layercache 1.2.4 → 1.2.5

package/README.md

@@ -203,6 +203,8 @@ Glob-style deletion against the tracked key set, plus any layer that can enumera
 await cache.invalidateByPattern('user:*') // deletes user:1, user:2, …
 ```
 
+Patterns must be non-empty, at most 1024 characters long, and free of control characters.
+
 For multi-instance deployments, prefer a shared `RedisTagIndex`. Without it, pattern invalidation still scans real layer keys when available, but that fallback only helps on layers that implement `keys()`, and tag tracking itself remains process-local.
 
 ### `cache.invalidateByPrefix(prefix): Promise<void>`
@@ -320,6 +322,8 @@ await cache.warm(
 
 Returns a scoped view with the same full API (`get`, `set`, `delete`, `clear`, `mget`, `wrap`, `warm`, `invalidateByTag`, `invalidateByPattern`, `getMetrics`). `clear()` only touches `prefix:*` keys, and namespace metrics are serialized per `CacheStack` instance so unrelated caches do not block each other while metrics are collected.
 
+Namespace prefixes must be non-empty, at most 256 characters long, and free of control characters.
+
 ```ts
 const users = cache.namespace('users')
 const posts = cache.namespace('posts')
@@ -712,6 +716,8 @@ http.createServer(statsHandler).listen(9090)
 // GET / → JSON stats
 ```
 
+The built-in handler returns JSON with `Cache-Control: no-store` and `X-Content-Type-Options: nosniff` headers.
+
 Or use the Fastify plugin:
 
 ```ts

package/dist/{chunk-KOYGHLVP.js → chunk-JC26W3KK.js}

@@ -185,6 +185,7 @@ var MemoryLayer = class {
 };
 
 // src/invalidation/TagIndex.ts
+var MAX_PATTERN_RECURSION_DEPTH = 500;
 var TagIndex = class {
   tagToKeys = /* @__PURE__ */ new Map();
   keyToTags = /* @__PURE__ */ new Map();
@@ -239,7 +240,7 @@ var TagIndex = class {
   }
   async matchPattern(pattern) {
     const matches = /* @__PURE__ */ new Set();
-    this.collectPatternMatches(this.root, "", pattern, 0, matches, /* @__PURE__ */ new Set());
+    this.collectPatternMatches(this.root, "", pattern, 0, matches, /* @__PURE__ */ new Set(), 0);
     return [...matches];
   }
   async clear() {
@@ -291,7 +292,10 @@ var TagIndex = class {
       this.collectFromNode(child, `${prefix}${character}`, matches);
     }
   }
-  collectPatternMatches(node, prefix, pattern, patternIndex, matches, visited) {
+  collectPatternMatches(node, prefix, pattern, patternIndex, matches, visited, depth) {
+    if (depth > MAX_PATTERN_RECURSION_DEPTH) {
+      return;
+    }
     const stateKey = `${node.id}:${patternIndex}`;
     if (visited.has(stateKey)) {
       return;
@@ -308,21 +312,37 @@ var TagIndex = class {
       return;
     }
     if (patternChar === "*") {
-      this.collectPatternMatches(node, prefix, pattern, patternIndex + 1, matches, visited);
+      this.collectPatternMatches(node, prefix, pattern, patternIndex + 1, matches, visited, depth + 1);
       for (const [character, child2] of node.children) {
-        this.collectPatternMatches(child2, `${prefix}${character}`, pattern, patternIndex, matches, visited);
+        this.collectPatternMatches(child2, `${prefix}${character}`, pattern, patternIndex, matches, visited, depth + 1);
       }
       return;
     }
     if (patternChar === "?") {
       for (const [character, child2] of node.children) {
-        this.collectPatternMatches(child2, `${prefix}${character}`, pattern, patternIndex + 1, matches, visited);
+        this.collectPatternMatches(
+          child2,
+          `${prefix}${character}`,
+          pattern,
+          patternIndex + 1,
+          matches,
+          visited,
+          depth + 1
+        );
       }
       return;
     }
     const child = node.children.get(patternChar);
     if (child) {
-      this.collectPatternMatches(child, `${prefix}${patternChar}`, pattern, patternIndex + 1, matches, visited);
+      this.collectPatternMatches(
+        child,
+        `${prefix}${patternChar}`,
+        pattern,
+        patternIndex + 1,
+        matches,
+        visited,
+        depth + 1
+      );
     }
   }
   pruneKnownKeysIfNeeded() {
@@ -423,7 +443,7 @@ function normalizeUrl(url) {
   try {
     const parsed = new URL(url, "http://localhost");
     parsed.searchParams.sort();
-    return decodeURIComponent(parsed.pathname) + parsed.search;
+    return parsed.pathname + parsed.search;
   } catch {
     return url;
   }

package/dist/cli.cjs

@@ -281,10 +281,7 @@ async function main(argv = process.argv.slice(2)) {
   }
   const redisUrl = validateRedisUrl(args.redisUrl);
   if (!redisUrl) {
-    process.stderr.write(
-      `Error: invalid Redis URL "${maskRedisUrl(args.redisUrl)}". Expected format: redis://[user:password@]host[:port][/db]
-`
-    );
+    process.stderr.write("Error: invalid Redis URL. Expected format: redis://[user:password@]host[:port][/db]\n");
     process.exitCode = 1;
     return;
   }
@@ -296,7 +293,7 @@ async function main(argv = process.argv.slice(2)) {
   try {
     await redis.connect().catch((error) => {
       const message = error instanceof Error ? error.message : String(error);
-      throw new Error(`Failed to connect to Redis at "${maskRedisUrl(redisUrl)}": ${message}`);
+      throw new Error(`Failed to connect to Redis: ${message}`);
     });
     if (args.command === "stats") {
       const keys = await scanKeys(redis, args.pattern ?? "*");
@@ -451,17 +448,6 @@ function summarizeInspectableValue(value) {
   }
   return value;
 }
-function maskRedisUrl(url) {
-  try {
-    const parsed = new URL(url);
-    if (parsed.password) {
-      parsed.password = "***";
-    }
-    return parsed.toString();
-  } catch {
-    return url.replace(/:([^@/]+)@/, ":***@");
-  }
-}
 if (process.argv[1]?.includes("cli.")) {
   void main();
 }

package/dist/cli.js

@@ -19,10 +19,7 @@ async function main(argv = process.argv.slice(2)) {
   }
   const redisUrl = validateRedisUrl(args.redisUrl);
   if (!redisUrl) {
-    process.stderr.write(
-      `Error: invalid Redis URL "${maskRedisUrl(args.redisUrl)}". Expected format: redis://[user:password@]host[:port][/db]
-`
-    );
+    process.stderr.write("Error: invalid Redis URL. Expected format: redis://[user:password@]host[:port][/db]\n");
     process.exitCode = 1;
     return;
   }
@@ -34,7 +31,7 @@ async function main(argv = process.argv.slice(2)) {
   try {
     await redis.connect().catch((error) => {
       const message = error instanceof Error ? error.message : String(error);
-      throw new Error(`Failed to connect to Redis at "${maskRedisUrl(redisUrl)}": ${message}`);
+      throw new Error(`Failed to connect to Redis: ${message}`);
     });
     if (args.command === "stats") {
       const keys = await scanKeys(redis, args.pattern ?? "*");
@@ -189,17 +186,6 @@ function summarizeInspectableValue(value) {
   }
   return value;
 }
-function maskRedisUrl(url) {
-  try {
-    const parsed = new URL(url);
-    if (parsed.password) {
-      parsed.password = "***";
-    }
-    return parsed.toString();
-  } catch {
-    return url.replace(/:([^@/]+)@/, ":***@");
-  }
-}
 if (process.argv[1]?.includes("cli.")) {
   void main();
 }

package/dist/{edge-Dw97n89L.d.cts → edge-P07GCO2Y.d.cts}

@@ -663,6 +663,7 @@ declare class CacheStack extends EventEmitter {
     private validateRateLimitOptions;
     private validateNonNegativeNumber;
     private validateCacheKey;
+    private validatePattern;
     private validateTtlPolicy;
     private assertActive;
     private awaitStartup;

package/dist/{edge-Dw97n89L.d.ts → edge-P07GCO2Y.d.ts}

@@ -663,6 +663,7 @@ declare class CacheStack extends EventEmitter {
     private validateRateLimitOptions;
     private validateNonNegativeNumber;
     private validateCacheKey;
+    private validatePattern;
     private validateTtlPolicy;
     private assertActive;
     private awaitStartup;

package/dist/edge.cjs

@@ -295,6 +295,7 @@ var PatternMatcher = class _PatternMatcher {
 };
 
 // src/invalidation/TagIndex.ts
+var MAX_PATTERN_RECURSION_DEPTH = 500;
 var TagIndex = class {
   tagToKeys = /* @__PURE__ */ new Map();
   keyToTags = /* @__PURE__ */ new Map();
@@ -349,7 +350,7 @@ var TagIndex = class {
   }
   async matchPattern(pattern) {
     const matches = /* @__PURE__ */ new Set();
-    this.collectPatternMatches(this.root, "", pattern, 0, matches, /* @__PURE__ */ new Set());
+    this.collectPatternMatches(this.root, "", pattern, 0, matches, /* @__PURE__ */ new Set(), 0);
     return [...matches];
   }
   async clear() {
@@ -401,7 +402,10 @@ var TagIndex = class {
       this.collectFromNode(child, `${prefix}${character}`, matches);
     }
   }
-  collectPatternMatches(node, prefix, pattern, patternIndex, matches, visited) {
+  collectPatternMatches(node, prefix, pattern, patternIndex, matches, visited, depth) {
+    if (depth > MAX_PATTERN_RECURSION_DEPTH) {
+      return;
+    }
     const stateKey = `${node.id}:${patternIndex}`;
     if (visited.has(stateKey)) {
       return;
@@ -418,21 +422,37 @@ var TagIndex = class {
       return;
     }
     if (patternChar === "*") {
-      this.collectPatternMatches(node, prefix, pattern, patternIndex + 1, matches, visited);
+      this.collectPatternMatches(node, prefix, pattern, patternIndex + 1, matches, visited, depth + 1);
       for (const [character, child2] of node.children) {
-        this.collectPatternMatches(child2, `${prefix}${character}`, pattern, patternIndex, matches, visited);
+        this.collectPatternMatches(child2, `${prefix}${character}`, pattern, patternIndex, matches, visited, depth + 1);
       }
       return;
     }
     if (patternChar === "?") {
       for (const [character, child2] of node.children) {
-        this.collectPatternMatches(child2, `${prefix}${character}`, pattern, patternIndex + 1, matches, visited);
+        this.collectPatternMatches(
+          child2,
+          `${prefix}${character}`,
+          pattern,
+          patternIndex + 1,
+          matches,
+          visited,
+          depth + 1
+        );
       }
       return;
     }
     const child = node.children.get(patternChar);
     if (child) {
-      this.collectPatternMatches(child, `${prefix}${patternChar}`, pattern, patternIndex + 1, matches, visited);
+      this.collectPatternMatches(
+        child,
+        `${prefix}${patternChar}`,
+        pattern,
+        patternIndex + 1,
+        matches,
+        visited,
+        depth + 1
+      );
     }
   }
   pruneKnownKeysIfNeeded() {
@@ -533,7 +553,7 @@ function normalizeUrl(url) {
   try {
     const parsed = new URL(url, "http://localhost");
     parsed.searchParams.sort();
-    return decodeURIComponent(parsed.pathname) + parsed.search;
+    return parsed.pathname + parsed.search;
   } catch {
     return url;
   }

package/dist/edge.d.cts

@@ -1,2 +1,2 @@
-export { e as CacheGetOptions, f as CacheLayer, h as CacheLayerSetManyEntry, t as CacheMetricsSnapshot, w as CacheRateLimitOptions, B as CacheTtlPolicy, D as CacheTtlPolicyContext, J as CacheWriteOptions, K as EvictionPolicy, M as MemoryLayer, N as MemoryLayerOptions, O as MemoryLayerSnapshotEntry, P as PatternMatcher, T as TagIndex, Q as createHonoCacheMiddleware } from './edge-Dw97n89L.cjs';
+export { e as CacheGetOptions, f as CacheLayer, h as CacheLayerSetManyEntry, t as CacheMetricsSnapshot, w as CacheRateLimitOptions, B as CacheTtlPolicy, D as CacheTtlPolicyContext, J as CacheWriteOptions, K as EvictionPolicy, M as MemoryLayer, N as MemoryLayerOptions, O as MemoryLayerSnapshotEntry, P as PatternMatcher, T as TagIndex, Q as createHonoCacheMiddleware } from './edge-P07GCO2Y.cjs';
 import 'node:events';

package/dist/edge.d.ts

@@ -1,2 +1,2 @@
-export { e as CacheGetOptions, f as CacheLayer, h as CacheLayerSetManyEntry, t as CacheMetricsSnapshot, w as CacheRateLimitOptions, B as CacheTtlPolicy, D as CacheTtlPolicyContext, J as CacheWriteOptions, K as EvictionPolicy, M as MemoryLayer, N as MemoryLayerOptions, O as MemoryLayerSnapshotEntry, P as PatternMatcher, T as TagIndex, Q as createHonoCacheMiddleware } from './edge-Dw97n89L.js';
+export { e as CacheGetOptions, f as CacheLayer, h as CacheLayerSetManyEntry, t as CacheMetricsSnapshot, w as CacheRateLimitOptions, B as CacheTtlPolicy, D as CacheTtlPolicyContext, J as CacheWriteOptions, K as EvictionPolicy, M as MemoryLayer, N as MemoryLayerOptions, O as MemoryLayerSnapshotEntry, P as PatternMatcher, T as TagIndex, Q as createHonoCacheMiddleware } from './edge-P07GCO2Y.js';
 import 'node:events';

package/dist/edge.js

@@ -2,7 +2,7 @@ import {
   MemoryLayer,
   TagIndex,
   createHonoCacheMiddleware
-} from "./chunk-KOYGHLVP.js";
+} from "./chunk-JC26W3KK.js";
 import {
   PatternMatcher
 } from "./chunk-7V7XAB74.js";

package/dist/index.cjs

@@ -176,6 +176,7 @@ var CacheNamespace = class _CacheNamespace {
    * ```
    */
   namespace(childPrefix) {
+    validateNamespaceKey(childPrefix);
     return new _CacheNamespace(this.cache, `${this.prefix}:${childPrefix}`);
   }
   qualify(key) {
@@ -305,6 +306,17 @@ function addMap(base, delta) {
   }
   return result;
 }
+function validateNamespaceKey(key) {
+  if (key.length === 0) {
+    throw new Error("Namespace prefix must not be empty.");
+  }
+  if (key.length > 256) {
+    throw new Error("Namespace prefix must be at most 256 characters.");
+  }
+  if (/[\u0000-\u001F\u007F]/.test(key)) {
+    throw new Error("Namespace prefix contains unsupported control characters.");
+  }
+}
 
 // src/invalidation/PatternMatcher.ts
 var PatternMatcher = class _PatternMatcher {
@@ -425,9 +437,7 @@ var CircuitBreakerManager = class {
     }
     const now = Date.now();
     if (state.openUntil <= now) {
-      state.openUntil = null;
-      state.failures = 0;
-      this.breakers.set(key, state);
+      this.breakers.delete(key);
       return;
     }
     const remainingMs = state.openUntil - now;
@@ -438,15 +448,15 @@ var CircuitBreakerManager = class {
     if (!options) {
       return;
     }
+    this.pruneIfNeeded();
     const failureThreshold = options.failureThreshold ?? 3;
     const cooldownMs = options.cooldownMs ?? 3e4;
-    const state = this.breakers.get(key) ?? { failures: 0, openUntil: null };
+    const state = this.breakers.get(key) ?? { failures: 0, openUntil: null, createdAt: Date.now() };
     state.failures += 1;
     if (state.failures >= failureThreshold) {
       state.openUntil = Date.now() + cooldownMs;
     }
     this.breakers.set(key, state);
-    this.pruneIfNeeded();
   }
   recordSuccess(key) {
     this.breakers.delete(key);
@@ -457,8 +467,7 @@ var CircuitBreakerManager = class {
       return false;
     }
     if (state.openUntil <= Date.now()) {
-      state.openUntil = null;
-      state.failures = 0;
+      this.breakers.delete(key);
       return false;
     }
     return true;
@@ -482,15 +491,20 @@ var CircuitBreakerManager = class {
     if (this.breakers.size <= this.maxEntries) {
       return;
     }
+    const now = Date.now();
     for (const [key, state] of this.breakers.entries()) {
       if (this.breakers.size <= this.maxEntries) {
-        break;
+        return;
       }
-      if (!state.openUntil || state.openUntil <= Date.now()) {
+      if (!state.openUntil || state.openUntil <= now) {
         this.breakers.delete(key);
       }
     }
-    for (const key of this.breakers.keys()) {
+    if (this.breakers.size <= this.maxEntries) {
+      return;
+    }
+    const sorted = [...this.breakers.entries()].sort((a, b) => a[1].createdAt - b[1].createdAt);
+    for (const [key] of sorted) {
       if (this.breakers.size <= this.maxEntries) {
         break;
       }
@@ -500,6 +514,7 @@ var CircuitBreakerManager = class {
 };
 
 // src/internal/FetchRateLimiter.ts
+var MAX_BUCKETS = 1e4;
 var FetchRateLimiter = class {
   buckets = /* @__PURE__ */ new Map();
   queuesByBucket = /* @__PURE__ */ new Map();
@@ -665,10 +680,25 @@ var FetchRateLimiter = class {
     if (existing) {
       return existing;
     }
+    if (this.buckets.size >= MAX_BUCKETS) {
+      this.evictIdleBuckets();
+    }
     const bucket = { active: 0, startedAt: [] };
     this.buckets.set(bucketKey, bucket);
     return bucket;
   }
+  evictIdleBuckets() {
+    for (const [key, bucket] of this.buckets.entries()) {
+      if (this.buckets.size <= MAX_BUCKETS * 0.9) {
+        break;
+      }
+      if (bucket.active === 0 && bucket.startedAt.length === 0 && !this.queuesByBucket.has(key)) {
+        this.buckets.delete(key);
+        this.queuesByBucket.delete(key);
+        this.pendingBuckets.delete(key);
+      }
+    }
+  }
   cleanupBucket(bucketKey, bucket, intervalMs) {
     const queued = this.queuesByBucket.get(bucketKey)?.length ?? 0;
     if (queued === 0 && bucket.active === 0 && bucket.startedAt.length === 0) {
@@ -995,18 +1025,18 @@ var TtlResolver = class {
       return;
     }
     const toRemove = Math.ceil(this.maxProfileEntries * 0.1);
-    let removed = 0;
-    for (const key of this.accessProfiles.keys()) {
-      if (removed >= toRemove) {
-        break;
+    const sorted = [...this.accessProfiles.entries()].sort((a, b) => a[1].lastAccessAt - b[1].lastAccessAt);
+    for (let i = 0; i < toRemove && i < sorted.length; i++) {
+      const entry = sorted[i];
+      if (entry) {
+        this.accessProfiles.delete(entry[0]);
       }
-      this.accessProfiles.delete(key);
-      removed += 1;
     }
   }
 };
 
 // src/invalidation/TagIndex.ts
+var MAX_PATTERN_RECURSION_DEPTH = 500;
 var TagIndex = class {
   tagToKeys = /* @__PURE__ */ new Map();
   keyToTags = /* @__PURE__ */ new Map();
@@ -1061,7 +1091,7 @@ var TagIndex = class {
   }
   async matchPattern(pattern) {
     const matches = /* @__PURE__ */ new Set();
-    this.collectPatternMatches(this.root, "", pattern, 0, matches, /* @__PURE__ */ new Set());
+    this.collectPatternMatches(this.root, "", pattern, 0, matches, /* @__PURE__ */ new Set(), 0);
     return [...matches];
   }
   async clear() {
@@ -1113,7 +1143,10 @@ var TagIndex = class {
       this.collectFromNode(child, `${prefix}${character}`, matches);
     }
   }
-  collectPatternMatches(node, prefix, pattern, patternIndex, matches, visited) {
+  collectPatternMatches(node, prefix, pattern, patternIndex, matches, visited, depth) {
+    if (depth > MAX_PATTERN_RECURSION_DEPTH) {
+      return;
+    }
     const stateKey = `${node.id}:${patternIndex}`;
     if (visited.has(stateKey)) {
       return;
@@ -1130,21 +1163,37 @@ var TagIndex = class {
       return;
     }
     if (patternChar === "*") {
-      this.collectPatternMatches(node, prefix, pattern, patternIndex + 1, matches, visited);
+      this.collectPatternMatches(node, prefix, pattern, patternIndex + 1, matches, visited, depth + 1);
       for (const [character, child2] of node.children) {
-        this.collectPatternMatches(child2, `${prefix}${character}`, pattern, patternIndex, matches, visited);
+        this.collectPatternMatches(child2, `${prefix}${character}`, pattern, patternIndex, matches, visited, depth + 1);
       }
       return;
     }
     if (patternChar === "?") {
       for (const [character, child2] of node.children) {
-        this.collectPatternMatches(child2, `${prefix}${character}`, pattern, patternIndex + 1, matches, visited);
+        this.collectPatternMatches(
+          child2,
+          `${prefix}${character}`,
+          pattern,
+          patternIndex + 1,
+          matches,
+          visited,
+          depth + 1
+        );
       }
       return;
     }
     const child = node.children.get(patternChar);
     if (child) {
-      this.collectPatternMatches(child, `${prefix}${patternChar}`, pattern, patternIndex + 1, matches, visited);
+      this.collectPatternMatches(
+        child,
+        `${prefix}${patternChar}`,
+        pattern,
+        patternIndex + 1,
+        matches,
+        visited,
+        depth + 1
+      );
     }
   }
   pruneKnownKeysIfNeeded() {
@@ -1287,6 +1336,7 @@ var DEFAULT_SINGLE_FLIGHT_TIMEOUT_MS = 5e3;
 var DEFAULT_SINGLE_FLIGHT_POLL_MS = 50;
 var DEFAULT_BACKGROUND_REFRESH_TIMEOUT_MS = 3e4;
 var MAX_CACHE_KEY_LENGTH = 1024;
+var MAX_PATTERN_LENGTH = 1024;
 var DEFAULT_MAX_PROFILE_ENTRIES = 1e5;
 var DANGEROUS_OBJECT_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
 var DebugLogger = class {
@@ -1720,6 +1770,7 @@ var CacheStack = class extends import_node_events.EventEmitter {
     await this.publishInvalidation({ scope: "keys", keys, sourceId: this.instanceId, operation: "invalidate" });
   }
   async invalidateByPattern(pattern) {
+    this.validatePattern(pattern);
     await this.awaitStartup("invalidateByPattern");
     const keys = await this.keyDiscovery.collectKeysMatchingPattern(this.qualifyPattern(pattern));
     await this.deleteKeys(keys);
@@ -2613,6 +2664,17 @@ var CacheStack = class extends import_node_events.EventEmitter {
     }
     return key;
   }
+  validatePattern(pattern) {
+    if (pattern.length === 0) {
+      throw new Error("Pattern must not be empty.");
+    }
+    if (pattern.length > MAX_PATTERN_LENGTH) {
+      throw new Error(`Pattern length must be at most ${MAX_PATTERN_LENGTH} characters.`);
+    }
+    if (/[\u0000-\u001F\u007F]/.test(pattern)) {
+      throw new Error("Pattern contains unsupported control characters.");
+    }
+  }
   validateTtlPolicy(name, policy) {
     if (!policy || typeof policy === "function" || policy === "until-midnight" || policy === "next-hour") {
       return;
@@ -2777,7 +2839,18 @@ var CacheStack = class extends import_node_events.EventEmitter {
   }
 };
 function createInstanceId() {
-  return globalThis.crypto?.randomUUID?.() ?? `layercache-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+  if (globalThis.crypto?.randomUUID) {
+    return globalThis.crypto.randomUUID();
+  }
+  const bytes = new Uint8Array(16);
+  if (globalThis.crypto?.getRandomValues) {
+    globalThis.crypto.getRandomValues(bytes);
+  } else {
+    for (let i = 0; i < bytes.length; i++) {
+      bytes[i] = Math.floor(Math.random() * 256);
+    }
+  }
+  return `layercache-${Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("")}`;
 }
 
 // src/invalidation/RedisInvalidationBus.ts
@@ -2819,7 +2892,7 @@ var RedisInvalidationBus = class {
   async dispatchToHandlers(payload) {
     let message;
     try {
-      const parsed = JSON.parse(payload);
+      const parsed = sanitizeJsonValue2(JSON.parse(payload));
       if (!this.isInvalidationMessage(parsed)) {
         throw new Error("Invalid invalidation payload shape.");
       }
@@ -2856,6 +2929,22 @@ var RedisInvalidationBus = class {
     console.error(`[layercache] ${message}`, error);
   }
 };
+var DANGEROUS_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
+function sanitizeJsonValue2(value) {
+  if (Array.isArray(value)) {
+    return value.map(sanitizeJsonValue2);
+  }
+  if (value && typeof value === "object") {
+    const result = /* @__PURE__ */ Object.create(null);
+    for (const key of Object.keys(value)) {
+      if (!DANGEROUS_KEYS.has(key)) {
+        result[key] = sanitizeJsonValue2(value[key]);
+      }
+    }
+    return result;
+  }
+  return value;
+}
 
 // src/invalidation/RedisTagIndex.ts
 var RedisTagIndex = class {
@@ -2996,6 +3085,8 @@ function createCacheStatsHandler(cache) {
   return async (_request, response) => {
     response.statusCode = 200;
     response.setHeader?.("content-type", "application/json; charset=utf-8");
+    response.setHeader?.("cache-control", "no-store");
+    response.setHeader?.("x-content-type-options", "nosniff");
     response.end(JSON.stringify(cache.getStats(), null, 2));
   };
 }
@@ -3081,7 +3172,7 @@ function normalizeUrl(url) {
   try {
     const parsed = new URL(url, "http://localhost");
     parsed.searchParams.sort();
-    return decodeURIComponent(parsed.pathname) + parsed.search;
+    return parsed.pathname + parsed.search;
   } catch {
     return url;
   }
@@ -3132,7 +3223,7 @@ function normalizeUrl2(url) {
   try {
     const parsed = new URL(url, "http://localhost");
     parsed.searchParams.sort();
-    return decodeURIComponent(parsed.pathname) + parsed.search;
+    return parsed.pathname + parsed.search;
   } catch {
     return url;
   }
@@ -3595,8 +3686,9 @@ var RedisLayer = class {
       }
     }
     try {
-      await this.client.del(this.withPrefix(key)).catch(() => void 0);
-    } catch {
+      await this.client.del(this.withPrefix(key));
+    } catch (deleteError) {
+      console.warn(`[layercache] RedisLayer: failed to delete corrupted key "${key}"`, deleteError);
     }
     return null;
   }
@@ -3996,7 +4088,7 @@ var MemcachedLayer = class {
 
 // src/serialization/MsgpackSerializer.ts
 var import_msgpack = require("@msgpack/msgpack");
-var DANGEROUS_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
+var DANGEROUS_KEYS2 = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
 var MsgpackSerializer = class {
   serialize(value) {
     return Buffer.from((0, import_msgpack.encode)(value));
@@ -4015,7 +4107,7 @@ function sanitizeMsgpackValue(value) {
   }
   const sanitized = {};
   for (const [key, entry] of Object.entries(value)) {
-    if (DANGEROUS_KEYS.has(key)) {
+    if (DANGEROUS_KEYS2.has(key)) {
       continue;
     }
     sanitized[key] = sanitizeMsgpackValue(entry);

package/dist/index.d.cts

@@ -1,5 +1,5 @@
-import { I as InvalidationBus, C as CacheLogger, a as InvalidationMessage, b as CacheTagIndex, c as CacheStack, d as CacheWrapOptions, e as CacheGetOptions, f as CacheLayer, g as CacheSerializer, h as CacheLayerSetManyEntry, i as CacheSingleFlightCoordinator, j as CacheSingleFlightExecutionOptions } from './edge-Dw97n89L.cjs';
-export { k as CacheAdaptiveTtlOptions, l as CacheCircuitBreakerOptions, m as CacheDegradationOptions, n as CacheHealthCheckResult, o as CacheHitRateSnapshot, p as CacheInspectResult, q as CacheLayerLatency, r as CacheMGetEntry, s as CacheMSetEntry, t as CacheMetricsSnapshot, u as CacheMissError, v as CacheNamespace, w as CacheRateLimitOptions, x as CacheSnapshotEntry, y as CacheStackEvents, z as CacheStackOptions, A as CacheStatsSnapshot, B as CacheTtlPolicy, D as CacheTtlPolicyContext, E as CacheWarmEntry, F as CacheWarmOptions, G as CacheWarmProgress, H as CacheWriteBehindOptions, J as CacheWriteOptions, K as EvictionPolicy, L as LayerTtlMap, M as MemoryLayer, N as MemoryLayerOptions, O as MemoryLayerSnapshotEntry, P as PatternMatcher, T as TagIndex, Q as createHonoCacheMiddleware } from './edge-Dw97n89L.cjs';
+import { I as InvalidationBus, C as CacheLogger, a as InvalidationMessage, b as CacheTagIndex, c as CacheStack, d as CacheWrapOptions, e as CacheGetOptions, f as CacheLayer, g as CacheSerializer, h as CacheLayerSetManyEntry, i as CacheSingleFlightCoordinator, j as CacheSingleFlightExecutionOptions } from './edge-P07GCO2Y.cjs';
+export { k as CacheAdaptiveTtlOptions, l as CacheCircuitBreakerOptions, m as CacheDegradationOptions, n as CacheHealthCheckResult, o as CacheHitRateSnapshot, p as CacheInspectResult, q as CacheLayerLatency, r as CacheMGetEntry, s as CacheMSetEntry, t as CacheMetricsSnapshot, u as CacheMissError, v as CacheNamespace, w as CacheRateLimitOptions, x as CacheSnapshotEntry, y as CacheStackEvents, z as CacheStackOptions, A as CacheStatsSnapshot, B as CacheTtlPolicy, D as CacheTtlPolicyContext, E as CacheWarmEntry, F as CacheWarmOptions, G as CacheWarmProgress, H as CacheWriteBehindOptions, J as CacheWriteOptions, K as EvictionPolicy, L as LayerTtlMap, M as MemoryLayer, N as MemoryLayerOptions, O as MemoryLayerSnapshotEntry, P as PatternMatcher, T as TagIndex, Q as createHonoCacheMiddleware } from './edge-P07GCO2Y.cjs';
 import Redis from 'ioredis';
 import 'node:events';
 

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { I as InvalidationBus, C as CacheLogger, a as InvalidationMessage, b as CacheTagIndex, c as CacheStack, d as CacheWrapOptions, e as CacheGetOptions, f as CacheLayer, g as CacheSerializer, h as CacheLayerSetManyEntry, i as CacheSingleFlightCoordinator, j as CacheSingleFlightExecutionOptions } from './edge-Dw97n89L.js';
-export { k as CacheAdaptiveTtlOptions, l as CacheCircuitBreakerOptions, m as CacheDegradationOptions, n as CacheHealthCheckResult, o as CacheHitRateSnapshot, p as CacheInspectResult, q as CacheLayerLatency, r as CacheMGetEntry, s as CacheMSetEntry, t as CacheMetricsSnapshot, u as CacheMissError, v as CacheNamespace, w as CacheRateLimitOptions, x as CacheSnapshotEntry, y as CacheStackEvents, z as CacheStackOptions, A as CacheStatsSnapshot, B as CacheTtlPolicy, D as CacheTtlPolicyContext, E as CacheWarmEntry, F as CacheWarmOptions, G as CacheWarmProgress, H as CacheWriteBehindOptions, J as CacheWriteOptions, K as EvictionPolicy, L as LayerTtlMap, M as MemoryLayer, N as MemoryLayerOptions, O as MemoryLayerSnapshotEntry, P as PatternMatcher, T as TagIndex, Q as createHonoCacheMiddleware } from './edge-Dw97n89L.js';
+import { I as InvalidationBus, C as CacheLogger, a as InvalidationMessage, b as CacheTagIndex, c as CacheStack, d as CacheWrapOptions, e as CacheGetOptions, f as CacheLayer, g as CacheSerializer, h as CacheLayerSetManyEntry, i as CacheSingleFlightCoordinator, j as CacheSingleFlightExecutionOptions } from './edge-P07GCO2Y.js';
+export { k as CacheAdaptiveTtlOptions, l as CacheCircuitBreakerOptions, m as CacheDegradationOptions, n as CacheHealthCheckResult, o as CacheHitRateSnapshot, p as CacheInspectResult, q as CacheLayerLatency, r as CacheMGetEntry, s as CacheMSetEntry, t as CacheMetricsSnapshot, u as CacheMissError, v as CacheNamespace, w as CacheRateLimitOptions, x as CacheSnapshotEntry, y as CacheStackEvents, z as CacheStackOptions, A as CacheStatsSnapshot, B as CacheTtlPolicy, D as CacheTtlPolicyContext, E as CacheWarmEntry, F as CacheWarmOptions, G as CacheWarmProgress, H as CacheWriteBehindOptions, J as CacheWriteOptions, K as EvictionPolicy, L as LayerTtlMap, M as MemoryLayer, N as MemoryLayerOptions, O as MemoryLayerSnapshotEntry, P as PatternMatcher, T as TagIndex, Q as createHonoCacheMiddleware } from './edge-P07GCO2Y.js';
 import Redis from 'ioredis';
 import 'node:events';