EventSource · Feb 5, 2025 · Feb 20, 2025 · Mar 14, 2025 · Mar 27, 2025 · Mar 27, 2025
Showing with 1,226 additions and 1,831 deletions.

+6 −0 CHANGELOG.md

+30 −0 MIGRATION.md

+1 −1 SECURITY.md

BIN bun.lockb

+613 −777 deno.lock

+564 −1,046 package-lock.json

+6 −6 package.json

+5 −1 test/server.ts

+1 −0 tsconfig.settings.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@
 All notable changes to this project will be documented in this file. See
 [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [3.0.6](https://github.com/EventSource/eventsource/compare/v3.0.5...v3.0.6) (2025-03-27)
+
+### Bug Fixes
+
+* upgrade parser to latest version, improving performance ([59a5ddd](https://github.com/EventSource/eventsource/commit/59a5ddd135da957456ab93e72fd65a87a9578204))
+
 ## [3.0.5](https://github.com/EventSource/eventsource/compare/v3.0.4...v3.0.5) (2025-01-28)
 
 ### Bug Fixes

diff --git a/MIGRATION.md b/MIGRATION.md
@@ -85,3 +85,33 @@ The default reconnect timeout is now 3 seconds - up from 1 second in v1/v2. This
 Redirect handling now matches Chrome/Safari. On disconnects, we will always reconnect to the _original_ URL. In v1/v2, only HTTP 307 would reconnect to the original, while 301 and 302 would both redirect to the _destination_.
 
 While the _ideal_ behavior would be for 301 and 308 to reconnect to the redirect _destination_, and 302/307 to reconnect to the _original_ URL, this is not possible to do cross-platform (cross-origin requests in browsers do not allow reading location headers, and redirect handling will have to be done manually).
+
+#### Strict checking of Content-Type header
+
+The `Content-Type` header is now checked. It's value must be `text/event-stream` (or
+`text/event-stream; charset=utf-8`), and the connection will be failed otherwise.
+
+To maintain the previous behaviour, you can use the `fetch` option to override the
+returned `Content-Type` header if your server does not send the required header:
+
+```ts
+const es = new EventSource('https://my-server.com/sse', {
+  fetch: async (input, init) => {
+    const response = await fetch(input, init)
+
+    if (response.headers.get('content-type').startsWith('text/event-stream')) {
+      // Valid header, forward response
+      return response
+    }
+
+    // Server did not respond with the correct content-type - override it
+    const newHeaders = new Headers(response.headers)
+    newHeaders.set('content-type', 'text/event-stream')
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: newHeaders,
+    })
+  },
+})
+```
diff --git a/SECURITY.md b/SECURITY.md
@@ -10,4 +10,4 @@
 
 ## Reporting a Vulnerability
 
-If you find a security vulnerability, do **NOT** open an issue. Use the [https://github.com/EventSource/eventsource/security/advisories/new](GitHub Security Advisory) page instead.
+If you find a security vulnerability, do **NOT** open an issue. Use the [GitHub Security Advisory](https://github.com/EventSource/eventsource/security/advisories/new) page instead.
diff --git a/bun.lockb b/bun.lockb
Original file line number	Diff line number	Diff line change
		@@ -10,4 +10,4 @@

		## Reporting a Vulnerability

		If you find a security vulnerability, do NOT open an issue. Use the [https://github.com/EventSource/eventsource/security/advisories/new](GitHub Security Advisory) page instead.
		If you find a security vulnerability, do NOT open an issue. Use the [GitHub Security Advisory](https://github.com/EventSource/eventsource/security/advisories/new) page instead.