on-headers is vulnerable to http response header manipulation
A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead()
Advisories for Npm/On-Headers package
2025
A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead()