security(http): revoke object URL after downloadRequest click

[Goosterhof]

Summary

Closes Sapper M1 finding L7a — downloadRequest doesn't revoke the object URL.

The bug

downloadRequest creates a blob URL for the anchor's href but never calls URL.revokeObjectURL(). The browser holds the blob reference until the page navigates away. In long-running SPAs that trigger many downloads, this accumulates memory — not a security issue (classified Low by Sapper), but a resource leak with a one-line fix.

The fix

link.click();
window.URL.revokeObjectURL(link.href);  // new

The download itself captures its own blob reference during the synchronous click(), so revoking immediately after does not interrupt it.

Scope note — previewRequest not fixed here

previewRequest has the same issue, but its remediation requires changing the return type from Promise<string> to Promise<{ url: string; revoke: () => void }> — a breaking API change for every consumer rendering a preview. That's an API design decision, not a security fix. Deferred to a separate issue.

Tests

New case in downloadRequest:

• Verifies window.URL.revokeObjectURL is called exactly once with the same URL that was assigned to link.href.

Module-level test setup updated: added revokeObjectURL: vi.fn() to the window.URL stub so the new method is callable in all tests.

All 8 local gates pass: format, lint, build, typecheck, lint:pkg, 100% coverage, 95.45% mutation (threshold 90%).

Release

Bumps @script-development/fs-http to 0.1.2.

PR #28 (streamRequest credentials) merged first and took 0.1.1.

Test plan

• CI check job passes
• Ally review
• Merge triggers publish (0.1.2)
• Spot-check npm: new fs-http version present

🤖 Generated with Claude Code

[cloudflare-workers-and-pages]

Deploying fs-packages with    Cloudflare Pages

Latest commit:	058eeb0
Status:	✅  Deploy successful!
Preview URL:	https://160e46cc.fs-packages.pages.dev
Branch Preview URL:	https://security-download-request-re.fs-packages.pages.dev

View logs