Commit
Update dependency hono to v4.2.7 [SECURITY] (#45)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [hono](https://hono.dev/) ([source](https://togithub.com/honojs/hono)) | [`4.1.4` -> `4.2.7`](https://renovatebot.com/diffs/npm/hono/4.1.4/4.2.7) | [![age](https://developer.mend.io/api/mc/badges/age/npm/hono/4.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/hono/4.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/hono/4.1.4/4.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/hono/4.1.4/4.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-32869](https://togithub.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347)

### Summary

When using serveStatic with Deno, it is possible to traverse directories up to where main.ts is located.

My environment is configured as per this tutorial: https://hono.dev/getting-started/deno

### PoC

```bash
$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt
```

source

```ts
import { Hono } from 'https://deno.land/x/[email protected]/mod.ts'
import { serveStatic } from 'https://deno.land/x/[email protected]/middleware.ts'

const app = new Hono()

// Static files are served from the project root, mounted under /static/*
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)
```

request

```bash
curl localhost:8000/static/%2e%2e/main.ts
```

The response is the content of main.ts.

### Impact

Unexpected files are retrieved.

---

### Release Notes

<details>
<summary>honojs/hono (hono)</summary>

### [`v4.2.7`](https://togithub.com/honojs/hono/releases/tag/v4.2.7)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.6...v4.2.7)

This release fixes "[Restricted Directory Traversal in serveStatic with deno](https://togithub.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347)".

**Full Changelog**: honojs/hono@v4.2.6...v4.2.7

### [`v4.2.6`](https://togithub.com/honojs/hono/releases/tag/v4.2.6)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.5...v4.2.6)

#### What's Changed

- refactor(adapter/aws): Optimize multiple call of same conditions with polymorphism by [@exoego](https://togithub.com/exoego) in [https://github.com/honojs/hono/pull/2521](https://togithub.com/honojs/hono/pull/2521)
- fix(sse): close sse stream on end by [@domeccleston](https://togithub.com/domeccleston) in [https://github.com/honojs/hono/pull/2529](https://togithub.com/honojs/hono/pull/2529)
- fix(client): Don't show `$ws` when not used WebSockets by [@nakasyou](https://togithub.com/nakasyou) in [https://github.com/honojs/hono/pull/2532](https://togithub.com/honojs/hono/pull/2532)
- refactor(ssg): update utils.ts by [@eltociear](https://togithub.com/eltociear) in [https://github.com/honojs/hono/pull/2519](https://togithub.com/honojs/hono/pull/2519)

#### New Contributors

- [@domeccleston](https://togithub.com/domeccleston) made their first contribution in [https://github.com/honojs/hono/pull/2529](https://togithub.com/honojs/hono/pull/2529)
- [@eltociear](https://togithub.com/eltociear) made their first contribution in [https://github.com/honojs/hono/pull/2519](https://togithub.com/honojs/hono/pull/2519)

**Full Changelog**: honojs/hono@v4.2.5...v4.2.6

### [`v4.2.5`](https://togithub.com/honojs/hono/releases/tag/v4.2.5)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.4...v4.2.5)

#### What's Changed

- fix(client): Allow calling toString and valueOf on the proxy object by [@ibash](https://togithub.com/ibash) in [https://github.com/honojs/hono/pull/2510](https://togithub.com/honojs/hono/pull/2510)
- fix(adapter): handle multi value headers in AWS Lambda by [@exoego](https://togithub.com/exoego) in [https://github.com/honojs/hono/pull/2494](https://togithub.com/honojs/hono/pull/2494)
- fix(client): should not remove trailing slash from top-level URL by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2523](https://togithub.com/honojs/hono/pull/2523)
- fix(jsx/dom): remove lookbehind assertion in event regexp by [@usualoma](https://togithub.com/usualoma) in [https://github.com/honojs/hono/pull/2524](https://togithub.com/honojs/hono/pull/2524)

#### New Contributors

- [@ibash](https://togithub.com/ibash) made their first contribution in [https://github.com/honojs/hono/pull/2510](https://togithub.com/honojs/hono/pull/2510)

**Full Changelog**: honojs/hono@v4.2.4...v4.2.5

### [`v4.2.4`](https://togithub.com/honojs/hono/releases/tag/v4.2.4)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.3...v4.2.4)

#### What's Changed

- fix(jwt): Make JWT Header `typ` Field Optional to Enhance Compatibility by [@naporin0624](https://togithub.com/naporin0624) in [https://github.com/honojs/hono/pull/2488](https://togithub.com/honojs/hono/pull/2488)
- fix(testing): set `baseUrl` for `testClient` by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2496](https://togithub.com/honojs/hono/pull/2496)
- fix(validator): Default use to `OutputTypeExcludeResponseType` when `InputType` is unknown by [@nagasawaryoya](https://togithub.com/nagasawaryoya) in [https://github.com/honojs/hono/pull/2500](https://togithub.com/honojs/hono/pull/2500)
- refactor(trie-router): parentPatterns is updated but never queried by [@exoego](https://togithub.com/exoego) in [https://github.com/honojs/hono/pull/2503](https://togithub.com/honojs/hono/pull/2503)
- refactor: Remove redundant initializer by [@exoego](https://togithub.com/exoego) in [https://github.com/honojs/hono/pull/2502](https://togithub.com/honojs/hono/pull/2502)
- refactor(cloudflare-workers): Suppress eslint noise by [@exoego](https://togithub.com/exoego) in [https://github.com/honojs/hono/pull/2504](https://togithub.com/honojs/hono/pull/2504)
- fix(jsx): Add catch to async function's promise by [@mwilkins91](https://togithub.com/mwilkins91) in [https://github.com/honojs/hono/pull/2471](https://togithub.com/honojs/hono/pull/2471)

#### New Contributors

- [@nagasawaryoya](https://togithub.com/nagasawaryoya) made their first contribution in [https://github.com/honojs/hono/pull/2500](https://togithub.com/honojs/hono/pull/2500)
- [@exoego](https://togithub.com/exoego) made their first contribution in [https://github.com/honojs/hono/pull/2503](https://togithub.com/honojs/hono/pull/2503)
- [@mwilkins91](https://togithub.com/mwilkins91) made their first contribution in [https://github.com/honojs/hono/pull/2471](https://togithub.com/honojs/hono/pull/2471)

**Full Changelog**: honojs/hono@v4.2.3...v4.2.4

### [`v4.2.3`](https://togithub.com/honojs/hono/releases/tag/v4.2.3)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.2...v4.2.3)

#### What's Changed

- fix(ssg): use response header to mark as disabled routes for SSG by [@usualoma](https://togithub.com/usualoma) in [https://github.com/honojs/hono/pull/2477](https://togithub.com/honojs/hono/pull/2477)
- fix(trailing-slash): export types in `package.json` correctly by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2483](https://togithub.com/honojs/hono/pull/2483)
- fix(client): fix websocket client protocol by [@naporin0624](https://togithub.com/naporin0624) in [https://github.com/honojs/hono/pull/2479](https://togithub.com/honojs/hono/pull/2479)

**Full Changelog**: honojs/hono@v4.2.2...v4.2.3

### [`v4.2.2`](https://togithub.com/honojs/hono/releases/tag/v4.2.2)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.1...v4.2.2)

#### What's Changed

- feat(jsx-renderer): pass the context as 2nd arg by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2459](https://togithub.com/honojs/hono/pull/2459)
- feat(client): accept a function that provides dynamic headers to hc by [@niko-gardenanet](https://togithub.com/niko-gardenanet) in [https://github.com/honojs/hono/pull/2461](https://togithub.com/honojs/hono/pull/2461)
- fix(client): infer `null` correctly by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2469](https://togithub.com/honojs/hono/pull/2469)

#### New Contributors

- [@niko-gardenanet](https://togithub.com/niko-gardenanet) made their first contribution in [https://github.com/honojs/hono/pull/2461](https://togithub.com/honojs/hono/pull/2461)

**Full Changelog**: honojs/hono@v4.2.1...v4.2.2

### [`v4.2.1`](https://togithub.com/honojs/hono/releases/tag/v4.2.1)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.0...v4.2.1)

#### What's Changed

- fix(jws): Only import necessary helper (not all helpers) by [@nicksrandall](https://togithub.com/nicksrandall) in [https://github.com/honojs/hono/pull/2458](https://togithub.com/honojs/hono/pull/2458)

#### New Contributors

- [@nicksrandall](https://togithub.com/nicksrandall) made their first contribution in [https://github.com/honojs/hono/pull/2458](https://togithub.com/honojs/hono/pull/2458)

**Full Changelog**: honojs/hono@v4.2.0...v4.2.1

### [`v4.2.0`](https://togithub.com/honojs/hono/releases/tag/v4.2.0)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.1.7...v4.2.0)

Hono v4.2.0 is now available! Let's take a look at the new features.

#### Added more algorithms for JWT

The number of algorithms that the JWT util can handle has increased from only 3 to 13! This means that the JWT util now implements many of the algorithms supported by JWT.

- HS256
- HS384
- HS512
- RS256
- RS384
- RS512
- PS256
- PS384
- PS512
- ES256
- ES384
- ES512
- EdDSA

You can use these algorithms from the JWT middleware or JWT helpers. Thanks [@Code-Hex](https://togithub.com/Code-Hex)!

#### Method Override Middleware

[Method Override Middleware](https://hono.dev/middleware/builtin/method-override) has been added. This middleware overrides the method of the real request with the specified method. An HTML `form` does not allow you to send a DELETE method request. Instead, by sending an input with `name` as `_method` and a value of `DELETE`, you can call the handler registered in `app.delete()`.

```ts
const app = new Hono()

// If no options are specified, the value of `_method` in the form,
// e.g. DELETE, is used as the method.
app.use('/posts', methodOverride({ app }))

app.delete('/posts', (c) => {
  // ....
})
```

#### Trailing Slash Middleware

[Trailing Slash Middleware](https://hono.dev/middleware/builtin/trailing-slash) resolves the handling of trailing slashes in GET requests. You can use the `appendTrailingSlash` and `trimTrailingSlash` functions. For example, it redirects a GET request to `/about/me` to `/about/me/`.

```ts
import { Hono } from 'hono'
import { appendTrailingSlash } from 'hono/trailing-slash'

const app = new Hono({ strict: true })

app.use(appendTrailingSlash())
app.get('/about/me/', (c) => c.text('With Trailing Slash'))
```

Thanks [@rnmeow](https://togithub.com/rnmeow)!

#### Other features

- SSG Helper - Support `extensionMap` [https://github.com/honojs/hono/pull/2382](https://togithub.com/honojs/hono/pull/2382)
- JSX/DOM - Add `useId` hook [https://github.com/honojs/hono/pull/2389](https://togithub.com/honojs/hono/pull/2389)
- JWT Middleware - Improve error handling [https://github.com/honojs/hono/pull/2406](https://togithub.com/honojs/hono/pull/2406)
- Request - Cache the body for re-using [https://github.com/honojs/hono/pull/2416](https://togithub.com/honojs/hono/pull/2416)
- JWT Util - Add type helper to `payload` [https://github.com/honojs/hono/pull/2424](https://togithub.com/honojs/hono/pull/2424)
- CORS Middleware - Pass context to `options.origin` function [https://github.com/honojs/hono/pull/2436](https://togithub.com/honojs/hono/pull/2436)
- Cache Middleware - Support for the `vary` header option [https://github.com/honojs/hono/pull/2426](https://togithub.com/honojs/hono/pull/2426)
- HTTP Exception - Add `cause` option [https://github.com/honojs/hono/pull/2224](https://togithub.com/honojs/hono/pull/2224)
- Logger - Support `NO_COLOR` [https://github.com/honojs/hono/pull/2228](https://togithub.com/honojs/hono/pull/2228)
- JWT Middleware - Add `JwtTokenInvalid` object as `cause` when JWT is invalid [https://github.com/honojs/hono/pull/2448](https://togithub.com/honojs/hono/pull/2448)
- Bearer Auth Middleware - Add `verifyToken` option [https://github.com/honojs/hono/pull/2449](https://togithub.com/honojs/hono/pull/2449)
- Basic Auth Middleware - Add `verifyUser` option [https://github.com/honojs/hono/pull/2450](https://togithub.com/honojs/hono/pull/2450)

#### All Updates

- feat(jwt): supported RS256, RS384, RS512 algorithm for JWT by [@Code-Hex](https://togithub.com/Code-Hex) in [https://github.com/honojs/hono/pull/2339](https://togithub.com/honojs/hono/pull/2339)
- added remaining algorithms for JWT by [@Code-Hex](https://togithub.com/Code-Hex) in [https://github.com/honojs/hono/pull/2352](https://togithub.com/honojs/hono/pull/2352)
- acceptable CryptoKey in JWT sign and verify by [@Code-Hex](https://togithub.com/Code-Hex) in [https://github.com/honojs/hono/pull/2373](https://togithub.com/honojs/hono/pull/2373)
- feat(ssg): Support `extensionMap` by [@watany-dev](https://togithub.com/watany-dev) in [https://github.com/honojs/hono/pull/2382](https://togithub.com/honojs/hono/pull/2382)
- feat(jwt): support remaining algorithms by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2368](https://togithub.com/honojs/hono/pull/2368)
- feat(jsx): add useId hook by [@usualoma](https://togithub.com/usualoma) in [https://github.com/honojs/hono/pull/2389](https://togithub.com/honojs/hono/pull/2389)
- feat(middleware/jwt): improve error handling by [@tfkhdyt](https://togithub.com/tfkhdyt) in [https://github.com/honojs/hono/pull/2406](https://togithub.com/honojs/hono/pull/2406)
- feat(request): cache body for reusing by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2416](https://togithub.com/honojs/hono/pull/2416)
- feat(jwt): Add type helper to `payload` by [@nakasyou](https://togithub.com/nakasyou) in [https://github.com/honojs/hono/pull/2424](https://togithub.com/honojs/hono/pull/2424)
- feat: introduce Method Override Middleware by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2420](https://togithub.com/honojs/hono/pull/2420)
- feat(middleware/cors): pass context to options.origin function by [@okmr-d](https://togithub.com/okmr-d) in [https://github.com/honojs/hono/pull/2436](https://togithub.com/honojs/hono/pull/2436)
- feat: support for `vary` header in cache middleware by [@naporin0624](https://togithub.com/naporin0624) in [https://github.com/honojs/hono/pull/2426](https://togithub.com/honojs/hono/pull/2426)
- feat: add middlewares resolve trailing slashes on GET request by [@rnmeow](https://togithub.com/rnmeow) in [https://github.com/honojs/hono/pull/2408](https://togithub.com/honojs/hono/pull/2408)
- test: stub `crypto` if not exist by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2445](https://togithub.com/honojs/hono/pull/2445)
- feat(jwt): literal typed `alg` option value by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2446](https://togithub.com/honojs/hono/pull/2446)
- test(ssg): add test for content-type includes `;` by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2447](https://togithub.com/honojs/hono/pull/2447)
- feat(jwt): add `JwtTokenInvalid` object as `cause` when JWT is invalid by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2448](https://togithub.com/honojs/hono/pull/2448)
- feat(bearer-auth): add `verifyToken` option by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2449](https://togithub.com/honojs/hono/pull/2449)
- feat(basic-auth): add `verifyUser` option by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2450](https://togithub.com/honojs/hono/pull/2450)
- Next by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2454](https://togithub.com/honojs/hono/pull/2454)

#### New Contributors

- [@tfkhdyt](https://togithub.com/tfkhdyt) made their first contribution in [https://github.com/honojs/hono/pull/2406](https://togithub.com/honojs/hono/pull/2406)
- [@okmr-d](https://togithub.com/okmr-d) made their first contribution in [https://github.com/honojs/hono/pull/2436](https://togithub.com/honojs/hono/pull/2436)
- [@naporin0624](https://togithub.com/naporin0624) made their first contribution in [https://github.com/honojs/hono/pull/2426](https://togithub.com/honojs/hono/pull/2426)
- [@rnmeow](https://togithub.com/rnmeow) made their first contribution in [https://github.com/honojs/hono/pull/2408](https://togithub.com/honojs/hono/pull/2408)

**Full Changelog**: honojs/hono@v4.1.7...v4.2.0

### [`v4.1.7`](https://togithub.com/honojs/hono/releases/tag/v4.1.7)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.1.6...v4.1.7)

#### What's Changed

- fix(cache): check `globalThis.caches` by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2444](https://togithub.com/honojs/hono/pull/2444)

**Full Changelog**: honojs/hono@v4.1.6...v4.1.7

### [`v4.1.6`](https://togithub.com/honojs/hono/releases/tag/v4.1.6)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.1.5...v4.1.6)

#### What's Changed

- chore(benchmark): add "loop" script by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2431](https://togithub.com/honojs/hono/pull/2431)
- fix(cache): not enabled if `caches` is not defined by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2443](https://togithub.com/honojs/hono/pull/2443)

**Full Changelog**: honojs/hono@v4.1.5...v4.1.6

### [`v4.1.5`](https://togithub.com/honojs/hono/releases/tag/v4.1.5)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.1.4...v4.1.5)

#### What's Changed

- perf: Don't use `Array.prototype.map` if its return value is not needed by [@nakasyou](https://togithub.com/nakasyou) in [https://github.com/honojs/hono/pull/2419](https://togithub.com/honojs/hono/pull/2419)
- fix(aws-lambda): handle response without body ([#2401](https://togithub.com/honojs/hono/issues/2401)) by [@KnisterPeter](https://togithub.com/KnisterPeter) in [https://github.com/honojs/hono/pull/2413](https://togithub.com/honojs/hono/pull/2413)
- fix(validator): `await` cached contents by [@yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2430](https://togithub.com/honojs/hono/pull/2430)

#### New Contributors

- [@KnisterPeter](https://togithub.com/KnisterPeter) made their first contribution in [https://github.com/honojs/hono/pull/2413](https://togithub.com/honojs/hono/pull/2413)

**Full Changelog**: honojs/hono@v4.1.4...v4.1.5

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone America/Chicago, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/autoblocksai/cli).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
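As an added example (not Hono's code and not the fix shipped in v4.2.7), this is the shape of check a static-file handler needs so that the advisory's `/static/%2e%2e/main.ts` request is refused: percent-decode first, then confine the normalised path to the mounted directory rather than only to `root`. The function and parameter names are assumptions.

```typescript
// Added example, not part of the Hono project. Resolves a request path for a
// static handler mounted at `mount` (e.g. '/static') under `root` (e.g. './').
// Returns the file path to serve, or null if the request must be rejected.
function resolveStaticPath(
  urlPath: string,
  mount: string,
  root: string,
): string | null {
  // Decode once, so "%2e%2e" becomes ".." *before* the traversal check runs.
  // Malformed escapes such as "%zz" make decodeURIComponent throw: reject.
  let decoded: string;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch {
    return null;
  }
  // NUL is never valid in a file name and can truncate paths in native APIs.
  if (decoded.includes("\0")) return null;

  // The request must actually live under the mount prefix.
  const prefix = mount.endsWith("/") ? mount : mount + "/";
  if (!decoded.startsWith(prefix)) return null;
  const rest = decoded.slice(prefix.length);

  // Normalise segment by segment, treating backslash as a separator as well
  // (Windows hosts accept it). A ".." that would pop an empty stack means the
  // request is trying to leave the mounted directory, which is the bug in the
  // advisory: "./" + "/static/../main.ts" is still inside root, but not
  // inside the static directory.
  const stack: string[] = [];
  for (const seg of rest.split(/[\\/]+/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) return null;
      stack.pop();
      continue;
    }
    stack.push(seg);
  }
  // Nothing left to serve (the directory itself was requested).
  if (stack.length === 0) return null;

  const base = root.endsWith("/") ? root.slice(0, -1) : root;
  return `${base}${prefix}${stack.join("/")}`;
}
```

Running the advisory's layout through it: `/static/a.txt` resolves to `./static/a.txt`, while `/static/%2e%2e/main.ts`, its undecoded twin `/static/../main.ts`, and a backslash variant all return null.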