chore(deps): bump 0http from 4.4.0 to 5.0.1 #456

Merged
Fdawgs merged 1 commit into main from dependabot/npm_and_yarn/0http-5.0.1 on Jun 4, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Bumps 0http from 4.4.0 to 5.0.1.

Release notes

Sourced from 0http's releases.

v5.0.1

Bug fixes and a request hot-path performance improvement. No API changes.

⚠️ Notable behavior change

  • prioRequestsProcessing now correctly defaults to true even when you pass a partial config (e.g. zero({ router }), zero({ errorHandler })). Previously the documented default only applied to the zero-argument call zero(), and any config object silently disabled it. On standard http/https servers this means requests are now dispatched via setImmediate as documented. Set prioRequestsProcessing: false explicitly to opt out. (#52)

Bug fixes

  • Cross-request req.params leak: route matches served from the LRU cache shared a single params object across all requests to the same method+path. A middleware mutating req.params could bleed state into later requests. req.params is now shallow-copied per request. (#52)

Performance

  • ~36% faster query-string parsing on the request hot path: the array-notation regex now runs only when []= is present, and the prototype-pollution segment check skips its per-parameter allocation for normal keys. Behavior is identical, including __proto__/prototype/constructor filtering. (#53)

Internal

  • Landing page modernized; added regression and query-parser tests (suite: 71 passing, query parser at 100% line coverage).
  • Removed the TRON donate address from the README Support section. (#54)

Full changelog: BackendStack21/0http@v5.0.0...v5.0.1

v5.0.0 — Safe-by-default error handler

Breaking Change

DEFAULT_ERROR_HANDLER is now safe-by-default. Error details are only exposed when NODE_ENV=development.

NODE_ENV      Before (v4.x)           After (v5.0)
unset         ❌ leaks err.message    ✅ Internal Server Error
production    ✅ safe                 ✅ safe
development   ❌ leaks                ✅ leaks (by design)
staging       ❌ leaks                ✅ safe
testing       ❌ leaks                ✅ safe

If your app relies on error messages in non-development environments, set NODE_ENV=development or provide a custom errorHandler in router config.

Security

Comprehensive penetration test suite added (tooling/pentest.js) — 48 vectors across 10 categories:

  • 13 prototype pollution vectors — all blocked (direct, encoded, double-encoded, nested)
  • 8 path traversal vectors — all blocked (dot-dot, null byte, quad-dot)
  • 6 DoS vectors — all resilient (large queries, cache exhaustion, deep nesting)
  • 5 information disclosure vectors — all safe
  • 6 method confusion and cache vectors — all clean
  • 3 request tampering vectors — all protected

Changed Files

  • lib/router/sequential.js — flipped error handler condition + Content-Type header
  • tests/nested-routers.test.js — updated error expectations
  • tests/router-coverage.test.js — updated error expectations
  • tests/v4.4.test.js — added NODE_ENV-unset test

... (truncated)

Commits
  • eabbfce chore: prep v5.0.1 — bump version, remove TRON donate address (#54)
  • 3e0d4ff perf: cut query-string parsing cost on the request hot path (#53)
  • 11ea6e1 fix: honor prioRequestsProcessing default and stop sharing cached params (#52)
  • 8e0277c chore: update footer copyright to 2026
  • 35eba84 feat: replace TypeScript card with Minimal, Fast, Secure card
  • 259c95a fix: fade-in animations apply inline styles directly
  • fedf927 chore: remove benchmarks section from landing page
  • 8d3622a feat: modernize landing page with shared design system
  • e18834c fix: revert self-dep to ^4.4.0 (v5.0.0 not on npm yet)
  • f05bd15 chore: bump to v5.0.0 — breaking change
  • Additional commits viewable in compare view
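The cross-request req.params leak described in the v5.0.1 notes, reproduced with a toy router and a route-match cache. This is an added example, not 0http's own code; the Router class, the simulate helper and the admin/anonymous scenario are constructed for the illustration. The copyParams flag switches between handing out the cached params object (the pre-5.0.1 behaviour) and shallow-copying it per request (the fix).

```javascript
// Added example (not 0http's own code): a toy router with a route-match cache
// that reproduces the cross-request req.params leak described in the 0http
// 5.0.1 notes, beside the per-request shallow copy that fixes it. Class and
// function names are invented for this illustration.

// Compile "/users/:id" into a regex plus the ordered parameter names.
function compileRoute(pattern) {
  const keys = [];
  const source = pattern.replace(/:([A-Za-z_]\w*)/g, (_, name) => {
    keys.push(name);
    return '([^/]+)';
  });
  return { re: new RegExp('^' + source + '$'), keys };
}

class Router {
  constructor({ copyParams }) {
    this.routes = [];
    this.cache = new Map();       // "METHOD path" -> { handler, params }
    this.copyParams = copyParams; // false = pre-5.0.1 behaviour, true = the fix
  }

  on(method, pattern, handler) {
    this.routes.push({ method, handler, ...compileRoute(pattern) });
  }

  // Resolve a request to a handler and its params, caching the match by
  // method+path exactly as an LRU in front of the matcher would.
  lookup(method, path) {
    const key = method + ' ' + path;
    let hit = this.cache.get(key);
    if (hit === undefined) {
      for (const r of this.routes) {
        if (r.method !== method) continue;
        const m = r.re.exec(path);
        if (m === null) continue;
        const params = {};
        r.keys.forEach((k, i) => { params[k] = decodeURIComponent(m[i + 1]); });
        hit = { handler: r.handler, params };
        break;
      }
      if (hit === undefined) return null;
      this.cache.set(key, hit);
    }
    // The bug: handing out hit.params itself lets one request's middleware
    // mutate the very object every later request for this URL receives.
    const params = this.copyParams ? { ...hit.params } : hit.params;
    return { handler: hit.handler, params };
  }

  // `ctx` stands in for per-request state such as the authenticated user.
  dispatch(method, path, ctx) {
    const hit = this.lookup(method, path);
    if (hit === null) return { status: 404 };
    const req = { method, path, params: hit.params, ctx };
    return hit.handler(req);
  }
}

// Two requests for the same URL: the first comes from an admin whose
// middleware stashes the role in req.params, the second from an anonymous
// caller. Returns the role each request's handler observed.
function simulate(copyParams) {
  const router = new Router({ copyParams });
  router.on('GET', '/users/:id', (req) => {
    // middleware stage (constructed): admins get a role recorded in params
    if (req.ctx.user === 'alice') req.params.role = 'admin';
    // handler stage: trusts whatever is in req.params
    return { status: 200, id: req.params.id, role: req.params.role || 'anonymous' };
  });
  const first = router.dispatch('GET', '/users/42', { user: 'alice' });
  const second = router.dispatch('GET', '/users/42', { user: null });
  return [first.role, second.role];
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('shared params :', simulate(false)); // [ 'admin', 'admin' ]
  console.log('copied params :', simulate(true));  // [ 'admin', 'anonymous' ]
}
```

The second, anonymous request is served from the cache; with the shared object it inherits the role the first request's middleware wrote, which is exactly the state bleed the release note describes. A shallow copy is enough here because the params values are strings; a middleware that stores nested objects in req.params would need to avoid mutating them in place as well.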
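The __proto__/prototype/constructor filtering that the v5.0.1 performance note says is preserved, shown as a small query-string parser. This is an added example and not 0http's query parser; the segments/parseQuery/prototypeHas names and the sample query are constructed here. The fast path that only walks bracket notation when the key contains a bracket mirrors the idea in the note, not its implementation.

```javascript
// Added example (not 0http's own code): a query-string parser that rejects the
// segments __proto__, prototype and constructor at any nesting depth, in the
// spirit of the filtering the 0http 5.0.1 notes mention. Function names are
// invented for this illustration.

const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);

// "a[b][c]" -> ["a", "b", "c"]; "tags[]" -> ["tags", ""]; "plain" -> ["plain"].
// A key with unbalanced brackets is treated as one opaque segment.
function segments(key) {
  if (!key.includes('[')) return [key];           // fast path for normal keys
  const m = /^([^\[\]]+)((?:\[[^\[\]]*\])*)$/.exec(key);
  if (m === null) return [key];
  const out = [m[1]];
  const re = /\[([^\[\]]*)\]/g;
  let s;
  while ((s = re.exec(m[2])) !== null) out.push(s[1]);
  return out;
}

function decode(part) {
  return decodeURIComponent(part.replace(/\+/g, ' '));
}

// Parse "?a=1&b[c]=2&tags[]=x" into a prototype-less object tree.
// Pairs whose key contains a forbidden segment (checked after one round of
// percent-decoding, so %5F%5Fproto%5F%5F is caught too) are dropped outright.
// Duplicate scalar keys: last one wins. Numeric indexes are not special-cased.
function parseQuery(qs) {
  const result = Object.create(null);   // nothing on the root to pollute
  if (qs.startsWith('?')) qs = qs.slice(1);
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    let key, val;
    try {
      key = decode(eq === -1 ? pair : pair.slice(0, eq));
      val = decode(eq === -1 ? '' : pair.slice(eq + 1));
    } catch {
      continue; // malformed percent-encoding: drop the pair
    }
    const segs = segments(key);
    if (segs.some((s) => FORBIDDEN.has(s))) continue;

    let node = result;
    for (let i = 0; i < segs.length; i++) {
      const s = segs[i];
      if (i === segs.length - 1) {
        if (s === '') { if (Array.isArray(node)) node.push(val); }
        else if (!Array.isArray(node)) node[s] = val; // no named props on arrays
        break;
      }
      const child = segs[i + 1] === '' ? [] : Object.create(null);
      if (Array.isArray(node)) {          // "a[][b]=1": each [] pushes a new element
        node.push(child);
        node = child;
      } else {
        if (typeof node[s] !== 'object' || node[s] === null) node[s] = child;
        node = node[s];
      }
    }
  }
  return result;
}

// True if some earlier code has polluted Object.prototype with `name`.
function prototypeHas(name) {
  return name in {};
}

if (typeof module !== 'undefined' && require.main === module) {
  // constructed sample: four pollution attempts mixed with ordinary parameters
  const q = '__proto__[polluted]=1&a[__proto__][x]=2&constructor[prototype][y]=3' +
            '&%5F%5Fproto%5F%5F[z]=4&user=alice&tags[]=a&tags[]=b&n[a][b]=c';
  console.log(JSON.stringify(parseQuery(q)));
  console.log('polluted?', prototypeHas('polluted'));
}
```

Two defences stack here: every container is created with Object.create(null), so even an unfiltered dangerous key could not reach Object.prototype, and the segment filter runs anyway so that consumers who later copy the result into ordinary objects do not inherit a "__proto__" key. Dropping the whole pair rather than only the offending segment keeps an attacker from steering where a value lands.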
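The v5.0.0 safe-by-default error handler, worked through for every NODE_ENV value in the release-note table. This is an added example, not the DEFAULT_ERROR_HANDLER from lib/router/sequential.js; the function names, the fake response object and the error message are constructed here, and the legacy policy is reconstructed only from the table above.

```javascript
// Added example (not 0http's own code): a safe-by-default error handler in the
// spirit of the v5.0.0 change. Error details reach the client only when
// NODE_ENV is exactly "development"; unset, production, staging, testing and
// any other value get a generic body. Function names here are invented.

function shouldExposeErrors(nodeEnv) {
  return nodeEnv === 'development';
}

// Body under the new policy. `nodeEnv` is a parameter rather than read from
// process.env inside, so the policy can be checked for every value.
function errorBody(err, nodeEnv) {
  return shouldExposeErrors(nodeEnv) ? String(err && err.message) : 'Internal Server Error';
}

// The pre-v5 policy as the release-note table describes it: only
// NODE_ENV=production was safe; everything else echoed err.message.
function legacyErrorBody(err, nodeEnv) {
  return nodeEnv === 'production' ? 'Internal Server Error' : String(err && err.message);
}

// Drop-in shape for a router `errorHandler(err, req, res)` callback.
function safeErrorHandler(err, req, res, nodeEnv = process.env.NODE_ENV) {
  res.statusCode = 500;
  res.setHeader('Content-Type', 'text/plain; charset=utf-8');
  res.end(errorBody(err, nodeEnv));
  // Details still belong in the server log, never in the response body.
  console.error(`${req.method} ${req.url} -> 500:`, err && err.stack);
}

// Walk the NODE_ENV values from the release-note table and classify each
// policy as "leaks" or "safe" for a constructed error message.
function compareEnvs() {
  const err = new Error('connect ECONNREFUSED db.internal:5432'); // constructed
  const table = {};
  for (const env of [undefined, 'production', 'development', 'staging', 'testing']) {
    const label = env === undefined ? 'unset' : env;
    table[label] = {
      before: legacyErrorBody(err, env) === 'Internal Server Error' ? 'safe' : 'leaks',
      after: errorBody(err, env) === 'Internal Server Error' ? 'safe' : 'leaks',
    };
  }
  return table;
}

// Minimal fake response so the handler can be exercised without a socket.
function fakeResponse() {
  const res = { statusCode: 200, headers: {}, body: null };
  res.setHeader = (k, v) => { res.headers[k.toLowerCase()] = v; };
  res.end = (b) => { res.body = b; };
  return res;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.table(compareEnvs());
  const res = fakeResponse();
  safeErrorHandler(new Error('secret detail'), { method: 'GET', url: '/' }, res, 'staging');
  console.log(res.statusCode, res.headers['content-type'], JSON.stringify(res.body));
}
```

The exact-match check is the whole point: an allow-list of one value ("development") cannot be widened by a typo or an unexpected environment name, whereas the old deny-list of one value ("production") leaked on every host where NODE_ENV was unset or set to anything else. Teams that deploy with NODE_ENV=staging and want stack traces in responses should set a custom errorHandler rather than relabel the environment.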

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 3, 2026
Bumps [0http](https://github.com/BackendStack21/0http) from 4.4.0 to 5.0.1.
- [Release notes](https://github.com/BackendStack21/0http/releases)
- [Commits](BackendStack21/0http@v4.4.0...v5.0.1)

---
updated-dependencies:
- dependency-name: 0http
  dependency-version: 5.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/npm_and_yarn/0http-5.0.1 branch from 1ab0126 to 2a29bb7 on June 3, 2026 03:04
@Fdawgs Fdawgs merged commit d08b18d into main Jun 4, 2026
9 checks passed
@Fdawgs Fdawgs deleted the dependabot/npm_and_yarn/0http-5.0.1 branch June 4, 2026 12:27
