Update dependency hono to v4.2.7 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
hono (source)	4.1.4 -> 4.2.7

GitHub Vulnerability Alerts

CVE-2024-32869

Summary

When using serveStatic with deno, it is possible to directory traverse where main.ts is located.

My environment is configured as per this tutorial
https://hono.dev/getting-started/deno

PoC

$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt

source

import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'

const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)

request

curl localhost:8000/static/%2e%2e/main.ts

response is content of main.ts

Impact

Unexpected files are retrieved.

---

Release Notes

honojs/hono (hono)

v4.2.7

Compare Source

This release fixes "Restricted Directory Traversal in serveStatic with deno".

Full Changelog: honojs/hono@v4.2.6...v4.2.7

v4.2.6

Compare Source

What's Changed

• refactor(adapter/aws): Optimize multiple call of same conditions with polymorphism by @​exoego in https://github.com/honojs/hono/pull/2521
• fix(sse): close sse stream on end by @​domeccleston in https://github.com/honojs/hono/pull/2529
• fix(client): Don't show $ws when not used WebSockets by @​nakasyou in https://github.com/honojs/hono/pull/2532
• refactor(ssg): update utils.ts by @​eltociear in https://github.com/honojs/hono/pull/2519

New Contributors

• @​domeccleston made their first contribution in https://github.com/honojs/hono/pull/2529
• @​eltociear made their first contribution in https://github.com/honojs/hono/pull/2519

Full Changelog: honojs/hono@v4.2.5...v4.2.6

v4.2.5

Compare Source

What's Changed

• fix(client): Allow calling toString and valueOf on the proxy object by @​ibash in https://github.com/honojs/hono/pull/2510
• fix(adapter): handle multi value headers in AWS Lambda by @​exoego in https://github.com/honojs/hono/pull/2494
• fix(client): shuold not remove tailing slash from top-level URL by @​yusukebe in https://github.com/honojs/hono/pull/2523
• fix(jsx/dom): remove lookbehind assertion in event regexp by @​usualoma in https://github.com/honojs/hono/pull/2524

New Contributors

• @​ibash made their first contribution in https://github.com/honojs/hono/pull/2510

Full Changelog: honojs/hono@v4.2.4...v4.2.5

v4.2.4

Compare Source

What's Changed

• fix(jwt): Make JWT Header typ Field Optional to Enhance Compatibility by @​naporin0624 in https://github.com/honojs/hono/pull/2488
• fix(testing): set baseUrl for testClient by @​yusukebe in https://github.com/honojs/hono/pull/2496
• fix(validator): Default use to OutputTypeExcludeResponseType when InputType is unknown by @​nagasawaryoya in https://github.com/honojs/hono/pull/2500
• refactor(trie-router): parentPatterns is updated but never queried by @​exoego in https://github.com/honojs/hono/pull/2503
• refactor: Remove redundant initializer by @​exoego in https://github.com/honojs/hono/pull/2502
• refactor(cloudflare-workers): Suppress eslint noise by @​exoego in https://github.com/honojs/hono/pull/2504
• fix(jsx): Add catch to async function's promise by @​mwilkins91 in https://github.com/honojs/hono/pull/2471

New Contributors

• @​nagasawaryoya made their first contribution in https://github.com/honojs/hono/pull/2500
• @​exoego made their first contribution in https://github.com/honojs/hono/pull/2503
• @​mwilkins91 made their first contribution in https://github.com/honojs/hono/pull/2471

Full Changelog: honojs/hono@v4.2.3...v4.2.4

v4.2.3

Compare Source

What's Changed

• fix(ssg): use response header to mark as disabled routes for SSG by @​usualoma in https://github.com/honojs/hono/pull/2477
• fix(trailing-slash): export types in package.json correctly by @​yusukebe in https://github.com/honojs/hono/pull/2483
• fix(client): fix websocket client protocol by @​naporin0624 in https://github.com/honojs/hono/pull/2479

Full Changelog: honojs/hono@v4.2.2...v4.2.3

v4.2.2

Compare Source

What's Changed

• feat(jsx-renderer): pass the context as 2nd arg by @​yusukebe in https://github.com/honojs/hono/pull/2459
• feat(client): accept a function that provides dynamic headers to hc by @​niko-gardenanet in https://github.com/honojs/hono/pull/2461
• fix(client): infer null correctly by @​yusukebe in https://github.com/honojs/hono/pull/2469

New Contributors

• @​niko-gardenanet made their first contribution in https://github.com/honojs/hono/pull/2461

Full Changelog: honojs/hono@v4.2.1...v4.2.2

v4.2.1

Compare Source

What's Changed

• fix(jws): Only import necessary helper (not all helpers) by @​nicksrandall in https://github.com/honojs/hono/pull/2458

New Contributors

• @​nicksrandall made their first contribution in https://github.com/honojs/hono/pull/2458

Full Changelog: honojs/hono@v4.2.0...v4.2.1

v4.2.0

Compare Source

Hono v4.2.0 is now available! Let's take a look at the new features.

Added more algorithms for JWT

The number of algorithms that JWT util can handle has increased from only 3 to 13! This means that JWT util now implements many of the algorithms supported by JWT.

• HS256
• HS384
• HS512
• RS256
• RS384
• RS512
• PS256
• PS384
• PS512
• ES256
• ES384
• ES512
• EdDSA

You can use these algorithms from the JWT middleware or JWT helpers. Thanks @​Code-Hex!

Method Override Middleware

Method Override Middleware has been added. This middleware override the method of the real request with the specified method.

HTML form does not allow you to send a DELETE method request. Instead, by sending an input with name as _method and a value of DELETE, you can call the handler registered in app.delete().

const app = new Hono()

// If no options are specified, the value of `_method` in the form,
// e.g. DELETE, is used as the method.
app.use('/posts', methodOverride({ app }))

app.delete('/posts', (c) => {
  // ....
})

Trailing Slash Middleware

Trailing Slash Middleware resolves the handling of Trailing Slashes in GET requests. You can use appendTrailingSlash and trimTrailingSlash functions.

For example, it redirects a GET request to /about/me to /about/me/.

import { Hono } from 'hono'
import { appendTrailingSlash } from 'hono/trailing-slash'

const app = new Hono({ strict: true })

app.use(appendTrailingSlash())
app.get('/about/me/', (c) => c.text('With Trailing Slash'))

Thanks @​rnmeow!

Other features

• SSG Helper - Support extensionMap https://github.com/honojs/hono/pull/2382
• JSX/DOM - Add userId hook https://github.com/honojs/hono/pull/2389
• JWT Middleware - Improve error handling https://github.com/honojs/hono/pull/2406
• Request - Cache the body for re-using https://github.com/honojs/hono/pull/2416
• JWT Util - Add type helper to payload https://github.com/honojs/hono/pull/2424
• CORS Middleware - Pass context to options.origin function https://github.com/honojs/hono/pull/2436
• Cache Middleware - Support for the vary header option https://github.com/honojs/hono/pull/2426
• HTTP Exception - Add cause option https://github.com/honojs/hono/pull/2224
• Logger - Support NO_COLOR https://github.com/honojs/hono/pull/2228
• JWT Middleware - Add JwtTokenInvalid object as cause when JWT is invalid https://github.com/honojs/hono/pull/2448
• Bearer Auth Middleware - Add verifyToken option https://github.com/honojs/hono/pull/2449
• Basic Auth Middleware - Add verifyUser option https://github.com/honojs/hono/pull/2450

All Updates

• feat(jwt): supported RS256, RS384, RS512 algorithm for JWT by @​Code-Hex in https://github.com/honojs/hono/pull/2339
• added remain algorithm for JWT by @​Code-Hex in https://github.com/honojs/hono/pull/2352
• acceptable CryptoKey in JWT sign and verify by @​Code-Hex in https://github.com/honojs/hono/pull/2373
• feat(ssg): Support extentionMap by @​watany-dev in https://github.com/honojs/hono/pull/2382
• feat(jwt): support remaining algorithms by @​yusukebe in https://github.com/honojs/hono/pull/2368
• feat(jsx): add useId hook by @​usualoma in https://github.com/honojs/hono/pull/2389
• feat(middleware/jwt): improve error handling by @​tfkhdyt in https://github.com/honojs/hono/pull/2406
• feat(request): cache body for reusing by @​yusukebe in https://github.com/honojs/hono/pull/2416
• feat(jwt): Add type helper to payload by @​nakasyou in https://github.com/honojs/hono/pull/2424
• feat: introduce Method Override Middleware by @​yusukebe in https://github.com/honojs/hono/pull/2420
• feat(middleware/cors): pass context to options.origin function by @​okmr-d in https://github.com/honojs/hono/pull/2436
• feat: support for vary header in cache middleware by @​naporin0624 in https://github.com/honojs/hono/pull/2426
• feat: add middlewares resolve trailing slashes on GET request by @​rnmeow in https://github.com/honojs/hono/pull/2408
• test: stub crypto if not exist by @​yusukebe in https://github.com/honojs/hono/pull/2445
• feat(jwt): literal typed alg option value by @​yusukebe in https://github.com/honojs/hono/pull/2446
• test(ssg): add test for content-type includes ; by @​yusukebe in https://github.com/honojs/hono/pull/2447
• feat(jwt): add JwtTokenInvalid object as cause when JWT is invalid by @​yusukebe in https://github.com/honojs/hono/pull/2448
• feat(bearer-auth): add verifyToken option by @​yusukebe in https://github.com/honojs/hono/pull/2449
• feat(basic-auth): add verifyUser option by @​yusukebe in https://github.com/honojs/hono/pull/2450
• Next by @​yusukebe in https://github.com/honojs/hono/pull/2454

New Contributors

• @​tfkhdyt made their first contribution in https://github.com/honojs/hono/pull/2406
• @​okmr-d made their first contribution in https://github.com/honojs/hono/pull/2436
• @​naporin0624 made their first contribution in https://github.com/honojs/hono/pull/2426
• @​rnmeow made their first contribution in https://github.com/honojs/hono/pull/2408

Full Changelog: honojs/hono@v4.1.7...v4.2.0

v4.1.7

Compare Source

What's Changed

• fix(cache): check globalThis.caches by @​yusukebe in https://github.com/honojs/hono/pull/2444

Full Changelog: honojs/hono@v4.1.6...v4.1.7

v4.1.6

Compare Source

What's Changed

• chore(benchmark): add "loop" script by @​yusukebe in https://github.com/honojs/hono/pull/2431
• fix(cache): not enabled if caches is not defined by @​yusukebe in https://github.com/honojs/hono/pull/2443

Full Changelog: honojs/hono@v4.1.5...v4.1.6

v4.1.5

Compare Source

What's Changed

• perf: Don't use Arrap.prototype.map if it is not needed return value by @​nakasyou in https://github.com/honojs/hono/pull/2419
• fix(aws-lambda): handle response without body (#​2401) by @​KnisterPeter in https://github.com/honojs/hono/pull/2413
• fix(validator): await cached contents by @​yusukebe in https://github.com/honojs/hono/pull/2430

New Contributors

• @​KnisterPeter made their first contribution in https://github.com/honojs/hono/pull/2413

Full Changelog: honojs/hono@v4.1.4...v4.1.5

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.