Improvements:

* Added fallback for WeakSet
* Disable fallbacks for ESM exports
* Improved fuzzing coverage

Author: corrideat

esbuild.ts

@@ -47,6 +47,10 @@ await Promise.all(
 			outExtension: {
 				'.js': format === 'esm' ? '.mjs' : '.cjs',
 			},
+			define: {
+				...buildOptionsBase.define,
+				'import.meta.format': JSON.stringify(format),
+			},
 		});
 	}),
 );

fuzz/package.json

@@ -5,7 +5,9 @@
   "type": "commonjs",
   "scripts": {
     "start": "jsfuzz src/index.cjs corpus",
-    "report": "nyc report --per-file --exclude-after-remap=false"
+    "start:fast": "jsfuzz src/fast.cjs corpus",
+    "report": "nyc report --per-file --exclude-after-remap=false",
+    "report:html": "nyc report --reporter=html --per-file --exclude-after-remap=false"
   },
   "devDependencies": {
     "jsfuzz": "^1.0.15"

fuzz/src/fast.cjs

@@ -0,0 +1,20 @@
+/* Copyright © 2025 Apeleg Limited. All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+/* eslint-disable @typescript-eslint/no-require-imports */
+
+const fuzzFactory = require('./fuzzFactory.cjs');
+const fuzz = fuzzFactory(require);
+
+module.exports = { fuzz };

fuzz/src/fuzzFactory.cjs

@@ -0,0 +1,47 @@
+/* Copyright © 2025 Apeleg Limited. All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+function fuzzFactory(require, pre, post) {
+	return function (buf) {
+		if (buf.length < 1) return;
+
+		pre?.(buf);
+
+		// This line for coverage purposes (use all getters)
+		void { ...require('../../dist/index.cjs') };
+
+		const {
+			fuzz: negotiateMediaType,
+		} = require('./negotiateMediaType.cjs');
+		const { fuzz: parseAcceptHeader } = require('./parseAcceptHeader.cjs');
+		const { fuzz: parseMediaType } = require('./parseMediaType.cjs');
+
+		switch (buf[0] & 0b1100_0000) {
+			case 0b0000_0000:
+				negotiateMediaType(buf);
+				break;
+			case 0b0100_0000:
+				parseAcceptHeader(buf);
+				break;
+			case 0b1000_0000:
+				parseMediaType(buf);
+				break;
+		}
+
+		post?.(buf);
+	};
+}
+
+module.exports = fuzzFactory;

fuzz/src/index.cjs

@@ -13,24 +13,115 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 /* eslint-disable @typescript-eslint/no-require-imports */
-const { fuzz: negotiateMediaType } = require('./negotiateMediaType.cjs');
-const { fuzz: parseAcceptHeader } = require('./parseAcceptHeader.cjs');
-const { fuzz: parseMediaType } = require('./parseMediaType.cjs');
-
-function fuzz(buf) {
-	if (buf.length < 1) return;
-
-	switch (buf[0] & 0b11000000) {
-		case 0b00000000:
-			negotiateMediaType(buf);
-			break;
-		case 0b01000000:
-			parseAcceptHeader(buf);
-			break;
-		case 0b10000000:
-			parseMediaType(buf);
-			break;
+
+const fuzzFactory = require('./fuzzFactory.cjs');
+
+const {
+	enableSet,
+	isSetEnabled,
+	enableStringIncludes,
+	isStringIncludesEnabled,
+	enableWeakMap,
+	isWeakMapEnabled,
+} = (() => {
+	const { Set, WeakMap } = globalThis;
+	const { includes: String_includes } = String.prototype;
+
+	let SetEnabled = true,
+		StringIncludesEnabled = true,
+		WeakMapEnabled = true;
+
+	const enableSet = (v) => {
+		SetEnabled = v;
+	};
+	const isSetEnabled = () => SetEnabled;
+	const enableStringIncludes = (v) => {
+		StringIncludesEnabled = v;
+	};
+	const isStringIncludesEnabled = () => StringIncludesEnabled;
+	const enableWeakMap = (v) => {
+		WeakMapEnabled = v;
+	};
+	const isWeakMapEnabled = () => WeakMapEnabled;
+
+	Object.defineProperties(globalThis, {
+		Set: {
+			get: () => {
+				return SetEnabled ? Set : undefined;
+			},
+		},
+		WeakMap: {
+			get: () => {
+				return WeakMapEnabled ? WeakMap : undefined;
+			},
+		},
+	});
+
+	Object.defineProperties(String.prototype, {
+		includes: {
+			get: () => {
+				return StringIncludesEnabled ? String_includes : undefined;
+			},
+		},
+	});
+
+	return {
+		enableSet,
+		isSetEnabled,
+		enableStringIncludes,
+		isStringIncludesEnabled,
+		enableWeakMap,
+		isWeakMapEnabled,
+	};
+})();
+
+function hotRequire(id) {
+	delete require.cache[require.resolve(id)];
+
+	const SetEnabled = isSetEnabled();
+	const WeakMapEnabled = isWeakMapEnabled();
+	const StringIncludesEnabled = isStringIncludesEnabled();
+
+	enableSet(true);
+	enableWeakMap(true);
+	enableStringIncludes(true);
+
+	try {
+		return require(id);
+	} finally {
+		enableSet(SetEnabled);
+		enableWeakMap(WeakMapEnabled);
+		enableStringIncludes(StringIncludesEnabled);
 	}
 }
 
+const fuzz = (() => {
+	const map = Object.create(null);
+
+	const getFeatureKey = () => {
+		return [isSetEnabled, isWeakMapEnabled, isStringIncludesEnabled]
+			.map((v) => +!!v())
+			.join('');
+	};
+
+	const require_ = (id) => {
+		const key = getFeatureKey();
+		if (!Object.hasOwn(map, key)) {
+			map[key] = Object.create(null);
+		}
+		const resolved = require.resolve(id);
+		if (!Object.hasOwn(map[key], resolved)) {
+			map[key][resolved] = hotRequire(resolved);
+		}
+
+		return map[key][resolved];
+	};
+
+	return fuzzFactory(require_, (buf) => {
+		enableSet(!(buf[0] & 0b0010_0000));
+		enableWeakMap(!(buf[0] & 0b0001_0000));
+		enableStringIncludes(!(buf[0] & 0b0000_1000));
+	});
+})();
+
 module.exports = { fuzz };

fuzz/src/parseAcceptHeader.cjs

@@ -13,7 +13,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 /* eslint-disable @typescript-eslint/no-require-imports */
-const { parseAcceptHeader } = require('../../dist/index.cjs');
+const { parseAcceptHeader, parseMediaType } = require('../../dist/index.cjs');
 
 function fuzz(buf) {
 	if (buf.length < 1) return;
@@ -22,7 +22,8 @@ function fuzz(buf) {
 	const typesOnly = !!(buf[0] & 0b01);
 	const permissive = !!(buf[0] & 0b10);
 
-	parseAcceptHeader(accept, typesOnly, permissive);
+	const parsedTypes = parseAcceptHeader(accept, typesOnly, permissive);
+	parsedTypes.forEach((type) => parseMediaType(type, permissive));
 }
 
 module.exports = { fuzz };

package-lock.json

@@ -1,6 +1,6 @@
 {
 	"name": "@apeleghq/http-media-type-negotiator",
-	"version": "1.0.2",
+	"version": "1.0.3",
 	"description": "RFC‑aware HTTP media type negotiator - parses and normalises Accept headers and media types (RFC 9110), supports q-value ranking, wildcard matching, and a permissive mode for real‑world headers.",
 	"type": "module",
 	"main": "dist/index.cjs",

package.json

@@ -0,0 +1,5 @@
+/* eslint-disable @typescript-eslint/naming-convention */
+
+interface ImportMeta {
+	readonly format: 'esm' | 'cjs' | 'iife';
+}

src/global.d.ts

@@ -17,6 +17,7 @@ import { $subtype, $type } from './constants.js';
 import normaliseMediaType from './normaliseMediaType.js';
 import parseAcceptHeader from './parseAcceptHeader.js';
 import parseMediaType, { type TMediaType } from './parseMediaType.js';
+import { wm } from './utils.js';
 
 const QVALUE_REGEX = /^(?:(?:0(?:\.\d{1,3})?)|(?:1(?:\.0{1,3})?))$/;
 const DEFAULT_Q = 1000;
@@ -124,7 +125,7 @@ const negotiateMediaTypeFactory = (availableMediaTypes: string[]) => {
 		return () => null;
 	}
 
-	const mapToOriginal = new Map<TMediaType, string>();
+	const mapToOriginal = wm<TMediaType, string>();
 	const parsedAvailableTypes = availableMediaTypes.map((mediaType) => {
 		const value = normaliseMediaType(parseMediaType(mediaType));
 		mapToOriginal.set(value, mediaType);
@@ -136,7 +137,7 @@ const negotiateMediaTypeFactory = (availableMediaTypes: string[]) => {
 			return availableMediaTypes[0];
 		}
 
-		const qMap = new WeakMap<TMediaType, number>();
+		const qMap = wm<TMediaType, number>();
 
 		const parsedAcceptableTypes = parseAcceptHeader(
 			accept,
@@ -164,10 +165,7 @@ const negotiateMediaTypeFactory = (availableMediaTypes: string[]) => {
 				return qb - qa;
 			}) as TMediaType[];
 
-		const map = new WeakMap<
-			TMediaType,
-			(typeof parsedAvailableTypes)[number]
-		>();
+		const map = wm<TMediaType, (typeof parsedAvailableTypes)[number]>();
 
 		// First pass: remove media types that aren't possible
 		const overlappingTypes = parsedAcceptableTypes.filter(