chore(deps): update dependency hono to v4.12.29#256
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
c9c00e4 to
10755fd
Compare
10755fd to
c0e4287
Compare
6b9a9d1 to
29cb5c1
Compare
29cb5c1 to
781107f
Compare
781107f to
5a4607f
Compare
5a4607f to
6fa01c5
Compare
6fa01c5 to
56e33ef
Compare
56e33ef to
84d3442
Compare
84d3442 to
0dcc9e4
Compare
0dcc9e4 to
26944c7
Compare
26944c7 to
3d6076c
Compare
3d6076c to
0d8d4bd
Compare
bc158d9 to
ccd429a
Compare
ccd429a to
c646e56
Compare
c646e56 to
161ea4e
Compare
161ea4e to
6f72394
Compare
0da1139 to
8e9f37e
Compare
8e9f37e to
70c0029
Compare
70c0029 to
6cb87bd
Compare
6cb87bd to
374d034
Compare
374d034 to
47581e1
Compare
47581e1 to
85a6403
Compare
85a6403 to
ecacbf3
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.12.14→4.12.29Release Notes
honojs/hono (hono)
v4.12.29Compare Source
What's Changed
compatibilityDateby @yusukebe in #5100*as a match by @yusukebe in #5084New Contributors
Full Changelog: honojs/hono@v4.12.28...v4.12.29
v4.12.28Compare Source
What's Changed
*.tsbuildinfoby @yusukebe in #5066devDependenciesby @yusukebe in #5085New Contributors
Full Changelog: honojs/hono@v4.12.27...v4.12.28
v4.12.27Compare Source
Security fixes
This release includes fixes for the following security issues:
hono/jsx does not isolate context per request
Affects:
hono/jsx,hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, souseContext()/useRequestContext()read after anawaitin an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfjServer-Side XSS via JSX escaping bypass in cx()
Affects:
hono/css.cx()marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSXclassattribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59API Gateway v1 adapter can drop a repeated request header value
Affects:
hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g.203.0.113.1dropped when203.0.113.10is present) — affecting logic such asX-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvcUsers of
hono/jsx/hono/jsx-renderer,hono/css(cx()), or thehono/aws-lambdaAPI Gateway v1 / VPC Lattice adapters are encouraged to upgrade.v4.12.26Compare Source
What's Changed
Full Changelog: honojs/hono@v4.12.25...v4.12.26
v4.12.25Compare Source
Security fixes
This release includes fixes for the following security issues:
CORS Middleware reflects any Origin with credentials when
origindefaults to the wildcardAffects:
hono/cors. Fixes the wildcard origin reflecting the requestOriginand sendingAccess-Control-Allow-Credentials: truewhencredentials: trueis set without an explicitorigin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qcBody Limit Middleware can be bypassed on AWS Lambda by understating
Content-LengthAffects:
hono/body-limiton AWS Lambda (hono/aws-lambda,hono/lambda-edge). Fixes the request being built with the client-declaredContent-Lengthwhile the body is delivered fully buffered, where a client could declare a smallContent-Lengthwith a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2Path traversal in
serve-staticon Windows via encoded backslash (%5C)Affects:
serveStaticon Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to\was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44AWS Lambda adapter merges multiple
Set-Cookieheaders into one value, dropping cookies on ALB single-header and LatticeAffects:
hono/aws-lambda. Fixes multipleSet-Cookieresponse headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xfLambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Affects:
hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such asX-Forwarded-Forreached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8pv4.12.24Compare Source
What's Changed
Full Changelog: honojs/hono@v4.12.23...v4.12.24
v4.12.23Compare Source
What's Changed
COMPRESSIBLE_CONTENT_TYPE_REGEXre-export by @na-trium-144 in #4961::by @yusukebe in #4971Full Changelog: honojs/hono@v4.12.22...v4.12.23
v4.12.22Compare Source
What's Changed
New Contributors
Full Changelog: honojs/hono@v4.12.21...v4.12.22
v4.12.21Compare Source
Security fixes
This release includes fixes for the following security issues:
app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Affects:
app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3IP Restriction bypasses static deny rules for non-canonical IPv6
Affects:
hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Affects:
hono/cookie. Fixes missing validation ofsameSiteandpriorityoptions against injection characters (;,\r,\n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5xJWT middleware accepts any Authorization scheme, not only Bearer
Affects:
hono/jwt,hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474Users who use
app.mount(),hono/ip-restriction,hono/cookie, orhono/jwt/hono/jwkare encouraged to upgrade to this version.v4.12.20Compare Source
What's Changed
New Contributors
Full Changelog: honojs/hono@v4.12.19...v4.12.20
v4.12.19Compare Source
What's Changed
bytes()by @yusukebe in #4921@hono/node-serverto v2 and fix abort handling by @yusukebe in #4940New Contributors
Full Changelog: honojs/hono@v4.12.18...v4.12.19
v4.12.18Compare Source
Security fixes
This release includes fixes for the following security issues:
Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Affects: Cache Middleware. Fixes missing cache-skip handling for
Vary: AuthorizationandVary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rmCSS Declaration Injection via Style Object Values in JSX SSR
Affects: hono/jsx. Fixes a missing CSS-context escape for
styleobject values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7pImproper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Affects:
hono/utils/jwt. Fixes improper validation ofexp,nbf, andiatclaims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.
v4.12.17Compare Source
What's Changed
atom+xmlandrss+xmltodefaultExtensionMapby @yuintei in #4899New Contributors
Full Changelog: honojs/hono@v4.12.16...v4.12.17
v4.12.16Compare Source
Security fixes
This release includes fixes for the following security issues:
Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
Affects: hono/jsx. Fixes missing validation of JSX tag names when using
jsx()orcreateElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432bodyLimit() can be bypassed for chunked / unknown-length requests
Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v
v4.12.15Compare Source
What's Changed
New Contributors
Full Changelog: honojs/hono@v4.12.14...v4.12.15
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.