[Snyk] Upgrade hono from 4.1.3 to 4.6.5 #41
Snyk has created this PR to upgrade hono from 4.1.3 to 4.6.5.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 62 versions ahead of your current version.
The recommended version was released a month ago.
Issues fixed by the recommended upgrade:
SNYK-JS-HONO-6672874
SNYK-JS-HONO-8220272
SNYK-JS-HONO-7814167
Release notes
Package name: hono
Security fix for CSRF Protection Middleware
This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this `hono` package immediately.

Before this release, a request without a `Content-Type` header can bypass the protection. This fix does not allow it. See: GHSA-2234-fmw7-43wr

What's Changed
`v2` by @yusukebe in #3506
`Access-Control-Allow-Origin` if there is no matching origin by @uki00a in #3510
New Contributors
Full Changelog: v4.6.4...v4.6.5
What's Changed
`crypto-js` from dev dependencies by @yusukebe in #3447
`createMiddleware` by @yusukebe in #3498
`globalThis` by @sapphi-red in #3500
`override` to `toStringToBuffer` in classes extending `JSXNode` by @yusukebe in #3505
New Contributors
Full Changelog: v4.6.3...v4.6.4
This release has many new features, but each feature is small, so we've released it as a patch release.
What's Changed
`runtime_tests` to `runtime-tests` by @yusukebe in #3419
`every` middleware work with short-circuiting middlewares by @paolostyle in #3441
`renderToString` by @usualoma in #3432
New Contributors
Full Changelog: v4.6.2...v4.6.3
What's Changed
Full Changelog: v4.6.1...v4.6.2
What's Changed
New Contributors
Full Changelog: v4.6.0...v4.6.1
Hono v4.6.0 is now available!
One of the highlights of this release is the Context Storage Middleware. Let's introduce it.
Context Storage Middleware
Many users may have been waiting for this feature. The Context Storage Middleware uses `AsyncLocalStorage` to allow handling of the current Context object even outside of handlers.

For example, let's define a Hono app with a variable `message: string`.

```ts
import { Hono } from 'hono'
import { contextStorage, getContext } from 'hono/context-storage'

type Env = {
  Variables: {
    message: string
  }
}

const app = new Hono<Env>()
```
To enable Context Storage Middleware, register `contextStorage()` as middleware at the top and set the `message` value.

```ts
//...
app.use(contextStorage())

app.use(async (c, next) => {
  c.set('message', 'Hello!')
  await next()
})
```
`getContext()` returns the current Context object, allowing you to get the value of the `message` variable outside the handler.

```ts
app.get('/', (c) => {
  return c.text(getMessage())
})

// Access the variable outside the handler.
const getMessage = () => {
  return getContext<Env>().var.message
}
```
In the case of Cloudflare Workers, you can also access the `Bindings` outside the handler by using this middleware.

```ts
type Env = {
  Bindings: {
    KV: KVNamespace
  }
}

const app = new Hono<Env>()

app.use(contextStorage())

// Write to the KV binding from outside a handler.
const setKV = (value: string) => {
  return getContext<Env>().env.KV.put('key', value)
}
```
Thanks @marceloverdijk!
New features
`c.env.eventContext` in handleMiddleware #3332
`WSContext` #3337
`Content-Encoding` when `stream` is true #3355
`precompressed` option #3366
`Promise<string>` or (async) `JSX.Element` in `streamSSE` #3344
`onFound` option #3396
Other changes
New Contributors
Full Changelog: v4.5.11...v4.6.0
What's Changed
`Twitter` to `X` by @yusukebe in #3354
New Contributors
Full Changelog: v4.5.10...v4.5.11
What's Changed
New Contributors
Full Changelog: v4.5.9...v4.5.10
What's Changed
`NO_COLOR` by @ryuapp in #3306
`type` (MIME) attribute types by @ssssota in #3305
Full Changelog: v4.5.8...v4.5.9
Security Fix for CSRF Protection Middleware
Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including `Content-Types` with uppercase letters (e.g., `Application/x-www-form-urlencoded`) as potential attacks, allowing them to pass.

This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately.
For more details, see the report here: GHSA-rpfr-3m35-5vx5
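
The two CSRF fixes in these release notes (a missing `Content-Type` header in 4.6.5, uppercase letters in the header value in 4.5.8) both concern how a middleware decides that a request needs an origin check. The following is an added example, not Hono's source or part of the original PR: a simplified model of such a gate in a flawed and a hardened form, where the function names, `TRUSTED_ORIGIN` and the sample requests are constructed, and header names are assumed to be lower-cased already.

```javascript
// Added example: a simplified model of a CSRF middleware's Content-Type gate.
// Not Hono's source. Names, origins and sample requests are constructed.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_METHODS = new Set(['GET', 'HEAD']);
const TRUSTED_ORIGIN = 'https://app.example'; // assumed site origin

// Flawed gate: case-sensitive prefix match; a missing header means "not a form".
function needsOriginCheckFlawed(req) {
  if (SAFE_METHODS.has(req.method)) return false;
  const ct = req.headers['content-type'];
  if (ct === undefined) return false;
  return FORM_TYPES.some((t) => ct.startsWith(t));
}

// Hardened gate: a missing or empty header is treated like a form submission,
// and the media type is compared case-insensitively with parameters stripped.
function needsOriginCheckHardened(req) {
  if (SAFE_METHODS.has(req.method)) return false;
  const raw = req.headers['content-type'];
  if (raw === undefined || raw.trim() === '') return true;
  const mediaType = raw.split(';')[0].trim().toLowerCase();
  return FORM_TYPES.includes(mediaType);
}

// A request passes if the gate sees no form-style body or the Origin is trusted.
function isAllowed(req, gate) {
  return !gate(req) || req.headers['origin'] === TRUSTED_ORIGIN;
}

// Constructed requests; header names are assumed to be lower-cased already.
const SAMPLES = {
  sameSiteForm: { method: 'POST', headers: { origin: TRUSTED_ORIGIN, 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8' } },
  crossSiteLowercase: { method: 'POST', headers: { origin: 'https://other.example', 'content-type': 'application/x-www-form-urlencoded' } },
  crossSiteUppercase: { method: 'POST', headers: { origin: 'https://other.example', 'content-type': 'Application/x-www-form-urlencoded' } },
  crossSiteNoContentType: { method: 'POST', headers: { origin: 'https://other.example' } },
};

// Run every sample through both gates and report whether it would be allowed.
function compareGates() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    out[name] = { flawed: isAllowed(req, needsOriginCheckFlawed), hardened: isAllowed(req, needsOriginCheckHardened) };
  }
  return out;
}

console.log(compareGates());
```

The same four requests make a compact regression test to run against an application after the upgrade: the two cross-site variants that the flawed gate lets through must be rejected.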