Skip to content

Merge fastify/send#1

Closed
bjohansebas wants to merge 111 commits into
masterfrom
merge-fastify-send-2
Closed

Merge fastify/send#1
bjohansebas wants to merge 111 commits into
masterfrom
merge-fastify-send-2

Conversation

@bjohansebas
Copy link
Copy Markdown
Owner

@bjohansebas bjohansebas commented Jan 21, 2026

No description provided.

mcollina and others added 30 commits January 11, 2023 11:25
@mcollina
module rename
72004f0 
Signed-off-by: Matteo Collina <hello@matteocollina.com>
@mcollina
fixup
ac7922b 
Signed-off-by: Matteo Collina <hello@matteocollina.com>
@mcollina
Update debug
70aa309 
Signed-off-by: Matteo Collina <hello@matteocollina.com>
@mcollina
Merge pull request #1 from fastify/update-debug
a5ba254 
Update debug
@mcollina
Bumped v1.0.0
e5ebad0 
Signed-off-by: Matteo Collina <hello@matteocollina.com>
@Fdawgs
chore: repo updates (pillarjs#3)
a225093 
* chore: disable package-lock generation

* ci: use org reusable workflow

* chore(.gitignore): use skeleton template

* docs: remove security policy, allowing org one to show

* chore(package): replace eslint with standard

* chore(package): remove engines

* docs(readme): update title, add badges

* chore: lint files
@dependabot
build(deps-dev): bump supertest from 6.2.2 to 6.3.3 (pillarjs#8)
b05ea94 
Bumps [supertest](https://github.com/visionmedia/supertest) from 6.2.2 to 6.3.3.
- [Release notes](https://github.com/visionmedia/supertest/releases)
- [Commits](forwardemail/supertest@v6.2.2...v6.3.3)

---
updated-dependencies:
- dependency-name: supertest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
build(deps-dev): bump mocha from 9.2.2 to 10.2.0 (pillarjs#9)
8a01a72 
Bumps [mocha](https://github.com/mochajs/mocha) from 9.2.2 to 10.2.0.
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/master/CHANGELOG.md)
- [Commits](mochajs/mocha@v9.2.2...v10.2.0)

---
updated-dependencies:
- dependency-name: mocha
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@Uzlopak
replace mocha with tap (#10)
e86dba5 
* replace mocha with tap

* fix coverage issue
@Uzlopak
add types, nodenext, upgrade mime (pillarjs#6)
46fd432 
* add types, nodenext, upgrade mime

* improve test coverage
@Uzlopak
use t.error instead of t.pass (pillarjs#11)
5b263c2
@Uzlopak
use listenerCount immediatly (pillarjs#13)
3c18fc1 
* use listenerCount immediatly

* like before
@Uzlopak
remove deprecated options and methods (pillarjs#12)
8642dfb 
* remove deprecated option and methods

* decrease branch coverage to 95
@Uzlopak
remove node < 8 ponyfills for res.headersSent and res.getHeaderNames (p…
ae87c17 
…illarjs#14)
@Uzlopak
100% test coverage (pillarjs#16)
8c05363 
* 100% test coverage

* add ENAMETOOLONG test

* add test case for ENOTDIR

* fix linting

* increase longFilename to 512 characters

* patch onStatError for further investigation on windows

* try to ignore block for coverage

* windows switch

* fix linting
@Uzlopak
avoid deoptimization in range support (pillarjs#20)
7ce38ec
@Uzlopak
add example (pillarjs#19)
3f4ffb2
@Uzlopak
add pre-commit (pillarjs#18)
3ec3d1d
@Uzlopak
use fast-decode-uri-component (pillarjs#21)
75e0ff4
@Uzlopak
remove statuses package, precompute errors (pillarjs#17)
ae3d3d9
@Uzlopak
remove encodeurl (pillarjs#23)
5e28adc
@Uzlopak
remove destroy (pillarjs#25)
9f0df93
@Uzlopak
remove backwards compatibilty of dotfiles (pillarjs#22)
3d6de26
@Uzlopak
remove debug (pillarjs#24)
5ba5860
@Uzlopak
remove etag (pillarjs#26)
54f74ae
@Uzlopak
restructure (pillarjs#27)
504b981
@Fdawgs
chore(license): use github mit license template; add fastify team (pi…
d70d7ca 
…llarjs#28)
@Fdawgs
docs(readme): grammar and clarity fixes (pillarjs#29)
123e7e5
@Uzlopak
integrate range-parser (pillarjs#30)
ff81e96 
* integrate rangeg-parser

* named export parseRange
@Uzlopak
fix benchmark (pillarjs#32)
0c3307b
Fdawgs and others added 18 commits January 15, 2025 15:25
@Fdawgs
build(dependabot): reduce npm updates to monthly (pillarjs#104)
4e783b1
@Fdawgs
chore: rename master to main (pillarjs#105)
c9627d3
@ilteoood
test: move to node test runner (pillarjs#106)
d852829 
* feat: migrate collapseLeadingSlashes

* feat: migrate containsDotFile

* feat: migrate isUtf8MimeType

* feat: migrate normalize list

* feat: migrate parseBytesRange

* feat: migrated mime

* feat: migrate send.1

* feat: migrate send 2

* feat: migrate send.3 and removed tap

* feat: migrated commands

* chore: import

* fix: await

* chore: removed empty plans

* Delete .taprc

Signed-off-by: Matteo Pietro Dazzi <matteopietro.dazzi@gmail.com>

* fix: typo

* BREAKING CHANGE: remove support for node18

* fix: use c8

---------

Signed-off-by: Matteo Pietro Dazzi <matteopietro.dazzi@gmail.com>
@Fdawgs
4.0.0
682f0f8
@Fdawgs
ci(ci): set job permissions (pillarjs#107)
7bdf489
@Fdawgs
ci: set permissions at workflow level (pillarjs#108)
f76c324
@Fdawgs
ci: restore job level permissions (#109)
ef99555
@dependabot
build(deps-dev): bump tsd from 0.31.2 to 0.32.0 (pillarjs#111)
bb6ccc1 
Bumps [tsd](https://github.com/tsdjs/tsd) from 0.31.2 to 0.32.0.
- [Release notes](https://github.com/tsdjs/tsd/releases)
- [Commits](tsdjs/tsd@v0.31.2...v0.32.0)

---
updated-dependencies:
- dependency-name: tsd
  dependency-version: 0.32.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@johaven
feat: add highWaterMark option (pillarjs#113)
c2760b1
@Fdawgs
4.1.0
1b54ebf
@Fdawgs
chore(license): update date ranges; standardise style (pillarjs#115)
107b7e0
@dependabot
build(deps-dev): bump @types/node from 22.15.34 to 24.0.8 (pillarjs#116)
c253fab 
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.15.34 to 24.0.8.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 24.0.8
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@Fdawgs
chore(.npmrc): ignore scripts (pillarjs#118)
27b6d67
@Fdawgs
build(deps-dev): remove @fastify/pre-commit (#119)
6b70f2c
@dependabot
build(deps-dev): bump tsd from 0.32.0 to 0.33.0 (pillarjs#120)
b043307 
Bumps [tsd](https://github.com/tsdjs/tsd) from 0.32.0 to 0.33.0.
- [Release notes](https://github.com/tsdjs/tsd/releases)
- [Commits](tsdjs/tsd@v0.32.0...v0.33.0)

---
updated-dependencies:
- dependency-name: tsd
  dependency-version: 0.33.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@Fdawgs
ci(ci): add concurrency config (#121)
3637eaf
@dependabot
build(deps-dev): bump @types/node from 24.10.4 to 25.0.3 (pillarjs#122)
030392f 
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.4 to 25.0.3.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@bjohansebas
Merge remote-tracking branch 'fastify/main' into merge-fastify-send-2
2c5a5f2
github-advanced-security[bot]
github-advanced-security AI found potential problems Jan 21, 2026
View reviewed changes
Comment thread test/utils.js
stream.pipe(res)
} catch (err) {
res.statusCode = 500
res.end(String(err))

Check warning

Code scanning / CodeQL

Exception text reinterpreted as HTML Medium test

Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.
Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.
Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 4 months ago

In general, to fix this type of issue you must avoid sending raw exception strings (which may embed user-controlled values) directly to the HTTP response in a way that can be interpreted as HTML. Instead, either (a) avoid including the message entirely, (b) send a static, generic error message, or (c) escape/encode the message according to the context (HTML-escape for HTML, JSON-encode for JSON, etc.) before writing it.

Here, the best minimal fix without changing existing functionality is to HTML-escape the error string before passing it to res.end. The project already uses the escape-html library in lib/send.js, which is a standard and appropriate library for this purpose. We can reuse it in test/utils.js by adding a require('escape-html') import and wrapping the error string as escapeHtml(String(err)). This keeps the content of the message visible (just safely escaped) and should not break the tests, as they likely don’t rely on the exact raw characters of the error payload.

Concretely:

  • In test/utils.js, add an import near the top: const escapeHtml = require('escape-html').
  • Then, in the catch (err) block inside createServer, change res.end(String(err)) to res.end(escapeHtml(String(err))).
    No other files (lib/send.js, lib/parseTokenList.js) need modification because they’re not directly writing exception text to HTTP responses; the vulnerable sink is in test/utils.js.
Suggested changeset 1
test/utils.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/utils.js b/test/utils.js
--- a/test/utils.js
+++ b/test/utils.js
@@ -3,6 +3,7 @@
 const http = require('node:http')
 const assert = require('node:assert')
 const send = require('..')
+const escapeHtml = require('escape-html')
 
 module.exports.shouldNotHaveHeader = function shouldNotHaveHeader (header, t) {
   return function (res) {
@@ -25,7 +26,7 @@
       stream.pipe(res)
     } catch (err) {
       res.statusCode = 500
-      res.end(String(err))
+      res.end(escapeHtml(String(err)))
     }
   })
 }
EOF
@@ -3,6 +3,7 @@
const http = require('node:http')
const assert = require('node:assert')
const send = require('..')
const escapeHtml = require('escape-html')

module.exports.shouldNotHaveHeader = function shouldNotHaveHeader (header, t) {
return function (res) {
@@ -25,7 +26,7 @@
stream.pipe(res)
} catch (err) {
res.statusCode = 500
res.end(String(err))
res.end(escapeHtml(String(err)))
}
})
}
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
Comment thread test/utils.js
stream.pipe(res)
} catch (err) {
res.statusCode = 500
res.end(String(err))

Check warning

Code scanning / CodeQL

Information exposure through a stack trace Medium test

This information exposed to the user depends on
stack trace information
Loading
.

Copilot Autofix

AI 4 months ago

In general, to fix information exposure through stack traces, you should avoid sending the raw error (or its stack) back to the client. Instead, log the full error details on the server (console, logger, etc.) and send a generic, non-sensitive message in the HTTP response. This maintains visibility for developers while preventing attackers from learning internal implementation details.

For this specific code in test/utils.js, we should modify the catch block inside module.exports.createServer so that it no longer does res.end(String(err)). The best minimal-change fix is:

  • Log the error using console.error(err) (built-in, no new dependencies).
  • Respond with a generic error message string such as "Internal Server Error" or "An internal error occurred" that does not include any details from err.

Concretely:

  • In module.exports.createServer, lines 26–29, keep the catch (err) and res.statusCode = 500, but replace res.end(String(err)) with a call to console.error(err) followed by res.end('Internal Server Error') (or similar). This preserves behavior that a 500 is returned on error, but stops exposing stack trace information to the client while still logging it for debugging.

No additional imports or method definitions are needed; we only use the standard console object.

Suggested changeset 1
test/utils.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/utils.js b/test/utils.js
--- a/test/utils.js
+++ b/test/utils.js
@@ -24,8 +24,9 @@
       res.writeHead(statusCode, headers)
       stream.pipe(res)
     } catch (err) {
+      console.error(err)
       res.statusCode = 500
-      res.end(String(err))
+      res.end('Internal Server Error')
     }
   })
 }
EOF
@@ -24,8 +24,9 @@
res.writeHead(statusCode, headers)
stream.pipe(res)
} catch (err) {
console.error(err)
res.statusCode = 500
res.end(String(err))
res.end('Internal Server Error')
}
})
}
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
@bjohansebas bjohansebas force-pushed the merge-fastify-send-2 branch 5 times, most recently from 354f681 to 5eb769d Compare January 21, 2026 18:58
@coveralls
Copy link
Copy Markdown

coveralls commented Jan 21, 2026
edited
Loading

Pull Request Test Coverage Report for Build 21231906690

Details

  • 1073 of 1073 (100.0%) changed or added relevant lines in 11 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 100.0%
Totals Coverage Status
Change from base Build 21218235726: 0.0%
Covered Lines: 1094
Relevant Lines: 1094
💛 - Coveralls

@bjohansebas bjohansebas force-pushed the merge-fastify-send-2 branch 2 times, most recently from a9e8e6f to 17df4e4 Compare January 22, 2026 01:01
@bjohansebas
refactor: update package details and README for migration to pillarjs…
e1469ad 
…/send

- I also run the npm run lint:fix command
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.