chore(deps): update dependency hono to v4.12.28#98
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
5973472 to
88f866b
Compare
88f866b to
587c427
Compare
587c427 to
87f8ca8
Compare
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



This PR contains the following updates:
4.12.23→4.12.28Release Notes
honojs/hono (hono)
v4.12.28Compare Source
What's Changed
*.tsbuildinfoby @yusukebe in #5066devDependenciesby @yusukebe in #5085New Contributors
Full Changelog: honojs/hono@v4.12.27...v4.12.28
v4.12.27Compare Source
Security fixes
This release includes fixes for the following security issues:
hono/jsx does not isolate context per request
Affects:
hono/jsx,hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, souseContext()/useRequestContext()read after anawaitin an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfjServer-Side XSS via JSX escaping bypass in cx()
Affects:
hono/css.cx()marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSXclassattribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59API Gateway v1 adapter can drop a repeated request header value
Affects:
hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g.203.0.113.1dropped when203.0.113.10is present) — affecting logic such asX-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvcUsers of
hono/jsx/hono/jsx-renderer,hono/css(cx()), or thehono/aws-lambdaAPI Gateway v1 / VPC Lattice adapters are encouraged to upgrade.v4.12.26Compare Source
What's Changed
Full Changelog: honojs/hono@v4.12.25...v4.12.26
v4.12.25Compare Source
Security fixes
This release includes fixes for the following security issues:
CORS Middleware reflects any Origin with credentials when
origindefaults to the wildcardAffects:
hono/cors. Fixes the wildcard origin reflecting the requestOriginand sendingAccess-Control-Allow-Credentials: truewhencredentials: trueis set without an explicitorigin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qcBody Limit Middleware can be bypassed on AWS Lambda by understating
Content-LengthAffects:
hono/body-limiton AWS Lambda (hono/aws-lambda,hono/lambda-edge). Fixes the request being built with the client-declaredContent-Lengthwhile the body is delivered fully buffered, where a client could declare a smallContent-Lengthwith a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2Path traversal in
serve-staticon Windows via encoded backslash (%5C)Affects:
serveStaticon Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to\was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44AWS Lambda adapter merges multiple
Set-Cookieheaders into one value, dropping cookies on ALB single-header and LatticeAffects:
hono/aws-lambda. Fixes multipleSet-Cookieresponse headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xfLambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Affects:
hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such asX-Forwarded-Forreached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8pv4.12.24Compare Source
What's Changed
Full Changelog: honojs/hono@v4.12.23...v4.12.24
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.