-rw-r--r--.changeset/breezy-coats-remember.md7
-rw-r--r--packages/astro/package.json2
-rw-r--r--packages/astro/src/vite-plugin-astro-server/response.ts6
-rw-r--r--packages/integrations/netlify/src/netlify-functions.ts33
-rw-r--r--packages/integrations/node/package.json2
-rw-r--r--packages/telemetry/package.json2
-rw-r--r--pnpm-lock.yaml19
7 files changed, 28 insertions, 43 deletions
diff --git a/.changeset/breezy-coats-remember.md b/.changeset/breezy-coats-remember.md
new file mode 100644
index 000000000..c87e2803a
--- /dev/null
+++ b/.changeset/breezy-coats-remember.md
@@ -0,0 +1,7 @@
+---
+'astro': patch
+'@astrojs/netlify': patch
+'@astrojs/node': patch
+---
+
+Updated Undici to 5.20.0. This fixes a security issue and handling of cookies in certain cases in dev
diff --git a/packages/astro/package.json b/packages/astro/package.json
index bdd21b083..b53afbf25 100644
--- a/packages/astro/package.json
+++ b/packages/astro/package.json
@@ -188,7 +188,7 @@
"rollup": "^3.9.0",
"sass": "^1.52.2",
"srcset-parse": "^1.1.0",
- "undici": "^5.14.0",
+ "undici": "^5.20.0",
"unified": "^10.1.2"
},
"engines": {
diff --git a/packages/astro/src/vite-plugin-astro-server/response.ts b/packages/astro/src/vite-plugin-astro-server/response.ts
index 1a4d8ca99..4f1a3e6ab 100644
--- a/packages/astro/src/vite-plugin-astro-server/response.ts
+++ b/packages/astro/src/vite-plugin-astro-server/response.ts
@@ -57,12 +57,6 @@ export async function writeWebResponse(res: http.ServerResponse, webResponse: Re
const _headers = Object.fromEntries(headers.entries());
- // Undici 5.19.1 includes a `getSetCookie` helper that returns an array of all the `set-cookies` headers.
- // Previously, `headers.entries()` would already have those merged, but it seems like this isn't the case anymore, weird.
- if ((headers as any)['getSetCookie']) {
- _headers['set-cookie'] = (headers as any).getSetCookie();
- }
-
// Attach any set-cookie headers added via Astro.cookies.set()
const setCookieHeaders = Array.from(getSetCookiesFromResponse(webResponse));
if (setCookieHeaders.length) {
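Review bot: With the `getSetCookie` branch removed, `_headers` is built only by `Object.fromEntries(headers.entries())`, which keeps a single value per key. Whether several `Set-Cookie` headers appended directly to the web response survive therefore depends on how the installed undici iterates them, and the `^5.20.0` range does not pin that behaviour. A silently dropped cookie here could be a session or CSRF cookie, so record the assumption next to the line, e.g. `// Assumes headers.entries() yields one merged set-cookie entry; Object.fromEntries keeps only the last value per key.` A dev-server test that returns two cookies via `headers.append('set-cookie', …)` would catch a regression on the next undici bump. The body of `writeWebResponse` starts and ends outside this hunk, so later handling of `_headers` is not visible here.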
diff --git a/packages/integrations/netlify/src/netlify-functions.ts b/packages/integrations/netlify/src/netlify-functions.ts
index 0f9b58158..eb6ed7600 100644
--- a/packages/integrations/netlify/src/netlify-functions.ts
+++ b/packages/integrations/netlify/src/netlify-functions.ts
@@ -102,34 +102,11 @@ export const createExports = (manifest: SSRManifest, args: Args) => {
isBase64Encoded: responseIsBase64Encoded,
};
- // Special-case set-cookie which has to be set an different way :/
- // The fetch API does not have a way to get multiples of a single header, but instead concatenates
- // them. There are non-standard ways to do it, and node-fetch gives us headers.raw()
- // See https://github.com/whatwg/fetch/issues/973 for discussion
- if (response.headers.has('set-cookie')) {
- if ('raw' in response.headers) {
- // Node fetch allows you to get the raw headers, which includes multiples of the same type.
- // This is needed because Set-Cookie *must* be called for each cookie, and can't be
- // concatenated together.
- type HeadersWithRaw = Headers & {
- raw: () => Record<string, string[]>;
- };
-
- const rawPacked = (response.headers as HeadersWithRaw).raw();
- if ('set-cookie' in rawPacked) {
- fnResponse.multiValueHeaders = {
- 'set-cookie': rawPacked['set-cookie'],
- };
- }
- } else {
- const cookies = response.headers.get('set-cookie');
-
- if (cookies) {
- fnResponse.multiValueHeaders = {
- 'set-cookie': Array.isArray(cookies) ? cookies : splitCookiesString(cookies),
- };
- }
- }
+ const cookies = response.headers.get('set-cookie');
+ if (cookies) {
+ fnResponse.multiValueHeaders = {
+ 'set-cookie': Array.isArray(cookies) ? cookies : splitCookiesString(cookies),
+ };
}
// Apply cookies set via Astro.cookies.set/delete
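Review bot: On a standard `Headers`, `response.headers.get('set-cookie')` returns `string | null`, so the `Array.isArray(cookies)` arm kept in the new block looks unreachable and every multi-cookie response now goes through `splitCookiesString`. That helper is defined outside this hunk, so its handling of commas inside `Expires=` dates or cookie values cannot be confirmed here; a mis-split could drop a cookie or detach attributes such as `HttpOnly` and `Secure` from the cookie they belong to. If the `Headers` implementation in this adapter is the undici one, the `getSetCookie` helper mentioned in the comment removed from response.ts avoids the re-split: `const h = response.headers as Headers & { getSetCookie?: () => string[] };` then `const cookies = h.getSetCookie?.() ?? h.get('set-cookie');`. The existing `Array.isArray` check then becomes meaningful. `createExports` continues outside the hunk, so how the following `Astro.cookies` block merges into `multiValueHeaders` is not visible here.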
diff --git a/packages/integrations/node/package.json b/packages/integrations/node/package.json
index 9c426c87f..bc597c24b 100644
--- a/packages/integrations/node/package.json
+++ b/packages/integrations/node/package.json
@@ -46,6 +46,6 @@
"cheerio": "^1.0.0-rc.11",
"mocha": "^9.2.2",
"node-mocks-http": "^1.11.0",
- "undici": "^5.14.0"
+ "undici": "^5.20.0"
}
}
diff --git a/packages/telemetry/package.json b/packages/telemetry/package.json
index 31f90a137..ba7f16f81 100644
--- a/packages/telemetry/package.json
+++ b/packages/telemetry/package.json
@@ -32,7 +32,7 @@
"dset": "^3.1.2",
"is-docker": "^3.0.0",
"is-wsl": "^2.2.0",
- "undici": "^5.14.0",
+ "undici": "^5.20.0",
"which-pm-runs": "^1.1.0"
},
"devDependencies": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index f507b7cf8..85b30aabc 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -456,7 +456,7 @@ importers:
supports-esm: ^1.0.0
tsconfig-resolver: ^3.0.1
typescript: '*'
- undici: ^5.14.0
+ undici: ^5.20.0
unified: ^10.1.2
unist-util-visit: ^4.1.0
vfile: ^5.3.2
@@ -553,7 +553,7 @@ importers:
rollup: 3.14.0
sass: 1.58.0
srcset-parse: 1.1.0
- undici: 5.18.0
+ undici: 5.20.0
unified: 10.1.2
packages/astro-prism:
@@ -3117,7 +3117,7 @@ importers:
node-mocks-http: ^1.11.0
send: ^0.18.0
server-destroy: ^1.0.1
- undici: ^5.14.0
+ undici: ^5.20.0
dependencies:
'@astrojs/webapi': link:../../webapi
send: 0.18.0
@@ -3131,7 +3131,7 @@ importers:
cheerio: 1.0.0-rc.12
mocha: 9.2.2
node-mocks-http: 1.12.1
- undici: 5.18.0
+ undici: 5.20.0
packages/integrations/node/test/fixtures/api-route:
specifiers:
@@ -3624,7 +3624,7 @@ importers:
is-docker: ^3.0.0
is-wsl: ^2.2.0
mocha: ^9.2.2
- undici: ^5.14.0
+ undici: ^5.20.0
which-pm-runs: ^1.1.0
dependencies:
ci-info: 3.7.1
@@ -3633,7 +3633,7 @@ importers:
dset: 3.1.2
is-docker: 3.0.0
is-wsl: 2.2.0
- undici: 5.18.0
+ undici: 5.20.0
which-pm-runs: 1.1.0
devDependencies:
'@types/debug': 4.1.7
@@ -14864,6 +14864,13 @@ packages:
engines: {node: '>=12.18'}
dependencies:
busboy: 1.6.0
+ dev: false
+
+ /undici/5.20.0:
+ resolution: {integrity: sha512-J3j60dYzuo6Eevbawwp1sdg16k5Tf768bxYK4TUJRH7cBM4kFCbf3mOnM/0E3vQYXvpxITbbWmBafaDbxLDz3g==}
+ engines: {node: '>=12.18'}
+ dependencies:
+ busboy: 1.6.0
/undici/5.9.1:
resolution: {integrity: sha512-6fB3a+SNnWEm4CJbgo0/CWR8RGcOCQP68SF4X0mxtYTq2VNN8T88NYrWVBAeSX+zb7bny2dx2iYhP3XHi00omg==}