[Snyk] Upgrade: , hono

[priyanshukumar397]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@hono/node-server
from 1.11.0 to 1.12.1 | 7 versions ahead of your current version | a month ago
on 2024-08-19
hono
from 4.2.7 to 4.5.9 | 41 versions ahead of your current version | 22 days ago
on 2024-08-26

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Cross-Site Request Forgery (CSRF) SNYK-JS-HONO-7814167	436	Proof of Concept

Release notes

Package name: @hono/node-server

• 1.12.1 - 2024-08-19
  

  What's Changed

  • fix: return response from res.body if internal data is not ready to be returned directly by @ usualoma in #188

  Full Changelog: v1.12.0...v1.12.1

• 1.12.0 - 2024-07-03
  

  What's Changed

  • fix(serve-static): supports extension less files by @ yusukebe in #183
  • feat: implement ConnInfo helper by @ nakasyou in #180

  New Contributors

  • @ nakasyou made their first contribution in #180

  Full Changelog: v1.11.5...v1.12.0

• 1.11.5 - 2024-07-02
  

  What's Changed

  • fix: make hono as external to build by @ yusukebe in #182

  Full Changelog: v1.11.4...v1.11.5

• 1.11.4 - 2024-06-20
  

  What's Changed

  • Expose ServerType from './types' by @ raighneweng in #178

  New Contributors

  • @ raighneweng made their first contribution in #178

  Full Changelog: v1.11.3...v1.11.4

• 1.11.3 - 2024-06-13
  

  What's Changed

  • Update readme with an example of proper "root" when using serveStatic by @ brettimus in #173
  • fix: avoid error when using TRACE method by @ usualoma in #175

  New Contributors

  • @ brettimus made their first contribution in #173

  Full Changelog: v1.11.2...v1.11.3

• 1.11.2 - 2024-05-30
  

  What's Changed

  • ci: include tests for node 22 version by @ Jayllyz in #170
  • fix: memory leak by AbortController by @ usualoma in #172

  New Contributors

  • @ Jayllyz made their first contribution in #170

  Full Changelog: v1.11.1...v1.11.2

• 1.11.1 - 2024-04-26
  

  What's Changed

  • Update Request to work with ReadableStream polyfills by @ nicksrandall in #164
  • refactor(serve-static): use c.req.path instead of url.pathname by @ yusukebe in #166

  New Contributors

  • @ nicksrandall made their first contribution in #164

  Full Changelog: v1.11.0...v1.11.1

• 1.11.0 - 2024-04-19
  

  What's Changed

  • feat: validate incoming host header by @ usualoma in #163

  Full Changelog: v1.10.1...v1.11.0

from @hono/node-server GitHub release notes

Package name: hono

• 4.5.9 - 2024-08-26
  

  What's Changed

  • test(types): broken test in future versions of typescript by @ m-shaka in #3310
  • fix(utils/color): Deno does not require permission for NO_COLOR by @ ryuapp in #3306
  • feat(jsx): improve type (MIME) attribute types by @ ssssota in #3305
  • feat(pretty-json): support custom query by @ nakasyou in #3300

  Full Changelog: v4.5.8...v4.5.9

• 4.5.8 - 2024-08-22
  

  Security Fix for CSRF Protection Middleware

  Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including Content-Types with uppercase letters (e.g., Application/x-www-form-urlencoded) as potential attacks, allowing them to pass.

  This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately.

  For more details, see the report here: GHSA-rpfr-3m35-5vx5

• 4.5.7 - 2024-08-21
  

  What's Changed

  • fix(jsx/dom): Fixed a bug that caused Script elements to turn into Style elements. by @ usualoma in #3294
  • perf(jsx/dom): improve performance by @ usualoma in #3288
  • feat(jsx): improve a-tag types with well known values by @ ssssota in #3287
  • fix(validator): Fixed a bug in hono/validator where URL Encoded Data could not be validated if the Content-Type included charset. by @ uttk in #3297
  • feat(jsx): improve target and formtarget attribute types by @ ssssota in #3299
  • docs(README): change Twitter to X by @ nakasyou in #3301
  • fix(client): replace optional params to url correctly by @ yusukebe in #3304
  • feat(jsx): improve input attribute types based on react by @ ssssota in #3302

  New Contributors

  • @ uttk made their first contribution in #3297

  Full Changelog: v4.5.6...v4.5.7

• 4.5.6 - 2024-08-17
  

  What's Changed

  • fix(jsx): handle async component error explicitly and throw the error in the response by @ usualoma in #3274
  • fix(validator): support multipart headers without a separating space by @ Ernxst in #3286
  • fix(validator): Allow form data will mutliple values appended by @ nicksrandall in #3273
  • feat(jsx): improve meta-tag types with well known values by @ ssssota in #3276

  New Contributors

  • @ Ernxst made their first contribution in #3286
  • @ ssssota made their first contribution in #3276

  Full Changelog: v4.5.5...v4.5.6

• 4.5.5 - 2024-08-11
  

  What's Changed

  • fix(jsx): allow null, undefined, and boolean to be returned from function component by @ usualoma in #3241
  • feat(context): Add types for c.header by @ nakasyou in #3221
  • fix(jsx): fix draggable type to accept boolean by @ yasuaki640 in #3253
  • feat(context): add Context-Type types to c.header by @ nakasyou in #3255
  • fix(serve-static): supports directory contains . and not end / by @ yusukebe in #3256

  Full Changelog: v4.5.4...v4.5.5

• 4.5.4 - 2024-08-06
  

  What's Changed

  • fix(jsx): corrects the type of 'draggable' attribute in intrinsic-elements.ts by @ yasuaki640 in #3224
  • feat(jsx): allow to merge CSSProperties declaration by @ jonasnobile in #3228
  • feat(client): Add WebSocket Provider Integration Tests and Enhance WebSocket Initialization by @ naporin0624 in #3213
  • fix(types): param in ValidationTargets supports optional param by @ yusukebe in #3229

  New Contributors

  • @ jonasnobile made their first contribution in #3228

  Full Changelog: v4.5.3...v4.5.4

• 4.5.3 - 2024-07-29
  

  What's Changed

  • fix(validator): Add double quotation marks to multipart checker regex by @ CPlusPatch in #3195
  • fix(validator): support application/json with a charset as JSON by @ yusukebe in #3199
  • fix(jsx): fix handling of SVG elements in JSX. by @ usualoma in #3204
  • fix(jsx/dom): fix performance issue with adding many new node listings by @ usualoma in #3205
  • fix(service-worker): refer to self.fetch correctly by @ yusukebe in #3200

  New Contributors

  • @ CPlusPatch made their first contribution in #3195

  Full Changelog: v4.5.2...v4.5.3

• 4.5.2 - 2024-07-27
  

  What's Changed

  • fix(helper/adapter): don't check navigator is undefined by @ yusukebe in #3171
  • fix(types): handle readonly array correctly by @ m-shaka in #3172
  • Revert "fix(helper/adapter): don't check navigator is undefined by @ yusukebe in #3173
  • fix(type): degradation of generic type handling by @ m-shaka in #3138
  • fix:(csrf) fix typo of csrf middleware by @ yasuaki640 in #3178
  • feat(secure-headers): remove "X-Powered-By" should be an option by @ EdamAme-x in #3177

  Full Changelog: v4.5.1...v4.5.2

• 4.5.1 - 2024-07-20
  

  What's Changed

  • chore: remove rimraf and use bun shell by @ nakasyou in #3146
  • chore: moving the setup file of vitest by @ EdamAme-x in #3157
  • fix(middleware/jwt): Changed the jwt-secret type to SignatureKey by @ JulesVerner in #3167
  • feat(bearer-auth): Allow empty bearer-auth middleware prefixes by @ prevostc in #3161
  • chore(factory): remove @ experimental from createApp by @ yusukebe in #3164
  • fix(client): support array values for query in ws by @ yusukebe in #3169
  • fix(validator): ignore content-type mismatches by @ yusukebe in #3165

  New Contributors

  • @ JulesVerner made their first contribution in #3167
  • @ prevostc made their first contribution in #3161

  Full Changelog: v4.5.0...v4.5.1

• 4.5.0 - 2024-07-16
  

  Hono v4.5.0 is now available!

  We have added three new built-in middleware. Now Hono is bringing 20 built-in middleware!

  1. Basic Authentication
  2. Bearer Authentication
  3. Body Limit
  4. Cache
  5. Combine
  6. Compress
  7. CORS
  8. CSRF Protection
  9. ETag
  10. IP Restriction
  11. JSX Renderer
  12. JWT
  13. Logger
  14. Method Override
  15. Pretty JSON
  16. Request ID
  17. Secure Headers
  18. Timeout
  19. Timing
  20. Trailing Slash

  Amazing! These truly make Hono batteries-included framework.

  Let's go through the new features in this release.

  IP Restrict Middleware

  Introducing IP Restrict Middleware. This middleware limits access to resources based on the IP address of the user.

  import { Hono } from 'hono'
  import { getConnInfo } from 'hono/bun'
  import { ipRestriction } from 'hono/ip-restriction'

  const app = new Hono()

  app.use(
  '*',
  ipRestriction(getConnInfo, {
  denyList: [],
  allowList: ['127.0.0.1', '::1']
  })
  )

  Thanks @ nakasyou!

  Combine Middleware

  Introducing Combine Middleware. This middleware combines multiple middleware functions into a single middleware, allowing you to create complex access controls by combining it with middleware like IP Restriction.

  import { Hono } from 'hono'
  import { bearerAuth } from 'hono/bearer-auth'
  import { getConnInfo } from 'hono/cloudflare-workers'
  import { every, some } from 'hono/combine'
  import { ipRestriction } from 'hono/ip-restriction'
  import { rateLimit } from '@/my-rate-limit'

  const app = new Hono()

  app.use(
  '*',
  some(
  every(ipRestriction(getConnInfo, { allowList: ['192.168.0.2'] }), bearerAuth({ token })),
  // If both conditions are met, rateLimit will not execute.
  rateLimit()
  )
  )

  app.get('/', (c) => c.text('Hello Hono!'))

  Thanks @ usualoma!

  Request ID Middleware

  Introducing Request ID Middleware. This middleware generates a unique ID for each request, which you can use in your handlers.

  import { Hono } from 'hono'
  import { requestId } from 'hono/request-id'

  const app = new Hono()

  app.use('*', requestId())

  app.get('/', (c) => {
  return c.text(Your request id is <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">c</span><span class="pl-kos">.</span><span class="pl-en">get</span><span class="pl-kos">(</span><span class="pl-s">'requestId'</span><span class="pl-kos">)</span><span class="pl-kos">}</span></span>)
  })

  Thanks @ ryuapp!

  Service Worker Adapter

  A Service Worker adapter has been added, making it easier to run Hono applications as Service Workers.

  For example, the following code works perfectly in a browser!

  import { Hono } from 'hono'
  import { handle } from 'hono/service-worker'

  const app = new Hono().basePath('/sw')
  app.get('/', (c) => c.text('Hello World'))

  self.addEventListener('fetch', handle(app))

  Thanks @ nakasyou!

  Cloudflare Pages Middleware

  The Cloudflare Pages adapter now includes a handleMiddleware function, allowing many Hono middleware to run as Cloudflare Pages middleware.

  For example, to apply basic authentication, you can use the built-in middleware as shown below.

  // functions/_middleware.ts
  import { handleMiddleware } from 'hono/cloudflare-pages'
  import { basicAuth } from 'hono/basic-auth'

  export const onRequest = handleMiddleware(
  basicAuth({
  username: 'hono',
  password: 'acoolproject'
  }</spa...

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 14 days.

[github-actions]

Closed as inactive. Feel free to reopen if this PR is still being worked on.