fix(cookies): Update Undici to 5.20 and fix cookies behaviour (#6323)

* fix(cookies): Update Undici to 5.20 and fix cookies behaviour * chore: changeset
2023-02-21 14:18:17 +01:00 · 2023-02-21 14:18:17 +01:00 · 5e26bc891c
commit 5e26bc891c
parent d3df40af2e
7 changed files with 28 additions and 43 deletions
--- a/.changeset/breezy-coats-remember.md
+++ b/.changeset/breezy-coats-remember.md
@ -0,0 +1,7 @@
+---
+'astro': patch
+'@astrojs/netlify': patch
+'@astrojs/node': patch
+---
+
+Updated Undici to 5.20.0. This fixes a security issue and handling of cookies in certain cases in dev
--- a/packages/astro/package.json
+++ b/packages/astro/package.json
@ -188,7 +188,7 @@
    "rollup": "^3.9.0",
    "sass": "^1.52.2",
    "srcset-parse": "^1.1.0",
-    "undici": "^5.14.0",
+    "undici": "^5.20.0",
    "unified": "^10.1.2"
  },
  "engines": {
--- a/packages/astro/src/vite-plugin-astro-server/response.ts
+++ b/packages/astro/src/vite-plugin-astro-server/response.ts
@ -57,12 +57,6 @@ export async function writeWebResponse(res: http.ServerResponse, webResponse: Re

 	const _headers = Object.fromEntries(headers.entries());

-	// Undici 5.19.1 includes a `getSetCookie` helper that returns an array of all the `set-cookies` headers.
-	// Previously, `headers.entries()` would already have those merged, but it seems like this isn't the case anymore, weird.
-	if ((headers as any)['getSetCookie']) {
-		_headers['set-cookie'] = (headers as any).getSetCookie();
-	}
-
 	// Attach any set-cookie headers added via Astro.cookies.set()
 	const setCookieHeaders = Array.from(getSetCookiesFromResponse(webResponse));
 	if (setCookieHeaders.length) {
--- a/packages/integrations/netlify/src/netlify-functions.ts
+++ b/packages/integrations/netlify/src/netlify-functions.ts
@ -102,34 +102,11 @@ export const createExports = (manifest: SSRManifest, args: Args) => {
 			isBase64Encoded: responseIsBase64Encoded,
 		};

-		// Special-case set-cookie which has to be set an different way :/
-		// The fetch API does not have a way to get multiples of a single header, but instead concatenates
-		// them. There are non-standard ways to do it, and node-fetch gives us headers.raw()
-		// See https://github.com/whatwg/fetch/issues/973 for discussion
-		if (response.headers.has('set-cookie')) {
-			if ('raw' in response.headers) {
-				// Node fetch allows you to get the raw headers, which includes multiples of the same type.
-				// This is needed because Set-Cookie *must* be called for each cookie, and can't be
-				// concatenated together.
-				type HeadersWithRaw = Headers & {
-					raw: () => Record<string, string[]>;
-				};
-
-				const rawPacked = (response.headers as HeadersWithRaw).raw();
-				if ('set-cookie' in rawPacked) {
-					fnResponse.multiValueHeaders = {
-						'set-cookie': rawPacked['set-cookie'],
-					};
-				}
-			} else {
-				const cookies = response.headers.get('set-cookie');
-
-				if (cookies) {
-					fnResponse.multiValueHeaders = {
-						'set-cookie': Array.isArray(cookies) ? cookies : splitCookiesString(cookies),
-					};
-				}
-			}
+		const cookies = response.headers.get('set-cookie');
+		if (cookies) {
+			fnResponse.multiValueHeaders = {
+				'set-cookie': Array.isArray(cookies) ? cookies : splitCookiesString(cookies),
+			};
 		}

 		// Apply cookies set via Astro.cookies.set/delete
--- a/packages/integrations/node/package.json
+++ b/packages/integrations/node/package.json
@ -46,6 +46,6 @@
    "cheerio": "^1.0.0-rc.11",
    "mocha": "^9.2.2",
    "node-mocks-http": "^1.11.0",
-    "undici": "^5.14.0"
+    "undici": "^5.20.0"
  }
 }
--- a/packages/telemetry/package.json
+++ b/packages/telemetry/package.json
@ -32,7 +32,7 @@
    "dset": "^3.1.2",
    "is-docker": "^3.0.0",
    "is-wsl": "^2.2.0",
-    "undici": "^5.14.0",
+    "undici": "^5.20.0",
    "which-pm-runs": "^1.1.0"
  },
  "devDependencies": {
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -456,7 +456,7 @@ importers:
      supports-esm: ^1.0.0
      tsconfig-resolver: ^3.0.1
      typescript: '*'
-      undici: ^5.14.0
+      undici: ^5.20.0
      unified: ^10.1.2
      unist-util-visit: ^4.1.0
      vfile: ^5.3.2
@ -553,7 +553,7 @@ importers:
      rollup: 3.14.0
      sass: 1.58.0
      srcset-parse: 1.1.0
-      undici: 5.18.0
+      undici: 5.20.0
      unified: 10.1.2

  packages/astro-prism:
@ -3117,7 +3117,7 @@ importers:
      node-mocks-http: ^1.11.0
      send: ^0.18.0
      server-destroy: ^1.0.1
-      undici: ^5.14.0
+      undici: ^5.20.0
    dependencies:
      '@astrojs/webapi': link:../../webapi
      send: 0.18.0
@ -3131,7 +3131,7 @@ importers:
      cheerio: 1.0.0-rc.12
      mocha: 9.2.2
      node-mocks-http: 1.12.1
-      undici: 5.18.0
+      undici: 5.20.0

  packages/integrations/node/test/fixtures/api-route:
    specifiers:
@ -3624,7 +3624,7 @@ importers:
      is-docker: ^3.0.0
      is-wsl: ^2.2.0
      mocha: ^9.2.2
-      undici: ^5.14.0
+      undici: ^5.20.0
      which-pm-runs: ^1.1.0
    dependencies:
      ci-info: 3.7.1
@ -3633,7 +3633,7 @@ importers:
      dset: 3.1.2
      is-docker: 3.0.0
      is-wsl: 2.2.0
-      undici: 5.18.0
+      undici: 5.20.0
      which-pm-runs: 1.1.0
    devDependencies:
      '@types/debug': 4.1.7
@ -14864,6 +14864,13 @@ packages:
    engines: {node: '>=12.18'}
    dependencies:
      busboy: 1.6.0
+    dev: false
+
+  /undici/5.20.0:
+    resolution: {integrity: sha512-J3j60dYzuo6Eevbawwp1sdg16k5Tf768bxYK4TUJRH7cBM4kFCbf3mOnM/0E3vQYXvpxITbbWmBafaDbxLDz3g==}
+    engines: {node: '>=12.18'}
+    dependencies:
+      busboy: 1.6.0

  /undici/5.9.1:
    resolution: {integrity: sha512-6fB3a+SNnWEm4CJbgo0/CWR8RGcOCQP68SF4X0mxtYTq2VNN8T88NYrWVBAeSX+zb7bny2dx2iYhP3XHi00omg==}