Changes
🔒 Buffer overflow protection (CVE-worthy)
- Added 1MB `MAX_BUFFER_SIZE` guard in default `onResponse` hook for chunked responses with `Connection: close`
- Previously: unbounded buffering could exhaust process memory via malicious upstream
- Now: returns 502 when response exceeds 1MB, stream destroyed safely
⬆️ fast-proxy-lite ^1.1.2 → ^1.1.3
- SSRF fix: `buildURL()` now validates request origin, blocking absolute-form HTTP URLs that bypass the configured base
🧪 Regression tests
- 2MB chunked response → 502 rejection (buffer limit)
- 2MB chunked response with keep-alive → streams normally (no buffering)
Full test suite: 57/57 passing
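
The SSRF item above concerns request targets in absolute form overriding the configured base. This added example is not code from this PR or from fast-proxy-lite; `resolveNaive`, `resolveUpstream`, `checkSamples` and the hosts are hypothetical. It shows why plain URL resolution allows the override and how an origin comparison rejects it. It also covers protocol-relative targets, which goes beyond the case named above.

```javascript
// Added example; function names and hosts are hypothetical, inputs are constructed.
const BASE = 'http://api.internal.example:8080';

// Plain resolution: an absolute input replaces the base entirely,
// so the configured upstream is ignored.
function resolveNaive(reqUrl, base) {
  return new URL(reqUrl, base);
}

// Resolve against the base, then require the result to keep the base origin
// (scheme + host + port). Anything else is refused before a request is made.
function resolveUpstream(reqUrl, base) {
  const baseUrl = new URL(base);
  let target;
  try {
    target = new URL(reqUrl, baseUrl);
  } catch {
    return { ok: false, status: 400, reason: 'unparseable request target' };
  }
  if (target.origin !== baseUrl.origin) {
    return {
      ok: false,
      status: 400,
      reason: `origin ${target.origin} is not ${baseUrl.origin}`,
    };
  }
  return { ok: true, url: target.href };
}

// Constructed request targets: origin-form, absolute-form to another host,
// protocol-relative, and absolute-form that stays on the configured origin.
function checkSamples() {
  const samples = [
    '/v1/users?id=7',
    'http://other.example/admin',
    '//other.example/x',
    'http://api.internal.example:8080/v1/x',
  ];
  return samples.map((s) => resolveUpstream(s, BASE).ok);
}

console.log(resolveNaive('http://other.example/admin', BASE).href);
console.log(checkSamples());
```
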