fix(static): add vary: accept-encoding for assets with compressed version

[paulcrussell]

🔗 Linked issue

#3077

❓ Type of change

• 📖 Documentation (updates to the documentation, readme, or JSdoc annotations)
• 🐞 Bug fix (a non-breaking change that fixes an issue)
• 👌 Enhancement (improving an existing functionality like performance)
• ✨ New feature (a non-breaking change that adds functionality)
• 🧹 Chore (updates to the build process or auxiliary tools and libraries)
• ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

The build process produces compressed public assets based on nitro option 'compressPublicAssets' if those assets are present then it means the response may 'Vary' based on Accept-Encoding request header.

Currently the 'Vary' based on Accept-Encoding request header is included only if the Accept-Encoding request header exists. This introduces a problem that the Vary header can get omitted if the client sends a request without Accept-Encoding header. This would cause the server to respond with a uncompressed file that would then be cached in shared caches and served to everyone.

Shifting the logic so that the header is always sent if the server is optionally configured to return uncompressed, gz or br public assets removes the possibility for a client to poison the cache for all.

Resolves #3077

📝 Checklist

• I have linked an issue or discussion.
• I have updated the documentation accordingly.

[paulcrussell]

@pi0 I've updated the commit to fix the failing tests.

[vercel]

@pi0 is attempting to deploy a commit to the Nitro Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pi0]

Sorry, this got delayed and thanks for adding tests!

I have locally investigated. We can reduce runtime overhead (of iteration and resolving for all static assets) by instead, flagging static assets that have a compressed variant with encoding: null build-time and then add vary header for them. It will cover tests.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/nitrojs/nitro/nitropack@3443

commit: 5f24a94