From 62cf03d87892c9f50c678fbad03fb94a8a8c4368 Mon Sep 17 00:00:00 2001 From: Ulrich Stark Date: Thu, 26 Mar 2026 08:39:00 +0100 Subject: [PATCH 1/7] upgrade and unpin h3 in start-server-core --- packages/start-server-core/package.json | 2 +- pnpm-lock.yaml | 35 ++++++++++++++++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/packages/start-server-core/package.json b/packages/start-server-core/package.json index cd75951b750..f9b136e7c59 100644 --- a/packages/start-server-core/package.json +++ b/packages/start-server-core/package.json @@ -82,7 +82,7 @@ "@tanstack/router-core": "workspace:*", "@tanstack/start-client-core": "workspace:*", "@tanstack/start-storage-context": "workspace:*", - "h3-v2": "npm:h3@2.0.1-rc.16", + "h3": "2.0.1-rc.19", "seroval": "^1.4.2" }, "devDependencies": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 0e7aec511be..c3c3c396d7f 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -12576,9 +12576,9 @@ importers: '@tanstack/start-storage-context': specifier: workspace:* version: link:../start-storage-context - h3-v2: - specifier: npm:h3@2.0.1-rc.16 - version: h3@2.0.1-rc.16(crossws@0.4.4(srvx@0.11.9)) + h3: + specifier: 2.0.1-rc.19 + version: 2.0.1-rc.19(crossws@0.4.4(srvx@0.11.13)) seroval: specifier: ^1.4.2 version: 1.4.2 @@ -21163,6 +21163,16 @@ packages: crossws: optional: true + h3@2.0.1-rc.19: + resolution: {integrity: sha512-47er/mh8eGA7+0nvNUloalj+yTJ1ku8M0BVzA2I1ZHSlpfbUNdBK4LpWztfH7TwW6kuhF8MfAvl0AwB+X9B+2w==} + engines: {node: '>=20.11.1'} + hasBin: true + peerDependencies: + crossws: ^0.4.1 + peerDependenciesMeta: + crossws: + optional: true + handle-thing@2.0.1: resolution: {integrity: sha512-9Qn4yBxelxoh2Ow62nP+Ka/kMnOXRi8BXnRaUwezLNhqelnN49xKz4F/dPP8OYLxLxq6JDtZb2i9XznUQbNPTg==} 
@@ -23989,6 +23999,11 @@ packages: engines: {node: '>=20.16.0'} hasBin: true + srvx@0.11.13: + resolution: {integrity: sha512-oknN6qduuMPafxKtHucUeG32Q963pjriA5g3/Bl05cwEsUe5VVbIU4qR9LrALHbipSCyBe+VmfDGGydqazDRkw==} + engines: {node: '>=20.16.0'} + hasBin: true + srvx@0.11.9: resolution: {integrity: sha512-97wWJS6F0KTKAhDlHVmBzMvlBOp5FiNp3XrLoodIgYJpXxgG5tE9rX4Pg7s46n2shI4wtEsMATTS1+rI3/ubzA==} engines: {node: '>=20.16.0'} @@ -33184,6 +33199,11 @@ snapshots: optionalDependencies: srvx: 0.10.1 + crossws@0.4.4(srvx@0.11.13): + optionalDependencies: + srvx: 0.11.13 + optional: true + crossws@0.4.4(srvx@0.11.9): optionalDependencies: srvx: 0.11.9 @@ -34807,6 +34827,13 @@ snapshots: optionalDependencies: crossws: 0.4.4(srvx@0.11.9) + h3@2.0.1-rc.19(crossws@0.4.4(srvx@0.11.13)): + dependencies: + rou3: 0.8.1 + srvx: 0.11.13 + optionalDependencies: + crossws: 0.4.4(srvx@0.11.13) + handle-thing@2.0.1: {} has-async-hooks@1.0.0: {} @@ -37984,6 +38011,8 @@ snapshots: srvx@0.10.1: {} + srvx@0.11.13: {} + srvx@0.11.9: {} stable-hash-x@0.2.0: {} From 0713e9ba8d0e15342018d1bfdefe3fc38a52e102 Mon Sep 17 00:00:00 2001 From: Ulrich Stark Date: Thu, 26 Mar 2026 08:39:02 +0100 Subject: [PATCH 2/7] handle that h3's parseCookies returns undefined values --- .../start-server-core/src/request-response.ts | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/packages/start-server-core/src/request-response.ts b/packages/start-server-core/src/request-response.ts index f8de03aa566..fe8d3c79201 100644 --- a/packages/start-server-core/src/request-response.ts +++ b/packages/start-server-core/src/request-response.ts @@ -19,7 +19,7 @@ import { unsealSession as h3_unsealSession, updateSession as h3_updateSession, useSession as h3_useSession, -} from 'h3-v2' +} from 'h3' import type { RequestHeaderMap, RequestHeaderName, 
@@ -147,7 +147,6 @@ export function getRequest(): Request { } export function getRequestHeaders(): TypedHeaders { - // TODO `as any` not needed when fetchdts is updated return getH3Event().req.headers as any } @@ -284,7 +283,16 @@ export function setResponseStatus(code?: number, text?: string): void { */ export function getCookies(): Record { const event = getH3Event() - return h3_parseCookies(event) + const cookies = h3_parseCookies(event) + const normalizedCookies: Record = {} + + for (const [name, value] of Object.entries(cookies)) { + if (value !== undefined) { + normalizedCookies[name] = value + } + } + + return normalizedCookies } /** @@ -296,7 +304,9 @@ export function getCookies(): Record { * ``` */ export function getCookie(name: string): string | undefined { - return getCookies()[name] || undefined + const event = getH3Event() + const cookies = h3_parseCookies(event) + return cookies[name] || undefined } /** From 97b4906a651c22570bd7005c2e1202710bd15ca2 Mon Sep 17 00:00:00 2001 From: Birk Skyum Date: Sun, 29 Mar 2026 13:44:34 +0200 Subject: [PATCH 3/7] bump cookie-es --- packages/router-core/package.json | 2 +- packages/start-server-core/package.json | 2 +- pnpm-lock.yaml | 13 +++++++++---- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/packages/router-core/package.json b/packages/router-core/package.json index a479f2dd04c..ee5783c2cb8 100644 --- a/packages/router-core/package.json +++ b/packages/router-core/package.json @@ -163,7 +163,7 @@ }, "dependencies": { "@tanstack/history": "workspace:*", - "cookie-es": "^2.0.0", + "cookie-es": "^3.0.0", "seroval": "^1.4.2", "seroval-plugins": "^1.4.2" }, diff --git a/packages/start-server-core/package.json b/packages/start-server-core/package.json index f9b136e7c59..1e1e9b951b2 100644 --- a/packages/start-server-core/package.json +++ b/packages/start-server-core/package.json 
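Review bot: In getCookie, `cookies[name] || undefined` indexes the raw h3_parseCookies result with a caller-supplied name, so unless that result is a null-prototype object (not visible in this hunk) a name such as `constructor` or `__proto__` resolves to an inherited member instead of `undefined`, which breaks the `string | undefined` contract. An own-property check closes this whatever the parser returns: `return Object.hasOwn(cookies, name) ? cookies[name] || undefined : undefined`. The `||` also maps an empty-string cookie value to `undefined`, as it did before this change; if that is intended, a one-line comment saying so would help.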
@@ -88,7 +88,7 @@ "devDependencies": { "@standard-schema/spec": "^1.0.0", "@tanstack/intent": "^0.0.14", - "cookie-es": "^2.0.0", + "cookie-es": "^3.0.0", "fetchdts": "^0.1.6", "vite": "*", "@types/node": ">=20" diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index c3c3c396d7f..7b4ff6a9d50 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -11983,8 +11983,8 @@ importers: specifier: workspace:* version: link:../history cookie-es: - specifier: ^2.0.0 - version: 2.0.0 + specifier: ^3.0.0 + version: 3.1.1 seroval: specifier: ^1.4.2 version: 1.4.2 @@ -12593,8 +12593,8 @@ importers: specifier: 25.0.9 version: 25.0.9 cookie-es: - specifier: ^2.0.0 - version: 2.0.0 + specifier: ^3.0.0 + version: 3.1.1 fetchdts: specifier: ^0.1.6 version: 0.1.7 @@ -19793,6 +19793,9 @@ packages: cookie-es@2.0.0: resolution: {integrity: sha512-RAj4E421UYRgqokKUmotqAwuplYw15qtdXfY+hGzgCJ/MBjCVZcSoHK/kH9kocfjRjcDME7IiDWR/1WX1TM2Pg==} + cookie-es@3.1.1: + resolution: {integrity: sha512-UaXxwISYJPTr9hwQxMFYZ7kNhSXboMXP+Z3TRX6f1/NyaGPfuNUZOWP1pUEb75B2HjfklIYLVRfWiFZJyC6Npg==} + cookie-signature@1.0.6: resolution: {integrity: sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==} @@ -33129,6 +33132,8 @@ snapshots: cookie-es@2.0.0: {} + cookie-es@3.1.1: {} + cookie-signature@1.0.6: {} cookie-signature@1.2.2: {} From 4d845745562130504589071c131873ba024baf29 Mon Sep 17 00:00:00 2001 From: Ulrich Stark Date: Sun, 29 Mar 2026 13:58:27 +0200 Subject: [PATCH 4/7] remove unnecessary any --- packages/start-server-core/src/request-response.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/start-server-core/src/request-response.ts b/packages/start-server-core/src/request-response.ts index fe8d3c79201..89e38e6a4e2 100644 --- a/packages/start-server-core/src/request-response.ts +++ b/packages/start-server-core/src/request-response.ts 
@@ -147,7 +147,7 @@ export function getRequest(): Request { } export function getRequestHeaders(): TypedHeaders { - return getH3Event().req.headers as any + return getH3Event().req.headers } export function getRequestHeader(name: RequestHeaderName): string | undefined { From c15834b9d848f93c217ee4800c114d01021fb53c Mon Sep 17 00:00:00 2001 From: Ulrich Stark Date: Sun, 29 Mar 2026 14:16:44 +0200 Subject: [PATCH 5/7] try nx's workaround for malformed paths --- packages/start-server-core/src/request-response.ts | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/packages/start-server-core/src/request-response.ts b/packages/start-server-core/src/request-response.ts index 89e38e6a4e2..2ceb0a2e50e 100644 --- a/packages/start-server-core/src/request-response.ts +++ b/packages/start-server-core/src/request-response.ts @@ -122,7 +122,15 @@ export function requestHandler( handler: RequestHandler, ) { return (request: Request, requestOpts: any): Promise | Response => { - const h3Event = new H3Event(request) + let h3Event: H3Event + try { + h3Event = new H3Event(request) + } catch (err) { + if (err instanceof URIError) { + return new Response(null, { status: 404 }) + } + throw err + } const response = eventStorage.run({ h3Event }, () => handler(request, requestOpts), From 75c727f700cb163bd59df1b22e393e57405f76ec Mon Sep 17 00:00:00 2001 From: Ulrich Stark Date: Sun, 29 Mar 2026 14:31:09 +0200 Subject: [PATCH 6/7] Revert "try nx's workaround for malformed paths" This reverts commit c15834b9d848f93c217ee4800c114d01021fb53c. --- packages/start-server-core/src/request-response.ts | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/packages/start-server-core/src/request-response.ts b/packages/start-server-core/src/request-response.ts index 2ceb0a2e50e..89e38e6a4e2 100644 --- a/packages/start-server-core/src/request-response.ts +++ b/packages/start-server-core/src/request-response.ts 
@@ -122,15 +122,7 @@ export function requestHandler( handler: RequestHandler, ) { return (request: Request, requestOpts: any): Promise | Response => { - let h3Event: H3Event - try { - h3Event = new H3Event(request) - } catch (err) { - if (err instanceof URIError) { - return new Response(null, { status: 404 }) - } - throw err - } + const h3Event = new H3Event(request) const response = eventStorage.run({ h3Event }, () => handler(request, requestOpts), From dcff88a3d75695073296dc8e355eea58043b925b Mon Sep 17 00:00:00 2001 From: Ulrich Stark Date: Sun, 29 Mar 2026 14:31:50 +0200 Subject: [PATCH 7/7] prevent prototype pollution --- packages/start-server-core/src/request-response.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/start-server-core/src/request-response.ts b/packages/start-server-core/src/request-response.ts index 89e38e6a4e2..780a76c4f6a 100644 --- a/packages/start-server-core/src/request-response.ts +++ b/packages/start-server-core/src/request-response.ts @@ -284,7 +284,7 @@ export function setResponseStatus(code?: number, text?: string): void { export function getCookies(): Record { const event = getH3Event() const cookies = h3_parseCookies(event) - const normalizedCookies: Record = {} + const normalizedCookies: Record = Object.create(null) for (const [name, value] of Object.entries(cookies)) { if (value !== undefined) {
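Review bot: With the try/catch removed again, `new H3Event(request)` in requestHandler is unguarded, and the revert message gives no reason for dropping the workaround. If the constructor can throw `URIError` on a malformed request path, as the reverted commit presumed, a client-controlled URL now surfaces as an uncaught exception in the handler instead of a client-error response. If the guard comes back, 400 fits a malformed URI better than the 404 used before: `if (err instanceof URIError) return new Response(null, { status: 400 })`. Otherwise the commit body should state where malformed paths are handled. The body of requestHandler continues outside the hunk.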
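Review bot: The switch to `Object.create(null)` in getCookies carries no comment, so a later cleanup could easily turn it back into `{}`; I would add `// null prototype: a cookie named __proto__ or constructor must be stored and read back as plain data` above the declaration. Callers now receive an object without `Object.prototype`, so `getCookies().hasOwnProperty(...)` or string coercion of the result throws, which deserves a line in the function's doc comment. `Object.create(null)` is typed `any`, so the `Record` annotation on the declaration is not checked against it. The loop and the return statement of getCookies lie past the end of the hunk.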