Skip to content

Commit c31446a

Browse files
v1rtlclaude
v1rtl
and
claude
authored
2026 updates (#477)
* docs: add CLAUDE.md for AI-assisted development Add comprehensive documentation for Claude Code to understand: - Common development commands (build, test, lint) - High-level architecture (App class, Router, extensions) - Project structure and monorepo layout - Testing patterns and helpers - Release process with changesets - Code style and dependencies Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * chore: bump dev dependencies and configure workspace trust policy Update development dependencies: - @biomejs/biome: 2.2.4 → 2.3.7 - @commitlint/cli: 19.8.1 → 20.1.0 - @commitlint/config-conventional: 19.8.1 → 20.0.0 - @types/node: 22.10.7 → 24.10.1 - @vitest/coverage-v8: 3.2.4 → 4.0.13 - supertest-fetch: 1.5.0 → 2.0.0 - typescript: 5.9.2 → 5.9.3 - vite: 7.1.11 → 7.2.4 - vitest: 3.2.4 → 4.0.13 Add pnpm workspace trust policy configuration: - Enable no-downgrade trust policy - Set minimum release age to 24 hours - Configure trust policy timeout Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * test: fix compatibility with Node.js v24 Node.js v24 introduces several breaking changes that affect tests: 1. Cache-Control headers: Node.js v24's fetch automatically adds 'cache-control: no-cache' headers, preventing 304 Not Modified responses. Updated tests to explicitly set 'Cache-Control: max-age=3600' to allow conditional GET behavior. 2. IP/Hostname handling: Node.js v24 may connect via IPv6 (::1) even with Agent({ family: 4 }), and ignores custom Host headers for security. Updated tests to handle both IPv4 and IPv6 connections and accept 'localhost' hostname on v24+. 3. TRACE method: Node.js v24 blocks TRACE HTTP method for security (XST attack prevention). Added version check to skip test on v24+. 4. Host header validation: Node.js v24 has stricter validation for malformed headers. Updated tests to accept either 200 or 500 status codes depending on Node.js version. All changes maintain backward compatibility with Node.js v20 and v22 while supporting the new security-focused behavior in v24. Fixes #476 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * test: fix compatibility with Node.js v24 Node.js v24 introduces several breaking changes that affect tests: 1. Cache-Control headers: Node.js v24's fetch automatically adds 'cache-control: no-cache' headers, preventing 304 Not Modified responses. Updated tests to explicitly set 'Cache-Control: max-age=3600' to allow conditional GET behavior. 2. IP/Hostname handling: Node.js v24 may connect via IPv6 (::1) even with Agent({ family: 4 }), and ignores custom Host headers for security. Updated tests to handle both IPv4 and IPv6 connections and accept 'localhost' hostname on v24+. 3. TRACE method: Node.js v24 blocks TRACE HTTP method for security (XST attack prevention). Added version check to skip test on v24+. 4. Host header validation: Node.js v24 has stricter validation for malformed headers. Updated tests to accept either 200 or 500 status codes depending on Node.js version. All changes maintain backward compatibility with Node.js v20 and v22 while supporting the new security-focused behavior in v24. Fixes #476 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * chore: fix biome check errors - Update biome schema version from 2.2.4 to 2.3.7 - Ignore HTML template files with interpolation syntax - Remove unused biome-ignore comment in firebase example - Apply biome formatting to test files Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * chore: fix biome-ignore placeholder explanations Replace <explanation> placeholders with actual descriptions for: - jsonp: escape shadows global function - cookie: RFC 7230 field-content regex - content-disposition: RFC 5987/6266 parsing regexes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * ci: update Biome version to 2.3.7 Sync CI Biome version with package.json to fix check failures. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * test: fix Node.js security backport compatibility - Skip TRACE test (security restriction backported to Node 20.19+, 22.13+) - Make hostname tests flexible for both old and new Host header behavior - Make malformed host tests accept both behaviors Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
1 parent b2755ce commit c31446a

File tree

15 files changed

+923
-977
lines changed

15 files changed

+923
-977
lines changed

.github/workflows/main.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -46,7 +46,7 @@ jobs:
4646
- name: Setup Biome
4747
uses: biomejs/setup-biome@454fa0d884737805f48d7dc236c1761a0ac3cc13 # v2.6.0
4848
with:
49-
version: "2.2.4"
49+
version: "2.3.7"
5050
- name: Run Biome
5151
run: biome ci .
5252

CLAUDE.md

Lines changed: 147 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,147 @@
1+
# CLAUDE.md
2+
3+
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
4+
5+
## About tinyhttp
6+
7+
tinyhttp is a modern Express-like web framework written in TypeScript, compiled to native ESM with minimal dependencies. It provides Express middleware compatibility while targeting recent Node.js versions without legacy polyfills.
8+
9+
## Project Structure
10+
11+
This is a **pnpm monorepo** with packages in the `packages/` directory:
12+
13+
- **`@tinyhttp/app`** - Core application framework (main package)
14+
- **`@tinyhttp/router`** - Routing functionality
15+
- **`@tinyhttp/req`** - Request extensions
16+
- **`@tinyhttp/res`** - Response extensions
17+
- **Other packages** - Utilities like cookie handling, proxy-addr, content-disposition, etag, etc.
18+
19+
Each package follows this structure:
20+
- `src/` - TypeScript source files
21+
- `dist/` - Compiled output (generated by `tsc`)
22+
- `tsconfig.json` - Extends root config, sets rootDir to `src/` and outDir to `dist/`
23+
- `package.json` - Package metadata with `"type": "module"` for ESM
24+
25+
Tests are organized separately:
26+
- `tests/core/` - Core App class tests
27+
- `tests/modules/` - Individual package/module tests
28+
- `tests/wares/` - Middleware tests
29+
- `test_helpers/` - Shared test utilities (e.g., `InitAppAndTest`)
30+
31+
## Common Commands
32+
33+
### Development workflow
34+
```bash
35+
# Install dependencies (root and all packages)
36+
pnpm i && pnpm i -r
37+
38+
# Build all packages
39+
pnpm build
40+
41+
# Run all tests with coverage
42+
pnpm test
43+
44+
# Run tests in watch mode (development)
45+
pnpm test:dev
46+
47+
# Lint and format
48+
pnpm check # runs Biome check
49+
pnpm lint # lint only
50+
pnpm format # format only
51+
```
52+
53+
### Running specific tests
54+
```bash
55+
# Run tests in a specific directory
56+
vitest --dir tests/core
57+
vitest --dir tests/modules
58+
59+
# Run a single test file
60+
vitest tests/modules/router.test.ts
61+
62+
# Run tests with coverage for specific files
63+
vitest run --coverage --dir tests/core
64+
```
65+
66+
### Package-level operations
67+
```bash
68+
# Build a specific package
69+
cd packages/app && pnpm build
70+
71+
# Install dependencies across all packages
72+
pnpm i -r
73+
```
74+
75+
## Architecture Notes
76+
77+
### App Class (packages/app/src/app.ts)
78+
79+
The `App` class extends `Router` and serves as the main entry point. Key responsibilities:
80+
81+
- **Middleware management** - Stores middleware in `App.middleware[]` array
82+
- **Error handling** - Custom `onError` handler (default: `onErrorHandler`)
83+
- **404 handling** - Custom `noMatchHandler`
84+
- **Settings & configuration** - `App.settings` object (views directory, trust proxy, view cache, etc.)
85+
- **Template engines** - Stored in `App.engines` object
86+
- **Request/Response extensions** - Applied via `extendMiddleware` and `applyExtensions`
87+
- **Async error handling** - Middleware wrapped in `applyHandler` catches async errors
88+
89+
The `attach` method is the core request handler that processes the middleware chain.
90+
91+
### Router (packages/router/)
92+
93+
Handles route matching and middleware execution. Uses `regexparam` for path-to-regexp style routing.
94+
95+
### Request/Response Extensions
96+
97+
- **Request** (`packages/req/`) - Extensions like `req.accepts()`, `req.get()`, `req.is()`, etc.
98+
- **Response** (`packages/res/`) - Extensions like `res.send()`, `res.json()`, `res.status()`, etc.
99+
100+
These are applied to Node's IncomingMessage and ServerResponse via extension functions.
101+
102+
### Testing Pattern
103+
104+
Tests use `supertest-fetch` for HTTP assertions and vitest for the test runner. The `InitAppAndTest` helper (in `test_helpers/`) creates an app instance, starts a server, and returns a fetch function for making requests:
105+
106+
```typescript
107+
const { fetch, app, server } = InitAppAndTest(handler, route?, method?, settings?)
108+
await fetch('/path').expect(200, 'expected body')
109+
```
110+
111+
### Vitest Configuration
112+
113+
The `vitest.config.ts` dynamically creates path aliases for all packages in `packages/` directory, mapping `@tinyhttp/{package}` to `packages/{package}/src`. This allows tests to import from source directly without building.
114+
115+
## Release Process
116+
117+
This project uses changesets for version management:
118+
119+
```bash
120+
# Create a changeset (describe changes)
121+
pnpm chgset:run
122+
123+
# Version packages and update CHANGELOG
124+
pnpm chgset:version
125+
126+
# Publish to npm
127+
pnpm release
128+
129+
# Full pre-release check (lint, build, test)
130+
pnpm prerelease
131+
```
132+
133+
## Code Style
134+
135+
- **Formatter/Linter**: Biome (replaces ESLint + Prettier)
136+
- **Target**: ES2022, Node.js 14.21.3+
137+
- **Module system**: ESM only (`"type": "module"`)
138+
- **TypeScript**: Strict mode enabled
139+
- Uses `.js` extensions in imports even in TypeScript files (ESM requirement)
140+
141+
## Key Dependencies
142+
143+
- **regexparam** - Path matching (similar to path-to-regexp)
144+
- **header-range-parser** - HTTP range header parsing
145+
- **supertest-fetch** - HTTP testing utility
146+
- **vitest** - Test runner with coverage via v8
147+
- **Biome** - Linting and formatting

biome.json

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,19 @@
11
{
2-
"$schema": "https://biomejs.dev/schemas/2.2.4/schema.json",
2+
"$schema": "https://biomejs.dev/schemas/2.3.7/schema.json",
33
"vcs": {
44
"enabled": true,
55
"clientKind": "git",
66
"useIgnoreFile": true
77
},
88
"files": {
99
"ignoreUnknown": false,
10-
"includes": ["**", "!coverage", "!packages/*/dist", "tests/fixtures"]
10+
"includes": [
11+
"**",
12+
"!coverage",
13+
"!packages/*/dist",
14+
"tests/fixtures",
15+
"!examples/custom-view/views/*.html"
16+
]
1117
},
1218
"formatter": {
1319
"enabled": true,

examples/firebase-functions/src/index.ts

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,6 @@ export const app = onRequest((request, response) => {
2727

2828
/** Hack for firebase functions request object, it was read only */
2929
function makeReadonlySettable(req: Request) {
30-
// biome-ignore lint/complexity/noForEach: <explanation>
3130
return ['xhr', 'node:path'].forEach((key) => {
3231
Object.defineProperty(req, key, {
3332
get: function () {

package.json

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -14,21 +14,21 @@
1414
"pnpm": ">=8"
1515
},
1616
"devDependencies": {
17-
"@biomejs/biome": "2.2.4",
17+
"@biomejs/biome": "2.3.7",
1818
"@changesets/cli": "2.29.7",
19-
"@commitlint/cli": "19.8.1",
20-
"@commitlint/config-conventional": "19.8.1",
21-
"@types/node": "22.10.7",
22-
"@vitest/coverage-v8": "^3.2.4",
19+
"@commitlint/cli": "20.1.0",
20+
"@commitlint/config-conventional": "20.0.0",
21+
"@types/node": "24.10.1",
22+
"@vitest/coverage-v8": "^4.0.13",
2323
"c8": "^10.1.3",
2424
"eta": "2.2.0",
2525
"header-range-parser": "^1.1.3",
2626
"husky": "9.1.7",
2727
"regexparam": "3.0.0",
28-
"supertest-fetch": "1.5.0",
29-
"typescript": "~5.9.2",
30-
"vite": "^7.1.11",
31-
"vitest": "3.2.4"
28+
"supertest-fetch": "2.0.0",
29+
"typescript": "~5.9.3",
30+
"vite": "^7.2.4",
31+
"vitest": "4.0.13"
3232
},
3333
"scripts": {
3434
"prerelease": "pnpm lint && pnpm build && pnpm test",
@@ -46,7 +46,7 @@
4646
"build": "pnpm -r build",
4747
"prepare": "husky"
4848
},
49-
"packageManager": "pnpm@10.16.1+sha512.0e155aa2629db8672b49e8475da6226aa4bdea85fdcdfdc15350874946d4f3c91faaf64cbdc4a5d1ab8002f473d5c3fcedcd197989cf0390f9badd3c04678706",
49+
"packageManager": "pnpm@10.28.0",
5050
"pnpm": {
5151
"overrides": {
5252
"es-define-property": "npm:@socketregistry/es-define-property@^1",

packages/content-disposition/src/index.ts

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,26 +1,26 @@
1-
// biome-ignore lint/suspicious/noControlCharactersInRegex: <explanation>
1+
// biome-ignore lint/suspicious/noControlCharactersInRegex: RFC 5987 attr-char excludes CTLs
22
const ENCODE_URL_ATTR_CHAR_REGEXP = /[\x00-\x20"'()*,/:;<=>?@[\\\]{}\x7f]/g
33

44
const HEX_ESCAPE_REGEXP = /%[0-9A-Fa-f]{2}/
55
const HEX_ESCAPE_REPLACE_REGEXP = /%([0-9A-Fa-f]{2})/g
66

77
const NON_LATIN1_REGEXP = /[^\x20-\x7e\xa0-\xff]/g
88

9-
// biome-ignore lint/suspicious/noControlCharactersInRegex: <explanation>
9+
// biome-ignore lint/suspicious/noControlCharactersInRegex: RFC 2616 quoted-pair includes CTLs
1010
const QESC_REGEXP = /\\([\u0000-\u007f])/g
1111

1212
const QUOTE_REGEXP = /([\\"])/g
1313

1414
const PARAM_REGEXP =
15-
// biome-ignore lint/suspicious/noControlCharactersInRegex: <explanation>
15+
// biome-ignore lint/suspicious/noControlCharactersInRegex: RFC 6266 parameter parsing includes HTAB
1616
/;[\x09\x20]*([!#$%&'*+.0-9A-Z^_`a-z|~-]+)[\x09\x20]*=[\x09\x20]*("(?:[\x20!\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\x20-\x7e])*"|[!#$%&'*+.0-9A-Z^_`a-z|~-]+)[\x09\x20]*/g
1717
const TEXT_REGEXP = /^[\x20-\x7e\x80-\xff]+$/
1818
const TOKEN_REGEXP = /^[!#$%&'*+.0-9A-Z^_`a-z|~-]+$/
1919

2020
const EXT_VALUE_REGEXP =
2121
/^([A-Za-z0-9!#$%&+\-^_`{}~]+)'(?:[A-Za-z]{2,3}(?:-[A-Za-z]{3}){0,3}|[A-Za-z]{4,8}|)'((?:%[0-9A-Fa-f]{2}|[A-Za-z0-9!#$&+.^_`|~-])+)$/
2222

23-
// biome-ignore lint/suspicious/noControlCharactersInRegex: <explanation>
23+
// biome-ignore lint/suspicious/noControlCharactersInRegex: RFC 6266 disposition-type parsing includes HTAB
2424
const DISPOSITION_TYPE_REGEXP = /^([!#$%&'*+.0-9A-Z^_`a-z|~-]+)[\x09\x20]*(?:$|;)/
2525

2626
const getlatin1 = (val: unknown) => {

packages/cookie/src/index.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ const pairSplitRegExp = /; */
88
* obs-text = %x80-FF
99
*/
1010

11-
// biome-ignore lint/suspicious/noControlCharactersInRegex: <explanation>
11+
// biome-ignore lint/suspicious/noControlCharactersInRegex: RFC 7230 field-content includes HTAB
1212
const fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/
1313

1414
function tryDecode(str: string, decode: (str: string) => string) {

packages/jsonp/src/index.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ export const jsonp =
4343
(obj: unknown, opts: JSONPOptions = {}): Response => {
4444
const val = obj
4545

46-
// biome-ignore lint/suspicious/noShadowRestrictedNames: <explanation>
46+
// biome-ignore lint/suspicious/noShadowRestrictedNames: escape is a common option name
4747
const { escape, replacer, spaces, callbackName = 'callback' } = opts
4848

4949
let body = stringify(val, replacer, spaces, escape)

0 commit comments

Comments
 (0)