chore: bump to h3 v2 rc.20

[birkskyum]

Bumps h3-v2 to 2.0.1-rc.20 and cookie-es to v3.

This needs a small @tanstack/start-server-core update because both bumps change behavior that Start currently relies on:

• parseCookies() now returns Record<string, string | undefined>, so Start needs to filter out undefined values to preserve the existing getCookies(): Record<string, string> API

Summary by CodeRabbit

• Chores

  • Bumped core dependencies (cookie and h3) and added a changeset to trigger a patch release.

• Bug Fixes

  • Cookie reads now omit undefined entries for more reliable cookie handling.
  • Requests with malformed URLs are handled gracefully and routed to a safe fallback.

• Tests

  • Updated end-to-end test utilities and fixtures for more consistent imports and exports.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Bumped dependencies in two packages; requestHandler now catches URIError when creating H3Event and retries with a sanitized request path; getCookies() filters out undefined values; several e2e modules switched to add default exports and adjusted imports/exports.

Changes

Cohort / File(s)	Summary
Dependency Version Updates packages/router-core/package.json, packages/start-server-core/package.json	Bumped cookie-es from ^2.0.0 → ^3.0.0. Also updated h3 in start-server-core from h3@2.0.1-rc.16 → h3@2.0.1-rc.20.
Request handling & cookie parsing packages/start-server-core/src/request-response.ts	requestHandler wraps new H3Event(request) in try/catch; on URIError it builds an effectiveRequest with pathname /__tanstack_start_malformed_path__, re-instantiates H3Event, and calls the handler with that effective request. getCookies() now returns a Record<string,string> filtering out entries with undefined values.
E2E data exports e2e/e2e-utils/src/posts.ts, e2e/e2e-utils/src/users.ts	Changed export const declarations to local const with export { name } and added export default name (named export preserved, default export added).
E2E server imports e2e/e2e-utils/src/localDummyServer.ts	Adjusted imports to use default imports for posts and users (import posts from './posts', import users from './users') instead of named imports.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Client as Client
participant RH as RequestHandler
participant H3 as H3Event
participant Handler as RegisteredHandler
participant Converter as h3_toResponse

Client->>RH: send Request
RH->>H3: new H3Event(request)
alt H3Event constructed successfully
    H3-->>RH: event
    RH->>Handler: handler(request)
else URIError thrown
    H3--x RH: throws URIError
    RH->>RH: build effectiveRequest (pathname '/__tanstack_start_malformed_path__')
    RH->>H3: new H3Event(effectiveRequest)
    H3-->>RH: event
    RH->>Handler: handler(effectiveRequest)
end
Handler-->>RH: Response-like value
RH->>Converter: h3_toResponse(h3Event, result)
Converter-->>Client: HTTP Response

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop through paths both straight and odd,
When URLs snap, I stitch them like a pod.
Cookies swept clean, no undefined crumbs found,
I pass the handler on safe ground.
Hops and commits — a quiet round.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change across multiple packages: bumping h3 to v2 rc.20 and related dependency updates (cookie-es to v3). It directly aligns with the primary objective.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore--bump-h3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 775bde6

Command	Status	Duration	Result
nx affected --targets=test:eslint,test:unit,tes...	✅ Succeeded	48s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-04-10 23:18:09 UTC

[github-actions]

🚀 Changeset Version Preview

2 package(s) bumped directly, 20 bumped as dependents.

🟩 Patch bumps

Package	Version	Reason
@tanstack/router-core	1.168.9 → 1.168.10	Changeset
@tanstack/start-server-core	1.167.10 → 1.167.11	Changeset
@tanstack/react-router	1.168.13 → 1.168.14	Dependent
@tanstack/react-start	1.167.20 → 1.167.21	Dependent
@tanstack/react-start-client	1.166.29 → 1.166.30	Dependent
@tanstack/react-start-server	1.166.29 → 1.166.30	Dependent
@tanstack/router-cli	1.166.25 → 1.166.26	Dependent
@tanstack/router-generator	1.166.24 → 1.166.25	Dependent
@tanstack/router-plugin	1.167.12 → 1.167.13	Dependent
@tanstack/router-vite-plugin	1.166.27 → 1.166.28	Dependent
@tanstack/solid-router	1.168.12 → 1.168.13	Dependent
@tanstack/solid-start	1.167.19 → 1.167.20	Dependent
@tanstack/solid-start-client	1.166.27 → 1.166.28	Dependent
@tanstack/solid-start-server	1.166.27 → 1.166.28	Dependent
@tanstack/start-client-core	1.167.10 → 1.167.11	Dependent
@tanstack/start-plugin-core	1.167.18 → 1.167.19	Dependent
@tanstack/start-static-server-functions	1.166.26 → 1.166.27	Dependent
@tanstack/start-storage-context	1.166.23 → 1.166.24	Dependent
@tanstack/vue-router	1.168.12 → 1.168.13	Dependent
@tanstack/vue-start	1.167.19 → 1.167.20	Dependent
@tanstack/vue-start-client	1.166.27 → 1.166.28	Dependent
@tanstack/vue-start-server	1.166.27 → 1.166.28	Dependent

[pkg-pr-new]

More templates

• tanstack-router-react-example-authenticated-routes
• tanstack-router-react-example-authenticated-routes-firebase
• tanstack-router-react-example-basic
• tanstack-router-react-example-basic-default-search-params
• tanstack-router-react-example-basic-devtools-panel
• tanstack-router-react-example-basic-file-based
• tanstack-router-react-example-basic-non-nested-devtools
• tanstack-router-react-example-react-query
• tanstack-router-react-example-basic-react-query-file-based
• tanstack-router-react-example-basic-ssr-file-based
• tanstack-router-react-example-basic-ssr-streaming-file-based
• tanstack-router-react-example-basic-virtual-file-based
• tanstack-router-react-example-basic-virtual-inside-file-based
• tanstack-router-react-example-deferred-data
• tanstack-router-i18n-paraglide
• tanstack-router-react-example-kitchen-sink
• tanstack-router-react-example-kitchen-sink-file-based
• tanstack-router-react-example-kitchen-sink-react-query
• tanstack-router-react-example-kitchen-sink-react-query-file-based
• tanstack-router-react-example-large-file-based
• tanstack-router-react-example-location-masking
• tanstack-router-react-example-navigation-blocking
• tanstack-router-react-example-quickstart
• tanstack-router-react-example-quickstart-esbuild-file-based
• tanstack-router-react-example-quickstart-file-based
• tanstack-router-react-example-quickstart-rspack-file-based
• tanstack-router-react-example-quickstart-webpack-file-based
• router-monorepo-react-query
• router-mono-simple
• router-mono-simple-lazy
• tanstack-router-react-example-scroll-restoration
• tanstack-search-validator-adapters
• tanstack-start-example-bare
• tanstack-start-example-basic
• tanstack-start-example-basic-auth
• tanstack-router-react-example-basic-authjs
• tanstack-start-example-basic-cloudflare
• tanstack-start-example-basic-react-query
• tanstack-start-example-basic-rsc
• tanstack-start-example-basic-static
• tanstack-start-bun-hosting
• tanstack-start-example-clerk-basic
• tanstack-start-example-convex-trellaux
• tanstack-start-example-counter
• tanstack-start-i18n-paraglide
• tanstack-start-example-large
• tanstack-start-example-material-ui
• tanstack-start-streaming-data-from-server-functions
• tanstack-start-example-supabase-basic
• tanstack-start-tailwind-v4
• tanstack-start-example-trellaux
• tanstack-start-example-workos
• tanstack-router-react-example-view-transitions
• tanstack-router-react-example-with-framer-motion
• tanstack-router-react-example-with-trpc
• tanstack-router-react-example-with-trpc-react-query
• tanstack-router-vue-example-basic-jsx
• tanstack-router-vue-example-basic-file-based-jsx
• tanstack-router-vue-example-basic-file-based-sfc
• tanstack-router-solid-example-authenticated-routes
• tanstack-router-solid-example-authenticated-routes-firebase
• tanstack-router-solid-example-basic
• tanstack-router-solid-example-basic-default-search-params
• tanstack-router-solid-example-basic-devtools-panel
• tanstack-router-solid-example-basic-file-based
• tanstack-router-solid-example-basic-non-nested-devtools
• tanstack-router-solid-example-basic-solid-query
• tanstack-router-solid-example-basic-solid-query-file-based
• tanstack-router-solid-example-basic-ssr-file-based
• tanstack-router-solid-example-basic-ssr-streaming-file-based
• tanstack-router-solid-example-basic-virtual-file-based
• tanstack-router-solid-example-basic-virtual-inside-file-based
• tanstack-router-solid-example-deferred-data
• tanstack-router-solid-i18n-paraglide
• tanstack-router-solid-example-kitchen-sink
• tanstack-router-solid-example-kitchen-sink-file-based
• tanstack-router-solid-example-kitchen-sink-solid-query
• tanstack-router-solid-example-kitchen-sink-solid-query-file-based
• tanstack-router-solid-example-large-file-based
• tanstack-router-solid-example-location-masking
• tanstack-router-solid-example-navigation-blocking
• tanstack-router-solid-example-quickstart
• tanstack-router-solid-example-quickstart-esbuild-file-based
• tanstack-router-solid-example-quickstart-file-based
• tanstack-router-solid-example-quickstart-rspack-file-based
• tanstack-router-solid-example-quickstart-webpack-file-based
• @tanstack/router-solid-mono-simple
• router-solid-mono-simple-lazy
• router-solid-monorepo-solid-query
• tanstack-router-solid-example-scroll-restoration
• tanstack-solid-router-search-validator-adapters
• tanstack-solid-start-example-basic
• tanstack-solid-start-example-basic-auth
• tanstack-solid-start-example-basic-authjs
• tanstack-solid-start-example-basic-cloudflare
• tanstack-solid-start-example-basic-netlify
• tanstack-solid-start-example-basic-nitro
• tanstack-start-example-basic-solid-query
• tanstack-solid-start-example-basic-static
• tanstack-solid-start-bun-hosting
• tanstack-solid-start-example-convex-better-auth
• tanstack-solid-start-example-counter
• tanstack-solid-start-i18n-paraglide
• tanstack-solid-start-example-large
• tanstack-solid-start-streaming-data-from-server-functions
• tanstack-solid-start-example-supabase-basic
• tanstack-solid-start-tailwind-v4
• tanstack-router-solid-example-view-transitions
• tanstack-router-solid-example-with-framer-motion
• tanstack-router-solid-example-with-trpc

@tanstack/arktype-adapter

npm i https://pkg.pr.new/@tanstack/arktype-adapter@7140

@tanstack/eslint-plugin-router

npm i https://pkg.pr.new/@tanstack/eslint-plugin-router@7140

@tanstack/history

npm i https://pkg.pr.new/@tanstack/history@7140

@tanstack/nitro-v2-vite-plugin

npm i https://pkg.pr.new/@tanstack/nitro-v2-vite-plugin@7140

@tanstack/react-router

npm i https://pkg.pr.new/@tanstack/react-router@7140

@tanstack/react-router-devtools

npm i https://pkg.pr.new/@tanstack/react-router-devtools@7140

@tanstack/react-router-ssr-query

npm i https://pkg.pr.new/@tanstack/react-router-ssr-query@7140

@tanstack/react-start

npm i https://pkg.pr.new/@tanstack/react-start@7140

@tanstack/react-start-client

npm i https://pkg.pr.new/@tanstack/react-start-client@7140

@tanstack/react-start-server

npm i https://pkg.pr.new/@tanstack/react-start-server@7140

@tanstack/router-cli

npm i https://pkg.pr.new/@tanstack/router-cli@7140

@tanstack/router-core

npm i https://pkg.pr.new/@tanstack/router-core@7140

@tanstack/router-devtools

npm i https://pkg.pr.new/@tanstack/router-devtools@7140

@tanstack/router-devtools-core

npm i https://pkg.pr.new/@tanstack/router-devtools-core@7140

@tanstack/router-generator

npm i https://pkg.pr.new/@tanstack/router-generator@7140

@tanstack/router-plugin

npm i https://pkg.pr.new/@tanstack/router-plugin@7140

@tanstack/router-ssr-query-core

npm i https://pkg.pr.new/@tanstack/router-ssr-query-core@7140

@tanstack/router-utils

npm i https://pkg.pr.new/@tanstack/router-utils@7140

@tanstack/router-vite-plugin

npm i https://pkg.pr.new/@tanstack/router-vite-plugin@7140

@tanstack/solid-router

npm i https://pkg.pr.new/@tanstack/solid-router@7140

@tanstack/solid-router-devtools

npm i https://pkg.pr.new/@tanstack/solid-router-devtools@7140

@tanstack/solid-router-ssr-query

npm i https://pkg.pr.new/@tanstack/solid-router-ssr-query@7140

@tanstack/solid-start

npm i https://pkg.pr.new/@tanstack/solid-start@7140

@tanstack/solid-start-client

npm i https://pkg.pr.new/@tanstack/solid-start-client@7140

@tanstack/solid-start-server

npm i https://pkg.pr.new/@tanstack/solid-start-server@7140

@tanstack/start-client-core

npm i https://pkg.pr.new/@tanstack/start-client-core@7140

@tanstack/start-fn-stubs

npm i https://pkg.pr.new/@tanstack/start-fn-stubs@7140

@tanstack/start-plugin-core

npm i https://pkg.pr.new/@tanstack/start-plugin-core@7140

@tanstack/start-server-core

npm i https://pkg.pr.new/@tanstack/start-server-core@7140

@tanstack/start-static-server-functions

npm i https://pkg.pr.new/@tanstack/start-static-server-functions@7140

@tanstack/start-storage-context

npm i https://pkg.pr.new/@tanstack/start-storage-context@7140

@tanstack/valibot-adapter

npm i https://pkg.pr.new/@tanstack/valibot-adapter@7140

@tanstack/virtual-file-routes

npm i https://pkg.pr.new/@tanstack/virtual-file-routes@7140

@tanstack/vue-router

npm i https://pkg.pr.new/@tanstack/vue-router@7140

@tanstack/vue-router-devtools

npm i https://pkg.pr.new/@tanstack/vue-router-devtools@7140

@tanstack/vue-router-ssr-query

npm i https://pkg.pr.new/@tanstack/vue-router-ssr-query@7140

@tanstack/vue-start

npm i https://pkg.pr.new/@tanstack/vue-start@7140

@tanstack/vue-start-client

npm i https://pkg.pr.new/@tanstack/vue-start-client@7140

@tanstack/vue-start-server

npm i https://pkg.pr.new/@tanstack/vue-start-server@7140

@tanstack/zod-adapter

npm i https://pkg.pr.new/@tanstack/zod-adapter@7140

commit: 775bde6

[github-actions]

Bundle Size Benchmarks

• Commit: 06f7f8de5fb0
• Measured at: 2026-04-10T23:02:32.153Z
• Baseline source: history:70ec1da1ed8a
• Dashboard: bundle-size history

Scenario	Current (gzip)	Delta vs baseline	Raw	Brotli	Trend
react-router.minimal	87.51 KiB	0 B (0.00%)	275.69 KiB	76.08 KiB	▁▁▁▁▂▃▃▅██▆
react-router.full	90.77 KiB	0 B (0.00%)	286.88 KiB	78.95 KiB	▁▁▂▂▄▆▆▆██▄
solid-router.minimal	35.60 KiB	0 B (0.00%)	107.36 KiB	31.94 KiB	▁▁▁▁▁▅▅▆███
solid-router.full	40.07 KiB	0 B (0.00%)	120.90 KiB	35.96 KiB	▁▁▁▁▁▅▅▆███
vue-router.minimal	53.46 KiB	0 B (0.00%)	153.16 KiB	48.00 KiB	▁▁▁▁▂▃▃▆███
vue-router.full	58.36 KiB	0 B (0.00%)	168.62 KiB	52.25 KiB	▁▁▁▁▁▂▂▆███
react-start.minimal	102.00 KiB	0 B (0.00%)	323.94 KiB	88.16 KiB	▁▁▂▂▃▅▅▁██▃
react-start.full	105.40 KiB	0 B (0.00%)	334.28 KiB	91.03 KiB	▁▁▁▁▂▄▄▅██▆
solid-start.minimal	49.70 KiB	0 B (0.00%)	153.61 KiB	43.77 KiB	▁▁▁▁▂▅▅▆███
solid-start.full	55.21 KiB	0 B (0.00%)	169.84 KiB	48.58 KiB	▁▁▁▁▂▅▅▆███

Trend sparkline is historical gzip bytes ending with this PR measurement; lower is better.

[codspeed-hq]

Merging this PR will not alter performance

✅ 6 untouched benchmarks

---

_{Comparing chore--bump-h3 (775bde6) with main (70ec1da)¹}

Footnotes

1. No successful run was found on main (06f7f8d) during the generation of this report, so 70ec1da was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/start-server-core/src/request-response.ts`:
- Around line 307-315: The cookie map uses a plain object (definedCookies) which
inherits Object.prototype and can expose prototype keys; change its creation to
a null-prototype object (e.g., use Object.create(null) for definedCookies) so
only actual cookie keys are present, keep the same filtering logic in the
for-loop over Object.entries(cookies), and ensure the variable's type remains
compatible with Record<string, string> (narrow or cast as needed) to satisfy
TypeScript strict mode.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 53cb6800-ed2a-4033-81fd-e93e793856cd

📥 Commits

Reviewing files that changed from the base of the PR and between 6e2d591 and f099712.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• packages/start-server-core/src/request-response.ts

[schiller-manuel]

why was this changed?

[birkskyum]

It was because the CI failed in this run (the commit before i "fix dummy erver imports") because of the exports

https://github.com/TanStack/router/actions/runs/24258504702/job/70836128095

[schiller-manuel]

why was this changed?

[birkskyum]

same as above

[nx-cloud]

Important

At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.

Nx Cloud has identified a possible root cause for your failed CI:

We identified the failure in tanstack-router-e2e-react-escaped-special-strings:test:e2e as an environment issue, not a regression introduced by our changes. The Chromium headless browser crashed with a SIGSEGV (signal 11 / General Protection Fault) due to a missing system DBus socket (/run/dbus/system_bus_socket) in the CI environment, causing only the first of 13 tests to fail. This project is not touched by our PR, and the crash is unrelated to the h3/cookie-es dependency bumps.

No code changes were suggested for this issue.

Trigger a rerun:

View detailed reasoning on Nx Cloud ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}