[Snyk] Upgrade hono from 4.2.7 to 4.5.9

[priyanshukumar397]

Snyk has created this PR to upgrade hono from 4.2.7 to 4.5.9.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 41 versions ahead of your current version.

• The recommended version was released on 21 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Cross-Site Request Forgery (CSRF) SNYK-JS-HONO-7814167	436	Proof of Concept

Release notes

Package name: hono

• 4.5.9 - 2024-08-26
  

  What's Changed

  • test(types): broken test in future versions of typescript by @ m-shaka in #3310
  • fix(utils/color): Deno does not require permission for NO_COLOR by @ ryuapp in #3306
  • feat(jsx): improve type (MIME) attribute types by @ ssssota in #3305
  • feat(pretty-json): support custom query by @ nakasyou in #3300

  Full Changelog: v4.5.8...v4.5.9

• 4.5.8 - 2024-08-22
  

  Security Fix for CSRF Protection Middleware

  Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including Content-Types with uppercase letters (e.g., Application/x-www-form-urlencoded) as potential attacks, allowing them to pass.

  This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately.

  For more details, see the report here: GHSA-rpfr-3m35-5vx5

• 4.5.7 - 2024-08-21
  

  What's Changed

  • fix(jsx/dom): Fixed a bug that caused Script elements to turn into Style elements. by @ usualoma in #3294
  • perf(jsx/dom): improve performance by @ usualoma in #3288
  • feat(jsx): improve a-tag types with well known values by @ ssssota in #3287
  • fix(validator): Fixed a bug in hono/validator where URL Encoded Data could not be validated if the Content-Type included charset. by @ uttk in #3297
  • feat(jsx): improve target and formtarget attribute types by @ ssssota in #3299
  • docs(README): change Twitter to X by @ nakasyou in #3301
  • fix(client): replace optional params to url correctly by @ yusukebe in #3304
  • feat(jsx): improve input attribute types based on react by @ ssssota in #3302

  New Contributors

  • @ uttk made their first contribution in #3297

  Full Changelog: v4.5.6...v4.5.7

• 4.5.6 - 2024-08-17
  

  What's Changed

  • fix(jsx): handle async component error explicitly and throw the error in the response by @ usualoma in #3274
  • fix(validator): support multipart headers without a separating space by @ Ernxst in #3286
  • fix(validator): Allow form data will mutliple values appended by @ nicksrandall in #3273
  • feat(jsx): improve meta-tag types with well known values by @ ssssota in #3276

  New Contributors

  • @ Ernxst made their first contribution in #3286
  • @ ssssota made their first contribution in #3276

  Full Changelog: v4.5.5...v4.5.6

• 4.5.5 - 2024-08-11
  

  What's Changed

  • fix(jsx): allow null, undefined, and boolean to be returned from function component by @ usualoma in #3241
  • feat(context): Add types for c.header by @ nakasyou in #3221
  • fix(jsx): fix draggable type to accept boolean by @ yasuaki640 in #3253
  • feat(context): add Context-Type types to c.header by @ nakasyou in #3255
  • fix(serve-static): supports directory contains . and not end / by @ yusukebe in #3256

  Full Changelog: v4.5.4...v4.5.5

• 4.5.4 - 2024-08-06
  

  What's Changed

  • fix(jsx): corrects the type of 'draggable' attribute in intrinsic-elements.ts by @ yasuaki640 in #3224
  • feat(jsx): allow to merge CSSProperties declaration by @ jonasnobile in #3228
  • feat(client): Add WebSocket Provider Integration Tests and Enhance WebSocket Initialization by @ naporin0624 in #3213
  • fix(types): param in ValidationTargets supports optional param by @ yusukebe in #3229

  New Contributors

  • @ jonasnobile made their first contribution in #3228

  Full Changelog: v4.5.3...v4.5.4

• 4.5.3 - 2024-07-29
  

  What's Changed

  • fix(validator): Add double quotation marks to multipart checker regex by @ CPlusPatch in #3195
  • fix(validator): support application/json with a charset as JSON by @ yusukebe in #3199
  • fix(jsx): fix handling of SVG elements in JSX. by @ usualoma in #3204
  • fix(jsx/dom): fix performance issue with adding many new node listings by @ usualoma in #3205
  • fix(service-worker): refer to self.fetch correctly by @ yusukebe in #3200

  New Contributors

  • @ CPlusPatch made their first contribution in #3195

  Full Changelog: v4.5.2...v4.5.3

• 4.5.2 - 2024-07-27
  

  What's Changed

  • fix(helper/adapter): don't check navigator is undefined by @ yusukebe in #3171
  • fix(types): handle readonly array correctly by @ m-shaka in #3172
  • Revert "fix(helper/adapter): don't check navigator is undefined by @ yusukebe in #3173
  • fix(type): degradation of generic type handling by @ m-shaka in #3138
  • fix:(csrf) fix typo of csrf middleware by @ yasuaki640 in #3178
  • feat(secure-headers): remove "X-Powered-By" should be an option by @ EdamAme-x in #3177

  Full Changelog: v4.5.1...v4.5.2

• 4.5.1 - 2024-07-20
  

  What's Changed

  • chore: remove rimraf and use bun shell by @ nakasyou in #3146
  • chore: moving the setup file of vitest by @ EdamAme-x in #3157
  • fix(middleware/jwt): Changed the jwt-secret type to SignatureKey by @ JulesVerner in #3167
  • feat(bearer-auth): Allow empty bearer-auth middleware prefixes by @ prevostc in #3161
  • chore(factory): remove @ experimental from createApp by @ yusukebe in #3164
  • fix(client): support array values for query in ws by @ yusukebe in #3169
  • fix(validator): ignore content-type mismatches by @ yusukebe in #3165

  New Contributors

  • @ JulesVerner made their first contribution in #3167
  • @ prevostc made their first contribution in #3161

  Full Changelog: v4.5.0...v4.5.1

• 4.5.0 - 2024-07-16
  

  Hono v4.5.0 is now available!

  We have added three new built-in middleware. Now Hono is bringing 20 built-in middleware!

  1. Basic Authentication
  2. Bearer Authentication
  3. Body Limit
  4. Cache
  5. Combine
  6. Compress
  7. CORS
  8. CSRF Protection
  9. ETag
  10. IP Restriction
  11. JSX Renderer
  12. JWT
  13. Logger
  14. Method Override
  15. Pretty JSON
  16. Request ID
  17. Secure Headers
  18. Timeout
  19. Timing
  20. Trailing Slash

  Amazing! These truly make Hono batteries-included framework.

  Let's go through the new features in this release.

  IP Restrict Middleware

  Introducing IP Restrict Middleware. This middleware limits access to resources based on the IP address of the user.

  import { Hono } from 'hono'
  import { getConnInfo } from 'hono/bun'
  import { ipRestriction } from 'hono/ip-restriction'

  const app = new Hono()

  app.use(
  '*',
  ipRestriction(getConnInfo, {
  denyList: [],
  allowList: ['127.0.0.1', '::1']
  })
  )

  Thanks @ nakasyou!

  Combine Middleware

  Introducing Combine Middleware. This middleware combines multiple middleware functions into a single middleware, allowing you to create complex access controls by combining it with middleware like IP Restriction.

  import { Hono } from 'hono'
  import { bearerAuth } from 'hono/bearer-auth'
  import { getConnInfo } from 'hono/cloudflare-workers'
  import { every, some } from 'hono/combine'
  import { ipRestriction } from 'hono/ip-restriction'
  import { rateLimit } from '@/my-rate-limit'

  const app = new Hono()

  app.use(
  '*',
  some(
  every(ipRestriction(getConnInfo, { allowList: ['192.168.0.2'] }), bearerAuth({ token })),
  // If both conditions are met, rateLimit will not execute.
  rateLimit()
  )
  )

  app.get('/', (c) => c.text('Hello Hono!'))

  Thanks @ usualoma!

  Request ID Middleware

  Introducing Request ID Middleware. This middleware generates a unique ID for each request, which you can use in your handlers.

  import { Hono } from 'hono'
  import { requestId } from 'hono/request-id'

  const app = new Hono()

  app.use('*', requestId())

  app.get('/', (c) => {
  return c.text(Your request id is <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">c</span><span class="pl-kos">.</span><span class="pl-en">get</span><span class="pl-kos">(</span><span class="pl-s">'requestId'</span><span class="pl-kos">)</span><span class="pl-kos">}</span></span>)
  })

  Thanks @ ryuapp!

  Service Worker Adapter

  A Service Worker adapter has been added, making it easier to run Hono applications as Service Workers.

  For example, the following code works perfectly in a browser!

  import { Hono } from 'hono'
  import { handle } from 'hono/service-worker'

  const app = new Hono().basePath('/sw')
  app.get('/', (c) => c.text('Hello World'))

  self.addEventListener('fetch', handle(app))

  Thanks @ nakasyou!

  Cloudflare Pages Middleware

  The Cloudflare Pages adapter now includes a handleMiddleware function, allowing many Hono middleware to run as Cloudflare Pages middleware.

  For example, to apply basic authentication, you can use the built-in middleware as shown below.

  // functions/_middleware.ts
  import { handleMiddleware } from 'hono/cloudflare-pages'
  import { basicAuth } from 'hono/basic-auth'

  export const onRequest = handleMiddleware(
  basicAuth({
  username: 'hono',
  password: 'acoolproject'
  })
  )

  Thanks @ BarryThePenguin!

  React 19 Compatibility

  Hono JSX now supports React 19 compatible APIs.

  For example, the following hooks have been added:

  • useFormStatus()
  • useActionState()
  • useOptimistic()

  Additionally, rendering metadata within the <head /> tag is now supported. You can include elements like <title>, <meta>, and <link> within your components.

  https://hono.dev/top-page" />
  <h1>Top Page</h1>
  <p>Hono is a great framework!</p>
  </article>
  )
  })">

  import { Hono } from 'hono'
  
  import { jsxRenderer } from 'hono/jsx-renderer'
  
  const app = new Hono()
  app.use(
  
  jsxRenderer(({ children }) => {
  
  return (
  
  <html>
  
  <head></head>
  
  <body>{children}</body>
  
  </html>
  
  )
  
  })
  
  )
  app.get('/top-page', (c) => {
  
  return c.render(
  
  <article>
  
  <title>Top Page!</title>
  
  <link rel="canonical" href="https://hono.dev/top-page" />
  
  <h1>Top Page</h1>
  
  <p>Hono is a great framework!</p>
  
  </article>
  
  )
  
  })

  The above will render the following HTML:

  <!DOCTYPE html>
  <html>
    <head>
      <title>Top Page!</title>
      <link rel="canonical" href="https://hono.dev/top-page" />
    </head>
    <body>
      <article>
        <h1>Top Page</h1>
        <p>Hono is a great framework!</p>
      </article>
    </body>
  </html>

  See all changes in this PR: #2960

  Thanks @ usualoma!

  @ hono/react-compat

  Plus, with the new @ hono/react-compat, you can alias the react or react-dom used in your project to hono/jsx without any configuration.

  npm install react@npm:@ hono/react-compat react-dom@npm:@ hono/react-compat

  Passing interface as Bindings/Variables

  You can now pass interface to Bindings or Variables. This allows you to use the type definitions generated by the wrangler types command directly.

  interface Env {
    MY_KV_NAMESPACE: KVNamespace
    MY_VAR: string
    MY_DB: D1Database
  }

  Previously, only type definitions using type could be passed to Bindings. Now, interfaces like the Env example above can be used with generics.

  const app = new Hono<{
    Bindings: Env
  }>()

  Thanks @ ottomated!

  Other features

  • JWT - use Signed Cookie in JWT Middleware #2989
  • Vercel - add getConnInfo for Vercel Adapter #3085
  • Lambda@Edge - add getConnInfo helper for Lambda@Edge #3099

  All Updates

  • feat(jsx/dom): export createRoot and hydrateRoot from jsx/dom/client as default by @ usualoma in #2929
  • feat(jsx/server): introduce jsx/dom/server module for compatibility with react-dom/server by @ usualoma in #2930
  • feat(jsx/dom): Improve compatibility React (useCallback, React.StrictMode) by @ usualoma in

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 14 days.

[github-actions]

Closed as inactive. Feel free to reopen if this PR is still being worked on.