fix(dev): handle multiple set-cookie headers correctly (#1075)

[Flo0806]

🔗 Linked issue

Fixes #1075
Fixes nuxt/nuxt#33430

Summary

The dev server was only sending the last cookie when multiple setCookie() calls were made in a server route. This violated RFC 6265 which requires each cookie to be sent in a separate Set-Cookie header and explicitly forbids combining them with commas.

Root Cause

1. sendWebResponse: Used headers.entries() which only returns a single combined value for set-cookie due to Web Standards Headers API limitations, even when multiple cookies exist
2. fetchWithNodeHttp: Incorrectly joined multiple cookie headers with .join(', '), causing browsers to reject them when cookies contained Expires dates (which include commas)

Solution

• Use getSetCookie() method (part of the Fetch API spec) to retrieve all cookies as separate array entries
• Use appendHeader() instead of setHeader() to add each cookie individually to the Node.js response
• Skip set-cookie when iterating through other headers to avoid duplicates

Changes

• ✅ Fix sendWebResponse to handle multiple cookies via getSetCookie()
• ✅ Fix fetchWithNodeHttp to append cookies individually (no comma joining)
• ✅ Add E2E test verifying 3 separate cookies are sent correctly
• ✅ All existing tests pass

Testing

pnpm test:unit

[github-actions]

📦 Bundle Size Comparison

📈 nuxi

Metric	Base	Head	Diff
Rendered	5077.04 KB	5077.62 KB	+0.58 KB (+0.01%)

📈 nuxt-cli

Metric	Base	Head	Diff
Rendered	106.79 KB	107.37 KB	+0.58 KB (+0.54%)

➡️ create-nuxt

Metric	Base	Head	Diff
Rendered	2178.73 KB	2178.73 KB	0.00 KB (0.00%)

[pkg-pr-new]

nuxt-cli-playground

npm i https://pkg.pr.new/create-nuxt@1079

npm i https://pkg.pr.new/nuxi@1079

npm i https://pkg.pr.new/@nuxt/cli@1079

commit: 0d9afca

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 22 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@4509643). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
packages/nuxi/src/dev/fetch.ts	0.00%	22 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1079   +/-   ##
=======================================
  Coverage        ?   25.53%           
=======================================
  Files           ?       81           
  Lines           ?     4542           
  Branches        ?      243           
=======================================
  Hits            ?     1160           
  Misses          ?     3350           
  Partials        ?       32           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[codspeed-hq]

CodSpeed Performance Report

Merging #1079 will not alter performance

_{Comparing Flo0806:fix/multiple-set-cookie-headers (0d9afca) with main (4509643)}

Summary

✅ 2 untouched

[danielroe]

thank you ❤️