diff --git a/.changeset/breezy-coats-remember.md b/.changeset/breezy-coats-remember.md
new file mode 100644
index 000000000..c87e2803a
--- /dev/null
+++ b/.changeset/breezy-coats-remember.md
@@ -0,0 +1,7 @@
+---
+'astro': patch
+'@astrojs/netlify': patch
+'@astrojs/node': patch
+---
+
+Updated Undici to 5.20.0. This fixes a security issue and handling of cookies in certain cases in dev
diff --git a/packages/astro/package.json b/packages/astro/package.json
index bdd21b083..b53afbf25 100644
--- a/packages/astro/package.json
+++ b/packages/astro/package.json
@@ -188,7 +188,7 @@
 "rollup": "^3.9.0",
 "sass": "^1.52.2",
 "srcset-parse": "^1.1.0",
- "undici": "^5.14.0",
+ "undici": "^5.20.0",
 "unified": "^10.1.2"
 },
 "engines": {
diff --git a/packages/astro/src/vite-plugin-astro-server/response.ts b/packages/astro/src/vite-plugin-astro-server/response.ts
index 1a4d8ca99..4f1a3e6ab 100644
--- a/packages/astro/src/vite-plugin-astro-server/response.ts
+++ b/packages/astro/src/vite-plugin-astro-server/response.ts
@@ -57,12 +57,6 @@ export async function writeWebResponse(res: http.ServerResponse, webResponse: Re
 const _headers = Object.fromEntries(headers.entries());
- // Undici 5.19.1 includes a `getSetCookie` helper that returns an array of all the `set-cookies` headers.
- // Previously, `headers.entries()` would already have those merged, but it seems like this isn't the case anymore, weird.
- if ((headers as any)['getSetCookie']) {
- _headers['set-cookie'] = (headers as any).getSetCookie();
- }
-
 // Attach any set-cookie headers added via Astro.cookies.set()
 const setCookieHeaders = Array.from(getSetCookiesFromResponse(webResponse));
 if (setCookieHeaders.length) {
diff --git a/packages/integrations/netlify/src/netlify-functions.ts b/packages/integrations/netlify/src/netlify-functions.ts
index 0f9b58158..eb6ed7600 100644
--- a/packages/integrations/netlify/src/netlify-functions.ts
+++ b/packages/integrations/netlify/src/netlify-functions.ts
@@ -102,34 +102,11 @@ export const createExports = (manifest: SSRManifest, args: Args) => {
 isBase64Encoded: responseIsBase64Encoded,
 };
- // Special-case set-cookie which has to be set an different way :/
- // The fetch API does not have a way to get multiples of a single header, but instead concatenates
- // them. There are non-standard ways to do it, and node-fetch gives us headers.raw()
- // See https://github.com/whatwg/fetch/issues/973 for discussion
- if (response.headers.has('set-cookie')) {
- if ('raw' in response.headers) {
- // Node fetch allows you to get the raw headers, which includes multiples of the same type.
- // This is needed because Set-Cookie *must* be called for each cookie, and can't be
- // concatenated together.
- type HeadersWithRaw = Headers & {
- raw: () => Record;
- };
-
- const rawPacked = (response.headers as HeadersWithRaw).raw();
- if ('set-cookie' in rawPacked) {
- fnResponse.multiValueHeaders = {
- 'set-cookie': rawPacked['set-cookie'],
- };
- }
- } else {
- const cookies = response.headers.get('set-cookie');
-
- if (cookies) {
- fnResponse.multiValueHeaders = {
- 'set-cookie': Array.isArray(cookies) ? cookies : splitCookiesString(cookies),
- };
- }
- }
+ const cookies = response.headers.get('set-cookie');
+ if (cookies) {
+ fnResponse.multiValueHeaders = {
+ 'set-cookie': Array.isArray(cookies) ? cookies : splitCookiesString(cookies),
+ };
 }
 // Apply cookies set via Astro.cookies.set/delete
diff --git a/packages/integrations/node/package.json b/packages/integrations/node/package.json
index 9c426c87f..bc597c24b 100644
--- a/packages/integrations/node/package.json
+++ b/packages/integrations/node/package.json
@@ -46,6 +46,6 @@
 "cheerio": "^1.0.0-rc.11",
 "mocha": "^9.2.2",
 "node-mocks-http": "^1.11.0",
- "undici": "^5.14.0"
+ "undici": "^5.20.0"
 }
 }
diff --git a/packages/telemetry/package.json b/packages/telemetry/package.json
index 31f90a137..ba7f16f81 100644
--- a/packages/telemetry/package.json
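Review bot: With the `raw()` branch gone, every `Set-Cookie` value reaching the added `response.headers.get('set-cookie')` line in netlify-functions.ts arrives as one comma-joined string, so whether each cookie keeps its own attributes (`HttpOnly`, `Secure`, `SameSite`) now rests entirely on `splitCookiesString` undoing that join correctly. The comment removed from response.ts in this same commit notes that Undici 5.19.1+ exposes `getSetCookie()`, which returns the headers unmerged; if the `Headers` implementation in this runtime provides it, prefer it and keep the split as the fallback, e.g. `const cookies = 'getSetCookie' in response.headers ? (response.headers as any).getSetCookie() : response.headers.get('set-cookie');` (ideally with a narrower type than `any`). That would also make the `Array.isArray(cookies)` test reachable; as written `get()` is typed `string | null`, so that arm looks dead. A short comment such as `// Set-Cookie must be emitted once per cookie; Headers.get() joins them with commas` would preserve the reasoning the deleted comment block carried. The enclosing `createExports` handler starts and ends outside the hunk.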
+++ b/packages/telemetry/package.json @@ -32,7 +32,7 @@ "dset": "^3.1.2", "is-docker": "^3.0.0", "is-wsl": "^2.2.0", - "undici": "^5.14.0", + "undici": "^5.20.0", "which-pm-runs": "^1.1.0" }, "devDependencies": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index f507b7cf8..85b30aabc 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -456,7 +456,7 @@ importers: supports-esm: ^1.0.0 tsconfig-resolver: ^3.0.1 typescript: '*' - undici: ^5.14.0 + undici: ^5.20.0 unified: ^10.1.2 unist-util-visit: ^4.1.0 vfile: ^5.3.2 @@ -553,7 +553,7 @@ importers: rollup: 3.14.0 sass: 1.58.0 srcset-parse: 1.1.0 - undici: 5.18.0 + undici: 5.20.0 unified: 10.1.2 packages/astro-prism: @@ -3117,7 +3117,7 @@ importers: node-mocks-http: ^1.11.0 send: ^0.18.0 server-destroy: ^1.0.1 - undici: ^5.14.0 + undici: ^5.20.0 dependencies: '@astrojs/webapi': link:../../webapi send: 0.18.0 @@ -3131,7 +3131,7 @@ importers: cheerio: 1.0.0-rc.12 mocha: 9.2.2 node-mocks-http: 1.12.1 - undici: 5.18.0 + undici: 5.20.0 packages/integrations/node/test/fixtures/api-route: specifiers: @@ -3624,7 +3624,7 @@ importers: is-docker: ^3.0.0 is-wsl: ^2.2.0 mocha: ^9.2.2 - undici: ^5.14.0 + undici: ^5.20.0 which-pm-runs: ^1.1.0 dependencies: ci-info: 3.7.1 @@ -3633,7 +3633,7 @@ importers: dset: 3.1.2 is-docker: 3.0.0 is-wsl: 2.2.0 - undici: 5.18.0 + undici: 5.20.0 which-pm-runs: 1.1.0 devDependencies: '@types/debug': 4.1.7 @@ -14864,6 +14864,13 @@ packages: engines: {node: '>=12.18'} dependencies: busboy: 1.6.0 + dev: false + + /undici/5.20.0: + resolution: {integrity: sha512-J3j60dYzuo6Eevbawwp1sdg16k5Tf768bxYK4TUJRH7cBM4kFCbf3mOnM/0E3vQYXvpxITbbWmBafaDbxLDz3g==} + engines: {node: '>=12.18'} + dependencies: + busboy: 1.6.0 /undici/5.9.1: resolution: {integrity: sha512-6fB3a+SNnWEm4CJbgo0/CWR8RGcOCQP68SF4X0mxtYTq2VNN8T88NYrWVBAeSX+zb7bny2dx2iYhP3XHi00omg==}