undici 7.14.0 → 7.16.0

package/lib/web/cookies/index.js

@@ -186,7 +186,7 @@ webidl.converters.Cookie = webidl.dictionaryConverter([
   {
     converter: webidl.sequenceConverter(webidl.converters.DOMString),
     key: 'unparsed',
-    defaultValue: () => new Array(0)
+    defaultValue: () => []
   }
 ])
 

package/lib/web/cookies/parse.js

@@ -4,7 +4,7 @@ const { maxNameValuePairSize, maxAttributeValueSize } = require('./constants')
 const { isCTLExcludingHtab } = require('./util')
 const { collectASequenceOfCodePointsFast } = require('../fetch/data-url')
 const assert = require('node:assert')
-const { unescape } = require('node:querystring')
+const { unescape: qsUnescape } = require('node:querystring')
 
 /**
  * @description Parses the field-value attributes of a set-cookie header string.
@@ -82,7 +82,7 @@ function parseSetCookie (header) {
   // store arbitrary data in a cookie-value SHOULD encode that data, for
   // example, using Base64 [RFC4648].
   return {
-    name, value: unescape(value), ...parseUnparsedAttributes(unparsedAttributes)
+    name, value: qsUnescape(value), ...parseUnparsedAttributes(unparsedAttributes)
   }
 }
 

package/lib/web/eventsource/eventsource-stream.js

@@ -236,7 +236,7 @@ class EventSourceStream extends Transform {
           this.buffer = this.buffer.subarray(this.pos + 1)
           this.pos = 0
           if (
-            this.event.data !== undefined || this.event.event || this.event.id || this.event.retry) {
+            this.event.data !== undefined || this.event.event || this.event.id !== undefined || this.event.retry) {
             this.processEvent(this.event)
           }
           this.clearEvent()
@@ -367,7 +367,7 @@ class EventSourceStream extends Transform {
       this.state.reconnectionTime = parseInt(event.retry, 10)
     }
 
-    if (event.id && isValidLastEventId(event.id)) {
+    if (event.id !== undefined && isValidLastEventId(event.id)) {
       this.state.lastEventId = event.id
     }
 

package/lib/web/eventsource/eventsource.js

@@ -8,7 +8,6 @@ const { EventSourceStream } = require('./eventsource-stream')
 const { parseMIMEType } = require('../fetch/data-url')
 const { createFastMessageEvent } = require('../websocket/events')
 const { isNetworkError } = require('../fetch/response')
-const { delay } = require('./util')
 const { kEnumerableProperty } = require('../../core/util')
 const { environmentSettingsObject } = require('../fetch/util')
 
@@ -318,9 +317,9 @@ class EventSource extends EventTarget {
 
   /**
    * @see https://html.spec.whatwg.org/multipage/server-sent-events.html#sse-processing-model
-   * @returns {Promise<void>}
+   * @returns {void}
    */
-  async #reconnect () {
+  #reconnect () {
     // When a user agent is to reestablish the connection, the user agent must
     // run the following steps. These steps are run in parallel, not as part of
     // a task. (The tasks that it queues, of course, are run like normal tasks
@@ -338,27 +337,27 @@ class EventSource extends EventTarget {
     this.dispatchEvent(new Event('error'))
 
     // 2. Wait a delay equal to the reconnection time of the event source.
-    await delay(this.#state.reconnectionTime)
-
-    // 5. Queue a task to run the following steps:
-
-    //   1. If the EventSource object's readyState attribute is not set to
-    //      CONNECTING, then return.
-    if (this.#readyState !== CONNECTING) return
-
-    //   2. Let request be the EventSource object's request.
-    //   3. If the EventSource object's last event ID string is not the empty
-    //      string, then:
-    //      1. Let lastEventIDValue be the EventSource object's last event ID
-    //         string, encoded as UTF-8.
-    //      2. Set (`Last-Event-ID`, lastEventIDValue) in request's header
-    //         list.
-    if (this.#state.lastEventId.length) {
-      this.#request.headersList.set('last-event-id', this.#state.lastEventId, true)
-    }
+    setTimeout(() => {
+      // 5. Queue a task to run the following steps:
+
+      //   1. If the EventSource object's readyState attribute is not set to
+      //      CONNECTING, then return.
+      if (this.#readyState !== CONNECTING) return
+
+      //   2. Let request be the EventSource object's request.
+      //   3. If the EventSource object's last event ID string is not the empty
+      //      string, then:
+      //      1. Let lastEventIDValue be the EventSource object's last event ID
+      //         string, encoded as UTF-8.
+      //      2. Set (`Last-Event-ID`, lastEventIDValue) in request's header
+      //         list.
+      if (this.#state.lastEventId.length) {
+        this.#request.headersList.set('last-event-id', this.#state.lastEventId, true)
+      }
 
-    //   4. Fetch request and process the response obtained in this fashion, if any, as described earlier in this section.
-    this.#connect()
+      //   4. Fetch request and process the response obtained in this fashion, if any, as described earlier in this section.
+      this.#connect()
+    }, this.#state.reconnectionTime)?.unref()
   }
 
   /**
@@ -383,9 +382,11 @@ class EventSource extends EventTarget {
       this.removeEventListener('open', this.#events.open)
     }
 
-    if (typeof fn === 'function') {
+    const listener = webidl.converters.EventHandlerNonNull(fn)
+
+    if (listener !== null) {
+      this.addEventListener('open', listener)
       this.#events.open = fn
-      this.addEventListener('open', fn)
     } else {
       this.#events.open = null
     }
@@ -400,9 +401,11 @@ class EventSource extends EventTarget {
       this.removeEventListener('message', this.#events.message)
     }
 
-    if (typeof fn === 'function') {
+    const listener = webidl.converters.EventHandlerNonNull(fn)
+
+    if (listener !== null) {
+      this.addEventListener('message', listener)
       this.#events.message = fn
-      this.addEventListener('message', fn)
     } else {
       this.#events.message = null
     }
@@ -417,9 +420,11 @@ class EventSource extends EventTarget {
       this.removeEventListener('error', this.#events.error)
     }
 
-    if (typeof fn === 'function') {
+    const listener = webidl.converters.EventHandlerNonNull(fn)
+
+    if (listener !== null) {
+      this.addEventListener('error', listener)
       this.#events.error = fn
-      this.addEventListener('error', fn)
     } else {
       this.#events.error = null
     }

package/lib/web/eventsource/util.js

@@ -23,15 +23,7 @@ function isASCIINumber (value) {
   return true
 }
 
-// https://github.com/nodejs/undici/issues/2664
-function delay (ms) {
-  return new Promise((resolve) => {
-    setTimeout(resolve, ms)
-  })
-}
-
 module.exports = {
   isValidLastEventId,
-  isASCIINumber,
-  delay
+  isASCIINumber
 }

package/lib/web/fetch/body.js

@@ -60,7 +60,7 @@ function extractBody (object, keepalive = false) {
     // 4. Otherwise, set stream to a new ReadableStream object, and set
     //    up stream with byte reading support.
     stream = new ReadableStream({
-      async pull (controller) {
+      pull (controller) {
         const buffer = typeof source === 'string' ? textEncoder.encode(source) : source
 
         if (buffer.byteLength) {
@@ -110,22 +110,16 @@ function extractBody (object, keepalive = false) {
 
     // Set type to `application/x-www-form-urlencoded;charset=UTF-8`.
     type = 'application/x-www-form-urlencoded;charset=UTF-8'
-  } else if (isArrayBuffer(object)) {
-    // BufferSource/ArrayBuffer
-
-    // Set source to a copy of the bytes held by object.
-    source = new Uint8Array(object.slice())
-  } else if (ArrayBuffer.isView(object)) {
-    // BufferSource/ArrayBufferView
-
-    // Set source to a copy of the bytes held by object.
-    source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength))
+  } else if (webidl.is.BufferSource(object)) {
+    source = isArrayBuffer(object)
+      ? new Uint8Array(object.slice())
+      : new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength))
   } else if (webidl.is.FormData(object)) {
     const boundary = `----formdata-undici-0${`${random(1e11)}`.padStart(11, '0')}`
     const prefix = `--${boundary}\r\nContent-Disposition: form-data`
 
     /*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
-    const escape = (str) =>
+    const formdataEscape = (str) =>
       str.replace(/\n/g, '%0A').replace(/\r/g, '%0D').replace(/"/g, '%22')
     const normalizeLinefeeds = (value) => value.replace(/\r?\n|\r/g, '\r\n')
 
@@ -143,13 +137,13 @@ function extractBody (object, keepalive = false) {
     for (const [name, value] of object) {
       if (typeof value === 'string') {
         const chunk = textEncoder.encode(prefix +
-          `; name="${escape(normalizeLinefeeds(name))}"` +
+          `; name="${formdataEscape(normalizeLinefeeds(name))}"` +
           `\r\n\r\n${normalizeLinefeeds(value)}\r\n`)
         blobParts.push(chunk)
         length += chunk.byteLength
       } else {
-        const chunk = textEncoder.encode(`${prefix}; name="${escape(normalizeLinefeeds(name))}"` +
-          (value.name ? `; filename="${escape(value.name)}"` : '') + '\r\n' +
+        const chunk = textEncoder.encode(`${prefix}; name="${formdataEscape(normalizeLinefeeds(name))}"` +
+          (value.name ? `; filename="${formdataEscape(value.name)}"` : '') + '\r\n' +
           `Content-Type: ${
             value.type || 'application/octet-stream'
           }\r\n\r\n`)
@@ -320,12 +314,6 @@ function cloneBody (body) {
   }
 }
 
-function throwIfAborted (state) {
-  if (state.aborted) {
-    throw new DOMException('The operation was aborted.', 'AbortError')
-  }
-}
-
 function bodyMixinMethods (instance, getInternalState) {
   const methods = {
     blob () {
@@ -443,24 +431,30 @@ function mixinBody (prototype, getInternalState) {
  * @param {any} instance
  * @param {(target: any) => any} getInternalState
  */
-async function consumeBody (object, convertBytesToJSValue, instance, getInternalState) {
-  webidl.brandCheck(object, instance)
+function consumeBody (object, convertBytesToJSValue, instance, getInternalState) {
+  try {
+    webidl.brandCheck(object, instance)
+  } catch (e) {
+    return Promise.reject(e)
+  }
 
   const state = getInternalState(object)
 
   // 1. If object is unusable, then return a promise rejected
   //    with a TypeError.
   if (bodyUnusable(state)) {
-    throw new TypeError('Body is unusable: Body has already been read')
+    return Promise.reject(new TypeError('Body is unusable: Body has already been read'))
   }
 
-  throwIfAborted(state)
+  if (state.aborted) {
+    return Promise.reject(new DOMException('The operation was aborted.', 'AbortError'))
+  }
 
   // 2. Let promise be a new promise.
   const promise = createDeferredPromise()
 
   // 3. Let errorSteps given error be to reject promise with error.
-  const errorSteps = (error) => promise.reject(error)
+  const errorSteps = promise.reject
 
   // 4. Let successSteps given a byte sequence data be to resolve
   //    promise with the result of running convertBytesToJSValue

package/lib/web/fetch/index.js

@@ -14,7 +14,6 @@ const { HeadersList } = require('./headers')
 const { Request, cloneRequest, getRequestDispatcher, getRequestState } = require('./request')
 const zlib = require('node:zlib')
 const {
-  bytesMatch,
   makePolicyContainer,
   clonePolicyContainer,
   requestBadPort,
@@ -62,7 +61,11 @@ const { dataURLProcessor, serializeAMimeType, minimizeSupportedMimeType } = requ
 const { getGlobalDispatcher } = require('../../global')
 const { webidl } = require('../webidl')
 const { STATUS_CODES } = require('node:http')
+const { bytesMatch } = require('../subresource-integrity/subresource-integrity')
 const { createDeferredPromise } = require('../../util/promise')
+
+const hasZstd = typeof zlib.createZstdDecompress === 'function'
+
 const GET_OR_HEAD = ['GET', 'HEAD']
 
 const defaultUserAgent = typeof __UNDICI_IS_NODE__ !== 'undefined' || typeof esbuildDetection !== 'undefined'
@@ -2104,33 +2107,29 @@ async function httpNetworkFetch (
             return false
           }
 
-          /** @type {string[]} */
-          let codings = []
-
           const headersList = new HeadersList()
 
           for (let i = 0; i < rawHeaders.length; i += 2) {
             headersList.append(bufferToLowerCasedHeaderName(rawHeaders[i]), rawHeaders[i + 1].toString('latin1'), true)
           }
-          const contentEncoding = headersList.get('content-encoding', true)
-          if (contentEncoding) {
-            // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1
-            // "All content-coding values are case-insensitive..."
-            codings = contentEncoding.toLowerCase().split(',').map((x) => x.trim())
-          }
           const location = headersList.get('location', true)
 
           this.body = new Readable({ read: resume })
 
-          const decoders = []
-
           const willFollow = location && request.redirect === 'follow' &&
             redirectStatusSet.has(status)
 
+          const decoders = []
+
           // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
-          if (codings.length !== 0 && request.method !== 'HEAD' && request.method !== 'CONNECT' && !nullBodyStatus.includes(status) && !willFollow) {
+          if (request.method !== 'HEAD' && request.method !== 'CONNECT' && !nullBodyStatus.includes(status) && !willFollow) {
+            // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1
+            const contentEncoding = headersList.get('content-encoding', true)
+            // "All content-coding values are case-insensitive..."
+            /** @type {string[]} */
+            const codings = contentEncoding ? contentEncoding.toLowerCase().split(',') : []
             for (let i = codings.length - 1; i >= 0; --i) {
-              const coding = codings[i]
+              const coding = codings[i].trim()
               // https://www.rfc-editor.org/rfc/rfc9112.html#section-7.2
               if (coding === 'x-gzip' || coding === 'gzip') {
                 decoders.push(zlib.createGunzip({
@@ -2151,8 +2150,8 @@ async function httpNetworkFetch (
                   flush: zlib.constants.BROTLI_OPERATION_FLUSH,
                   finishFlush: zlib.constants.BROTLI_OPERATION_FLUSH
                 }))
-              } else if (coding === 'zstd' && typeof zlib.createZstdDecompress === 'function') {
-                // Node.js v23.8.0+ and v22.15.0+ supports Zstandard
+              } else if (coding === 'zstd' && hasZstd) {
+              // Node.js v23.8.0+ and v22.15.0+ supports Zstandard
                 decoders.push(zlib.createZstdDecompress({
                   flush: zlib.constants.ZSTD_e_continue,
                   finishFlush: zlib.constants.ZSTD_e_end

package/lib/web/fetch/response.js

@@ -23,8 +23,6 @@ const { URLSerializer } = require('./data-url')
 const { kConstruct } = require('../../core/symbols')
 const assert = require('node:assert')
 
-const { isArrayBuffer } = nodeUtil.types
-
 const textEncoder = new TextEncoder('utf-8')
 
 // https://fetch.spec.whatwg.org/#response-class
@@ -120,7 +118,7 @@ class Response {
     }
 
     if (body !== null) {
-      body = webidl.converters.BodyInit(body)
+      body = webidl.converters.BodyInit(body, 'Response', 'body')
     }
 
     init = webidl.converters.ResponseInit(init)
@@ -580,7 +578,7 @@ webidl.converters.XMLHttpRequestBodyInit = function (V, prefix, name) {
     return V
   }
 
-  if (ArrayBuffer.isView(V) || isArrayBuffer(V)) {
+  if (webidl.is.BufferSource(V)) {
     return V
   }
 

package/lib/web/fetch/util.js

@@ -11,20 +11,6 @@ const assert = require('node:assert')
 const { isUint8Array } = require('node:util/types')
 const { webidl } = require('../webidl')
 
-let supportedHashes = []
-
-// https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable
-/** @type {import('crypto')} */
-let crypto
-try {
-  crypto = require('node:crypto')
-  const possibleRelevantHashes = ['sha256', 'sha384', 'sha512']
-  supportedHashes = crypto.getHashes().filter((hash) => possibleRelevantHashes.includes(hash))
-/* c8 ignore next 3 */
-} catch {
-
-}
-
 function responseURL (response) {
   // https://fetch.spec.whatwg.org/#responses
   // A response has an associated URL. It is a pointer to the last URL
@@ -516,8 +502,8 @@ function determineRequestsReferrer (request) {
       if (isURLPotentiallyTrustworthy(referrerURL) && !isURLPotentiallyTrustworthy(currentURL)) {
         return 'no-referrer'
       }
-      // 2. Return referrerOrigin
-      return referrerOrigin
+      // 2. Return referrerURL.
+      return referrerURL
     }
   }
 }
@@ -568,17 +554,11 @@ function stripURLForReferrer (url, originOnly = false) {
   return url
 }
 
-const potentialleTrustworthyIPv4RegExp = new RegExp('^(?:' +
-  '(?:127\\.)' +
-  '(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\\.){2}' +
-  '(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])' +
-')$')
+const isPotentialleTrustworthyIPv4 = RegExp.prototype.test
+  .bind(/^127\.(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)\.){2}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)$/)
 
-const potentialleTrustworthyIPv6RegExp = new RegExp('^(?:' +
-  '(?:(?:0{1,4}):){7}(?:(?:0{0,3}1))|' +
-  '(?:(?:0{1,4}):){1,6}(?::(?:0{0,3}1))|' +
-  '(?:::(?:0{0,3}1))|' +
-')$')
+const isPotentiallyTrustworthyIPv6 = RegExp.prototype.test
+  .bind(/^(?:(?:0{1,4}:){7}|(?:0{1,4}:){1,6}:|::)0{0,3}1$/)
 
 /**
  * Check if host matches one of the CIDR notations 127.0.0.0/8 or ::1/128.
@@ -593,11 +573,11 @@ function isOriginIPPotentiallyTrustworthy (origin) {
     if (origin[0] === '[' && origin[origin.length - 1] === ']') {
       origin = origin.slice(1, -1)
     }
-    return potentialleTrustworthyIPv6RegExp.test(origin)
+    return isPotentiallyTrustworthyIPv6(origin)
   }
 
   // IPv4
-  return potentialleTrustworthyIPv4RegExp.test(origin)
+  return isPotentialleTrustworthyIPv4(origin)
 }
 
 /**
@@ -698,206 +678,6 @@ function isURLPotentiallyTrustworthy (url) {
   return isOriginPotentiallyTrustworthy(url.origin)
 }
 
-/**
- * @see https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist
- * @param {Uint8Array} bytes
- * @param {string} metadataList
- */
-function bytesMatch (bytes, metadataList) {
-  // If node is not built with OpenSSL support, we cannot check
-  // a request's integrity, so allow it by default (the spec will
-  // allow requests if an invalid hash is given, as precedence).
-  /* istanbul ignore if: only if node is built with --without-ssl */
-  if (crypto === undefined) {
-    return true
-  }
-
-  // 1. Let parsedMetadata be the result of parsing metadataList.
-  const parsedMetadata = parseMetadata(metadataList)
-
-  // 2. If parsedMetadata is no metadata, return true.
-  if (parsedMetadata === 'no metadata') {
-    return true
-  }
-
-  // 3. If response is not eligible for integrity validation, return false.
-  // TODO
-
-  // 4. If parsedMetadata is the empty set, return true.
-  if (parsedMetadata.length === 0) {
-    return true
-  }
-
-  // 5. Let metadata be the result of getting the strongest
-  //    metadata from parsedMetadata.
-  const strongest = getStrongestMetadata(parsedMetadata)
-  const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest)
-
-  // 6. For each item in metadata:
-  for (const item of metadata) {
-    // 1. Let algorithm be the alg component of item.
-    const algorithm = item.algo
-
-    // 2. Let expectedValue be the val component of item.
-    const expectedValue = item.hash
-
-    // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e
-    // "be liberal with padding". This is annoying, and it's not even in the spec.
-
-    // 3. Let actualValue be the result of applying algorithm to bytes.
-    let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64')
-
-    if (actualValue[actualValue.length - 1] === '=') {
-      if (actualValue[actualValue.length - 2] === '=') {
-        actualValue = actualValue.slice(0, -2)
-      } else {
-        actualValue = actualValue.slice(0, -1)
-      }
-    }
-
-    // 4. If actualValue is a case-sensitive match for expectedValue,
-    //    return true.
-    if (compareBase64Mixed(actualValue, expectedValue)) {
-      return true
-    }
-  }
-
-  // 7. Return false.
-  return false
-}
-
-// https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options
-// https://www.w3.org/TR/CSP2/#source-list-syntax
-// https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1
-const parseHashWithOptions = /(?<algo>sha256|sha384|sha512)-((?<hash>[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i
-
-/**
- * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata
- * @param {string} metadata
- */
-function parseMetadata (metadata) {
-  // 1. Let result be the empty set.
-  /** @type {{ algo: string, hash: string }[]} */
-  const result = []
-
-  // 2. Let empty be equal to true.
-  let empty = true
-
-  // 3. For each token returned by splitting metadata on spaces:
-  for (const token of metadata.split(' ')) {
-    // 1. Set empty to false.
-    empty = false
-
-    // 2. Parse token as a hash-with-options.
-    const parsedToken = parseHashWithOptions.exec(token)
-
-    // 3. If token does not parse, continue to the next token.
-    if (
-      parsedToken === null ||
-      parsedToken.groups === undefined ||
-      parsedToken.groups.algo === undefined
-    ) {
-      // Note: Chromium blocks the request at this point, but Firefox
-      // gives a warning that an invalid integrity was given. The
-      // correct behavior is to ignore these, and subsequently not
-      // check the integrity of the resource.
-      continue
-    }
-
-    // 4. Let algorithm be the hash-algo component of token.
-    const algorithm = parsedToken.groups.algo.toLowerCase()
-
-    // 5. If algorithm is a hash function recognized by the user
-    //    agent, add the parsed token to result.
-    if (supportedHashes.includes(algorithm)) {
-      result.push(parsedToken.groups)
-    }
-  }
-
-  // 4. Return no metadata if empty is true, otherwise return result.
-  if (empty === true) {
-    return 'no metadata'
-  }
-
-  return result
-}
-
-/**
- * @param {{ algo: 'sha256' | 'sha384' | 'sha512' }[]} metadataList
- */
-function getStrongestMetadata (metadataList) {
-  // Let algorithm be the algo component of the first item in metadataList.
-  // Can be sha256
-  let algorithm = metadataList[0].algo
-  // If the algorithm is sha512, then it is the strongest
-  // and we can return immediately
-  if (algorithm[3] === '5') {
-    return algorithm
-  }
-
-  for (let i = 1; i < metadataList.length; ++i) {
-    const metadata = metadataList[i]
-    // If the algorithm is sha512, then it is the strongest
-    // and we can break the loop immediately
-    if (metadata.algo[3] === '5') {
-      algorithm = 'sha512'
-      break
-    // If the algorithm is sha384, then a potential sha256 or sha384 is ignored
-    } else if (algorithm[3] === '3') {
-      continue
-    // algorithm is sha256, check if algorithm is sha384 and if so, set it as
-    // the strongest
-    } else if (metadata.algo[3] === '3') {
-      algorithm = 'sha384'
-    }
-  }
-  return algorithm
-}
-
-function filterMetadataListByAlgorithm (metadataList, algorithm) {
-  if (metadataList.length === 1) {
-    return metadataList
-  }
-
-  let pos = 0
-  for (let i = 0; i < metadataList.length; ++i) {
-    if (metadataList[i].algo === algorithm) {
-      metadataList[pos++] = metadataList[i]
-    }
-  }
-
-  metadataList.length = pos
-
-  return metadataList
-}
-
-/**
- * Compares two base64 strings, allowing for base64url
- * in the second string.
- *
-* @param {string} actualValue always base64
- * @param {string} expectedValue base64 or base64url
- * @returns {boolean}
- */
-function compareBase64Mixed (actualValue, expectedValue) {
-  if (actualValue.length !== expectedValue.length) {
-    return false
-  }
-  for (let i = 0; i < actualValue.length; ++i) {
-    if (actualValue[i] !== expectedValue[i]) {
-      if (
-        (actualValue[i] === '+' && expectedValue[i] === '-') ||
-        (actualValue[i] === '/' && expectedValue[i] === '_')
-      ) {
-        continue
-      }
-      return false
-    }
-  }
-
-  return true
-}
-
 // https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request
 function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) {
   // TODO
@@ -1761,7 +1541,6 @@ module.exports = {
   isValidHeaderValue,
   isErrorLike,
   fullyReadBody,
-  bytesMatch,
   readableStreamClose,
   isomorphicEncode,
   urlIsLocal,
@@ -1770,7 +1549,6 @@ module.exports = {
   readAllBytes,
   simpleRangeHeaderValue,
   buildContentRange,
-  parseMetadata,
   createInflate,
   extractMimeType,
   getDecodeSplit,

package/lib/web/subresource-integrity/Readme.md

@@ -0,0 +1,9 @@
+# Subresource Integrity
+
+based on Editor’s Draft, 12 June 2025
+
+This module provides support for Subresource Integrity (SRI) in the context of web fetch operations. SRI is a security feature that allows clients to verify that fetched resources are delivered without unexpected manipulation.
+
+## Links
+
+- [Subresource Integrity](https://w3c.github.io/webappsec-subresource-integrity/)