undici 7.13.0 → 7.15.0

package/lib/mock/snapshot-utils.js

@@ -0,0 +1,158 @@
+'use strict'
+
+const { InvalidArgumentError } = require('../core/errors')
+
+/**
+ * @typedef {Object} HeaderFilters
+ * @property {Set<string>} ignore - Set of headers to ignore for matching
+ * @property {Set<string>} exclude - Set of headers to exclude from matching
+ * @property {Set<string>} match - Set of headers to match (empty means match
+ */
+
+/**
+ * Creates cached header sets for performance
+ *
+ * @param {import('./snapshot-recorder').SnapshotRecorderMatchOptions} matchOptions - Matching options for headers
+ * @returns {HeaderFilters} - Cached sets for ignore, exclude, and match headers
+ */
+function createHeaderFilters (matchOptions = {}) {
+  const { ignoreHeaders = [], excludeHeaders = [], matchHeaders = [], caseSensitive = false } = matchOptions
+
+  return {
+    ignore: new Set(ignoreHeaders.map(header => caseSensitive ? header : header.toLowerCase())),
+    exclude: new Set(excludeHeaders.map(header => caseSensitive ? header : header.toLowerCase())),
+    match: new Set(matchHeaders.map(header => caseSensitive ? header : header.toLowerCase()))
+  }
+}
+
+let crypto
+try {
+  crypto = require('node:crypto')
+} catch { /* Fallback if crypto is not available */ }
+
+/**
+ * @callback HashIdFunction
+ * @param {string} value - The value to hash
+ * @returns {string} - The base64url encoded hash of the value
+ */
+
+/**
+ * Generates a hash for a given value
+ * @type {HashIdFunction}
+ */
+const hashId = crypto?.hash
+  ? (value) => crypto.hash('sha256', value, 'base64url')
+  : (value) => Buffer.from(value).toString('base64url')
+
+/**
+ * @typedef {(url: string) => boolean} IsUrlExcluded Checks if a URL matches any of the exclude patterns
+ */
+
+/** @typedef {{[key: Lowercase<string>]: string}} NormalizedHeaders */
+/** @typedef {Array<string>} UndiciHeaders */
+/** @typedef {Record<string, string|string[]>} Headers */
+
+/**
+ * @param {*} headers
+ * @returns {headers is UndiciHeaders}
+ */
+function isUndiciHeaders (headers) {
+  return Array.isArray(headers) && (headers.length & 1) === 0
+}
+
+/**
+ * Factory function to create a URL exclusion checker
+ * @param {Array<string| RegExp>} [excludePatterns=[]] - Array of patterns to exclude
+ * @returns {IsUrlExcluded} - A function that checks if a URL matches any of the exclude patterns
+ */
+function isUrlExcludedFactory (excludePatterns = []) {
+  if (excludePatterns.length === 0) {
+    return () => false
+  }
+
+  return function isUrlExcluded (url) {
+    let urlLowerCased
+
+    for (const pattern of excludePatterns) {
+      if (typeof pattern === 'string') {
+        if (!urlLowerCased) {
+          // Convert URL to lowercase only once
+          urlLowerCased = url.toLowerCase()
+        }
+        // Simple string match (case-insensitive)
+        if (urlLowerCased.includes(pattern.toLowerCase())) {
+          return true
+        }
+      } else if (pattern instanceof RegExp) {
+        // Regex pattern match
+        if (pattern.test(url)) {
+          return true
+        }
+      }
+    }
+
+    return false
+  }
+}
+
+/**
+ * Normalizes headers for consistent comparison
+ *
+ * @param {Object|UndiciHeaders} headers - Headers to normalize
+ * @returns {NormalizedHeaders} - Normalized headers as a lowercase object
+ */
+function normalizeHeaders (headers) {
+  /** @type {NormalizedHeaders} */
+  const normalizedHeaders = {}
+
+  if (!headers) return normalizedHeaders
+
+  // Handle array format (undici internal format: [name, value, name, value, ...])
+  if (isUndiciHeaders(headers)) {
+    for (let i = 0; i < headers.length; i += 2) {
+      const key = headers[i]
+      const value = headers[i + 1]
+      if (key && value !== undefined) {
+        // Convert Buffers to strings if needed
+        const keyStr = Buffer.isBuffer(key) ? key.toString() : key
+        const valueStr = Buffer.isBuffer(value) ? value.toString() : value
+        normalizedHeaders[keyStr.toLowerCase()] = valueStr
+      }
+    }
+    return normalizedHeaders
+  }
+
+  // Handle object format
+  if (headers && typeof headers === 'object') {
+    for (const [key, value] of Object.entries(headers)) {
+      if (key && typeof key === 'string') {
+        normalizedHeaders[key.toLowerCase()] = Array.isArray(value) ? value.join(', ') : String(value)
+      }
+    }
+  }
+
+  return normalizedHeaders
+}
+
+const validSnapshotModes = /** @type {const} */ (['record', 'playback', 'update'])
+
+/** @typedef {typeof validSnapshotModes[number]} SnapshotMode */
+
+/**
+ * @param {*} mode - The snapshot mode to validate
+ * @returns {asserts mode is SnapshotMode}
+ */
+function validateSnapshotMode (mode) {
+  if (!validSnapshotModes.includes(mode)) {
+    throw new InvalidArgumentError(`Invalid snapshot mode: ${mode}. Must be one of: ${validSnapshotModes.join(', ')}`)
+  }
+}
+
+module.exports = {
+  createHeaderFilters,
+  hashId,
+  isUndiciHeaders,
+  normalizeHeaders,
+  isUrlExcludedFactory,
+  validateSnapshotMode
+}

package/lib/util/cache.js

@@ -1,7 +1,8 @@
 'use strict'
 
 const {
-  safeHTTPMethods
+  safeHTTPMethods,
+  pathHasQueryOrFragment
 } = require('../core/util')
 
 const { serializePathWithQuery } = require('../core/util')
@@ -14,12 +15,10 @@ function makeCacheKey (opts) {
     throw new Error('opts.origin is undefined')
   }
 
-  let fullPath
-  try {
-    fullPath = serializePathWithQuery(opts.path || '/', opts.query)
-  } catch (error) {
-    // If fails (path already has query params), use as-is
-    fullPath = opts.path || '/'
+  let fullPath = opts.path || '/'
+
+  if (opts.query && !pathHasQueryOrFragment(opts.path)) {
+    fullPath = serializePathWithQuery(fullPath, opts.query)
   }
 
   return {
@@ -34,7 +33,7 @@ function makeCacheKey (opts) {
  * @param {Record<string, string[] | string>}
  * @returns {Record<string, string[] | string>}
  */
-function normaliseHeaders (opts) {
+function normalizeHeaders (opts) {
   let headers
   if (opts.headers == null) {
     headers = {}
@@ -234,7 +233,7 @@ function parseCacheControlHeader (header) {
               }
             }
           } else {
-            // Something like `no-cache=some-header`
+            // Something like `no-cache="some-header"`
             if (key in output) {
               output[key] = output[key].concat(value)
             } else {
@@ -367,7 +366,7 @@ function assertCacheMethods (methods, name = 'CacheMethods') {
 
 module.exports = {
   makeCacheKey,
-  normaliseHeaders,
+  normalizeHeaders,
   assertCacheKey,
   assertCacheValue,
   parseCacheControlHeader,

package/lib/web/cache/cache.js

@@ -18,7 +18,7 @@ const { createDeferredPromise } = require('../../util/promise')
  * @property {'delete' | 'put'} type
  * @property {any} request
  * @property {any} response
- * @property {import('../../types/cache').CacheQueryOptions} options
+ * @property {import('../../../types/cache').CacheQueryOptions} options
  */
 
 /**
@@ -452,7 +452,7 @@ class Cache {
   /**
    * @see https://w3c.github.io/ServiceWorker/#dom-cache-keys
    * @param {any} request
-   * @param {import('../../types/cache').CacheQueryOptions} options
+   * @param {import('../../../types/cache').CacheQueryOptions} options
    * @returns {Promise<readonly Request[]>}
    */
   async keys (request = undefined, options = {}) {
@@ -670,7 +670,7 @@ class Cache {
   /**
    * @see https://w3c.github.io/ServiceWorker/#query-cache
    * @param {any} requestQuery
-   * @param {import('../../types/cache').CacheQueryOptions} options
+   * @param {import('../../../types/cache').CacheQueryOptions} options
    * @param {requestResponseList} targetStorage
    * @returns {requestResponseList}
    */
@@ -695,7 +695,7 @@ class Cache {
    * @param {any} requestQuery
    * @param {any} request
    * @param {any | null} response
-   * @param {import('../../types/cache').CacheQueryOptions | undefined} options
+   * @param {import('../../../types/cache').CacheQueryOptions | undefined} options
    * @returns {boolean}
    */
   #requestMatchesCachedItem (requestQuery, request, response = null, options) {

package/lib/web/cookies/parse.js

@@ -4,7 +4,7 @@ const { maxNameValuePairSize, maxAttributeValueSize } = require('./constants')
 const { isCTLExcludingHtab } = require('./util')
 const { collectASequenceOfCodePointsFast } = require('../fetch/data-url')
 const assert = require('node:assert')
-const { unescape } = require('node:querystring')
+const { unescape: qsUnescape } = require('node:querystring')
 
 /**
  * @description Parses the field-value attributes of a set-cookie header string.
@@ -82,7 +82,7 @@ function parseSetCookie (header) {
   // store arbitrary data in a cookie-value SHOULD encode that data, for
   // example, using Base64 [RFC4648].
   return {
-    name, value: unescape(value), ...parseUnparsedAttributes(unparsedAttributes)
+    name, value: qsUnescape(value), ...parseUnparsedAttributes(unparsedAttributes)
   }
 }
 

package/lib/web/eventsource/eventsource.js

@@ -124,10 +124,10 @@ class EventSource extends EventTarget {
     url = webidl.converters.USVString(url)
     eventSourceInitDict = webidl.converters.EventSourceInitDict(eventSourceInitDict, prefix, 'eventSourceInitDict')
 
-    this.#dispatcher = eventSourceInitDict.dispatcher
+    this.#dispatcher = eventSourceInitDict.node.dispatcher || eventSourceInitDict.dispatcher
     this.#state = {
       lastEventId: '',
-      reconnectionTime: defaultReconnectionTime
+      reconnectionTime: eventSourceInitDict.node.reconnectionTime
     }
 
     // 2. Let settings be ev's relevant settings object.
@@ -472,6 +472,21 @@ webidl.converters.EventSourceInitDict = webidl.dictionaryConverter([
   {
     key: 'dispatcher', // undici only
     converter: webidl.converters.any
+  },
+  {
+    key: 'node', // undici only
+    converter: webidl.dictionaryConverter([
+      {
+        key: 'reconnectionTime',
+        converter: webidl.converters['unsigned long'],
+        defaultValue: () => defaultReconnectionTime
+      },
+      {
+        key: 'dispatcher',
+        converter: webidl.converters.any
+      }
+    ]),
+    defaultValue: () => ({})
   }
 ])
 

package/lib/web/fetch/body.js

@@ -125,7 +125,7 @@ function extractBody (object, keepalive = false) {
     const prefix = `--${boundary}\r\nContent-Disposition: form-data`
 
     /*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
-    const escape = (str) =>
+    const formdataEscape = (str) =>
       str.replace(/\n/g, '%0A').replace(/\r/g, '%0D').replace(/"/g, '%22')
     const normalizeLinefeeds = (value) => value.replace(/\r?\n|\r/g, '\r\n')
 
@@ -143,13 +143,13 @@ function extractBody (object, keepalive = false) {
     for (const [name, value] of object) {
       if (typeof value === 'string') {
         const chunk = textEncoder.encode(prefix +
-          `; name="${escape(normalizeLinefeeds(name))}"` +
+          `; name="${formdataEscape(normalizeLinefeeds(name))}"` +
           `\r\n\r\n${normalizeLinefeeds(value)}\r\n`)
         blobParts.push(chunk)
         length += chunk.byteLength
       } else {
-        const chunk = textEncoder.encode(`${prefix}; name="${escape(normalizeLinefeeds(name))}"` +
-          (value.name ? `; filename="${escape(value.name)}"` : '') + '\r\n' +
+        const chunk = textEncoder.encode(`${prefix}; name="${formdataEscape(normalizeLinefeeds(name))}"` +
+          (value.name ? `; filename="${formdataEscape(value.name)}"` : '') + '\r\n' +
           `Content-Type: ${
             value.type || 'application/octet-stream'
           }\r\n\r\n`)

package/lib/web/fetch/formdata.js

@@ -9,7 +9,7 @@ const nodeUtil = require('node:util')
 class FormData {
   #state = []
 
-  constructor (form) {
+  constructor (form = undefined) {
     webidl.util.markAsUncloneable(this)
 
     if (form !== undefined) {

package/lib/web/fetch/index.js

@@ -14,7 +14,6 @@ const { HeadersList } = require('./headers')
 const { Request, cloneRequest, getRequestDispatcher, getRequestState } = require('./request')
 const zlib = require('node:zlib')
 const {
-  bytesMatch,
   makePolicyContainer,
   clonePolicyContainer,
   requestBadPort,
@@ -62,6 +61,7 @@ const { dataURLProcessor, serializeAMimeType, minimizeSupportedMimeType } = requ
 const { getGlobalDispatcher } = require('../../global')
 const { webidl } = require('../webidl')
 const { STATUS_CODES } = require('node:http')
+const { bytesMatch } = require('../subresource-integrity/subresource-integrity')
 const { createDeferredPromise } = require('../../util/promise')
 const GET_OR_HEAD = ['GET', 'HEAD']
 

package/lib/web/fetch/response.js

@@ -22,7 +22,8 @@ const { webidl } = require('../webidl')
 const { URLSerializer } = require('./data-url')
 const { kConstruct } = require('../../core/symbols')
 const assert = require('node:assert')
-const { types } = require('node:util')
+
+const { isArrayBuffer } = nodeUtil.types
 
 const textEncoder = new TextEncoder('utf-8')
 
@@ -243,6 +244,11 @@ class Response {
     // 2. Let clonedResponse be the result of cloning this’s response.
     const clonedResponse = cloneResponse(this.#state)
 
+    // Note: To re-register because of a new stream.
+    if (this.#state.body?.stream) {
+      streamRegistry.register(this, new WeakRef(this.#state.body.stream))
+    }
+
     // 3. Return the result of creating a Response object, given
     // clonedResponse, this’s headers’s guard, and this’s relevant Realm.
     return fromInnerResponse(clonedResponse, getHeadersGuard(this.#headers))
@@ -353,8 +359,6 @@ function cloneResponse (response) {
   // result of cloning response’s body.
   if (response.body != null) {
     newResponse.body = cloneBody(response.body)
-
-    streamRegistry.register(newResponse, new WeakRef(response.body.stream))
   }
 
   // 4. Return newResponse.
@@ -576,7 +580,7 @@ webidl.converters.XMLHttpRequestBodyInit = function (V, prefix, name) {
     return V
   }
 
-  if (ArrayBuffer.isView(V) || types.isArrayBuffer(V)) {
+  if (ArrayBuffer.isView(V) || isArrayBuffer(V)) {
     return V
   }
 

package/lib/web/fetch/util.js

@@ -11,20 +11,6 @@ const assert = require('node:assert')
 const { isUint8Array } = require('node:util/types')
 const { webidl } = require('../webidl')
 
-let supportedHashes = []
-
-// https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable
-/** @type {import('crypto')} */
-let crypto
-try {
-  crypto = require('node:crypto')
-  const possibleRelevantHashes = ['sha256', 'sha384', 'sha512']
-  supportedHashes = crypto.getHashes().filter((hash) => possibleRelevantHashes.includes(hash))
-/* c8 ignore next 3 */
-} catch {
-
-}
-
 function responseURL (response) {
   // https://fetch.spec.whatwg.org/#responses
   // A response has an associated URL. It is a pointer to the last URL
@@ -698,206 +684,6 @@ function isURLPotentiallyTrustworthy (url) {
   return isOriginPotentiallyTrustworthy(url.origin)
 }
 
-/**
- * @see https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist
- * @param {Uint8Array} bytes
- * @param {string} metadataList
- */
-function bytesMatch (bytes, metadataList) {
-  // If node is not built with OpenSSL support, we cannot check
-  // a request's integrity, so allow it by default (the spec will
-  // allow requests if an invalid hash is given, as precedence).
-  /* istanbul ignore if: only if node is built with --without-ssl */
-  if (crypto === undefined) {
-    return true
-  }
-
-  // 1. Let parsedMetadata be the result of parsing metadataList.
-  const parsedMetadata = parseMetadata(metadataList)
-
-  // 2. If parsedMetadata is no metadata, return true.
-  if (parsedMetadata === 'no metadata') {
-    return true
-  }
-
-  // 3. If response is not eligible for integrity validation, return false.
-  // TODO
-
-  // 4. If parsedMetadata is the empty set, return true.
-  if (parsedMetadata.length === 0) {
-    return true
-  }
-
-  // 5. Let metadata be the result of getting the strongest
-  //    metadata from parsedMetadata.
-  const strongest = getStrongestMetadata(parsedMetadata)
-  const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest)
-
-  // 6. For each item in metadata:
-  for (const item of metadata) {
-    // 1. Let algorithm be the alg component of item.
-    const algorithm = item.algo
-
-    // 2. Let expectedValue be the val component of item.
-    const expectedValue = item.hash
-
-    // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e
-    // "be liberal with padding". This is annoying, and it's not even in the spec.
-
-    // 3. Let actualValue be the result of applying algorithm to bytes.
-    let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64')
-
-    if (actualValue[actualValue.length - 1] === '=') {
-      if (actualValue[actualValue.length - 2] === '=') {
-        actualValue = actualValue.slice(0, -2)
-      } else {
-        actualValue = actualValue.slice(0, -1)
-      }
-    }
-
-    // 4. If actualValue is a case-sensitive match for expectedValue,
-    //    return true.
-    if (compareBase64Mixed(actualValue, expectedValue)) {
-      return true
-    }
-  }
-
-  // 7. Return false.
-  return false
-}
-
-// https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options
-// https://www.w3.org/TR/CSP2/#source-list-syntax
-// https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1
-const parseHashWithOptions = /(?<algo>sha256|sha384|sha512)-((?<hash>[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i
-
-/**
- * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata
- * @param {string} metadata
- */
-function parseMetadata (metadata) {
-  // 1. Let result be the empty set.
-  /** @type {{ algo: string, hash: string }[]} */
-  const result = []
-
-  // 2. Let empty be equal to true.
-  let empty = true
-
-  // 3. For each token returned by splitting metadata on spaces:
-  for (const token of metadata.split(' ')) {
-    // 1. Set empty to false.
-    empty = false
-
-    // 2. Parse token as a hash-with-options.
-    const parsedToken = parseHashWithOptions.exec(token)
-
-    // 3. If token does not parse, continue to the next token.
-    if (
-      parsedToken === null ||
-      parsedToken.groups === undefined ||
-      parsedToken.groups.algo === undefined
-    ) {
-      // Note: Chromium blocks the request at this point, but Firefox
-      // gives a warning that an invalid integrity was given. The
-      // correct behavior is to ignore these, and subsequently not
-      // check the integrity of the resource.
-      continue
-    }
-
-    // 4. Let algorithm be the hash-algo component of token.
-    const algorithm = parsedToken.groups.algo.toLowerCase()
-
-    // 5. If algorithm is a hash function recognized by the user
-    //    agent, add the parsed token to result.
-    if (supportedHashes.includes(algorithm)) {
-      result.push(parsedToken.groups)
-    }
-  }
-
-  // 4. Return no metadata if empty is true, otherwise return result.
-  if (empty === true) {
-    return 'no metadata'
-  }
-
-  return result
-}
-
-/**
- * @param {{ algo: 'sha256' | 'sha384' | 'sha512' }[]} metadataList
- */
-function getStrongestMetadata (metadataList) {
-  // Let algorithm be the algo component of the first item in metadataList.
-  // Can be sha256
-  let algorithm = metadataList[0].algo
-  // If the algorithm is sha512, then it is the strongest
-  // and we can return immediately
-  if (algorithm[3] === '5') {
-    return algorithm
-  }
-
-  for (let i = 1; i < metadataList.length; ++i) {
-    const metadata = metadataList[i]
-    // If the algorithm is sha512, then it is the strongest
-    // and we can break the loop immediately
-    if (metadata.algo[3] === '5') {
-      algorithm = 'sha512'
-      break
-    // If the algorithm is sha384, then a potential sha256 or sha384 is ignored
-    } else if (algorithm[3] === '3') {
-      continue
-    // algorithm is sha256, check if algorithm is sha384 and if so, set it as
-    // the strongest
-    } else if (metadata.algo[3] === '3') {
-      algorithm = 'sha384'
-    }
-  }
-  return algorithm
-}
-
-function filterMetadataListByAlgorithm (metadataList, algorithm) {
-  if (metadataList.length === 1) {
-    return metadataList
-  }
-
-  let pos = 0
-  for (let i = 0; i < metadataList.length; ++i) {
-    if (metadataList[i].algo === algorithm) {
-      metadataList[pos++] = metadataList[i]
-    }
-  }
-
-  metadataList.length = pos
-
-  return metadataList
-}
-
-/**
- * Compares two base64 strings, allowing for base64url
- * in the second string.
- *
-* @param {string} actualValue always base64
- * @param {string} expectedValue base64 or base64url
- * @returns {boolean}
- */
-function compareBase64Mixed (actualValue, expectedValue) {
-  if (actualValue.length !== expectedValue.length) {
-    return false
-  }
-  for (let i = 0; i < actualValue.length; ++i) {
-    if (actualValue[i] !== expectedValue[i]) {
-      if (
-        (actualValue[i] === '+' && expectedValue[i] === '-') ||
-        (actualValue[i] === '/' && expectedValue[i] === '_')
-      ) {
-        continue
-      }
-      return false
-    }
-  }
-
-  return true
-}
-
 // https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request
 function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) {
   // TODO
@@ -1761,7 +1547,6 @@ module.exports = {
   isValidHeaderValue,
   isErrorLike,
   fullyReadBody,
-  bytesMatch,
   readableStreamClose,
   isomorphicEncode,
   urlIsLocal,
@@ -1770,7 +1555,6 @@ module.exports = {
   readAllBytes,
   simpleRangeHeaderValue,
   buildContentRange,
-  parseMetadata,
   createInflate,
   extractMimeType,
   getDecodeSplit,

package/lib/web/subresource-integrity/Readme.md

@@ -0,0 +1,9 @@
+# Subresource Integrity
+
+based on Editor’s Draft, 12 June 2025
+
+This module provides support for Subresource Integrity (SRI) in the context of web fetch operations. SRI is a security feature that allows clients to verify that fetched resources are delivered without unexpected manipulation.
+
+## Links
+
+- [Subresource Integrity](https://w3c.github.io/webappsec-subresource-integrity/)