentLength > limit) return false;
+	}
+	const reader = req.clone().body.getReader();
+	let chunk = await reader.read();
+	let size = 0;
+	while (!chunk.done) {
+		size += chunk.value.byteLength;
+		if (size > limit) {
+			reader.cancel();
+			return false;
+		}
+		chunk = await reader.read();
+	}
+	return true;
+}
 function onRequest(hook) {
 	return async function _onRequestMiddleware(event) {
 		await hook(event);
 	};
 }
-/**
-* Define a middleware that runs after Response is generated.
-*
-* You can return a new Response from the handler to replace the original response.
-*/
 function onResponse(hook) {
 	return async function _onResponseMiddleware(event, next) {
-		const rawBody = await next();
-		const response = await toResponse(rawBody, event);
-		const hookResponse = await hook(response, event);
-		return hookResponse || response;
+		const response = await toResponse(await next(), event);
+		return await hook(response, event) || response;
 	};
 }
-/**
-* Define a middleware that runs when an error occurs.
-*
-* You can return a new Response from the handler to gracefully handle the error.
-*/
 function onError(hook) {
 	return async (event, next) => {
 		try {
@@ -1481,9 +1190,12 @@ function onError(hook) {
 		}
 	};
 }
-
-//#endregion
-//#region src/utils/internal/proxy.ts
+function bodyLimit(limit) {
+	return async (event, next) => {
+		await assertBodySize(event, limit);
+		return next();
+	};
+}
 const PayloadMethods = new Set([
 	"PATCH",
 	"POST",
@@ -1509,22 +1221,16 @@ function rewriteCookieProperty(header, map, property) {
 		return newValue ? prefix + newValue : "";
 	});
 }
-function mergeHeaders(defaults$1, ...inputs) {
+function mergeHeaders(defaults, ...inputs) {
 	const _inputs = inputs.filter(Boolean);
-	if (_inputs.length === 0) return defaults$1;
-	const merged = new Headers(defaults$1);
+	if (_inputs.length === 0) return defaults;
+	const merged = new Headers(defaults);
 	for (const input of _inputs) {
 		const entries = Array.isArray(input) ? input : typeof input.entries === "function" ? input.entries() : Object.entries(input);
 		for (const [key, value] of entries) if (value !== void 0) merged.set(key, value);
 	}
 	return merged;
 }
-
-//#endregion
-//#region src/utils/proxy.ts
-/**
-* Proxy the incoming request to a target URL.
-*/
 async function proxyRequest(event, target, opts = {}) {
 	const requestBody = PayloadMethods.has(event.req.method) ? event.req.body : void 0;
 	const method = opts.fetchOptions?.method || event.req.method;
@@ -1544,9 +1250,6 @@ async function proxyRequest(event, target, opts = {}) {
 		}
 	});
 }
-/**
-* Make a proxy request to a target URL and send the response back to the client.
-*/
 async function proxy(event, target, opts = {}) {
 	const fetchOptions = {
 		headers: opts.headers,
@@ -1564,13 +1267,12 @@ async function proxy(event, target, opts = {}) {
 	const headers = new Headers();
 	const cookies = [];
 	for (const [key, value] of response.headers.entries()) {
-		if (key === "content-encoding") continue;
-		if (key === "content-length") continue;
+		if (key === "content-encoding" || key === "content-length" || key === "transfer-encoding") continue;
 		if (key === "set-cookie") {
-			cookies.push(...splitSetCookieString(value));
+			cookies.push(value);
 			continue;
 		}
-		headers.set(key, value);
+		headers.append(key, value);
 	}
 	if (cookies.length > 0) {
 		const _cookies = cookies.map((cookie) => {
@@ -1587,9 +1289,6 @@ async function proxy(event, target, opts = {}) {
 		headers
 	});
 }
-/**
-* Get the request headers object without headers known to cause issues when proxying.
-*/
 function getProxyRequestHeaders(event, opts) {
 	const headers = new EmptyObject();
 	for (const [name, value] of event.req.headers.entries()) {
@@ -1605,9 +1304,6 @@ function getProxyRequestHeaders(event, opts) {
 	}
 	return headers;
 }
-/**
-* Make a fetch request with the event's context and headers.
-*/
 async function fetchWithEvent(event, url, init) {
 	if (url[0] !== "/") return fetch(url, init);
 	return event.app.fetch(createSubRequest(event, url, {
@@ -1623,123 +1319,281 @@ function createSubRequest(event, path, init) {
 	req.ip = event.req.ip;
 	return req;
 }
-
-//#endregion
-//#region src/utils/internal/body.ts
-function parseURLEncodedBody(body) {
-	const form = new URLSearchParams(body);
-	const parsedForm = new EmptyObject();
-	for (const [key, value] of form.entries()) if (hasProp(parsedForm, key)) {
-		if (!Array.isArray(parsedForm[key])) parsedForm[key] = [parsedForm[key]];
-		parsedForm[key].push(value);
-	} else parsedForm[key] = value;
-	return parsedForm;
+const COOKIE_MAX_AGE_LIMIT = 3456e4;
+function endIndex(str, min, len) {
+	const index = str.indexOf(";", min);
+	return index === -1 ? len : index;
+}
+function eqIndex(str, min, max) {
+	const index = str.indexOf("=", min);
+	return index < max ? index : -1;
+}
+function valueSlice(str, min, max) {
+	if (min === max) return "";
+	let start = min;
+	let end = max;
+	do {
+		const code = str.charCodeAt(start);
+		if (code !== 32 && code !== 9) break;
+	} while (++start < end);
+	while (end > start) {
+		const code = str.charCodeAt(end - 1);
+		if (code !== 32 && code !== 9) break;
+		end--;
+	}
+	return str.slice(start, end);
+}
+const NullObject = /* @__PURE__ */ (() => {
+	const C = function() {};
+	C.prototype = Object.create(null);
+	return C;
+})();
+function parse(str, options) {
+	const obj = new NullObject();
+	const len = str.length;
+	if (len < 2) return obj;
+	const dec = options?.decode || decode;
+	const allowMultiple = options?.allowMultiple || false;
+	let index = 0;
+	do {
+		const eqIdx = eqIndex(str, index, len);
+		if (eqIdx === -1) break;
+		const endIdx = endIndex(str, index, len);
+		if (eqIdx > endIdx) {
+			index = str.lastIndexOf(";", eqIdx - 1) + 1;
+			continue;
+		}
+		const key = valueSlice(str, index, eqIdx);
+		if (options?.filter && !options.filter(key)) {
+			index = endIdx + 1;
+			continue;
+		}
+		const val = dec(valueSlice(str, eqIdx + 1, endIdx));
+		if (allowMultiple) {
+			const existing = obj[key];
+			if (existing === void 0) obj[key] = val;
+			else if (Array.isArray(existing)) existing.push(val);
+			else obj[key] = [existing, val];
+		} else if (obj[key] === void 0) obj[key] = val;
+		index = endIdx + 1;
+	} while (index < len);
+	return obj;
+}
+function decode(str) {
+	if (!str.includes("%")) return str;
+	try {
+		return decodeURIComponent(str);
+	} catch {
+		return str;
+	}
+}
+const cookieNameRegExp = /^[\u0021-\u003A\u003C\u003E-\u007E]+$/;
+const cookieValueRegExp = /^[\u0021-\u003A\u003C-\u007E]*$/;
+const domainValueRegExp = /^([.]?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)([.][a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
+const pathValueRegExp = /^[\u0020-\u003A\u003C-\u007E]*$/;
+const __toString = Object.prototype.toString;
+function serialize(_a0, _a1, _a2) {
+	const isObj = typeof _a0 === "object" && _a0 !== null;
+	const options = isObj ? _a1 : _a2;
+	const stringify = options?.stringify || JSON.stringify;
+	const cookie = isObj ? _a0 : {
+		..._a2,
+		name: _a0,
+		value: _a1 == void 0 ? "" : typeof _a1 === "string" ? _a1 : stringify(_a1)
+	};
+	const enc = options?.encode || encodeURIComponent;
+	if (!cookieNameRegExp.test(cookie.name)) throw new TypeError(`argument name is invalid: ${cookie.name}`);
+	const value = cookie.value ? enc(cookie.value) : "";
+	if (!cookieValueRegExp.test(value)) throw new TypeError(`argument val is invalid: ${cookie.value}`);
+	if (!cookie.secure) {
+		if (cookie.partitioned) throw new TypeError(`Partitioned cookies must have the Secure attribute`);
+		if (cookie.sameSite && String(cookie.sameSite).toLowerCase() === "none") throw new TypeError(`SameSite=None cookies must have the Secure attribute`);
+		if (cookie.name.length > 9 && cookie.name.charCodeAt(0) === 95 && cookie.name.charCodeAt(1) === 95) {
+			const nameLower = cookie.name.toLowerCase();
+			if (nameLower.startsWith("__secure-") || nameLower.startsWith("__host-")) throw new TypeError(`${cookie.name} cookies must have the Secure attribute`);
+		}
+	}
+	if (cookie.name.length > 7 && cookie.name.charCodeAt(0) === 95 && cookie.name.charCodeAt(1) === 95 && cookie.name.toLowerCase().startsWith("__host-")) {
+		if (cookie.path !== "/") throw new TypeError(`__Host- cookies must have Path=/`);
+		if (cookie.domain) throw new TypeError(`__Host- cookies must not have a Domain attribute`);
+	}
+	let str = cookie.name + "=" + value;
+	if (cookie.maxAge !== void 0) {
+		if (!Number.isInteger(cookie.maxAge)) throw new TypeError(`option maxAge is invalid: ${cookie.maxAge}`);
+		str += "; Max-Age=" + Math.max(0, Math.min(cookie.maxAge, COOKIE_MAX_AGE_LIMIT));
+	}
+	if (cookie.domain) {
+		if (!domainValueRegExp.test(cookie.domain)) throw new TypeError(`option domain is invalid: ${cookie.domain}`);
+		str += "; Domain=" + cookie.domain;
+	}
+	if (cookie.path) {
+		if (!pathValueRegExp.test(cookie.path)) throw new TypeError(`option path is invalid: ${cookie.path}`);
+		str += "; Path=" + cookie.path;
+	}
+	if (cookie.expires) {
+		if (!isDate(cookie.expires) || !Number.isFinite(cookie.expires.valueOf())) throw new TypeError(`option expires is invalid: ${cookie.expires}`);
+		str += "; Expires=" + cookie.expires.toUTCString();
+	}
+	if (cookie.httpOnly) str += "; HttpOnly";
+	if (cookie.secure) str += "; Secure";
+	if (cookie.partitioned) str += "; Partitioned";
+	if (cookie.priority) switch (typeof cookie.priority === "string" ? cookie.priority.toLowerCase() : void 0) {
+		case "low":
+			str += "; Priority=Low";
+			break;
+		case "medium":
+			str += "; Priority=Medium";
+			break;
+		case "high":
+			str += "; Priority=High";
+			break;
+		default: throw new TypeError(`option priority is invalid: ${cookie.priority}`);
+	}
+	if (cookie.sameSite) switch (typeof cookie.sameSite === "string" ? cookie.sameSite.toLowerCase() : cookie.sameSite) {
+		case true:
+		case "strict":
+			str += "; SameSite=Strict";
+			break;
+		case "lax":
+			str += "; SameSite=Lax";
+			break;
+		case "none":
+			str += "; SameSite=None";
+			break;
+		default: throw new TypeError(`option sameSite is invalid: ${cookie.sameSite}`);
+	}
+	return str;
+}
+function isDate(val) {
+	return __toString.call(val) === "[object Date]";
+}
+const maxAgeRegExp = /^-?\d+$/;
+const _nullProto = /* @__PURE__ */ Object.getPrototypeOf({});
+function parseSetCookie(str, options) {
+	const len = str.length;
+	let _endIdx = len;
+	let eqIdx = -1;
+	for (let i = 0; i < len; i++) {
+		const c = str.charCodeAt(i);
+		if (c === 59) {
+			_endIdx = i;
+			break;
+		}
+		if (c === 61 && eqIdx === -1) eqIdx = i;
+	}
+	if (eqIdx >= _endIdx) eqIdx = -1;
+	const name = eqIdx === -1 ? "" : _trim(str, 0, eqIdx);
+	if (name && name in _nullProto) return void 0;
+	let value = eqIdx === -1 ? _trim(str, 0, _endIdx) : _trim(str, eqIdx + 1, _endIdx);
+	if (!name && !value) return void 0;
+	if (name.length + value.length > 4096) return void 0;
+	if (options?.decode !== false) value = _decode(value, options?.decode);
+	const setCookie = {
+		name,
+		value
+	};
+	let index = _endIdx + 1;
+	while (index < len) {
+		let endIdx = len;
+		let attrEqIdx = -1;
+		for (let i = index; i < len; i++) {
+			const c = str.charCodeAt(i);
+			if (c === 59) {
+				endIdx = i;
+				break;
+			}
+			if (c === 61 && attrEqIdx === -1) attrEqIdx = i;
+		}
+		if (attrEqIdx >= endIdx) attrEqIdx = -1;
+		const attr = attrEqIdx === -1 ? _trim(str, index, endIdx) : _trim(str, index, attrEqIdx);
+		const val = attrEqIdx === -1 ? void 0 : _trim(str, attrEqIdx + 1, endIdx);
+		if (val === void 0 || val.length <= 1024) switch (attr.toLowerCase()) {
+			case "httponly":
+				setCookie.httpOnly = true;
+				break;
+			case "secure":
+				setCookie.secure = true;
+				break;
+			case "partitioned":
+				setCookie.partitioned = true;
+				break;
+			case "domain":
+				if (val) setCookie.domain = (val.charCodeAt(0) === 46 ? val.slice(1) : val).toLowerCase();
+				break;
+			case "path":
+				setCookie.path = val;
+				break;
+			case "max-age":
+				if (val && maxAgeRegExp.test(val)) setCookie.maxAge = Math.min(Number(val), COOKIE_MAX_AGE_LIMIT);
+				break;
+			case "expires": {
+				if (!val) break;
+				const date = new Date(val);
+				if (Number.isFinite(date.valueOf())) {
+					const maxDate = new Date(Date.now() + COOKIE_MAX_AGE_LIMIT * 1e3);
+					setCookie.expires = date > maxDate ? maxDate : date;
+				}
+				break;
+			}
+			case "priority": {
+				if (!val) break;
+				const priority = val.toLowerCase();
+				if (priority === "low" || priority === "medium" || priority === "high") setCookie.priority = priority;
+				break;
+			}
+			case "samesite": {
+				if (!val) break;
+				const sameSite = val.toLowerCase();
+				if (sameSite === "lax" || sameSite === "strict" || sameSite === "none") setCookie.sameSite = sameSite;
+				else setCookie.sameSite = "lax";
+				break;
+			}
+			default: {
+				const attrLower = attr.toLowerCase();
+				if (attrLower && !(attrLower in _nullProto)) setCookie[attrLower] = val;
+			}
+		}
+		index = endIdx + 1;
+	}
+	return setCookie;
 }
-
-//#endregion
-//#region src/utils/body.ts
-/**
-* Reads request body and tries to parse using JSON.parse or URLSearchParams.
-*
-* @example
-* app.get("/", async (event) => {
-*   const body = await readBody(event);
-* });
-*
-* @param event H3 event passed by h3 handler
-* @param encoding The character encoding to use, defaults to 'utf-8'.
-*
-* @return {*} The `Object`, `Array`, `String`, `Number`, `Boolean`, or `null` value corresponding to the request JSON body
-*/
-async function readBody(event) {
-	const text = await event.req.text();
-	if (!text) return void 0;
-	const contentType = event.req.headers.get("content-type") || "";
-	if (contentType.startsWith("application/x-www-form-urlencoded")) return parseURLEncodedBody(text);
+function _trim(str, start, end) {
+	if (start === end) return "";
+	let s = start;
+	let e = end;
+	while (s < e && (str.charCodeAt(s) === 32 || str.charCodeAt(s) === 9)) s++;
+	while (e > s && (str.charCodeAt(e - 1) === 32 || str.charCodeAt(e - 1) === 9)) e--;
+	return str.slice(s, e);
+}
+function _decode(value, decode) {
+	if (!decode && !value.includes("%")) return value;
 	try {
-		return JSON.parse(text);
+		return (decode || decodeURIComponent)(value);
 	} catch {
-		throw new HTTPError({
-			status: 400,
-			statusText: "Bad Request",
-			message: "Invalid JSON body"
-		});
+		return value;
 	}
 }
-/**
-* Tries to read the request body via `readBody`, then uses the provided validation schema or function and either throws a validation error or returns the result.
-*
-* You can use a simple function to validate the body or use a Standard-Schema compatible library like `zod` to define a schema.
-*
-* @example
-* app.get("/", async (event) => {
-*   const body = await readValidatedBody(event, (body) => {
-*     return typeof body === "object" && body !== null;
-*   });
-* });
-* @example
-* import { z } from "zod";
-*
-* app.get("/", async (event) => {
-*   const objectSchema = z.object({
-*     name: z.string().min(3).max(20),
-*     age: z.number({ coerce: true }).positive().int(),
-*   });
-*   const body = await readValidatedBody(event, objectSchema);
-* });
-*
-* @param event The HTTPEvent passed by the handler.
-* @param validate The function to use for body validation. It will be called passing the read request body. If the result is not false, the parsed body will be returned.
-* @throws If the validation function returns `false` or throws, a validation error will be thrown.
-* @return {*} The `Object`, `Array`, `String`, `Number`, `Boolean`, or `null` value corresponding to the request JSON body.
-* @see {readBody}
-*/
-async function readValidatedBody(event, validate) {
-	const _body = await readBody(event);
-	return validateData(_body, validate);
-}
-
-//#endregion
-//#region src/utils/cookie.ts
 const CHUNKED_COOKIE = "__chunked__";
 const CHUNKS_MAX_LENGTH = 4e3;
-/**
-* Parse the request to get HTTP Cookie header string and returning an object of all cookie name-value pairs.
-* @param event {HTTPEvent} H3 event or req passed by h3 handler
-* @returns Object of cookie name-value pairs
-* ```ts
-* const cookies = parseCookies(event)
-* ```
-*/
 function parseCookies(event) {
 	return parse(event.req.headers.get("cookie") || "");
 }
-/**
-* Get a cookie value by name.
-* @param event {HTTPEvent} H3 event or req passed by h3 handler
-* @param name Name of the cookie to get
-* @returns {*} Value of the cookie (String or undefined)
-* ```ts
-* const authorization = getCookie(request, 'Authorization')
-* ```
-*/
+function getValidatedCookies(event, validate, options) {
+	return validateData(parseCookies(event), validate, options);
+}
 function getCookie(event, name) {
 	return parseCookies(event)[name];
 }
-/**
-* Set a cookie value by name.
-* @param event {H3Event} H3 event or res passed by h3 handler
-* @param name Name of the cookie to set
-* @param value Value of the cookie to set
-* @param options {CookieSerializeOptions} Options for serializing the cookie
-* ```ts
-* setCookie(res, 'Authorization', '1234567')
-* ```
-*/
 function setCookie(event, name, value, options) {
-	const newCookie = serialize(name, value, {
+	const { encode, stringify, ...attrs } = options ?? {};
+	const newCookie = serialize({
+		name,
+		value,
 		path: "/",
-		...options
+		...attrs
+	}, {
+		encode,
+		stringify
 	});
 	const currentCookies = event.res.headers.getSetCookie();
 	if (currentCookies.length === 0) {
@@ -1749,59 +1603,32 @@ function setCookie(event, name, value, options) {
 	const newCookieKey = _getDistinctCookieKey(name, options || {});
 	event.res.headers.delete("set-cookie");
 	for (const cookie of currentCookies) {
-		const _key = _getDistinctCookieKey(cookie.split("=")?.[0], parseSetCookie(cookie));
-		if (_key === newCookieKey) continue;
+		const parsed = parseSetCookie(cookie);
+		if (!parsed) continue;
+		if (_getDistinctCookieKey(cookie.split("=")?.[0], parsed) === newCookieKey) continue;
 		event.res.headers.append("set-cookie", cookie);
 	}
 	event.res.headers.append("set-cookie", newCookie);
 }
-/**
-* Remove a cookie by name.
-* @param event {H3Event} H3 event or res passed by h3 handler
-* @param name Name of the cookie to delete
-* @param serializeOptions {CookieSerializeOptions} Cookie options
-* ```ts
-* deleteCookie(res, 'SessionId')
-* ```
-*/
 function deleteCookie(event, name, serializeOptions) {
 	setCookie(event, name, "", {
 		...serializeOptions,
 		maxAge: 0
 	});
 }
-/**
-* Get a chunked cookie value by name. Will join chunks together.
-* @param event {HTTPEvent} { req: Request }
-* @param name Name of the cookie to get
-* @returns {*} Value of the cookie (String or undefined)
-* ```ts
-* const authorization = getCookie(request, 'Session')
-* ```
-*/
 function getChunkedCookie(event, name) {
 	const mainCookie = getCookie(event, name);
 	if (!mainCookie || !mainCookie.startsWith(CHUNKED_COOKIE)) return mainCookie;
 	const chunksCount = getChunkedCookieCount(mainCookie);
-	if (chunksCount === 0) return void 0;
+	if (chunksCount === 0) return;
 	const chunks = [];
 	for (let i = 1; i <= chunksCount; i++) {
 		const chunk = getCookie(event, chunkCookieName(name, i));
-		if (!chunk) return void 0;
+		if (!chunk) return;
 		chunks.push(chunk);
 	}
 	return chunks.join("");
 }
-/**
-* Set a cookie value by name. Chunked cookies will be created as needed.
-* @param event {H3Event} H3 event or res passed by h3 handler
-* @param name Name of the cookie to set
-* @param value Value of the cookie to set
-* @param options {CookieSerializeOptions} Options for serializing the cookie
-* ```ts
-* setCookie(res, 'Session', '<session data>')
-* ```
-*/
 function setChunkedCookie(event, name, value, options) {
 	const chunkMaxLength = options?.chunkMaxLength || CHUNKS_MAX_LENGTH;
 	const chunkCount = Math.ceil(value.length / chunkMaxLength);
@@ -1814,8 +1641,7 @@ function setChunkedCookie(event, name, value, options) {
 		setCookie(event, name, value, options);
 		return;
 	}
-	const mainCookieValue = `${CHUNKED_COOKIE}${chunkCount}`;
-	setCookie(event, name, mainCookieValue, options);
+	setCookie(event, name, `${CHUNKED_COOKIE}${chunkCount}`, options);
 	for (let i = 1; i <= chunkCount; i++) {
 		const start = (i - 1) * chunkMaxLength;
 		const end = start + chunkMaxLength;
@@ -1823,26 +1649,12 @@ function setChunkedCookie(event, name, value, options) {
 		setCookie(event, chunkCookieName(name, i), chunkValue, options);
 	}
 }
-/**
-* Remove a set of chunked cookies by name.
-* @param event {H3Event} H3 event or res passed by h3 handler
-* @param name Name of the cookie to delete
-* @param serializeOptions {CookieSerializeOptions} Cookie options
-* ```ts
-* deleteCookie(res, 'Session')
-* ```
-*/
 function deleteChunkedCookie(event, name, serializeOptions) {
 	const mainCookie = getCookie(event, name);
 	deleteCookie(event, name, serializeOptions);
 	const chunksCount = getChunkedCookieCount(mainCookie);
 	if (chunksCount >= 0) for (let i = 0; i < chunksCount; i++) deleteCookie(event, chunkCookieName(name, i + 1), serializeOptions);
 }
-/**
-* Cookies are unique by "cookie-name, domain-value, and path-value".
-*
-* @see https://httpwg.org/specs/rfc6265.html#rfc.section.4.1.2
-*/
 function _getDistinctCookieKey(name, options) {
 	return [
 		name,
@@ -1850,19 +1662,17 @@ function _getDistinctCookieKey(name, options) {
 		options.path || "/"
 	].join(";");
 }
+const MAX_CHUNKED_COOKIE_COUNT = 100;
 function getChunkedCookieCount(cookie) {
-	if (!cookie?.startsWith(CHUNKED_COOKIE)) return Number.NaN;
-	return Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));
+	if (!cookie?.startsWith(CHUNKED_COOKIE)) return NaN;
+	const count = Number.parseInt(cookie.slice(11));
+	if (Number.isNaN(count) || count < 0 || count > MAX_CHUNKED_COOKIE_COUNT) return NaN;
+	return count;
 }
 function chunkCookieName(name, chunkNumber) {
 	return `${name}.${chunkNumber}`;
 }
-
-//#endregion
-//#region src/utils/internal/event-stream.ts
-/**
-* A helper class for [server sent events](https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events/Using_server-sent_events#event_stream_format)
-*/
+const _noop = () => {};
 var EventStream = class {
 	_event;
 	_transformStream = new TransformStream();
@@ -1876,7 +1686,7 @@ var EventStream = class {
 	constructor(event, opts = {}) {
 		this._event = event;
 		this._writer = this._transformStream.writable.getWriter();
-		this._writer.closed.then(() => {
+		this._writer.closed.catch(_noop).finally(() => {
 			this._writerIsClosed = true;
 		});
 		if (opts.autoclose !== false) this._event.runtime?.node?.res?.once("close", () => this.close());
@@ -1909,7 +1719,9 @@ var EventStream = class {
 			this._unsentData += formatEventStreamComment(comment);
 			return;
 		}
-		await this._writer.write(this._encoder.encode(formatEventStreamComment(comment))).catch();
+		await this._writer.write(this._encoder.encode(formatEventStreamComment(comment))).catch(() => {
+			this._writerIsClosed = true;
+		});
 	}
 	async _sendEvent(message) {
 		if (this._writerIsClosed) return;
@@ -1921,7 +1733,9 @@ var EventStream = class {
 			this._unsentData += formatEventStreamMessage(message);
 			return;
 		}
-		await this._writer.write(this._encoder.encode(formatEventStreamMessage(message))).catch();
+		await this._writer.write(this._encoder.encode(formatEventStreamMessage(message))).catch(() => {
+			this._writerIsClosed = true;
+		});
 	}
 	async _sendEvents(messages) {
 		if (this._writerIsClosed) return;
@@ -1934,7 +1748,9 @@ var EventStream = class {
 			this._unsentData += payload;
 			return;
 		}
-		await this._writer.write(this._encoder.encode(payload)).catch();
+		await this._writer.write(this._encoder.encode(payload)).catch(() => {
+			this._writerIsClosed = true;
+		});
 	}
 	pause() {
 		this._paused = true;
@@ -1949,13 +1765,12 @@ var EventStream = class {
 	async flush() {
 		if (this._writerIsClosed) return;
 		if (this._unsentData?.length) {
-			await this._writer.write(this._encoder.encode(this._unsentData));
+			await this._writer.write(this._encoder.encode(this._unsentData)).catch(() => {
+				this._writerIsClosed = true;
+			});
 			this._unsentData = void 0;
 		}
 	}
-	/**
-	* Close the stream and the connection if the stream is being sent to the client
-	*/
 	async close() {
 		if (this._disposed) return;
 		if (!this._writerIsClosed) try {
@@ -1963,12 +1778,8 @@ var EventStream = class {
 		} catch {}
 		this._disposed = true;
 	}
-	/**
-	* Triggers callback when the writable stream is closed.
-	* It is also triggered after calling the `close()` method.
-	*/
 	onClosed(cb) {
-		this._writer.closed.then(cb);
+		this._writer.closed.then(cb).catch(_noop);
 	}
 	async send() {
 		setEventStreamHeaders(this._event);
@@ -1978,16 +1789,21 @@ var EventStream = class {
 	}
 };
 function formatEventStreamComment(comment) {
-	return `: ${comment}\n\n`;
+	return comment.split(/\r\n|\r|\n/).map((l) => `: ${l}\n`).join("") + "\n";
 }
 function formatEventStreamMessage(message) {
 	let result = "";
-	if (message.id) result += `id: ${message.id}\n`;
-	if (message.event) result += `event: ${message.event}\n`;
+	if (message.id) result += `id: ${_sanitizeSingleLine(message.id)}\n`;
+	if (message.event) result += `event: ${_sanitizeSingleLine(message.event)}\n`;
 	if (typeof message.retry === "number" && Number.isInteger(message.retry)) result += `retry: ${message.retry}\n`;
-	result += `data: ${message.data}\n\n`;
+	const data = typeof message.data === "string" ? message.data : "";
+	for (const line of data.split(/\r\n|\r|\n/)) result += `data: ${line}\n`;
+	result += "\n";
 	return result;
 }
+function _sanitizeSingleLine(value) {
+	return value.replace(/[\n\r]/g, "");
+}
 function formatEventStreamMessages(messages) {
 	let result = "";
 	for (const msg of messages) result += formatEventStreamMessage(msg);
@@ -1999,63 +1815,50 @@ function setEventStreamHeaders(event) {
 	event.res.headers.set("x-accel-buffering", "no");
 	if (event.req.headers.get("connection") === "keep-alive") event.res.headers.set("connection", "keep-alive");
 }
-
-//#endregion
-//#region src/utils/event-stream.ts
-/**
-* Initialize an EventStream instance for creating [server sent events](https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events/Using_server-sent_events)
-*
-* @experimental This function is experimental and might be unstable in some environments.
-*
-* @example
-*
-* ```ts
-* import { createEventStream, sendEventStream } from "h3";
-*
-* app.get("/sse", (event) => {
-*   const eventStream = createEventStream(event);
-*
-*   // Send a message every second
-*   const interval = setInterval(async () => {
-*     await eventStream.push("Hello world");
-*   }, 1000);
-*
-*   // cleanup the interval and close the stream when the connection is terminated
-*   eventStream.onClosed(async () => {
-*     console.log("closing SSE...");
-*     clearInterval(interval);
-*     await eventStream.close();
-*   });
-*
-*   return eventStream.send();
-* });
-* ```
-*/
 function createEventStream(event, opts) {
 	return new EventStream(event, opts);
 }
-
-//#endregion
-//#region src/utils/cache.ts
-/**
-* Check request caching headers (`If-Modified-Since`) and add caching headers (Last-Modified, Cache-Control)
-* Note: `public` cache control will be added by default
-* @returns `true` when cache headers are matching. When `true` is returned, no response should be sent anymore
-*/
+function setServerTiming(event, name, opts) {
+	if (!_isValidToken(name)) throw new TypeError(`Invalid Server-Timing metric name: ${name}`);
+	if (opts?.dur !== void 0 && (!Number.isFinite(opts.dur) || opts.dur < 0)) throw new TypeError(`Invalid Server-Timing duration: ${opts.dur}`);
+	const value = name + (opts?.desc ? `;desc="${_escapeDesc(opts.desc)}"` : "") + (opts?.dur !== void 0 ? `;dur=${opts.dur}` : "");
+	event.res.headers.append("server-timing", value);
+	const ctx = event.context;
+	if (!Array.isArray(ctx.timing)) ctx.timing = [];
+	ctx.timing.push({
+		name,
+		...opts
+	});
+}
+async function withServerTiming(event, name, fn) {
+	const start = performance.now();
+	try {
+		return await fn();
+	} finally {
+		setServerTiming(event, name, { dur: performance.now() - start });
+	}
+}
+const _tokenRE = /^[\w!#$%&'*+.^`|~-]+$/;
+function _isValidToken(value) {
+	return _tokenRE.test(value);
+}
+function _escapeDesc(value) {
+	return value.replaceAll("\\", "\\\\").replaceAll("\"", "\\\"");
+}
 function handleCacheHeaders(event, opts) {
 	const cacheControls = ["public", ...opts.cacheControls || []];
 	let cacheMatched = false;
 	if (opts.maxAge !== void 0) cacheControls.push(`max-age=${+opts.maxAge}`, `s-maxage=${+opts.maxAge}`);
 	if (opts.modifiedTime) {
 		const modifiedTime = new Date(opts.modifiedTime);
+		modifiedTime.setMilliseconds(0);
 		const ifModifiedSince = event.req.headers.get("if-modified-since");
 		event.res.headers.set("last-modified", modifiedTime.toUTCString());
 		if (ifModifiedSince && new Date(ifModifiedSince) >= modifiedTime) cacheMatched = true;
 	}
 	if (opts.etag) {
 		event.res.headers.set("etag", opts.etag);
-		const ifNonMatch = event.req.headers.get("if-none-match");
-		if (ifNonMatch === opts.etag) cacheMatched = true;
+		if (event.req.headers.get("if-none-match") === opts.etag) cacheMatched = true;
 	}
 	event.res.headers.set("cache-control", cacheControls.join(", "));
 	if (cacheMatched) {
@@ -2064,27 +1867,6 @@ function handleCacheHeaders(event, opts) {
 	}
 	return false;
 }
-
-//#endregion
-//#region src/utils/internal/path.ts
-function withLeadingSlash(path) {
-	if (!path || path === "/") return "/";
-	return path[0] === "/" ? path : `/${path}`;
-}
-function withoutTrailingSlash(path) {
-	if (!path || path === "/") return "/";
-	return path[path.length - 1] === "/" ? path.slice(0, -1) : path;
-}
-function withoutBase(input = "", base = "") {
-	if (!base || base === "/") return input;
-	const _base = withoutTrailingSlash(base);
-	if (!input.startsWith(_base)) return input;
-	const trimmed = input.slice(_base.length);
-	return trimmed[0] === "/" ? trimmed : "/" + trimmed;
-}
-
-//#endregion
-//#region src/utils/internal/mime.ts
 const COMMON_MIME_TYPES = {
 	".html": "text/html",
 	".htm": "text/html",
@@ -2116,12 +1898,6 @@ function getExtension(path) {
 function getType(ext) {
 	return ext ? COMMON_MIME_TYPES[ext] : void 0;
 }
-
-//#endregion
-//#region src/utils/static.ts
-/**
-* Dynamically serve static assets based on the request path.
-*/
 async function serveStatic(event, options) {
 	if (options.headers) {
 		const entries = Array.isArray(options.headers) ? options.headers : typeof options.headers.entries === "function" ? options.headers.entries() : Object.entries(options.headers);
@@ -2132,7 +1908,7 @@ async function serveStatic(event, options) {
 		event.res.headers.set("allow", "GET, HEAD");
 		throw new HTTPError({ status: 405 });
 	}
-	const originalId = decodeURI(withLeadingSlash(withoutTrailingSlash(event.url.pathname)));
+	const originalId = resolveDotSegments(decodeURI(withLeadingSlash(withoutTrailingSlash(event.url.pathname))));
 	const acceptEncodings = parseAcceptEncoding(event.req.headers.get("accept-encoding") || "", options.encodings);
 	if (acceptEncodings.length > 1) event.res.headers.set("vary", "accept-encoding");
 	let id = originalId;
@@ -2160,8 +1936,7 @@ async function serveStatic(event, options) {
 		if (!event.res.headers.get("last-modified")) event.res.headers.set("last-modified", mtimeDate.toUTCString());
 	}
 	if (meta.etag && !event.res.headers.has("etag")) event.res.headers.set("etag", meta.etag);
-	const ifNotMatch = meta.etag && event.req.headers.get("if-none-match") === meta.etag;
-	if (ifNotMatch) return new HTTPResponse(null, {
+	if (meta.etag && event.req.headers.get("if-none-match") === meta.etag) return new HTTPResponse(null, {
 		status: 304,
 		statusText: "Not Modified"
 	});
@@ -2174,8 +1949,7 @@ async function serveStatic(event, options) {
 	if (meta.encoding && !event.res.headers.get("content-encoding")) event.res.headers.set("content-encoding", meta.encoding);
 	if (meta.size !== void 0 && meta.size > 0 && !event.req.headers.get("content-length")) event.res.headers.set("content-length", meta.size + "");
 	if (event.req.method === "HEAD") return new HTTPResponse(null, { status: 200 });
-	const contents = await options.getContents(id);
-	return new HTTPResponse(contents || null, { status: 200 });
+	return new HTTPResponse(await options.getContents(id) || null, { status: 200 });
 }
 function parseAcceptEncoding(header, encodingMap) {
 	if (!encodingMap || !header) return [];
@@ -2186,21 +1960,6 @@ function idSearchPaths(id, encodings, indexNames) {
 	for (const suffix of ["", ...indexNames]) for (const encoding of [...encodings, ""]) ids.push(`${id}${suffix}${encoding}`);
 	return ids;
 }
-
-//#endregion
-//#region src/utils/base.ts
-/**
-* Returns a new event handler that removes the base url of the event before calling the original handler.
-*
-* @example
-* const api = new H3()
-*  .get("/", () => "Hello API!");
-* const app = new H3();
-*  .use("/api/**", withBase("/api", api.handler));
-*
-* @param base The base path to prefix.
-* @param handler The event handler to use with the adapted path.
-*/
 function withBase(base, input) {
 	base = withoutTrailingSlash(base);
 	const handler = toEventHandler(input);
@@ -2215,10 +1974,6 @@ function withBase(base, input) {
 		}
 	};
 }
-
-//#endregion
-//#region src/utils/internal/iron-crypto.ts
-/** The default encryption and integrity settings. */
 const defaults = /* @__PURE__ */ Object.freeze({
 	ttl: 0,
 	timestampSkewSec: 60,
@@ -2236,7 +1991,6 @@ const defaults = /* @__PURE__ */ Object.freeze({
 		minPasswordlength: 32
 	})
 });
-/** Configuration of each supported algorithm. */
 const algorithms = /* @__PURE__ */ Object.freeze({
 	"aes-128-ctr": /* @__PURE__ */ Object.freeze({
 		keyBits: 128,
@@ -2254,9 +2008,7 @@ const algorithms = /* @__PURE__ */ Object.freeze({
 		name: "SHA-256"
 	})
 });
-/** MAC normalization prefix. */
 const macPrefix = "Fe26.2";
-/** Serializes, encrypts, and signs objects into an iron protocol string. */
 async function seal(object, password, opts) {
 	const now = Date.now() + (opts.localtimeOffsetMsec || 0);
 	if (!password) throw new Error("Empty password");
@@ -2268,10 +2020,8 @@ async function seal(object, password, opts) {
 	const expiration = opts.ttl ? now + opts.ttl : "";
 	const macBaseString = `${macPrefix}*${id}*${key.salt}*${iv}*${encryptedB64}*${expiration}`;
 	const mac = await hmacWithPassword(integrity, opts.integrity, macBaseString);
-	const sealed = `${macBaseString}*${mac.salt}*${mac.digest}`;
-	return sealed;
+	return `${macBaseString}*${mac.salt}*${mac.digest}`;
 }
-/** Verifies, decrypts, and reconstruct an iron protocol string into an object. */
 async function unseal(sealed, password, opts) {
 	const now = Date.now() + (opts.localtimeOffsetMsec || 0);
 	if (!password) throw new Error("Empty password");
@@ -2279,11 +2029,10 @@ async function unseal(sealed, password, opts) {
 	if (parts.length !== 8) throw new Error("Incorrect number of sealed components");
 	const [prefix, passwordId, encryptionSalt, encryptionIv, encryptedB64, expiration, hmacSalt, hmac] = parts;
 	const macBaseString = `${prefix}*${passwordId}*${encryptionSalt}*${encryptionIv}*${encryptedB64}*${expiration}`;
-	if (macPrefix !== prefix) throw new Error("Wrong mac prefix");
+	if ("Fe26.2" !== prefix) throw new Error("Wrong mac prefix");
 	if (expiration) {
 		if (!/^\d+$/.test(expiration)) throw new Error("Invalid expiration");
-		const exp = Number.parseInt(expiration, 10);
-		if (exp <= now - opts.timestampSkewSec * 1e3) throw new Error("Expired seal");
+		if (Number.parseInt(expiration, 10) <= now - opts.timestampSkewSec * 1e3) throw new Error("Expired seal");
 	}
 	let pass = "";
 	const _passwordId = passwordId || "default";
@@ -2291,11 +2040,10 @@ async function unseal(sealed, password, opts) {
 	else if (_passwordId in password) pass = password[_passwordId];
 	else throw new Error(`Cannot find password: ${_passwordId}`);
 	pass = normalizePassword(pass);
-	const mac = await hmacWithPassword(pass.integrity, {
+	if (!fixedTimeComparison((await hmacWithPassword(pass.integrity, {
 		...opts.integrity,
 		salt: hmacSalt
-	}, macBaseString);
-	if (!fixedTimeComparison(mac.digest, hmac)) throw new Error("Bad hmac value");
+	}, macBaseString)).digest, hmac)) throw new Error("Bad hmac value");
 	const encrypted = base64Decode(encryptedB64);
 	const decryptOptions = {
 		...opts.encryption,
@@ -2305,7 +2053,6 @@ async function unseal(sealed, password, opts) {
 	const decrypted = await decrypt(pass.encryption, decryptOptions, encrypted);
 	return decrypted ? JSON.parse(decrypted) : null;
 }
-/** Calculates a HMAC digest. */
 async function hmacWithPassword(password, options, data) {
 	const key = await generateKey(password, {
 		...options,
@@ -2313,13 +2060,11 @@ async function hmacWithPassword(password, options, data) {
 	});
 	const textBuffer = textEncoder.encode(data);
 	const signed = await crypto.subtle.sign({ name: "HMAC" }, key.key, textBuffer);
-	const digest = base64Encode(new Uint8Array(signed));
 	return {
-		digest,
+		digest: base64Encode(new Uint8Array(signed)),
 		salt: key.salt
 	};
 }
-/** Generates a key from the password. */
 async function generateKey(password, options) {
 	if (!password?.length) throw new Error("Empty password");
 	if (options == null || typeof options !== "object") throw new Error("Bad options");
@@ -2344,8 +2089,7 @@ async function generateKey(password, options) {
 			salt = [...new Uint8Array(randomSalt)].map((x) => x.toString(16).padStart(2, "0")).join("");
 		}
 		const derivedKey = await pbkdf2(password, salt, options.iterations, algorithm.keyBits / 8, "SHA-1");
-		const importedEncryptionKey = await crypto.subtle.importKey("raw", derivedKey, id, false, usage);
-		resultKey = importedEncryptionKey;
+		resultKey = await crypto.subtle.importKey("raw", derivedKey, id, false, usage);
 		resultSalt = salt;
 	} else {
 		if (password.length < algorithm.keyBits / 8) throw new Error("Key buffer (password) too small");
@@ -2361,19 +2105,16 @@ async function generateKey(password, options) {
 		iv: resultIV
 	};
 }
-/** Provides an asynchronous Password-Based Key Derivation Function 2 (PBKDF2) implementation. */
 async function pbkdf2(password, salt, iterations, keyLength, hash) {
 	const passwordBuffer = textEncoder.encode(password);
 	const importedKey = await crypto.subtle.importKey("raw", passwordBuffer, { name: "PBKDF2" }, false, ["deriveBits"]);
-	const saltBuffer = textEncoder.encode(salt);
 	const params = {
 		name: "PBKDF2",
 		hash,
-		salt: saltBuffer,
+		salt: textEncoder.encode(salt),
 		iterations
 	};
-	const derivation = await crypto.subtle.deriveBits(params, importedKey, keyLength * 8);
-	return derivation;
+	return await crypto.subtle.deriveBits(params, importedKey, keyLength * 8);
 }
 async function encrypt(password, options, data) {
 	const key = await generateKey(password, options);
@@ -2402,14 +2143,12 @@ function getEncryptParams(algorithm, key, data) {
 		typeof data === "string" ? textEncoder.encode(data) : data
 	];
 }
-/** Returns true if `a` is equal to `b`, without leaking timing information that would allow an attacker to guess one of the values. */
 function fixedTimeComparison(a, b) {
 	let mismatch = a.length === b.length ? 0 : 1;
 	if (mismatch) b = a;
 	for (let i = 0; i < a.length; i += 1) mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
 	return mismatch === 0;
 }
-/** Normalizes a password parameter. */
 function normalizePassword(password) {
 	if (typeof password === "string" || password instanceof Uint8Array) return {
 		encryption: password,
@@ -2426,46 +2165,30 @@ function normalizePassword(password) {
 		integrity: password.integrity
 	};
 }
-/** Generate cryptographically strong pseudorandom bits. */
 function randomBits(bits) {
 	if (bits < 1) throw new Error("Invalid random bits count");
-	const bytes = Math.ceil(bits / 8);
-	return randomBytes(bytes);
+	return randomBytes(Math.ceil(bits / 8));
 }
-/** Generates cryptographically strong pseudorandom bytes. */
 function randomBytes(size) {
 	const bytes = new Uint8Array(size);
 	crypto.getRandomValues(bytes);
 	return bytes;
 }
-
-//#endregion
-//#region src/utils/internal/session.ts
 const kGetSession = /* @__PURE__ */ Symbol.for("h3.internal.session.promise");
-const DEFAULT_SESSION_NAME = "h3";
 const DEFAULT_SESSION_COOKIE = {
 	path: "/",
 	secure: true,
 	httpOnly: true
 };
-
-//#endregion
-//#region src/utils/session.ts
-/**
-* Create a session manager for the current request.
-*
-*/
 async function useSession(event, config) {
-	const sessionName = config.name || DEFAULT_SESSION_NAME;
+	const sessionName = config.name || "h3";
 	await getSession(event, config);
 	const sessionManager = {
 		get id() {
-			const context = getEventContext(event);
-			return context?.sessions?.[sessionName]?.id;
+			return getEventContext(event)?.sessions?.[sessionName]?.id;
 		},
 		get data() {
-			const context = getEventContext(event);
-			return context.sessions?.[sessionName]?.data || {};
+			return getEventContext(event).sessions?.[sessionName]?.data || {};
 		},
 		update: async (update) => {
 			await updateSession(event, config, update);
@@ -2478,11 +2201,8 @@ async function useSession(event, config) {
 	};
 	return sessionManager;
 }
-/**
-* Get the session for the current request.
-*/
 async function getSession(event, config) {
-	const sessionName = config.name || DEFAULT_SESSION_NAME;
+	const sessionName = config.name || "h3";
 	const context = getEventContext(event);
 	if (!context.sessions) context.sessions = new EmptyObject();
 	const existingSession = context.sessions[sessionName];
@@ -2516,42 +2236,26 @@ async function getSession(event, config) {
 	}
 	return session;
 }
-/**
-* Update the session data for the current request.
-*/
 async function updateSession(event, config, update) {
-	const sessionName = config.name || DEFAULT_SESSION_NAME;
-	const context = getEventContext(event);
-	const session = context.sessions?.[sessionName] || await getSession(event, config);
+	const sessionName = config.name || "h3";
+	const session = getEventContext(event).sessions?.[sessionName] || await getSession(event, config);
 	if (typeof update === "function") update = update(session.data);
 	if (update) Object.assign(session.data, update);
-	if (config.cookie !== false && event.res) {
-		const sealed = await sealSession(event, config);
-		setChunkedCookie(event, sessionName, sealed, {
-			...DEFAULT_SESSION_COOKIE,
-			expires: config.maxAge ? new Date(session.createdAt + config.maxAge * 1e3) : void 0,
-			...config.cookie
-		});
-	}
+	if (config.cookie !== false && event.res) setChunkedCookie(event, sessionName, await sealSession(event, config), {
+		...DEFAULT_SESSION_COOKIE,
+		expires: config.maxAge ? new Date(session.createdAt + config.maxAge * 1e3) : void 0,
+		...config.cookie
+	});
 	return session;
 }
-/**
-* Encrypt and sign the session data for the current request.
-*/
 async function sealSession(event, config) {
-	const sessionName = config.name || DEFAULT_SESSION_NAME;
-	const context = getEventContext(event);
-	const session = context.sessions?.[sessionName] || await getSession(event, config);
-	const sealed = await seal(session, config.password, {
+	const sessionName = config.name || "h3";
+	return await seal(getEventContext(event).sessions?.[sessionName] || await getSession(event, config), config.password, {
 		...defaults,
 		ttl: config.maxAge ? config.maxAge * 1e3 : 0,
 		...config.seal
 	});
-	return sealed;
 }
-/**
-* Decrypt and verify the session data for the current request.
-*/
 async function unsealSession(_event, config, sealed) {
 	const unsealed = await unseal(sealed, config.password, {
 		...defaults,
@@ -2559,30 +2263,20 @@ async function unsealSession(_event, config, sealed) {
 		...config.seal
 	});
 	if (config.maxAge) {
-		const age = Date.now() - (unsealed.createdAt || Number.NEGATIVE_INFINITY);
-		if (age > config.maxAge * 1e3) throw new Error("Session expired!");
+		if (Date.now() - (unsealed.createdAt || Number.NEGATIVE_INFINITY) > config.maxAge * 1e3) throw new Error("Session expired!");
 	}
 	return unsealed;
 }
-/**
-* Clear the session data for the current request.
-*/
 function clearSession(event, config) {
 	const context = getEventContext(event);
-	const sessionName = config.name || DEFAULT_SESSION_NAME;
+	const sessionName = config.name || "h3";
 	if (context.sessions?.[sessionName]) delete context.sessions[sessionName];
-	if (event.res && config.cookie !== false) setChunkedCookie(event, sessionName, "", {
+	if (event.res && config.cookie !== false) deleteChunkedCookie(event, sessionName, {
 		...DEFAULT_SESSION_COOKIE,
 		...config.cookie
 	});
 	return Promise.resolve();
 }
-
-//#endregion
-//#region src/utils/internal/cors.ts
-/**
-* Resolve CORS options.
-*/
 function resolveCorsOptions(options = {}) {
 	const defaultOptions = {
 		origin: "*",
@@ -2593,7 +2287,7 @@ function resolveCorsOptions(options = {}) {
 		maxAge: false,
 		preflight: { statusCode: 204 }
 	};
-	return {
+	const resolved = {
 		...defaultOptions,
 		...options,
 		preflight: {
@@ -2601,10 +2295,9 @@ function resolveCorsOptions(options = {}) {
 			...options.preflight
 		}
 	};
+	if (resolved.credentials && (!options.origin || options.origin === "*")) console.warn("[h3] CORS: `credentials: true` with wildcard origin is not allowed. Browsers will reject the response.");
+	return resolved;
 }
-/**
-* Check if the origin is allowed.
-*/
 function isCorsOriginAllowed(origin, options) {
 	const { origin: originOption } = options;
 	if (!origin) return false;
@@ -2616,9 +2309,6 @@ function isCorsOriginAllowed(origin, options) {
 	});
 	return originOption === origin;
 }
-/**
-* Create the `access-control-allow-origin` header.
-*/
 function createOriginHeaders(event, options) {
 	const { origin: originOption } = options;
 	const origin = event.req.headers.get("origin");
@@ -2633,26 +2323,17 @@ function createOriginHeaders(event, options) {
 	};
 	return {};
 }
-/**
-* Create the `access-control-allow-methods` header.
-*/
 function createMethodsHeaders(options) {
 	const { methods } = options;
 	if (!methods) return {};
 	if (methods === "*") return { "access-control-allow-methods": "*" };
 	return methods.length > 0 ? { "access-control-allow-methods": methods.join(",") } : {};
 }
-/**
-* Create the `access-control-allow-credentials` header.
-*/
 function createCredentialsHeaders(options) {
 	const { credentials } = options;
 	if (credentials) return { "access-control-allow-credentials": "true" };
 	return {};
 }
-/**
-* Create the `access-control-allow-headers` and `vary` headers.
-*/
 function createAllowHeaderHeaders(event, options) {
 	const { allowHeaders } = options;
 	if (!allowHeaders || allowHeaders === "*" || allowHeaders.length === 0) {
@@ -2667,37 +2348,22 @@ function createAllowHeaderHeaders(event, options) {
 		vary: "access-control-request-headers"
 	};
 }
-/**
-* Create the `access-control-expose-headers` header.
-*/
 function createExposeHeaders(options) {
 	const { exposeHeaders } = options;
 	if (!exposeHeaders) return {};
 	if (exposeHeaders === "*") return { "access-control-expose-headers": exposeHeaders };
 	return { "access-control-expose-headers": exposeHeaders.join(",") };
 }
-/**
-* Create the `access-control-max-age` header.
-*/
 function createMaxAgeHeader(options) {
 	const { maxAge } = options;
 	if (maxAge) return { "access-control-max-age": maxAge };
 	return {};
 }
-
-//#endregion
-//#region src/utils/cors.ts
-/**
-* Check if the incoming request is a CORS preflight request.
-*/
 function isPreflightRequest(event) {
 	const origin = event.req.headers.get("origin");
 	const accessControlRequestMethod = event.req.headers.get("access-control-request-method");
 	return event.req.method === "OPTIONS" && !!origin && !!accessControlRequestMethod;
 }
-/**
-* Append CORS preflight headers to the response.
-*/
 function appendCorsPreflightHeaders(event, options) {
 	const headers = {
 		...createOriginHeaders(event, options),
@@ -2706,43 +2372,22 @@ function appendCorsPreflightHeaders(event, options) {
 		...createAllowHeaderHeaders(event, options),
 		...createMaxAgeHeader(options)
 	};
-	for (const [key, value] of Object.entries(headers)) event.res.headers.append(key, value);
+	for (const [key, value] of Object.entries(headers)) {
+		event.res.headers.append(key, value);
+		event.res.errHeaders.append(key, value);
+	}
 }
-/**
-* Append CORS headers to the response.
-*/
 function appendCorsHeaders(event, options) {
 	const headers = {
 		...createOriginHeaders(event, options),
 		...createCredentialsHeaders(options),
 		...createExposeHeaders(options)
 	};
-	for (const [key, value] of Object.entries(headers)) event.res.headers.append(key, value);
-}
-/**
-* Handle CORS for the incoming request.
-*
-* If the incoming request is a CORS preflight request, it will append the CORS preflight headers and send a 204 response.
-*
-* If return value is not `false`, the request is handled and no further action is needed.
-*
-* @example
-* const app = new H3();
-* const router = createRouter();
-* router.use("/", async (event) => {
-*   const corsRes = handleCors(event, {
-*     origin: "*",
-*     preflight: {
-*       statusCode: 204,
-*     },
-*     methods: "*",
-*   });
-*   if (corsRes !== false) {
-*     return corsRes;
-*   }
-*   // Your code here
-* });
-*/
+	for (const [key, value] of Object.entries(headers)) {
+		event.res.headers.append(key, value);
+		event.res.errHeaders.append(key, value);
+	}
+}
 function handleCors(event, options) {
 	const _options = resolveCorsOptions(options);
 	if (isPreflightRequest(event)) {
@@ -2752,30 +2397,46 @@ function handleCors(event, options) {
 	appendCorsHeaders(event, _options);
 	return false;
 }
-
-//#endregion
-//#region src/utils/auth.ts
-/**
-* Apply basic authentication for current request.
-*
-* @example
-* import { defineHandler, requireBasicAuth } from "h3";
-* export default defineHandler(async (event) => {
-*   await requireBasicAuth(event, { password: "test" });
-*   return `Hello, ${event.context.basicAuth.username}!`;
-* });
-*/
+const _textEncoder = /* @__PURE__ */ new TextEncoder();
+function timingSafeEqual(a, b) {
+	const aBuf = _textEncoder.encode(a);
+	const bBuf = _textEncoder.encode(b);
+	const aLen = aBuf.length;
+	const bLen = bBuf.length;
+	const len = Math.max(aLen, bLen);
+	let result = aLen === bLen ? 0 : 1;
+	for (let i = 0; i < len; i++) result |= (aBuf[i % aLen] ?? 0) ^ (bBuf[i % bLen] ?? 0);
+	return result === 0;
+}
+function randomJitter() {
+	const randomBuffer = new Uint32Array(1);
+	crypto.getRandomValues(randomBuffer);
+	const jitter = randomBuffer[0] % 100;
+	return new Promise((resolve) => setTimeout(resolve, jitter));
+}
 async function requireBasicAuth(event, opts) {
-	if (!opts.validate && !opts.password) throw new Error("You must provide either a validate function or a password for basic auth.");
+	if (!opts.validate && !opts.password) throw new HTTPError({
+		message: "Either 'password' or 'validate' option must be provided",
+		status: 500
+	});
 	const authHeader = event.req.headers.get("authorization");
-	if (!authHeader) throw autheFailed(event);
+	if (!authHeader) throw authFailed(event);
 	const [authType, b64auth] = authHeader.split(" ");
-	if (authType !== "Basic" || !b64auth) throw autheFailed(event, opts?.realm);
-	const [username, password] = atob(b64auth).split(":");
-	if (!username || !password) throw autheFailed(event, opts?.realm);
-	if (opts.username && username !== opts.username) throw autheFailed(event, opts?.realm);
-	if (opts.password && password !== opts.password) throw autheFailed(event, opts?.realm);
-	if (opts.validate && !await opts.validate(username, password)) throw autheFailed(event, opts?.realm);
+	if (!b64auth || authType.toLowerCase() !== "basic") throw authFailed(event, opts?.realm);
+	let authDecoded;
+	try {
+		authDecoded = atob(b64auth);
+	} catch {
+		throw authFailed(event, opts?.realm);
+	}
+	const colonIndex = authDecoded.indexOf(":");
+	const username = authDecoded.slice(0, colonIndex);
+	const password = authDecoded.slice(colonIndex + 1);
+	if (!username || !password) throw authFailed(event, opts?.realm);
+	if (opts.username && !timingSafeEqual(username, opts.username) || opts.password && !timingSafeEqual(password, opts.password) || opts.validate && !await opts.validate(username, password)) {
+		await randomJitter();
+		throw authFailed(event, opts?.realm);
+	}
 	const context = getEventContext(event);
 	context.basicAuth = {
 		username,
@@ -2784,37 +2445,19 @@ async function requireBasicAuth(event, opts) {
 	};
 	return true;
 }
-/**
-* Create a basic authentication middleware.
-*
-* @example
-* import { H3, serve, basicAuth } from "h3";
-* const auth = basicAuth({ password: "test" });
-* app.get("/", (event) => `Hello ${event.context.basicAuth?.username}!`, [auth]);
-* serve(app, { port: 3000 });
-*/
 function basicAuth(opts) {
 	return async (event, next) => {
 		await requireBasicAuth(event, opts);
 		return next();
 	};
 }
-function autheFailed(event, realm = "") {
+function authFailed(event, realm = "") {
 	return new HTTPError({
 		status: 401,
 		statusText: "Authentication required",
 		headers: { "www-authenticate": `Basic realm=${JSON.stringify(realm)}` }
 	});
 }
-
-//#endregion
-//#region src/utils/fingerprint.ts
-/**
-*
-* Get a unique fingerprint for the incoming request.
-*
-* @experimental Behavior of this utility might change in the future versions
-*/
 async function getRequestFingerprint(event, opts = {}) {
 	const fingerprint = [];
 	if (opts.ip !== false) fingerprint.push(getRequestIP(event, { xForwardedFor: opts.xForwardedFor }));
@@ -2825,77 +2468,171 @@ async function getRequestFingerprint(event, opts = {}) {
 	if (!fingerprintString) return null;
 	if (opts.hash === false) return fingerprintString;
 	const buffer = await crypto.subtle.digest(opts.hash || "SHA-1", new TextEncoder().encode(fingerprintString));
-	const hash = [...new Uint8Array(buffer)].map((b) => b.toString(16).padStart(2, "0")).join("");
-	return hash;
-}
-
-//#endregion
-//#region src/utils/ws.ts
-/**
-* Define WebSocket hooks.
-*
-* @see https://h3.dev/guide/websocket
-*/
+	return [...new Uint8Array(buffer)].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
 function defineWebSocket(hooks) {
 	return hooks;
 }
-/**
-* Define WebSocket event handler.
-*
-* @see https://h3.dev/guide/websocket
-*/
 function defineWebSocketHandler(hooks) {
-	return defineHandler(function _webSocketHandler() {
-		return Object.assign(new Response("WebSocket upgrade is required.", { status: 426 }), { crossws: hooks });
+	return defineHandler(function _webSocketHandler(event) {
+		const crossws = typeof hooks === "function" ? hooks(event) : hooks;
+		return Object.assign(new Response("WebSocket upgrade is required.", { status: 426 }), { crossws });
 	});
 }
-
-//#endregion
-//#region src/_deprecated.ts
-/** @deprecated Use `HTTPError` */
+const PARSE_ERROR = -32700;
+const INVALID_REQUEST = -32600;
+const METHOD_NOT_FOUND = -32601;
+const INVALID_PARAMS = -32602;
+function defineJsonRpcHandler(opts = {}) {
+	const methodMap = createMethodMap(opts.methods);
+	const handler = async (event) => {
+		if (event.req.method !== "POST") throw new HTTPError({ status: 405 });
+		let body;
+		try {
+			body = await event.req.json();
+		} catch {
+			return createJsonRpcError(null, PARSE_ERROR, "Parse error");
+		}
+		const result = await processJsonRpcBody(body, methodMap, event);
+		return result === void 0 ? new HTTPResponse("", { status: 202 }) : result;
+	};
+	return defineHandler({
+		...opts,
+		handler
+	});
+}
+function defineJsonRpcWebSocketHandler(opts) {
+	const methodMap = createMethodMap(opts.methods);
+	return defineWebSocketHandler({
+		...opts.hooks,
+		async message(peer, message) {
+			let body;
+			try {
+				body = message.json();
+			} catch {
+				peer.send(JSON.stringify(createJsonRpcError(null, PARSE_ERROR, "Parse error")));
+				return;
+			}
+			const result = await processJsonRpcBody(body, methodMap, peer);
+			if (result !== void 0) peer.send(JSON.stringify(result));
+		}
+	});
+}
+function createMethodMap(methods) {
+	const methodMap = Object.create(null);
+	for (const key of Object.keys(methods)) methodMap[key] = methods[key];
+	return methodMap;
+}
+async function processJsonRpcBody(body, methodMap, context) {
+	if (!body || typeof body !== "object") return createJsonRpcError(null, PARSE_ERROR, "Parse error");
+	const requests = Array.isArray(body) ? body : [body];
+	if (requests.length === 0) return createJsonRpcError(null, INVALID_REQUEST, "Invalid Request");
+	const finalResponses = (await Promise.all(requests.map((raw) => processJsonRpcMethod(raw, methodMap, context)))).filter((r) => r !== void 0);
+	if (finalResponses.length === 0) return;
+	return Array.isArray(body) ? finalResponses : finalResponses[0];
+}
+async function processJsonRpcMethod(raw, methodMap, context) {
+	if (!raw || typeof raw !== "object" || Array.isArray(raw)) return createJsonRpcError(null, INVALID_REQUEST, "Invalid Request");
+	const req = raw;
+	if (req.jsonrpc !== "2.0" || typeof req.method !== "string" || "id" in req && !isValidId(req.id)) return createJsonRpcError("id" in req && isValidId(req.id) ? req.id : null, INVALID_REQUEST, "Invalid Request");
+	if ("params" in req && req.params !== void 0 && (typeof req.params !== "object" || req.params === null)) return isNotification(req) ? void 0 : createJsonRpcError(req.id, INVALID_PARAMS, "Invalid params");
+	if (req.method.startsWith("rpc.")) return isNotification(req) ? void 0 : createJsonRpcError(req.id, METHOD_NOT_FOUND, "Method not found");
+	const method = req.method;
+	const params = req.params;
+	const notification = isNotification(req);
+	const id = notification ? void 0 : req.id;
+	const methodHandler = methodMap[method];
+	if (!methodHandler) return notification ? void 0 : createJsonRpcError(id, METHOD_NOT_FOUND, "Method not found");
+	try {
+		const rpcReq = {
+			jsonrpc: "2.0",
+			method,
+			params
+		};
+		if (!notification) rpcReq.id = id;
+		const result = await methodHandler(rpcReq, context);
+		return notification ? void 0 : {
+			jsonrpc: "2.0",
+			id,
+			result: result ?? null
+		};
+	} catch (error_) {
+		if (notification) return;
+		const h3Error = HTTPError.isError(error_) ? error_ : {
+			status: 500,
+			message: "Internal error",
+			data: error_ != null && typeof error_ === "object" && "message" in error_ ? error_.message : void 0
+		};
+		const statusCode = h3Error.status;
+		const statusMessage = h3Error.message;
+		return createJsonRpcError(id, mapHttpStatusToJsonRpcError(statusCode), statusMessage, h3Error.data);
+	}
+}
+function mapHttpStatusToJsonRpcError(status) {
+	switch (status) {
+		case 400:
+		case 422: return INVALID_PARAMS;
+		case 401: return -32001;
+		case 403: return -32003;
+		case 404: return -32004;
+		case 408: return -32008;
+		case 409: return -32009;
+		case 429: return -32029;
+		default:
+			if (status >= 300 && status < 500) return -32e3;
+			return -32603;
+	}
+}
+function isNotification(req) {
+	return !("id" in req);
+}
+function isValidId(id) {
+	if (id === null) return true;
+	if (typeof id === "string") return true;
+	return typeof id === "number" && Number.isInteger(id);
+}
+const createJsonRpcError = (id, code, message, data) => {
+	const error = {
+		code,
+		message
+	};
+	if (data !== void 0) error.data = data;
+	return {
+		jsonrpc: "2.0",
+		id,
+		error
+	};
+};
 const H3Error = HTTPError;
 function createError(arg1, arg2) {
 	return new HTTPError(arg1, arg2);
 }
-/**
-* @deprecated Use `HTTPError.isError`
-*/
 function isError(input) {
 	return HTTPError.isError(input);
 }
-/** @deprecated Please use `event.url` */
 const getRequestPath = (event) => event.path;
-/** @deprecated Please use `event.req.headers.get(name)` */
 function getRequestHeader(event, name) {
 	return event.req.headers.get(name) || void 0;
 }
-/** @deprecated Please use `event.req.headers.get(name)` */
 const getHeader = getRequestHeader;
-/** @deprecated Please use `Object.fromEntries(event.req.headers.entries())` */
 function getRequestHeaders(event) {
 	return Object.fromEntries(event.req.headers.entries());
 }
-/** @deprecated Please use `Object.fromEntries(event.req.headers.entries())` */
 const getHeaders = getRequestHeaders;
-/** @deprecated Please use `event.req.method` */
 function getMethod(event, defaultMethod = "GET") {
 	return (event.req.method || defaultMethod).toUpperCase();
 }
-/** @deprecated Please use `event.req.text()` or `event.req.arrayBuffer()` */
 function readRawBody(event, encoding = "utf8") {
 	return encoding ? event.req.text() : event.req.arrayBuffer().then((r) => new Uint8Array(r));
 }
-/** @deprecated Please use `event.req.formData()` */
 async function readFormDataBody(event) {
 	return event.req.formData();
 }
-/** @deprecated Please use `event.req.formData()` */
 const readFormData = readFormDataBody;
-/** @deprecated Please use `event.req.formData()` */
 async function readMultipartFormData(event) {
 	const formData = await event.req.formData();
 	return Promise.all([...formData.entries()].map(async ([key, value]) => {
-		return value instanceof Blob ? {
+		return typeof value === "object" ? {
 			name: key,
 			type: value.type,
 			filename: value.name,
@@ -2906,122 +2643,82 @@ async function readMultipartFormData(event) {
 		};
 	}));
 }
-/** @deprecated Please use `event.req.body` */
 function getBodyStream(event) {
 	return event.req.body || void 0;
 }
-/** @deprecated Please use `event.req.body` */
 const getRequestWebStream = getBodyStream;
-/** @deprecated Please directly return stream */
 function sendStream(_event, value) {
 	return value;
 }
-/** @deprecated Please use `return noContent(event)` */
 const sendNoContent = (_, code) => noContent(code);
-/** @deprecated Please use `return redirect(event, code)` */
 const sendRedirect = (_, loc, code) => redirect(loc, code);
-/** @deprecated Please directly return response */
 const sendWebResponse = (response) => response;
-/** @deprecated Please use `return proxy(event)` */
 const sendProxy = proxy;
-/** @deprecated Please use `return iterable(event, value)` */
 const sendIterable = (_event, val, options) => {
 	return iterable(val, options);
 };
-/** @deprecated Please use `event.res.statusText` */
 function getResponseStatusText(event) {
 	return event.res.statusText || "";
 }
-/** @deprecated Please use `event.res.headers.append(name, value)` */
 function appendResponseHeader(event, name, value) {
 	if (Array.isArray(value)) for (const valueItem of value) event.res.headers.append(name, valueItem);
 	else event.res.headers.append(name, value);
 }
-/** @deprecated Please use `event.res.headers.append(name, value)` */
 const appendHeader = appendResponseHeader;
-/** @deprecated Please use `event.res.headers.set(name, value)` */
 function setResponseHeader(event, name, value) {
 	if (Array.isArray(value)) {
 		event.res.headers.delete(name);
 		for (const valueItem of value) event.res.headers.append(name, valueItem);
 	} else event.res.headers.set(name, value);
 }
-/** @deprecated Please use `event.res.headers.set(name, value)` */
 const setHeader = setResponseHeader;
-/** @deprecated Please use `event.res.headers.set(name, value)` */
 function setResponseHeaders(event, headers) {
 	for (const [name, value] of Object.entries(headers)) event.res.headers.set(name, value);
 }
-/** @deprecated Please use `event.res.headers.set(name, value)` */
 const setHeaders = setResponseHeaders;
-/** @deprecated Please use `event.res.status` */
 function getResponseStatus(event) {
 	return event.res.status || 200;
 }
-/** @deprecated Please directly set `event.res.status` and `event.res.statusText` */
 function setResponseStatus(event, code, text) {
 	if (code) event.res.status = sanitizeStatusCode(code, event.res.status);
 	if (text) event.res.statusText = sanitizeStatusMessage(text);
 }
-/** @deprecated Please use `event.res.headers.set("content-type", type)` */
 function defaultContentType(event, type) {
 	if (type && event.res.status !== 304 && !event.res.headers.has("content-type")) event.res.headers.set("content-type", type);
 }
-/** @deprecated Please use `Object.fromEntries(event.res.headers.entries())` */
 function getResponseHeaders(event) {
 	return Object.fromEntries(event.res.headers.entries());
 }
-/** @deprecated Please use `event.res.headers.get(name)` */
 function getResponseHeader(event, name) {
 	return event.res.headers.get(name) || void 0;
 }
-/** @deprecated Please use `event.res.headers.delete(name)` instead. */
 function removeResponseHeader(event, name) {
 	return event.res.headers.delete(name);
 }
-/** @deprecated Please use `event.res.headers.append(name, value)` */
 function appendResponseHeaders(event, headers) {
 	for (const [name, value] of Object.entries(headers)) appendResponseHeader(event, name, value);
 }
-/** @deprecated Please use `event.res.headers.append(name, value)` */
 const appendHeaders = appendResponseHeaders;
-/** @deprecated Please use `event.res.headers.delete` */
 function clearResponseHeaders(event, headerNames) {
 	if (headerNames && headerNames.length > 0) for (const name of headerNames) event.res.headers.delete(name);
 	else for (const name of event.res.headers.keys()) event.res.headers.delete(name);
 }
-/** Please use `defineHandler`  */
 const defineEventHandler = defineHandler;
-/** Please use `defineHandler`  */
 const eventHandler = defineHandler;
-/** Please use `defineLazyEventHandler` */
 const lazyEventHandler = defineLazyEventHandler;
-/** @deprecated Please use `defineNodeHandler` */
 const defineNodeListener = defineNodeHandler;
-/** @deprecated Please use `defineNodeHandler` */
 const fromNodeMiddleware = fromNodeHandler;
-/**
-* @deprecated please use `toNodeHandler` from `h3/node`.
-*/
 function toNodeHandler(app) {
 	if (toNodeHandler._isWarned !== true) {
 		console.warn(`[h3] "toNodeHandler" export from h3 is deprecated. Please import "toNodeHandler" from "h3/node".`);
 		toNodeHandler._isWarned = true;
 	}
-	const _toNodeHandler = (toNodeHandler._toNodeHandler ??= () => {
-		const _require = globalThis.process.getBuiltinModule("node:module").createRequire(import.meta.url);
-		return _require("srvx/node").toNodeHandler;
-	})();
-	return _toNodeHandler(app.fetch);
+	return (toNodeHandler._toNodeHandler ??= () => {
+		return globalThis.process.getBuiltinModule("node:module").createRequire(import.meta.url)("srvx/node").toNodeHandler;
+	})()(app.fetch);
 }
-/** @deprecated Please use `toNodeHandler` */
 const toNodeListener = toNodeHandler;
-/** @deprecated Please use `new H3()` */
 const createApp = (config) => new H3(config);
-/** @deprecated Please use `new H3()` */
 const createRouter$1 = (config) => new H3(config);
-/** @deprecated Please use `withBase()` */
 const useBase = withBase;
-
-//#endregion
-export { H3, H3Core, H3Error, H3Event, HTTPError, HTTPResponse, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, basicAuth, callMiddleware, clearResponseHeaders, clearSession, createApp, createError, createEventStream, createRouter$1 as createRouter, defaultContentType, defineEventHandler, defineHandler, defineLazyEventHandler, defineMiddleware, defineNodeHandler, defineNodeListener, defineNodeMiddleware, definePlugin, defineRoute, defineValidatedHandler, defineWebSocket, defineWebSocketHandler, deleteChunkedCookie, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, freezeApp, fromNodeHandler, fromNodeMiddleware, fromWebHandler, getBodyStream, getChunkedCookie, getCookie, getEventContext, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestFingerprint, getRequestHeader, getRequestHeaders, getRequestHost, getRequestIP, getRequestPath, getRequestProtocol, getRequestURL, getRequestWebStream, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, getValidatedQuery, getValidatedRouterParams, handleCacheHeaders, handleCors, html, isCorsOriginAllowed, isError, isEvent, isHTTPEvent, isMethod, isPreflightRequest, iterable, lazyEventHandler, mockEvent, noContent, onError, onRequest, onResponse, parseCookies, proxy, proxyRequest, readBody, readFormData, readFormDataBody, readMultipartFormData, readRawBody, readValidatedBody, redirect, removeResponseHeader, requireBasicAuth, sanitizeStatusCode, sanitizeStatusMessage, sealSession, sendIterable, sendNoContent, sendProxy, sendRedirect, sendStream, sendWebResponse, serveStatic, setChunkedCookie, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeHandler, toNodeListener, toRequest, toResponse, toWebHandler, unsealSession, updateSession, useBase, useSession, withBase, writeEarlyHints };
+export { basicAuth as $, defineLazyEventHandler as $t, readFormDataBody as A, freezeApp as An, bodyLimit as At, setHeader as B, redirect as Bt, getResponseHeader as C, toMiddleware as Cn, parseCookies as Ct, isError as D, sanitizeStatusCode as Dn, getProxyRequestHeaders as Dt, getResponseStatusText as E, HTTPError as En, fetchWithEvent as Et, sendNoContent as F, readBody as Ft, toNodeHandler as G, defineNodeHandler as Gt, setResponseHeader as H, writeEarlyHints as Ht, sendProxy as I, readValidatedBody as It, defineJsonRpcHandler as J, fromWebHandler as Jt, toNodeListener as K, defineNodeMiddleware as Kt, sendRedirect as L, html as Lt, readRawBody as M, onRequest as Mt, removeResponseHeader as N, onResponse as Nt, lazyEventHandler as O, sanitizeStatusMessage as On, proxy as Ot, sendIterable as P, assertBodySize as Pt, getRequestFingerprint as Q, defineHandler as Qt, sendStream as R, iterable as Rt, getRequestWebStream as S, defineMiddleware as Sn, getValidatedCookies as St, getResponseStatus as T, toResponse as Tn, setCookie as Tt, setResponseHeaders as U, defineRoute as Ut, setHeaders as V, redirectBack as Vt, setResponseStatus as W, removeRoute$1 as Wt, defineWebSocket as X, H3 as Xt, defineJsonRpcWebSocketHandler as Y, toWebHandler as Yt, defineWebSocketHandler as Z, H3Core as Zt, getHeaders as _, getEventContext as _n, createEventStream as _t, appendResponseHeaders as a, getRequestHost as an, isCorsOriginAllowed as at, getRequestHeaders as b, mockEvent as bn, getChunkedCookie as bt, createError as c, getRequestURL as cn, sealSession as ct, defineEventHandler as d, getValidatedQuery as dn, useSession as dt, defineValidatedHandler as en, requireBasicAuth as et, defineNodeListener as f, getValidatedRouterParams as fn, withBase as ft, getHeader as g, toRequest as gn, withServerTiming as gt, getBodyStream as h, requestWithURL as hn, setServerTiming as ht, appendResponseHeader as i, getQuery as in, isPreflightRequest as it, readMultipartFormData as j, onError as jt, readFormData as k, H3Event as kn, proxyRequest as kt, createRouter$1 as l, getRouterParam as ln, unsealSession as lt, fromNodeMiddleware as m, requestWithBaseURL as mn, handleCacheHeaders as mt, appendHeader as n, toEventHandler as nn, appendCorsPreflightHeaders as nt, clearResponseHeaders as o, getRequestIP as on, clearSession as ot, eventHandler as p, isMethod as pn, serveStatic as pt, useBase as q, fromNodeHandler as qt, appendHeaders as r, assertMethod as rn, handleCors as rt, createApp as s, getRequestProtocol as sn, getSession as st, H3Error as t, dynamicEventHandler as tn, appendCorsHeaders as tt, defaultContentType as u, getRouterParams as un, updateSession as ut, getMethod as v, isEvent as vn, deleteChunkedCookie as vt, getResponseHeaders as w, HTTPResponse as wn, setChunkedCookie as wt, getRequestPath as x, callMiddleware as xn, getCookie as xt, getRequestHeader as y, isHTTPEvent as yn, deleteCookie as yt, sendWebResponse as z, noContent as zt };