fix(cookies): Update Undici to 5.20 and fix cookies behaviour (#6323)

* fix(cookies): Update Undici to 5.20 and fix cookies behaviour * chore: changeset
withastro · Feb 21, 2023 · 5e26bc8 · 5e26bc8
1 parent d3df40a
commit 5e26bc8
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 43 deletions.
diff --git a/.changeset/breezy-coats-remember.md b/.changeset/breezy-coats-remember.md
@@ -0,0 +1,7 @@
+---
+'astro': patch
+'@astrojs/netlify': patch
+'@astrojs/node': patch
+---
+
+Updated Undici to 5.20.0. This fixes a security issue and handling of cookies in certain cases in dev
diff --git a/packages/astro/package.json b/packages/astro/package.json
@@ -188,7 +188,7 @@
     "rollup": "^3.9.0",
     "sass": "^1.52.2",
     "srcset-parse": "^1.1.0",
-    "undici": "^5.14.0",
+    "undici": "^5.20.0",
     "unified": "^10.1.2"
   },
   "engines": {

diff --git a/packages/astro/src/vite-plugin-astro-server/response.ts b/packages/astro/src/vite-plugin-astro-server/response.ts
@@ -57,12 +57,6 @@ export async function writeWebResponse(res: http.ServerResponse, webResponse: Re
 
 	const _headers = Object.fromEntries(headers.entries());
 
-	// Undici 5.19.1 includes a `getSetCookie` helper that returns an array of all the `set-cookies` headers.
-	// Previously, `headers.entries()` would already have those merged, but it seems like this isn't the case anymore, weird.
-	if ((headers as any)['getSetCookie']) {
-		_headers['set-cookie'] = (headers as any).getSetCookie();
-	}
-
 	// Attach any set-cookie headers added via Astro.cookies.set()
 	const setCookieHeaders = Array.from(getSetCookiesFromResponse(webResponse));
 	if (setCookieHeaders.length) {

diff --git a/packages/integrations/netlify/src/netlify-functions.ts b/packages/integrations/netlify/src/netlify-functions.ts
@@ -102,34 +102,11 @@ export const createExports = (manifest: SSRManifest, args: Args) => {
 			isBase64Encoded: responseIsBase64Encoded,
 		};
 
-		// Special-case set-cookie which has to be set an different way :/
-		// The fetch API does not have a way to get multiples of a single header, but instead concatenates
-		// them. There are non-standard ways to do it, and node-fetch gives us headers.raw()
-		// See https://github.com/whatwg/fetch/issues/973 for discussion
-		if (response.headers.has('set-cookie')) {
-			if ('raw' in response.headers) {
-				// Node fetch allows you to get the raw headers, which includes multiples of the same type.
-				// This is needed because Set-Cookie *must* be called for each cookie, and can't be
-				// concatenated together.
-				type HeadersWithRaw = Headers & {
-					raw: () => Record<string, string[]>;
-				};
-
-				const rawPacked = (response.headers as HeadersWithRaw).raw();
-				if ('set-cookie' in rawPacked) {
-					fnResponse.multiValueHeaders = {
-						'set-cookie': rawPacked['set-cookie'],
-					};
-				}
-			} else {
-				const cookies = response.headers.get('set-cookie');
-
-				if (cookies) {
-					fnResponse.multiValueHeaders = {
-						'set-cookie': Array.isArray(cookies) ? cookies : splitCookiesString(cookies),
-					};
-				}
-			}
+		const cookies = response.headers.get('set-cookie');
+		if (cookies) {
+			fnResponse.multiValueHeaders = {
+				'set-cookie': Array.isArray(cookies) ? cookies : splitCookiesString(cookies),
+			};
 		}
 
 		// Apply cookies set via Astro.cookies.set/delete

diff --git a/packages/integrations/node/package.json b/packages/integrations/node/package.json
@@ -46,6 +46,6 @@
     "cheerio": "^1.0.0-rc.11",
     "mocha": "^9.2.2",
     "node-mocks-http": "^1.11.0",
-    "undici": "^5.14.0"
+    "undici": "^5.20.0"
   }
 }
diff --git a/packages/telemetry/package.json b/packages/telemetry/package.json
@@ -32,7 +32,7 @@
     "dset": "^3.1.2",
     "is-docker": "^3.0.0",
     "is-wsl": "^2.2.0",
-    "undici": "^5.14.0",
+    "undici": "^5.20.0",
     "which-pm-runs": "^1.1.0"
   },
   "devDependencies": {

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml