Update dependency hono to v4.6.5 [SECURITY] #611
Merged
This PR contains the following updates: hono 4.5.8 -> 4.6.5
GitHub Vulnerability Alerts
CVE-2024-48913
Summary
Bypass CSRF Middleware by a request without a Content-Type header.
Details
Although the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.
https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89
PoC
Similarly, the fetch API does not add a Content-Type header for requests that do not include a Body.
Impact
Bypass csrf protection implemented with hono csrf middleware.
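As an added illustration (not Hono's own source), the following TypeScript models the csrf middleware's decision before and after the fix: a non-safe-method request whose Content-Type is one a plain form can send, arriving with an unexpected or absent Origin, is rejected, and the fixed variant also treats a missing Content-Type as form-style, which closes the bypass. The allowed origin value and the function names are assumptions.

```typescript
// Added model of the CVE-2024-48913 decision logic; not Hono's code.
// Requests a browser can send cross-site without a CORS preflight are the
// ones a CSRF check must gate: simple methods with form-style Content-Types.
const SAFE_METHOD_RE = /^(GET|HEAD)$/
const FORM_CONTENT_TYPE_RE =
  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i

type HeaderMap = Record<string, string | undefined>

// Vulnerable behaviour: an absent Content-Type matches nothing, so the
// request is never classified as a form submission and is let through.
function looksLikeFormVulnerable(contentType: string | undefined): boolean {
  return FORM_CONTENT_TYPE_RE.test(contentType ?? '')
}

// Fixed behaviour: an absent Content-Type is treated as form-style, because
// fetch() omits the header for body-less requests and the server cannot
// distinguish that from a cross-site form post.
function looksLikeFormFixed(contentType: string | undefined): boolean {
  return !contentType || FORM_CONTENT_TYPE_RE.test(contentType)
}

// Returns true when the middleware should respond with 403.
// `allowedOrigin` stands in for the middleware's origin option (assumption).
function csrfRejects(
  method: string,
  headers: HeaderMap,
  allowedOrigin: string,
  looksLikeForm: (ct: string | undefined) => boolean,
): boolean {
  if (SAFE_METHOD_RE.test(method)) return false
  if (!looksLikeForm(headers['content-type'])) return false
  const origin = headers['origin']
  // A missing Origin is denied rather than trusted.
  return origin === undefined || origin !== allowedOrigin
}

// Constructed allowed origin for the demonstration.
const ALLOWED_ORIGIN = 'https://app.example'

function rejectsBefore(method: string, headers: HeaderMap): boolean {
  return csrfRejects(method, headers, ALLOWED_ORIGIN, looksLikeFormVulnerable)
}

function rejectsAfter(method: string, headers: HeaderMap): boolean {
  return csrfRejects(method, headers, ALLOWED_ORIGIN, looksLikeFormFixed)
}
```

The first pair of checks below is the PoC condition from the advisory: a body-less POST carries neither Content-Type nor Origin, passes the old check, and is rejected by the new one.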
Release Notes
honojs/hono (hono)
v4.6.5
Compare Source
Security fix for CSRF Protection Middleware
This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this `hono` package immediately. Before this release, a request without a `Content-Type` header can bypass the protection. This fix does not allow it. See: GHSA-2234-fmw7-43wr
What's Changed
- … `v2` by @yusukebe in https://github.com/honojs/hono/pull/3506
- … `Access-Control-Allow-Origin` if there is no matching origin by @uki00a in https://github.com/honojs/hono/pull/3510
New Contributors
Full Changelog: honojs/hono@v4.6.4...v4.6.5
v4.6.4
Compare Source
What's Changed
- … `crypto-js` from dev dependencies by @yusukebe in https://github.com/honojs/hono/pull/3447
- … `createMiddleware` by @yusukebe in https://github.com/honojs/hono/pull/3498
- … `globalThis` by @sapphi-red in https://github.com/honojs/hono/pull/3500
- … `override` to `toStringToBuffer` in classes extending `JSXNode` by @yusukebe in https://github.com/honojs/hono/pull/3505
New Contributors
Full Changelog: honojs/hono@v4.6.3...v4.6.4
v4.6.3
Compare Source
This release has many new features, but each feature is small, so we've released it as a patch release.
What's Changed
- … `runtime_tests` to `runtime-tests` by @yusukebe in https://github.com/honojs/hono/pull/3419
- … `every` middleware work with short-circuiting middlewares by @paolostyle in https://github.com/honojs/hono/pull/3441
- … `renderToString` by @usualoma in https://github.com/honojs/hono/pull/3432
New Contributors
Full Changelog: honojs/hono@v4.6.2...v4.6.3
v4.6.2
Compare Source
What's Changed
Full Changelog: honojs/hono@v4.6.1...v4.6.2
v4.6.1
Compare Source
What's Changed
New Contributors
Full Changelog: honojs/hono@v4.6.0...v4.6.1
v4.6.0
Compare Source
Hono v4.6.0 is now available!
One of the highlights of this release is the Context Storage Middleware. Let's introduce it.
Context Storage Middleware
Many users may have been waiting for this feature. The Context Storage Middleware uses `AsyncLocalStorage` to allow handling of the current Context object even outside of handlers.
For example, let's define a Hono app with a variable `message: string`.
To enable Context Storage Middleware, register `contextStorage()` as middleware at the top and set the `message` value. `getContext()` returns the current Context object, allowing you to get the value of the `message` variable outside the handler.
In the case of Cloudflare Workers, you can also access the `Bindings` outside the handler by using this middleware.
Thanks @marceloverdijk !
New features
- … `c.env.eventContext` in handleMiddleware https://github.com/honojs/hono/pull/3332
- … `WSContext` https://github.com/honojs/hono/pull/3337
- … `Content-Encoding` when `stream` is true https://github.com/honojs/hono/pull/3355
- … `precompressed` option https://github.com/honojs/hono/pull/3366
- … `Promise<string>` or (async) `JSX.Element` in `streamSSE` https://github.com/honojs/hono/pull/3344
- … `onFound` option https://github.com/honojs/hono/pull/3396
Other changes
New Contributors
Full Changelog: honojs/hono@v4.5.11...v4.6.0
v4.5.11
Compare Source
What's Changed
- … `Twitter` to `X` by @yusukebe in https://github.com/honojs/hono/pull/3354
New Contributors
Full Changelog: honojs/hono@v4.5.10...v4.5.11
v4.5.10
Compare Source
What's Changed
New Contributors
Full Changelog: honojs/hono@v4.5.9...v4.5.10
v4.5.9
Compare Source
What's Changed
- … `NO_COLOR` by @ryuapp in https://github.com/honojs/hono/pull/3306
- … `type` (MIME) attribute types by @ssssota in https://github.com/honojs/hono/pull/3305
Full Changelog: honojs/hono@v4.5.8...v4.5.9
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.