chore: bump to h3 v2 rc.20

[birkskyum]

closing h3js/h3#1362
closing h3js/h3#1361

Bumps h3-v2 to 2.0.1-rc.20 and cookie-es to v3.

This needs a small @tanstack/start-server-core update because both bumps change behavior that Start currently relies on:

• requestHandler now translates the URIError thrown by new H3Event(request) on malformed percent-encoded request paths (e.g. /%80, /%FF, /%E0%A4) into a 400 Bad Request response. Previously these inputs caused an uncaught error that surfaced as a 500.

• getCookies() return type in h3 narrows to Record<string, string | undefined>, so filtering undefined allow start to keep the Record<string, string>

Summary by CodeRabbit

• Chores

  • Bumped core dependencies (cookie and h3) and added a changeset to trigger a patch release.

• Bug Fixes

  • Cookie reads now omit undefined entries for more reliable cookie handling.
  • Requests with malformed URLs are handled gracefully and routed to a safe fallback.

• Tests

  • Updated end-to-end test utilities and fixtures for more consistent imports and exports.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Bumped dependencies in two packages; requestHandler now catches URIError when creating H3Event and retries with a sanitized request path; getCookies() filters out undefined values; several e2e modules switched to add default exports and adjusted imports/exports.

Changes

Cohort / File(s)	Summary
Dependency Version Updates packages/router-core/package.json, packages/start-server-core/package.json	Bumped cookie-es from ^2.0.0 → ^3.0.0. Also updated h3 in start-server-core from h3@2.0.1-rc.16 → h3@2.0.1-rc.20.
Request handling & cookie parsing packages/start-server-core/src/request-response.ts	requestHandler wraps new H3Event(request) in try/catch; on URIError it builds an effectiveRequest with pathname /__tanstack_start_malformed_path__, re-instantiates H3Event, and calls the handler with that effective request. getCookies() now returns a Record<string,string> filtering out entries with undefined values.
E2E data exports e2e/e2e-utils/src/posts.ts, e2e/e2e-utils/src/users.ts	Changed export const declarations to local const with export { name } and added export default name (named export preserved, default export added).
E2E server imports e2e/e2e-utils/src/localDummyServer.ts	Adjusted imports to use default imports for posts and users (import posts from './posts', import users from './users') instead of named imports.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Client as Client
participant RH as RequestHandler
participant H3 as H3Event
participant Handler as RegisteredHandler
participant Converter as h3_toResponse

Client->>RH: send Request
RH->>H3: new H3Event(request)
alt H3Event constructed successfully
    H3-->>RH: event
    RH->>Handler: handler(request)
else URIError thrown
    H3--x RH: throws URIError
    RH->>RH: build effectiveRequest (pathname '/__tanstack_start_malformed_path__')
    RH->>H3: new H3Event(effectiveRequest)
    H3-->>RH: event
    RH->>Handler: handler(effectiveRequest)
end
Handler-->>RH: Response-like value
RH->>Converter: h3_toResponse(h3Event, result)
Converter-->>Client: HTTP Response

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop through paths both straight and odd,
When URLs snap, I stitch them like a pod.
Cookies swept clean, no undefined crumbs found,
I pass the handler on safe ground.
Hops and commits — a quiet round.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change across multiple packages: bumping h3 to v2 rc.20 and related dependency updates (cookie-es to v3). It directly aligns with the primary objective.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore--bump-h3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 0bbe672

Command	Status	Duration	Result
nx affected --targets=test:eslint,test:unit,tes...	❌ Failed	16m 10s	View ↗
nx run-many --target=build --exclude=examples/*...	✅ Succeeded	35s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-04-11 20:02:08 UTC

[github-actions]

🚀 Changeset Version Preview

2 package(s) bumped directly, 21 bumped as dependents.

🟩 Patch bumps

Package	Version	Reason
@tanstack/router-core	1.168.13 → 1.168.14	Changeset
@tanstack/start-server-core	1.167.17 → 1.167.18	Changeset
@tanstack/react-router	1.168.17 → 1.168.18	Dependent
@tanstack/react-start	1.167.30 → 1.167.31	Dependent
@tanstack/react-start-client	1.166.34 → 1.166.35	Dependent
@tanstack/react-start-rsc	0.0.10 → 0.0.11	Dependent
@tanstack/react-start-server	1.166.35 → 1.166.36	Dependent
@tanstack/router-cli	1.166.29 → 1.166.30	Dependent
@tanstack/router-generator	1.166.28 → 1.166.29	Dependent
@tanstack/router-plugin	1.167.16 → 1.167.17	Dependent
@tanstack/router-vite-plugin	1.166.31 → 1.166.32	Dependent
@tanstack/solid-router	1.168.16 → 1.168.17	Dependent
@tanstack/solid-start	1.167.28 → 1.167.29	Dependent
@tanstack/solid-start-client	1.166.32 → 1.166.33	Dependent
@tanstack/solid-start-server	1.166.33 → 1.166.34	Dependent
@tanstack/start-client-core	1.167.15 → 1.167.16	Dependent
@tanstack/start-plugin-core	1.167.27 → 1.167.28	Dependent
@tanstack/start-static-server-functions	1.166.31 → 1.166.32	Dependent
@tanstack/start-storage-context	1.166.27 → 1.166.28	Dependent
@tanstack/vue-router	1.168.16 → 1.168.17	Dependent
@tanstack/vue-start	1.167.28 → 1.167.29	Dependent
@tanstack/vue-start-client	1.166.32 → 1.166.33	Dependent
@tanstack/vue-start-server	1.166.33 → 1.166.34	Dependent

[pkg-pr-new]

More templates

• tanstack-router-react-example-authenticated-routes
• tanstack-router-react-example-authenticated-routes-firebase
• tanstack-router-react-example-basic
• tanstack-router-react-example-basic-default-search-params
• tanstack-router-react-example-basic-devtools-panel
• tanstack-router-react-example-basic-file-based
• tanstack-router-react-example-basic-non-nested-devtools
• tanstack-router-react-example-react-query
• tanstack-router-react-example-basic-react-query-file-based
• tanstack-router-react-example-basic-ssr-file-based
• tanstack-router-react-example-basic-ssr-streaming-file-based
• tanstack-router-react-example-basic-virtual-file-based
• tanstack-router-react-example-basic-virtual-inside-file-based
• tanstack-router-react-example-deferred-data
• tanstack-router-i18n-paraglide
• tanstack-router-react-example-kitchen-sink
• tanstack-router-react-example-kitchen-sink-file-based
• tanstack-router-react-example-kitchen-sink-react-query
• tanstack-router-react-example-kitchen-sink-react-query-file-based
• tanstack-router-react-example-large-file-based
• tanstack-router-react-example-location-masking
• tanstack-router-react-example-navigation-blocking
• tanstack-router-react-example-quickstart
• tanstack-router-react-example-quickstart-esbuild-file-based
• tanstack-router-react-example-quickstart-file-based
• tanstack-router-react-example-quickstart-rspack-file-based
• tanstack-router-react-example-quickstart-webpack-file-based
• router-monorepo-react-query
• router-mono-simple
• router-mono-simple-lazy
• tanstack-router-react-example-scroll-restoration
• tanstack-search-validator-adapters
• tanstack-start-example-bare
• tanstack-start-example-basic
• tanstack-start-example-basic-auth
• tanstack-router-react-example-basic-authjs
• tanstack-start-example-basic-cloudflare
• tanstack-start-example-basic-react-query
• tanstack-start-example-basic-static
• tanstack-start-bun-hosting
• tanstack-start-example-clerk-basic
• tanstack-start-example-convex-trellaux
• tanstack-start-example-counter
• tanstack-start-i18n-paraglide
• tanstack-start-example-large
• tanstack-start-example-material-ui
• tanstack-start-example-rscs
• tanstack-start-streaming-data-from-server-functions
• tanstack-start-example-supabase-basic
• tanstack-start-tailwind-v4
• tanstack-start-example-trellaux
• tanstack-start-example-workos
• tanstack-router-react-example-view-transitions
• tanstack-router-react-example-with-framer-motion
• tanstack-router-react-example-with-trpc
• tanstack-router-react-example-with-trpc-react-query
• tanstack-router-vue-example-basic-jsx
• tanstack-router-vue-example-basic-file-based-jsx
• tanstack-router-vue-example-basic-file-based-sfc
• tanstack-router-solid-example-authenticated-routes
• tanstack-router-solid-example-authenticated-routes-firebase
• tanstack-router-solid-example-basic
• tanstack-router-solid-example-basic-default-search-params
• tanstack-router-solid-example-basic-devtools-panel
• tanstack-router-solid-example-basic-file-based
• tanstack-router-solid-example-basic-non-nested-devtools
• tanstack-router-solid-example-basic-solid-query
• tanstack-router-solid-example-basic-solid-query-file-based
• tanstack-router-solid-example-basic-ssr-file-based
• tanstack-router-solid-example-basic-ssr-streaming-file-based
• tanstack-router-solid-example-basic-virtual-file-based
• tanstack-router-solid-example-basic-virtual-inside-file-based
• tanstack-router-solid-example-deferred-data
• tanstack-router-solid-i18n-paraglide
• tanstack-router-solid-example-kitchen-sink
• tanstack-router-solid-example-kitchen-sink-file-based
• tanstack-router-solid-example-kitchen-sink-solid-query
• tanstack-router-solid-example-kitchen-sink-solid-query-file-based
• tanstack-router-solid-example-large-file-based
• tanstack-router-solid-example-location-masking
• tanstack-router-solid-example-navigation-blocking
• tanstack-router-solid-example-quickstart
• tanstack-router-solid-example-quickstart-esbuild-file-based
• tanstack-router-solid-example-quickstart-file-based
• tanstack-router-solid-example-quickstart-rspack-file-based
• tanstack-router-solid-example-quickstart-webpack-file-based
• @tanstack/router-solid-mono-simple
• router-solid-mono-simple-lazy
• router-solid-monorepo-solid-query
• tanstack-router-solid-example-scroll-restoration
• tanstack-solid-router-search-validator-adapters
• tanstack-solid-start-example-basic
• tanstack-solid-start-example-basic-auth
• tanstack-solid-start-example-basic-authjs
• tanstack-solid-start-example-basic-cloudflare
• tanstack-solid-start-example-basic-netlify
• tanstack-solid-start-example-basic-nitro
• tanstack-start-example-basic-solid-query
• tanstack-solid-start-example-basic-static
• tanstack-solid-start-bun-hosting
• tanstack-solid-start-example-convex-better-auth
• tanstack-solid-start-example-counter
• tanstack-solid-start-i18n-paraglide
• tanstack-solid-start-example-large
• tanstack-solid-start-streaming-data-from-server-functions
• tanstack-solid-start-example-supabase-basic
• tanstack-solid-start-tailwind-v4
• tanstack-router-solid-example-view-transitions
• tanstack-router-solid-example-with-framer-motion
• tanstack-router-solid-example-with-trpc

@tanstack/arktype-adapter

npm i https://pkg.pr.new/@tanstack/arktype-adapter@7140

@tanstack/eslint-plugin-router

npm i https://pkg.pr.new/@tanstack/eslint-plugin-router@7140

@tanstack/eslint-plugin-start

npm i https://pkg.pr.new/@tanstack/eslint-plugin-start@7140

@tanstack/history

npm i https://pkg.pr.new/@tanstack/history@7140

@tanstack/nitro-v2-vite-plugin

npm i https://pkg.pr.new/@tanstack/nitro-v2-vite-plugin@7140

@tanstack/react-router

npm i https://pkg.pr.new/@tanstack/react-router@7140

@tanstack/react-router-devtools

npm i https://pkg.pr.new/@tanstack/react-router-devtools@7140

@tanstack/react-router-ssr-query

npm i https://pkg.pr.new/@tanstack/react-router-ssr-query@7140

@tanstack/react-start

npm i https://pkg.pr.new/@tanstack/react-start@7140

@tanstack/react-start-client

npm i https://pkg.pr.new/@tanstack/react-start-client@7140

@tanstack/react-start-rsc

npm i https://pkg.pr.new/@tanstack/react-start-rsc@7140

@tanstack/react-start-server

npm i https://pkg.pr.new/@tanstack/react-start-server@7140

@tanstack/router-cli

npm i https://pkg.pr.new/@tanstack/router-cli@7140

@tanstack/router-core

npm i https://pkg.pr.new/@tanstack/router-core@7140

@tanstack/router-devtools

npm i https://pkg.pr.new/@tanstack/router-devtools@7140

@tanstack/router-devtools-core

npm i https://pkg.pr.new/@tanstack/router-devtools-core@7140

@tanstack/router-generator

npm i https://pkg.pr.new/@tanstack/router-generator@7140

@tanstack/router-plugin

npm i https://pkg.pr.new/@tanstack/router-plugin@7140

@tanstack/router-ssr-query-core

npm i https://pkg.pr.new/@tanstack/router-ssr-query-core@7140

@tanstack/router-utils

npm i https://pkg.pr.new/@tanstack/router-utils@7140

@tanstack/router-vite-plugin

npm i https://pkg.pr.new/@tanstack/router-vite-plugin@7140

@tanstack/solid-router

npm i https://pkg.pr.new/@tanstack/solid-router@7140

@tanstack/solid-router-devtools

npm i https://pkg.pr.new/@tanstack/solid-router-devtools@7140

@tanstack/solid-router-ssr-query

npm i https://pkg.pr.new/@tanstack/solid-router-ssr-query@7140

@tanstack/solid-start

npm i https://pkg.pr.new/@tanstack/solid-start@7140

@tanstack/solid-start-client

npm i https://pkg.pr.new/@tanstack/solid-start-client@7140

@tanstack/solid-start-server

npm i https://pkg.pr.new/@tanstack/solid-start-server@7140

@tanstack/start-client-core

npm i https://pkg.pr.new/@tanstack/start-client-core@7140

@tanstack/start-fn-stubs

npm i https://pkg.pr.new/@tanstack/start-fn-stubs@7140

@tanstack/start-plugin-core

npm i https://pkg.pr.new/@tanstack/start-plugin-core@7140

@tanstack/start-server-core

npm i https://pkg.pr.new/@tanstack/start-server-core@7140

@tanstack/start-static-server-functions

npm i https://pkg.pr.new/@tanstack/start-static-server-functions@7140

@tanstack/start-storage-context

npm i https://pkg.pr.new/@tanstack/start-storage-context@7140

@tanstack/valibot-adapter

npm i https://pkg.pr.new/@tanstack/valibot-adapter@7140

@tanstack/virtual-file-routes

npm i https://pkg.pr.new/@tanstack/virtual-file-routes@7140

@tanstack/vue-router

npm i https://pkg.pr.new/@tanstack/vue-router@7140

@tanstack/vue-router-devtools

npm i https://pkg.pr.new/@tanstack/vue-router-devtools@7140

@tanstack/vue-router-ssr-query

npm i https://pkg.pr.new/@tanstack/vue-router-ssr-query@7140

@tanstack/vue-start

npm i https://pkg.pr.new/@tanstack/vue-start@7140

@tanstack/vue-start-client

npm i https://pkg.pr.new/@tanstack/vue-start-client@7140

@tanstack/vue-start-server

npm i https://pkg.pr.new/@tanstack/vue-start-server@7140

@tanstack/zod-adapter

npm i https://pkg.pr.new/@tanstack/zod-adapter@7140

commit: 0bbe672

[github-actions]

Bundle Size Benchmarks

• Commit: 3ef971fa786f
• Measured at: 2026-04-11T19:43:43.951Z
• Baseline source: history:812792fbda3c
• Dashboard: bundle-size history

Scenario	Current (gzip)	Delta vs baseline	Raw	Brotli	Trend
react-router.minimal	87.34 KiB	0 B (0.00%)	274.64 KiB	75.89 KiB	██▇▇▇▄▁▁▁▁▁
react-router.full	90.61 KiB	0 B (0.00%)	285.71 KiB	78.72 KiB	█████▄▁▁▁▁▁
solid-router.minimal	35.53 KiB	0 B (0.00%)	106.64 KiB	31.96 KiB	█████▅▁▁▁▁▁
solid-router.full	39.99 KiB	0 B (0.00%)	120.13 KiB	35.88 KiB	█████▅▁▁▁▁▁
vue-router.minimal	53.31 KiB	0 B (0.00%)	152.04 KiB	47.91 KiB	█████▄▁▁▁▁▁
vue-router.full	58.21 KiB	0 B (0.00%)	167.47 KiB	52.11 KiB	█████▄▁▁▁▁▁
react-start.minimal	101.75 KiB	0 B (0.00%)	322.36 KiB	87.96 KiB	███▅▅▃▁▁▁▁▁
react-start.full	105.19 KiB	0 B (0.00%)	332.69 KiB	90.87 KiB	███▆▆▃▁▁▁▁▁
solid-start.minimal	49.53 KiB	0 B (0.00%)	152.45 KiB	43.67 KiB	███▅▅▃▁▁▁▁▁
solid-start.full	55.04 KiB	0 B (0.00%)	168.65 KiB	48.46 KiB	███▅▅▄▁▁▁▁▁

Trend sparkline is historical gzip bytes ending with this PR measurement; lower is better.

[codspeed-hq]

Merging this PR will not alter performance

✅ 6 untouched benchmarks

---

_{Comparing chore--bump-h3 (0bbe672) with main (812792f)¹}

Footnotes

1. No successful run was found on main (3ef971f) during the generation of this report, so 812792f was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/start-server-core/src/request-response.ts`:
- Around line 307-315: The cookie map uses a plain object (definedCookies) which
inherits Object.prototype and can expose prototype keys; change its creation to
a null-prototype object (e.g., use Object.create(null) for definedCookies) so
only actual cookie keys are present, keep the same filtering logic in the
for-loop over Object.entries(cookies), and ensure the variable's type remains
compatible with Record<string, string> (narrow or cast as needed) to satisfy
TypeScript strict mode.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 53cb6800-ed2a-4033-81fd-e93e793856cd

📥 Commits

Reviewing files that changed from the base of the PR and between 6e2d591 and f099712.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• packages/start-server-core/src/request-response.ts

[nx-cloud]

Nx Cloud is proposing a fix for your failed CI:

We add cookie-es to optimizeDeps.include in the rsc-query Vite config to fix the 504 "Outdated Optimize Dep" test failure. The cookie-es@3 bump caused Vite to discover and re-bundle the dependency mid-test, triggering a reload that produced 504 responses captured by the e2e-utils error fixture. Pre-including it ensures Vite bundles the dependency at server startup before any test page loads.

Tip

✅ We verified this fix by re-running tanstack-react-start-e2e-rsc-query:test:e2e.

diff --git a/e2e/react-start/rsc-query/vite.config.ts b/e2e/react-start/rsc-query/vite.config.ts
index 2431faf6eb..bd8869d8ee 100644
--- a/e2e/react-start/rsc-query/vite.config.ts
+++ b/e2e/react-start/rsc-query/vite.config.ts
@@ -8,6 +8,9 @@ export default defineConfig({
   server: {
     port: 3000,
   },
+  optimizeDeps: {
+    include: ['cookie-es'],
+  },
   plugins: [
     tanstackStart({
       rsc: {

  

Or Apply changes locally with:

npx nx-cloud apply-locally SI5c-vj4A

Apply fix locally with your editor ↗   View interactive diff ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}