Hey, I just saw this CVE in a JS package and I wondered if this was an issue in aleph https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
Hmmm, maybe. We strip out the query-params on a redirect, but it doesn't look like we alter the headers.