Merge branch 'main' of github.com:Teyik0/elysia into fix-nested-formdata

Author: Teyik0

CHANGELOG.md

@@ -1,6 +1,28 @@
-# 1.4.17 - TBD
+# 1.4.18 - 4 Dec 2025
+Security:
+- use `JSON.stringify` over custom escape implementation
+
+# 1.4.17 - 2 Dec 2025
+Improvement:
+- [#1573](https://github.com/elysiajs/elysia/pull/1573) `Server` is always resolved to `any` when `@types/bun` is missing
+- [#1568](https://github.com/elysiajs/elysia/pull/1568) optimize cookie value comparison using FNV-1a hash
+- [#1549](https://github.com/elysiajs/elysia/pull/1549) Set-Cookie headers not sent when errors are thrown
+- [#1579](https://github.com/elysiajs/elysia/pull/1579) HEAD to handle Promise value
+
+Security:
+- cookie injection, prototype pollution, and RCE
+
 Bug fix:
+- [#1550](https://github.com/elysiajs/elysia/pull/1550) excess property checking
+- allow cookie.sign to be string
+
+Change:
+- [#1584](https://github.com/elysiajs/elysia/pull/1584) change customError property to unknown
 - [#1556](https://github.com/elysiajs/elysia/issues/1556) prevent sending set-cookie header when cookie value is not modified
+- [#1563](https://github.com/elysiajs/elysia/issues/1563) standard schema on websocket
+- conditional parseQuery parameter
+- conditional pass `c.request` to handler for streaming response
+- fix missing `contentType` type on `parser`
 
 # 1.4.16 - 13 Nov 2025
 Improvement:

bun.lock

@@ -1,22 +1,22 @@
-import { Elysia, status, t } from '../src'
+import { Elysia, t } from '../src'
+import * as z from 'zod'
+import { post, req } from '../test/utils'
 
-const auth = (app: Elysia) =>
-	app.derive(({ headers, status }) => {
-		try {
-			const token = headers['authorization']?.replace('Bearer ', '') || ''
-			return {
-				isAuthenticated: true
-			}
-		} catch (e) {
-			const error = e as Error
-			console.error('Authentication error:', error.message)
-			return status(401, 'Unauthorized')
+const app = new Elysia({
+	cookie: {
+		domain: "\\` + console.log(c.q='pwn2') }) //"
+	}
+})
+	.get('/', ({ cookie: { session } }) => 'awd')
+
+console.log(app.routes[0].compile().toString())
+
+const root = await app.handle(
+	new Request('http://localhost/', {
+		headers: {
+			Cookie: 'session=1234'
 		}
 	})
+)
 
-const app = new Elysia()
-	.use(auth)
-	.get('/', ({ isAuthenticated }) => isAuthenticated)
-	.listen(5000)
-
-app['~Routes']
+console.log(await root.text())

example/a.ts

@@ -0,0 +1,31 @@
+import { Elysia, t } from '../../src'
+
+const total = 1000
+const sub = 50
+
+const app = new Elysia()
+
+const memory = process.memoryUsage().heapTotal / 1024 / 1024
+console.log(`${total} Elysia instances with ${sub} decorations each`)
+
+const t1 = performance.now()
+
+for (let i = 0; i < total; i++) {
+	const plugin = new Elysia()
+
+	for (let j = 0; j < sub; j++)
+		plugin.decorate('a', {
+			[`value-${i * sub + j}`]: 1
+		})
+
+	app.use(plugin)
+}
+
+const t2 = performance.now()
+
+Bun.gc(true)
+
+const memoryAfter = process.memoryUsage().heapTotal / 1024 / 1024
+console.log(+(memoryAfter - memory).toFixed(2), 'MB memory used')
+console.log('total', +(t2 - t1).toFixed(2), 'ms')
+console.log(+((t2 - t1) / (total * sub)).toFixed(6), 'decoration/ms')

example/stress/decorate.ts

@@ -9,7 +9,14 @@ const memory = process.memoryUsage().heapTotal / 1024 / 1024
 const t1 = performance.now()
 
 for (let i = 0; i < total; i++) {
-	const plugin = new Elysia()
+	const plugin = new Elysia({
+		cookie: {
+			domain: 'saltyaom.com',
+			priority: 'high',
+			secrets: 'a',
+			sign: 'a'
+		}
+	})
 
 	for (let j = 0; j < sub; j++) plugin.get(`/${i * sub + j}`, () => 'hi')
 

example/stress/instance.ts

@@ -1,7 +1,7 @@
 {
 	"name": "elysia",
 	"description": "Ergonomic Framework for Human",
-	"version": "1.4.16",
+	"version": "1.4.18",
 	"author": {
 		"name": "saltyAom",
 		"url": "https://github.com/SaltyAom",
@@ -190,15 +190,15 @@
 		"release": "bun run build && bun run test && bun publish"
 	},
 	"dependencies": {
-		"cookie": "^1.0.2",
+		"cookie": "^1.1.1",
 		"exact-mirror": "0.2.5",
 		"fast-decode-uri-component": "^1.0.1",
 		"memoirist": "^0.4.0"
 	},
 	"devDependencies": {
 		"@elysiajs/openapi": "^1.4.1",
 		"@types/bun": "^1.2.12",
-		"@types/cookie": "^1.0.0",
+		"@types/cookie": "1.0.0",
 		"@types/fast-decode-uri-component": "^1.0.0",
 		"@typescript-eslint/eslint-plugin": "^8.30.1",
 		"@typescript-eslint/parser": "^8.30.1",

package.json

@@ -340,6 +340,7 @@ export const BunAdapter: ElysiaAdapter = {
 									createStaticRoute(app.router.response),
 									mapRoutes(app)
 								),
+								// @ts-ignore
 								app.config.serve?.routes
 							),
 							websocket: {
@@ -360,6 +361,7 @@ export const BunAdapter: ElysiaAdapter = {
 									createStaticRoute(app.router.response),
 									mapRoutes(app)
 								),
+								// @ts-ignore
 								app.config.serve?.routes
 							),
 							websocket: {
@@ -402,6 +404,7 @@ export const BunAdapter: ElysiaAdapter = {
 							}),
 							mapRoutes(app)
 						),
+						// @ts-ignore
 						app.config.serve?.routes
 					)
 				})
@@ -428,15 +431,21 @@ export const BunAdapter: ElysiaAdapter = {
 		// eslint-disable-next-line @typescript-eslint/no-unused-vars
 		const { parse, body, response, ...rest } = options
 
-		const validateMessage = getSchemaValidator(body, {
+		const messageValidator = getSchemaValidator(body, {
 			// @ts-expect-error private property
 			modules: app.definitions.typebox,
 			// @ts-expect-error private property
 			models: app.definitions.type as Record<string, TSchema>,
 			normalize: app.config.normalize
 		})
 
-		const validateResponse = getSchemaValidator(response as any, {
+		const validateMessage = messageValidator ?
+			messageValidator.provider === 'standard'
+				? (data: unknown) => messageValidator.schema['~standard'].validate(data).issues
+				: (data: unknown) => messageValidator.Check(data) === false
+				: undefined
+
+		const responseValidator = getSchemaValidator(response as any, {
 			// @ts-expect-error private property
 			modules: app.definitions.typebox,
 			// @ts-expect-error private property
@@ -456,7 +465,7 @@ export const BunAdapter: ElysiaAdapter = {
 				const { set, path, qi, headers, query, params } = context
 
 				// @ts-ignore
-				context.validator = validateResponse
+				context.validator = responseValidator
 
 				if (options.upgrade) {
 					if (typeof options.upgrade === 'function') {
@@ -484,7 +493,7 @@ export const BunAdapter: ElysiaAdapter = {
 						set.headers['set-cookie']
 					) as any
 
-				const handleResponse = createHandleWSResponse(validateResponse)
+				const handleResponse = createHandleWSResponse(responseValidator)
 				const parseMessage = createWSMessageParser(parse as any)
 
 				let _id: string | undefined
@@ -535,7 +544,7 @@ export const BunAdapter: ElysiaAdapter = {
 
 								return (_id = randomId())
 							},
-							validator: validateResponse,
+							validator: responseValidator,
 							ping(ws: ServerWebSocket<any>, data?: unknown) {
 								options.ping?.(ws as any, data)
 							},
@@ -560,18 +569,17 @@ export const BunAdapter: ElysiaAdapter = {
 							) => {
 								const message = await parseMessage(ws, _message)
 
-								if (validateMessage?.Check(message) === false) {
+								if (validateMessage && validateMessage(message)) {
 									const validationError = new ValidationError(
 										'message',
-										validateMessage,
+										messageValidator!,
 										message
 									)
 
-									if (!hasCustomErrorHandlers) {
+									if (!hasCustomErrorHandlers)
 										return void ws.send(
 											validationError.message as string
 										)
-									}
 
 									return handleErrors(ws, validationError)
 								}