📦️ build

2025-12-15 12:46:30 +00:00 · 2024-07-08 22:44:49 +09:00 · 2024-07-08 22:44:49 +09:00 · c96f24bee9
commit c96f24bee9
parent c5659e27c3
2 changed files with 475 additions and 261 deletions
--- a/dist/index.js
+++ b/dist/index.js
@ -39,7 +39,13 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
    });
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.commentsEqual = exports.getBodyOf = exports.minimizeComment = exports.deleteComment = exports.createComment = exports.updateComment = exports.findPreviousComment = void 0;
+exports.findPreviousComment = findPreviousComment;
 exports.updateComment = updateComment;
 exports.createComment = createComment;
 exports.deleteComment = deleteComment;
 exports.minimizeComment = minimizeComment;
 exports.getBodyOf = getBodyOf;
 exports.commentsEqual = commentsEqual;
 const core = __importStar(__nccwpck_require__(2186));
 function headerComment(header) {
    return `<!-- Sticky Pull Request Comment${header} -->`;
@ -97,7 +103,6 @@ function findPreviousComment(octokit, repo, number, header) {
        return undefined;
    });
 }
 exports.findPreviousComment = findPreviousComment;
 function updateComment(octokit, id, body, header, previousBody) {
    return __awaiter(this, void 0, void 0, function* () {
        if (!body && !previousBody)
@ -121,7 +126,6 @@ function updateComment(octokit, id, body, header, previousBody) {
        });
    });
 }
 exports.updateComment = updateComment;
 function createComment(octokit, repo, issue_number, body, header, previousBody) {
    return __awaiter(this, void 0, void 0, function* () {
        if (!body && !previousBody) {
@ -133,7 +137,6 @@ function createComment(octokit, repo, issue_number, body, header, previousBody)
                : bodyWithHeader(body, header) }));
    });
 }
 exports.createComment = createComment;
 function deleteComment(octokit, id) {
    return __awaiter(this, void 0, void 0, function* () {
        yield octokit.graphql(`
@ -145,7 +148,6 @@ function deleteComment(octokit, id) {
    `, { id });
    });
 }
 exports.deleteComment = deleteComment;
 function minimizeComment(octokit, subjectId, classifier) {
    return __awaiter(this, void 0, void 0, function* () {
        yield octokit.graphql(`
@ -157,7 +159,6 @@ function minimizeComment(octokit, subjectId, classifier) {
    `, { input: { subjectId, classifier } });
    });
 }
 exports.minimizeComment = minimizeComment;
 function getBodyOf(previous, append, hideDetails) {
    var _a;
    if (!append) {
@ -168,12 +169,10 @@ function getBodyOf(previous, append, hideDetails) {
    }
    return (_a = previous.body) === null || _a === void 0 ? void 0 : _a.replace(/(<details.*?)\s*\bopen\b(.*>)/g, "$1$2");
 }
 exports.getBodyOf = getBodyOf;
 function commentsEqual(body, previous, header) {
    const newBody = bodyWithHeader(body, header);
    return newBody === previous;
 }
 exports.commentsEqual = commentsEqual;
 /***/ }),
@ -217,7 +216,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 var _a, _b;
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.getBody = exports.ignoreEmpty = exports.githubToken = exports.hideOldComment = exports.skipUnchanged = exports.onlyUpdateComment = exports.onlyCreateComment = exports.deleteOldComment = exports.hideClassify = exports.hideAndRecreate = exports.recreate = exports.hideDetails = exports.append = exports.header = exports.repo = exports.pullRequestNumber = void 0;
+exports.ignoreEmpty = exports.githubToken = exports.hideOldComment = exports.skipUnchanged = exports.onlyUpdateComment = exports.onlyCreateComment = exports.deleteOldComment = exports.hideClassify = exports.hideAndRecreate = exports.recreate = exports.hideDetails = exports.append = exports.header = exports.repo = exports.pullRequestNumber = void 0;
 exports.getBody = getBody;
 const core = __importStar(__nccwpck_require__(2186));
 const github_1 = __nccwpck_require__(5438);
 const fs_1 = __nccwpck_require__(7147);
@ -286,7 +286,6 @@ function getBody() {
        }
    });
 }
 exports.getBody = getBody;
 /***/ }),
@ -8954,214 +8953,6 @@ function removeHook(state, name, method) {
 }
 /***/ }),
 /***/ 3717:
 /***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
 var concatMap = __nccwpck_require__(6891);
 var balanced = __nccwpck_require__(9417);
 module.exports = expandTop;
 var escSlash = '\0SLASH'+Math.random()+'\0';
 var escOpen = '\0OPEN'+Math.random()+'\0';
 var escClose = '\0CLOSE'+Math.random()+'\0';
 var escComma = '\0COMMA'+Math.random()+'\0';
 var escPeriod = '\0PERIOD'+Math.random()+'\0';
 function numeric(str) {
  return parseInt(str, 10) == str
    ? parseInt(str, 10)
    : str.charCodeAt(0);
 }
 function escapeBraces(str) {
  return str.split('\\\\').join(escSlash)
            .split('\\{').join(escOpen)
            .split('\\}').join(escClose)
            .split('\\,').join(escComma)
            .split('\\.').join(escPeriod);
 }
 function unescapeBraces(str) {
  return str.split(escSlash).join('\\')
            .split(escOpen).join('{')
            .split(escClose).join('}')
            .split(escComma).join(',')
            .split(escPeriod).join('.');
 }
 // Basically just str.split(","), but handling cases
 // where we have nested braced sections, which should be
 // treated as individual members, like {a,{b,c},d}
 function parseCommaParts(str) {
  if (!str)
    return [''];
  var parts = [];
  var m = balanced('{', '}', str);
  if (!m)
    return str.split(',');
  var pre = m.pre;
  var body = m.body;
  var post = m.post;
  var p = pre.split(',');
  p[p.length-1] += '{' + body + '}';
  var postParts = parseCommaParts(post);
  if (post.length) {
    p[p.length-1] += postParts.shift();
    p.push.apply(p, postParts);
  }
  parts.push.apply(parts, p);
  return parts;
 }
 function expandTop(str) {
  if (!str)
    return [];
  // I don't know why Bash 4.3 does this, but it does.
  // Anything starting with {} will have the first two bytes preserved
  // but *only* at the top level, so {},a}b will not expand to anything,
  // but a{},b}c will be expanded to [a}c,abc].
  // One could argue that this is a bug in Bash, but since the goal of
  // this module is to match Bash's rules, we escape a leading {}
  if (str.substr(0, 2) === '{}') {
    str = '\\{\\}' + str.substr(2);
  }
  return expand(escapeBraces(str), true).map(unescapeBraces);
 }
 function identity(e) {
  return e;
 }
 function embrace(str) {
  return '{' + str + '}';
 }
 function isPadded(el) {
  return /^-?0\d/.test(el);
 }
 function lte(i, y) {
  return i <= y;
 }
 function gte(i, y) {
  return i >= y;
 }
 function expand(str, isTop) {
  var expansions = [];
  var m = balanced('{', '}', str);
  if (!m || /\$$/.test(m.pre)) return [str];
  var isNumericSequence = /^-?\d+\.\.-?\d+(?:\.\.-?\d+)?$/.test(m.body);
  var isAlphaSequence = /^[a-zA-Z]\.\.[a-zA-Z](?:\.\.-?\d+)?$/.test(m.body);
  var isSequence = isNumericSequence || isAlphaSequence;
  var isOptions = m.body.indexOf(',') >= 0;
  if (!isSequence && !isOptions) {
    // {a},b}
    if (m.post.match(/,.*\}/)) {
      str = m.pre + '{' + m.body + escClose + m.post;
      return expand(str);
    }
    return [str];
  }
  var n;
  if (isSequence) {
    n = m.body.split(/\.\./);
  } else {
    n = parseCommaParts(m.body);
    if (n.length === 1) {
      // x{{a,b}}y ==> x{a}y x{b}y
      n = expand(n[0], false).map(embrace);
      if (n.length === 1) {
        var post = m.post.length
          ? expand(m.post, false)
          : [''];
        return post.map(function(p) {
          return m.pre + n[0] + p;
        });
      }
    }
  }
  // at this point, n is the parts, and we know it's not a comma set
  // with a single entry.
  // no need to expand pre, since it is guaranteed to be free of brace-sets
  var pre = m.pre;
  var post = m.post.length
    ? expand(m.post, false)
    : [''];
  var N;
  if (isSequence) {
    var x = numeric(n[0]);
    var y = numeric(n[1]);
    var width = Math.max(n[0].length, n[1].length)
    var incr = n.length == 3
      ? Math.abs(numeric(n[2]))
      : 1;
    var test = lte;
    var reverse = y < x;
    if (reverse) {
      incr *= -1;
      test = gte;
    }
    var pad = n.some(isPadded);
    N = [];
    for (var i = x; test(i, y); i += incr) {
      var c;
      if (isAlphaSequence) {
        c = String.fromCharCode(i);
        if (c === '\\')
          c = '';
      } else {
        c = String(i);
        if (pad) {
          var need = width - c.length;
          if (need > 0) {
            var z = new Array(need + 1).join('0');
            if (i < 0)
              c = '-' + z + c.slice(1);
            else
              c = z + c;
          }
        }
      }
      N.push(c);
    }
  } else {
    N = concatMap(n, function(el) { return expand(el, false) });
  }
  for (var j = 0; j < N.length; j++) {
    for (var k = 0; k < post.length; k++) {
      var expansion = pre + N[j] + post[k];
      if (!isTop || isSequence || expansion)
        expansions.push(expansion);
    }
  }
  return expansions;
 }
 /***/ }),
 /***/ 6891:
@ -9270,7 +9061,7 @@ var path = (function () { try { return __nccwpck_require__(1017) } catch (e) {}}
 minimatch.sep = path.sep
 var GLOBSTAR = minimatch.GLOBSTAR = Minimatch.GLOBSTAR = {}
-var expand = __nccwpck_require__(3717)
+var expand = __nccwpck_require__(8184)
 var plTypes = {
  '!': { open: '(?:(?!(?:', close: '))[^/]*?)'},
@ -10210,6 +10001,214 @@ function regExpEscape (s) {
 }
 /***/ }),
 /***/ 8184:
 /***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
 var concatMap = __nccwpck_require__(6891);
 var balanced = __nccwpck_require__(9417);
 module.exports = expandTop;
 var escSlash = '\0SLASH'+Math.random()+'\0';
 var escOpen = '\0OPEN'+Math.random()+'\0';
 var escClose = '\0CLOSE'+Math.random()+'\0';
 var escComma = '\0COMMA'+Math.random()+'\0';
 var escPeriod = '\0PERIOD'+Math.random()+'\0';
 function numeric(str) {
  return parseInt(str, 10) == str
    ? parseInt(str, 10)
    : str.charCodeAt(0);
 }
 function escapeBraces(str) {
  return str.split('\\\\').join(escSlash)
            .split('\\{').join(escOpen)
            .split('\\}').join(escClose)
            .split('\\,').join(escComma)
            .split('\\.').join(escPeriod);
 }
 function unescapeBraces(str) {
  return str.split(escSlash).join('\\')
            .split(escOpen).join('{')
            .split(escClose).join('}')
            .split(escComma).join(',')
            .split(escPeriod).join('.');
 }
 // Basically just str.split(","), but handling cases
 // where we have nested braced sections, which should be
 // treated as individual members, like {a,{b,c},d}
 function parseCommaParts(str) {
  if (!str)
    return [''];
  var parts = [];
  var m = balanced('{', '}', str);
  if (!m)
    return str.split(',');
  var pre = m.pre;
  var body = m.body;
  var post = m.post;
  var p = pre.split(',');
  p[p.length-1] += '{' + body + '}';
  var postParts = parseCommaParts(post);
  if (post.length) {
    p[p.length-1] += postParts.shift();
    p.push.apply(p, postParts);
  }
  parts.push.apply(parts, p);
  return parts;
 }
 function expandTop(str) {
  if (!str)
    return [];
  // I don't know why Bash 4.3 does this, but it does.
  // Anything starting with {} will have the first two bytes preserved
  // but *only* at the top level, so {},a}b will not expand to anything,
  // but a{},b}c will be expanded to [a}c,abc].
  // One could argue that this is a bug in Bash, but since the goal of
  // this module is to match Bash's rules, we escape a leading {}
  if (str.substr(0, 2) === '{}') {
    str = '\\{\\}' + str.substr(2);
  }
  return expand(escapeBraces(str), true).map(unescapeBraces);
 }
 function identity(e) {
  return e;
 }
 function embrace(str) {
  return '{' + str + '}';
 }
 function isPadded(el) {
  return /^-?0\d/.test(el);
 }
 function lte(i, y) {
  return i <= y;
 }
 function gte(i, y) {
  return i >= y;
 }
 function expand(str, isTop) {
  var expansions = [];
  var m = balanced('{', '}', str);
  if (!m || /\$$/.test(m.pre)) return [str];
  var isNumericSequence = /^-?\d+\.\.-?\d+(?:\.\.-?\d+)?$/.test(m.body);
  var isAlphaSequence = /^[a-zA-Z]\.\.[a-zA-Z](?:\.\.-?\d+)?$/.test(m.body);
  var isSequence = isNumericSequence || isAlphaSequence;
  var isOptions = m.body.indexOf(',') >= 0;
  if (!isSequence && !isOptions) {
    // {a},b}
    if (m.post.match(/,.*\}/)) {
      str = m.pre + '{' + m.body + escClose + m.post;
      return expand(str);
    }
    return [str];
  }
  var n;
  if (isSequence) {
    n = m.body.split(/\.\./);
  } else {
    n = parseCommaParts(m.body);
    if (n.length === 1) {
      // x{{a,b}}y ==> x{a}y x{b}y
      n = expand(n[0], false).map(embrace);
      if (n.length === 1) {
        var post = m.post.length
          ? expand(m.post, false)
          : [''];
        return post.map(function(p) {
          return m.pre + n[0] + p;
        });
      }
    }
  }
  // at this point, n is the parts, and we know it's not a comma set
  // with a single entry.
  // no need to expand pre, since it is guaranteed to be free of brace-sets
  var pre = m.pre;
  var post = m.post.length
    ? expand(m.post, false)
    : [''];
  var N;
  if (isSequence) {
    var x = numeric(n[0]);
    var y = numeric(n[1]);
    var width = Math.max(n[0].length, n[1].length)
    var incr = n.length == 3
      ? Math.abs(numeric(n[2]))
      : 1;
    var test = lte;
    var reverse = y < x;
    if (reverse) {
      incr *= -1;
      test = gte;
    }
    var pad = n.some(isPadded);
    N = [];
    for (var i = x; test(i, y); i += incr) {
      var c;
      if (isAlphaSequence) {
        c = String.fromCharCode(i);
        if (c === '\\')
          c = '';
      } else {
        c = String(i);
        if (pad) {
          var need = width - c.length;
          if (need > 0) {
            var z = new Array(need + 1).join('0');
            if (i < 0)
              c = '-' + z + c.slice(1);
            else
              c = z + c;
          }
        }
      }
      N.push(c);
    }
  } else {
    N = concatMap(n, function(el) { return expand(el, false) });
  }
  for (var j = 0; j < N.length; j++) {
    for (var k = 0; k < post.length; k++) {
      var expansion = pre + N[j] + post[k];
      if (!isTop || isSequence || expansion)
        expansions.push(expansion);
    }
  }
  return expansions;
 }
 /***/ }),
 /***/ 1223:
@ -16873,6 +16872,132 @@ function onConnectTimeout (socket) {
 module.exports = buildConnector
 /***/ }),
 /***/ 4462:
 /***/ ((module) => {
 "use strict";
 /** @type {Record<string, string | undefined>} */
 const headerNameLowerCasedRecord = {}
 // https://developer.mozilla.org/docs/Web/HTTP/Headers
 const wellknownHeaderNames = [
  'Accept',
  'Accept-Encoding',
  'Accept-Language',
  'Accept-Ranges',
  'Access-Control-Allow-Credentials',
  'Access-Control-Allow-Headers',
  'Access-Control-Allow-Methods',
  'Access-Control-Allow-Origin',
  'Access-Control-Expose-Headers',
  'Access-Control-Max-Age',
  'Access-Control-Request-Headers',
  'Access-Control-Request-Method',
  'Age',
  'Allow',
  'Alt-Svc',
  'Alt-Used',
  'Authorization',
  'Cache-Control',
  'Clear-Site-Data',
  'Connection',
  'Content-Disposition',
  'Content-Encoding',
  'Content-Language',
  'Content-Length',
  'Content-Location',
  'Content-Range',
  'Content-Security-Policy',
  'Content-Security-Policy-Report-Only',
  'Content-Type',
  'Cookie',
  'Cross-Origin-Embedder-Policy',
  'Cross-Origin-Opener-Policy',
  'Cross-Origin-Resource-Policy',
  'Date',
  'Device-Memory',
  'Downlink',
  'ECT',
  'ETag',
  'Expect',
  'Expect-CT',
  'Expires',
  'Forwarded',
  'From',
  'Host',
  'If-Match',
  'If-Modified-Since',
  'If-None-Match',
  'If-Range',
  'If-Unmodified-Since',
  'Keep-Alive',
  'Last-Modified',
  'Link',
  'Location',
  'Max-Forwards',
  'Origin',
  'Permissions-Policy',
  'Pragma',
  'Proxy-Authenticate',
  'Proxy-Authorization',
  'RTT',
  'Range',
  'Referer',
  'Referrer-Policy',
  'Refresh',
  'Retry-After',
  'Sec-WebSocket-Accept',
  'Sec-WebSocket-Extensions',
  'Sec-WebSocket-Key',
  'Sec-WebSocket-Protocol',
  'Sec-WebSocket-Version',
  'Server',
  'Server-Timing',
  'Service-Worker-Allowed',
  'Service-Worker-Navigation-Preload',
  'Set-Cookie',
  'SourceMap',
  'Strict-Transport-Security',
  'Supports-Loading-Mode',
  'TE',
  'Timing-Allow-Origin',
  'Trailer',
  'Transfer-Encoding',
  'Upgrade',
  'Upgrade-Insecure-Requests',
  'User-Agent',
  'Vary',
  'Via',
  'WWW-Authenticate',
  'X-Content-Type-Options',
  'X-DNS-Prefetch-Control',
  'X-Frame-Options',
  'X-Permitted-Cross-Domain-Policies',
  'X-Powered-By',
  'X-Requested-With',
  'X-XSS-Protection'
 ]
 for (let i = 0; i < wellknownHeaderNames.length; ++i) {
  const key = wellknownHeaderNames[i]
  const lowerCasedKey = key.toLowerCase()
  headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] =
    lowerCasedKey
 }
 // Note: object prototypes should not be able to be referenced. e.g. `Object#hasOwnProperty`.
 Object.setPrototypeOf(headerNameLowerCasedRecord, null)
 module.exports = {
  wellknownHeaderNames,
  headerNameLowerCasedRecord
 }
 /***/ }),
 /***/ 8045:
@ -17705,6 +17830,7 @@ const { InvalidArgumentError } = __nccwpck_require__(8045)
 const { Blob } = __nccwpck_require__(4300)
 const nodeUtil = __nccwpck_require__(3837)
 const { stringify } = __nccwpck_require__(3477)
 const { headerNameLowerCasedRecord } = __nccwpck_require__(4462)
 const [nodeMajor, nodeMinor] = process.versions.node.split('.').map(v => Number(v))
@ -17914,6 +18040,15 @@ function parseKeepAliveTimeout (val) {
  return m ? parseInt(m[1], 10) * 1000 : null
 }
 /**
 * Retrieves a header name and returns its lowercase value.
 * @param {string | Buffer} value Header name
 * @returns {string}
 */
 function headerNameToString (value) {
  return headerNameLowerCasedRecord[value] || value.toLowerCase()
 }
 function parseHeaders (headers, obj = {}) {
  // For H2 support
  if (!Array.isArray(headers)) return headers
@ -18185,6 +18320,7 @@ module.exports = {
  isIterable,
  isAsyncIterable,
  isDestroyed,
  headerNameToString,
  parseRawHeaders,
  parseHeaders,
  parseKeepAliveTimeout,
@ -24832,14 +24968,18 @@ const { isBlobLike, toUSVString, ReadableStreamFrom } = __nccwpck_require__(3983
 const assert = __nccwpck_require__(9491)
 const { isUint8Array } = __nccwpck_require__(9830)
 let supportedHashes = []
 // https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable
 /** @type {import('crypto')|undefined} */
 let crypto
 try {
  crypto = __nccwpck_require__(6113)
  const possibleRelevantHashes = ['sha256', 'sha384', 'sha512']
  supportedHashes = crypto.getHashes().filter((hash) => possibleRelevantHashes.includes(hash))
 /* c8 ignore next 3 */
 } catch {
 }
 function responseURL (response) {
@ -25367,66 +25507,56 @@ function bytesMatch (bytes, metadataList) {
    return true
  }
-  // 3. If parsedMetadata is the empty set, return true.
+  // 3. If response is not eligible for integrity validation, return false.
  // TODO
  // 4. If parsedMetadata is the empty set, return true.
  if (parsedMetadata.length === 0) {
    return true
  }
-  // 4. Let metadata be the result of getting the strongest
+  // 5. Let metadata be the result of getting the strongest
  //    metadata from parsedMetadata.
-  const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo))
+  const strongest = getStrongestMetadata(parsedMetadata)
-  // get the strongest algorithm
+  const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest)
  const strongest = list[0].algo
  // get all entries that use the strongest algorithm; ignore weaker
  const metadata = list.filter((item) => item.algo === strongest)
-  // 5. For each item in metadata:
+  // 6. For each item in metadata:
  for (const item of metadata) {
    // 1. Let algorithm be the alg component of item.
    const algorithm = item.algo
    // 2. Let expectedValue be the val component of item.
-    let expectedValue = item.hash
+    const expectedValue = item.hash
    // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e
    // "be liberal with padding". This is annoying, and it's not even in the spec.
    if (expectedValue.endsWith('==')) {
      expectedValue = expectedValue.slice(0, -2)
    }
    // 3. Let actualValue be the result of applying algorithm to bytes.
    let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64')
-    if (actualValue.endsWith('==')) {
+    if (actualValue[actualValue.length - 1] === '=') {
-      actualValue = actualValue.slice(0, -2)
+      if (actualValue[actualValue.length - 2] === '=') {
        actualValue = actualValue.slice(0, -2)
      } else {
        actualValue = actualValue.slice(0, -1)
      }
    }
    // 4. If actualValue is a case-sensitive match for expectedValue,
    //    return true.
-    if (actualValue === expectedValue) {
+    if (compareBase64Mixed(actualValue, expectedValue)) {
      return true
    }
    let actualBase64URL = crypto.createHash(algorithm).update(bytes).digest('base64url')
    if (actualBase64URL.endsWith('==')) {
      actualBase64URL = actualBase64URL.slice(0, -2)
    }
    if (actualBase64URL === expectedValue) {
      return true
    }
  }
-  // 6. Return false.
+  // 7. Return false.
  return false
 }
 // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options
 // https://www.w3.org/TR/CSP2/#source-list-syntax
 // https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1
-const parseHashWithOptions = /((?<algo>sha256|sha384|sha512)-(?<hash>[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i
+const parseHashWithOptions = /(?<algo>sha256|sha384|sha512)-((?<hash>[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i
 /**
 * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata
@ -25440,8 +25570,6 @@ function parseMetadata (metadata) {
  // 2. Let empty be equal to true.
  let empty = true
  const supportedHashes = crypto.getHashes()
  // 3. For each token returned by splitting metadata on spaces:
  for (const token of metadata.split(' ')) {
    // 1. Set empty to false.
@ -25451,7 +25579,11 @@ function parseMetadata (metadata) {
    const parsedToken = parseHashWithOptions.exec(token)
    // 3. If token does not parse, continue to the next token.
-    if (parsedToken === null || parsedToken.groups === undefined) {
+    if (
      parsedToken === null ||
      parsedToken.groups === undefined ||
      parsedToken.groups.algo === undefined
    ) {
      // Note: Chromium blocks the request at this point, but Firefox
      // gives a warning that an invalid integrity was given. The
      // correct behavior is to ignore these, and subsequently not
@ -25460,11 +25592,11 @@ function parseMetadata (metadata) {
    }
    // 4. Let algorithm be the hash-algo component of token.
-    const algorithm = parsedToken.groups.algo
+    const algorithm = parsedToken.groups.algo.toLowerCase()
    // 5. If algorithm is a hash function recognized by the user
    //    agent, add the parsed token to result.
-    if (supportedHashes.includes(algorithm.toLowerCase())) {
+    if (supportedHashes.includes(algorithm)) {
      result.push(parsedToken.groups)
    }
  }
@ -25477,6 +25609,82 @@ function parseMetadata (metadata) {
  return result
 }
 /**
 * @param {{ algo: 'sha256' | 'sha384' | 'sha512' }[]} metadataList
 */
 function getStrongestMetadata (metadataList) {
  // Let algorithm be the algo component of the first item in metadataList.
  // Can be sha256
  let algorithm = metadataList[0].algo
  // If the algorithm is sha512, then it is the strongest
  // and we can return immediately
  if (algorithm[3] === '5') {
    return algorithm
  }
  for (let i = 1; i < metadataList.length; ++i) {
    const metadata = metadataList[i]
    // If the algorithm is sha512, then it is the strongest
    // and we can break the loop immediately
    if (metadata.algo[3] === '5') {
      algorithm = 'sha512'
      break
    // If the algorithm is sha384, then a potential sha256 or sha384 is ignored
    } else if (algorithm[3] === '3') {
      continue
    // algorithm is sha256, check if algorithm is sha384 and if so, set it as
    // the strongest
    } else if (metadata.algo[3] === '3') {
      algorithm = 'sha384'
    }
  }
  return algorithm
 }
 function filterMetadataListByAlgorithm (metadataList, algorithm) {
  if (metadataList.length === 1) {
    return metadataList
  }
  let pos = 0
  for (let i = 0; i < metadataList.length; ++i) {
    if (metadataList[i].algo === algorithm) {
      metadataList[pos++] = metadataList[i]
    }
  }
  metadataList.length = pos
  return metadataList
 }
 /**
 * Compares two base64 strings, allowing for base64url
 * in the second string.
 *
 * @param {string} actualValue always base64
 * @param {string} expectedValue base64 or base64url
 * @returns {boolean}
 */
 function compareBase64Mixed (actualValue, expectedValue) {
  if (actualValue.length !== expectedValue.length) {
    return false
  }
  for (let i = 0; i < actualValue.length; ++i) {
    if (actualValue[i] !== expectedValue[i]) {
      if (
        (actualValue[i] === '+' && expectedValue[i] === '-') ||
        (actualValue[i] === '/' && expectedValue[i] === '_')
      ) {
        continue
      }
      return false
    }
  }
  return true
 }
 // https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request
 function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) {
  // TODO
@ -25892,7 +26100,8 @@ module.exports = {
  urlHasHttpsScheme,
  urlIsHttpHttpsScheme,
  readAllBytes,
-  normalizeMethodRecord
+  normalizeMethodRecord,
  parseMetadata
 }
@ -27979,12 +28188,17 @@ function parseLocation (statusCode, headers) {
 // https://tools.ietf.org/html/rfc7231#section-6.4.4
 function shouldRemoveHeader (header, removeContent, unknownOrigin) {
-  return (
+  if (header.length === 4) {
-    (header.length === 4 && header.toString().toLowerCase() === 'host') ||
+    return util.headerNameToString(header) === 'host'
-    (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) ||
+  }
-    (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') ||
+  if (removeContent && util.headerNameToString(header).startsWith('content-')) {
-    (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie')
+    return true
-  )
+  }
  if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) {
    const name = util.headerNameToString(header)
    return name === 'authorization' || name === 'cookie' || name === 'proxy-authorization'
  }
  return false
 }
 // https://tools.ietf.org/html/rfc7231#section-6.4
--- a/dist/index.js.map
+++ b/dist/index.js.map