Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade hono from 2.7.8 to 4.6.3 #148

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade hono from 2.7.8 to 4.6.3 #148

wants to merge 1 commit into from
+1 −1

Conversation

Laurry-gee
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade hono from 2.7.8 to 4.6.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 207 versions ahead of your current version.

  • The recommended version was released on 23 days ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
medium severity Arbitrary Code Injection
SNYK-JS-HONO-6129070		 531 Proof of Concept
medium severity Improper Control of Generation of Code ('Code Injection')
SNYK-JS-HONO-6129121		 531 Proof of Concept
medium severity Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
SNYK-JS-HONO-6672874		 531 Proof of Concept
low severity Cross-Site Request Forgery (CSRF)
SNYK-JS-HONO-7814167		 531 Proof of Concept
Release notes
Package name: hono
  • 4.6.3 - 2024-09-24

    This release has many new features, but each feature is small, so we've released it as a patch release.

    What's Changed

    • chore: rename runtime_tests to runtime-tests by @ yusukebe in #3419
    • ci: Type check perf by @ m-shaka in #3406
    • refactor(jsx/streaming): Clarified the type of renderToReadableStream. by @ usualoma in #3434
    • perf(types): use homomorphic mapped type to reduce conditional branches by @ m-shaka in #3440
    • ci: prettify type check result and rm a comment by @ m-shaka in #3442
    • fix(types): useSyncExternalStore type by @ codehz in #3437
    • fix(combine/every): make every middleware work with short-circuiting middlewares by @ paolostyle in #3441
    • feat(secureHeader): add CSP Report-Only mode support by @ isoppp in #3413
    • feat(jwt): make JwtVariables generic for improved type safety by @ TinsFox in #3428
    • feat(request): Make request.ts available throught JSR for frameworks that need to instantiate HonoRequest by @ Sorikairox in #3425
    • feat(jsx/precompile): Normalization and stringification of attribute values as renderToString by @ usualoma in #3432
    • feat(serve-static): support absolute root by @ yusukebe in #3420

    New Contributors

    Full Changelog: v4.6.2...v4.6.3

  • 4.6.2 - 2024-09-17

    What's Changed

    • chore(lint): ESLint v9 by @ yusukebe in #3393
    • perf(serve-static): performance optimization for precompressed feature by @ usualoma in #3414
    • fix(serve-static): use application/octet-stream if the mime type is not detected by @ usualoma in #3415

    Full Changelog: v4.6.1...v4.6.2

  • 4.6.1 - 2024-09-11

    What's Changed

    • fix(build): improve addExtension esbuild plugin by @ kt3k in #3405

    New Contributors

    Full Changelog: v4.6.0...v4.6.1

  • 4.6.0 - 2024-09-11

    Hono v4.6.0 is now available!

    One of the highlights of this release is the Context Storage Middleware. Let's introduce it.

    Context Storage Middleware

    Many users may have been waiting for this feature. The Context Storage Middleware uses AsyncLocalStorage to allow handling of the current Context object even outside of handlers.

    For example, let’s define a Hono app with a variable message: string.

    type Env = {
    Variables: {
    message: string
    }
    }

    const app = new Hono<Env>()

    To enable Context Storage Middleware, register contextStorage() as middleware at the top and set the message value.

    import { contextStorage } from 'hono/context-storage'

    //...

    app.use(contextStorage())

    app.use(async (c, next) => {
    c.set('message', 'Hello!')
    await next()
    })

    getContext() returns the current Context object, allowing you to get the value of the message variable outside the handler.

    import { getContext } from 'hono/context-storage'

    app.get('/', (c) => {
    return c.text(getMessage())
    })

    // Access the variable outside the handler.
    const getMessage = () => {
    return getContext<Env>().var.message
    }

    In the case of Cloudflare Workers, you can also access the Bindings outside the handler by using this middleware.

    type Env = {
    Bindings: {
    KV: KVNamespace
    }
    }

    const app = new Hono<Env>()

    app.use(contextStorage())

    const setKV = (value: string) => {
    return getContext<Env>().env.KV.put('key', value)
    }

    Thanks @ marceloverdijk !

    New features

    • feat(secureHeader): add Permissions-Policy header to secure headers middleware #3314
    • feat(cloudflare-pages): enable c.env.eventContext in handleMiddleware #3332
    • feat(websocket): Add generics type to WSContext #3337
    • feat(jsx-renderer): set Content-Encoding when stream is true #3355
    • feat(serveStatic): add precompressed option #3366
    • feat(helper/streaming): Support Promise<string> or (async) JSX.Element in streamSSE #3344
    • feat(context): make fetch Response headers mutable #3318
    • feat(serve-static): add onFound option #3396
    • feat(basic-auth): added custom response message option #3371
    • feat(bearer-auth): added custom response message options #3372

    Other changes

    • chore(jsx-renderer): fix typo in JSDoc by @ taga3s in #3378
    • chore(deno): use the latest jsr libraries for testing by @ ryuapp in #3375
    • fix(secure-headers): optimize getPermissionsPolicyDirectives function by @ kbkn3 in #3398
    • fix(bearer-auth): typo by @ yusukebe in #3404

    New Contributors

    Full Changelog: v4.5.11...v4.6.0

  • 4.5.11 - 2024-09-03

    What's Changed

    New Contributors

    Full Changelog: v4.5.10...v4.5.11

  • 4.5.10 - 2024-08-31

    What's Changed

    New Contributors

    Full Changelog: v4.5.9...v4.5.10

  • 4.5.9 - 2024-08-26

    What's Changed

    • test(types): broken test in future versions of typescript by @ m-shaka in #3310
    • fix(utils/color): Deno does not require permission for NO_COLOR by @ ryuapp in #3306
    • feat(jsx): improve type (MIME) attribute types by @ ssssota in #3305
    • feat(pretty-json): support custom query by @ nakasyou in #3300

    Full Changelog: v4.5.8...v4.5.9

  • 4.5.8 - 2024-08-22

    Security Fix for CSRF Protection Middleware

    Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including Content-Types with uppercase letters (e.g., Application/x-www-form-urlencoded) as potential attacks, allowing them to pass.

    This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately.

    For more details, see the report here: GHSA-rpfr-3m35-5vx5

  • 4.5.7 - 2024-08-21

    What's Changed

    • fix(jsx/dom): Fixed a bug that caused Script elements to turn into Style elements. by @ usualoma in #3294
    • perf(jsx/dom): improve performance by @ usualoma in #3288
    • feat(jsx): improve a-tag types with well known values by @ ssssota in #3287
    • fix(validator): Fixed a bug in hono/validator where URL Encoded Data could not be validated if the Content-Type included charset. by @ uttk in #3297
    • feat(jsx): improve target and formtarget attribute types by @ ssssota in #3299
    • docs(README): change Twitter to X by @ nakasyou in #3301
    • fix(client): replace optional params to url correctly by @ yusukebe in #3304
    • feat(jsx): improve input attribute types based on react by @ ssssota in #3302

    New Contributors

    Full Changelog: v4.5.6...v4.5.7

  • 4.5.6 - 2024-08-17

    What's Changed

    • fix(jsx): handle async component error explicitly and throw the error in the response by @ usualoma in #3274
    • fix(validator): support multipart headers without a separating space by @ Ernxst in #3286
    • fix(validator): Allow form data will mutliple values appended by @ nicksrandall in #3273
    • feat(jsx): improve meta-tag types with well known values by @ ssssota in #3276

    New Contributors

    Full Changelog: v4.5.5...v4.5.6

  • 4.5.5 - 2024-08-11
  • 4.5.4 - 2024-08-06
  • 4.5.3 - 2024-07-29
  • 4.5.2 - 2024-07-27
  • 4.5.1 - 2024-07-20
  • 4.5.0 - 2024-07-16
  • 4.5.0-rc.2 - 2024-06-29
  • 4.5.0-rc.1 - 2024-06-12
  • 4.4.13 - 2024-07-11
  • 4.4.12 - 2024-07-06
  • 4.4.11 - 2024-07-03
  • 4.4.10 - 2024-06-29
  • 4.4.9 - 2024-06-27
  • 4.4.8 - 2024-06-24
  • 4.4.7 - 2024-06-19
  • 4.4.6 - 2024-06-13
  • 4.4.5 - 2024-06-11
  • 4.4.4 - 2024-06-06
  • 4.4.3 - 2024-06-03
  • 4.4.2 - 2024-05-30
  • 4.4.1 - 2024-05-30
  • 4.4.0 - 2024-05-27
  • 4.4.0-rc.1 - 2024-05-24
  • 4.3.11 - 2024-05-24
  • 4.3.10 - 2024-05-23
  • 4.3.9 - 2024-05-21
  • 4.3.8 - 2024-05-19
  • 4.3.7 - 2024-05-15
  • 4.3.6 - 2024-05-12
  • 4.3.5 - 2024-05-12
  • 4.3.4 - 2024-05-09
  • 4.3.3 - 2024-05-08
  • 4.3.2 - 2024-05-04
  • 4.3.1 - 2024-05-04
  • 4.3.0 - 2024-05-03
  • 4.2.9 - 2024-04-29
  • 4.2.8 - 2024-04-26
  • 4.2.7 - 2024-04-23
  • 4.2.6 - 2024-04-22
  • 4.2.5 - 2024-04-18
  • 4.2.4 - 2024-04-13
  • 4.2.3 - 2024-04-09
  • 4.2.2 - 2024-04-05
  • 4.2.1 - 2024-04-03
  • 4.2.0 - 2024-04-02
  • 4.2.0-rc.1 - 2024-03-31
  • 4.1.7 - 2024-03-31
  • 4.1.6 - 2024-03-31
  • 4.1.5 - 2024-03-27
  • 4.1.4 - 2024-03-25
  • 4.1.3 - 2024-03-20
  • 4.1.2 - 2024-03-18
  • 4.1.1 - 2024-03-17
  • 4.1.0 - 2024-03-11
  • 4.1.0-rc.1 - 2024-03-04
  • 4.0.10 - 2024-03-05
  • 4.0.9 - 2024-03-03
  • 4.0.8 - 2024-02-28
  • 4.0.7 - 2024-02-25
  • 4.0.6 - 2024-02-24
  • 4.0.5 - 2024-02-20
  • 4.0.4 - 2024-02-17
  • 4.0.3 - 2024-02-16
  • 4.0.2 - 2024-02-14
  • 4.0.1 - 2024-02-11
  • 4.0.0 - 2024-02-09
  • 4.0.0-rc.4 - 2024-02-03
  • 4.0.0-rc.3 - 2024-01-27
  • 4.0.0-rc.2 - 2024-01-21
  • 4.0.0-rc.1 - 2024-01-18
  • 4.0.0-rc.0 - 2024-01-10
  • 3.12.12 - 2024-02-07
  • 3.12.11 - 2024-02-05
  • 3.12.10 - 2024-02-02
  • 3.12.9 - 2024-01-31
  • 3.12.8 - 2024-01-27
  • 3.12.7 - 2024-01-25
  • 3.12.6 - 2024-01-18
  • 3.12.5 - 2024-01-16
  • 3.12.4 - 2024-01-15
  • 3.12.3 - 2024-01-12
  • 3.12.2 - 2024-01-11
  • 3.12.1 - 2024-01-09
  • 3.12.0 - 2024-01-04
  • 3.11.12 - 2024-01-01
  • 3.11.11 - 2023-12-26
  • 3.11.10 - 2023-12-24
  • 3.11.9 - 2023-12-21
  • 3.11.8 - 2023-12-16
  • 3.11.7 - 2023-12-14
  • 3.11.6 - 2023-12-13
  • 3.11.5 - 2023-12-13
  • 3.11.4 - 2023-12-09
  • 3.11.3 - 2023-12-07
  • 3.11.2 - 2023-12-05
  • 3.11.1 - 2023-12-04
  • 3.11.0 - 2023-12-04
  • 3.10.5 - 2023-12-03
  • 3.10.4 - 2023-12-01
  • 3.10.3 - 2023-11-28
  • 3.10.2 - 2023-11-21
  • 3.10.1 - 2023-11-15
  • 3.10.0 - 2023-11-13
  • 3.10.0-rc.2 - 2023-11-08
  • 3.10.0-rc.1 - 2023-11-06
  • 3.9.2 - 2023-11-03
  • 3.9.1 - 2023-10-31
  • 3.9.0 - 2023-10-27
  • 3.9.0-rc.1 - 2023-10-26
  • 3.8.4 - 2023-10-26
  • 3.8.3 - 2023-10-22
  • 3.8.2 - 2023-10-21
  • 3.8.1 - 2023-10-18
  • 3.8.0 - 2023-10-17
  • 3.8.0-rc.3 - 2023-10-16 ...

@snyk-bot
feat: upgrade hono from 2.7.8 to 4.6.3
10813e3 
Snyk has created this PR to upgrade hono from 2.7.8 to 4.6.3.

See this package in npm:
hono

See this project in Snyk:
https://app.snyk.io/org/laurry-gee/project/b5f5690f-a110-484e-85a4-d96c843d311a?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Laurry-gee @snyk-bot