chore(deps): update dependency srvx to v0.11.13 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
srvx (source)	0.11.9 → 0.11.13

GitHub Vulnerability Alerts

CVE-2026-33732

Summary

A pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. file://).

Details

When Node.js receives an absolute URI in the request line (e.g. GET file://hehe?/internal/run HTTP/1.1), req.url is set verbatim to file://hehe?/internal/run. Since this doesn't start with /, NodeRequestURL passes it directly to FastURL as a string, which stores it in #href for lazy manual parsing.

FastURL#getPos() locates the pathname by finding :// then scanning for the next / — but this fails for URLs like file://hehe?/internal/run where a ? appears before the first / after the authority. The manual parser extracts pathname as /internal/run, while native URL correctly parses it as pathname / with search ?/internal/run.

This discrepancy means the router (using the fast-path) matches /internal/run, but if any middleware triggers a deopt to native URL (e.g. by accessing hostname), subsequent middleware sees a different pathname — bypassing route-based middleware guards.

This is a bypass of CVE-2026-33131.

Impact

Route-based middleware (auth guards, rate limiters, etc.) can be bypassed on the Node.js adapter when a prior middleware triggers FastURL deopt. Requires sending a raw HTTP request (not possible from browsers).

Fix

srvx FastURL constructor now deopts to native URL for any string not starting with /, ensuring consistent pathname resolution.

---

Release Notes

h3js/srvx (srvx)

v0.11.13

Compare Source

compare changes

🩹 Fixes

• url: Deopt absolute URIs in FastURL (de0d699)

🏡 Chore

• Update deps (4e6ace6)
• Update deps (6a72a00)
• Fix type issue (ed8cc2b)
• Apply automated updates (7375fed)
• Update deps (8f4bc4f)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.11.12

Compare Source

compare changes

🩹 Fixes

• node: Improve pipeBody stability and performance (4051f22)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.11.11

Compare Source

compare changes

🩹 Fixes

• node: Handle duck-typed pipe objects in pipeBody (5e731ef)

✅ Tests

• node: Add duck-typed pipe object test for pipeBody (f746e79)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.11.10

Compare Source

compare changes

🩹 Fixes

• node: Handle error and abort propagation for piped Node.js streams (77f879b)
• node: Fallback to socket address on invalid Host header (#​192)
• node: Combine duplicate headers in entries() iterator (4ed7453)

🏡 Chore

• Apply automated updates (9b00c0c)
• Update deps (aa84077)
• Apply automated updates (91a5c14)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Marc marc@plastikpalme.de

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codspeed-hq]

Merging this PR will not alter performance

✅ 2 untouched benchmarks

---

_{Comparing renovate/npm-srvx-vulnerability (7a81534) with main (1c2ef0c)}

[pkg-pr-new]

• nuxt-cli-playground

  npm i https://pkg.pr.new/create-nuxt@1263
  

  npm i https://pkg.pr.new/nuxi@1263
  

  npm i https://pkg.pr.new/@nuxt/cli@1263
  

commit: 8cd726f

[github-actions]

📦 Bundle Size Comparison

📈 nuxi

Metric	Base	Head	Diff
Rendered	3385.37 KB	3391.99 KB	+6.62 KB (+0.20%)

📈 nuxt-cli

Metric	Base	Head	Diff
Rendered	149.88 KB	149.88 KB	+0.00 KB (+0.00%)

📈 create-nuxt

Metric	Base	Head	Diff
Rendered	1640.37 KB	1640.43 KB	+0.06 KB (+0.00%)