fix(deps): update dependency hono to v3.11.7 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| hono (source) | 3.11.4 -> 3.11.7 | | | | |
GitHub Vulnerability Alerts
CVE-2023-50710
Impact
The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.
TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.
Code to reproduce it. The server-side application:
```ts
import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

// Sleep helper used to give concurrent requests a chance to interleave
const wait = async (ms: number) => {
  return new Promise((resolve) => {
    setTimeout(resolve, ms)
  })
}

// TrieRouter is selected explicitly to trigger the issue
const app = new Hono({ router: new TrieRouter() })

// Middleware that delays every request by a random amount before the handler runs
app.use('*', async (c, next) => {
  await wait(Math.random() * 200)
  return next()
})

// The handler reads the named path parameters only after the delay above
app.get('/modules/:id/versions/:version', async (c) => {
  const id = c.req.param('id')
  const version = c.req.param('version')
  console.log('path', c.req.path)
  console.log('version', version)
  return c.json({
    id,
    version,
  })
})

export default app
```
The client code which makes requests to the server application:
```ts
const examples = [
  'http://localhost:8787/modules/first/versions/first',
  'http://localhost:8787/modules/second/versions/second',
  'http://localhost:8787/modules/third/versions/third',
]

// Fire all requests concurrently and compare each response's version with the
// last path segment of the URL that was requested
const test = () => {
  for (const example of examples) {
    fetch(example)
      .then((response) => response.json())
      .then((data) => {
        const splitted = example.split('/')
        const expected = splitted[splitted.length - 1]
        if (expected !== data.version) {
          console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)
        }
      })
  }
}

test()
```
The results:
```text
Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first
```
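To make the failure mode above concrete without a running server, here is a constructed, simplified model of a trie router (added for this PR page, not Hono's code): the vulnerable variant keeps one params object per route and mutates it on every match, so a handler that reads its params after slow middleware sees the values of whichever request matched last; the fixed variant allocates a fresh object per match.

```typescript
type Params = Record<string, string>;

class Node {
  children = new Map<string, Node>();
  paramName?: string;
  isRoute = false;
  params: Params = {}; // per-route storage reused by the vulnerable variant
}

// Constructed model of the advisory's bug class; not the real TrieRouter.
class TrieModel {
  private root = new Node();
  // shareParams=true models the bug: one params object per route, overwritten on each match
  constructor(private readonly shareParams: boolean) {}

  add(pattern: string): void {
    let n = this.root;
    for (const seg of pattern.split('/').filter(Boolean)) {
      const key = seg.startsWith(':') ? ':' : seg;
      if (!n.children.has(key)) n.children.set(key, new Node());
      n = n.children.get(key)!;
      if (key === ':') n.paramName = seg.slice(1);
    }
    n.isRoute = true;
  }

  match(path: string): Params | undefined {
    let n = this.root;
    const captured: [string, string][] = [];
    for (const seg of path.split('/').filter(Boolean)) {
      const next = n.children.get(seg) ?? n.children.get(':'); // static segment wins
      if (!next) return undefined;
      if (next.paramName) captured.push([next.paramName, seg]);
      n = next;
    }
    if (!n.isRoute) return undefined;
    const params: Params = this.shareParams ? n.params : {}; // fixed variant: fresh object
    for (const [k, v] of captured) params[k] = v;
    return params;
  }
}

// Matches every in-flight request first (as the server does on arrival), then reads the
// params afterwards, as a handler does once the random-delay middleware has finished.
export function observedVersions(shareParams: boolean): string[] {
  const router = new TrieModel(shareParams);
  router.add('/modules/:id/versions/:version');
  const versions = ['first', 'second', 'third'];
  const matched = versions.map((v) => router.match(`/modules/${v}/versions/${v}`)!);
  return matched.map((p) => p.version);
}
```

With the shared object every request reports `third`, matching the errors logged above; with per-match allocation each request gets its own value.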
Patches
Version v3.11.7 includes the change that fixes this issue.
Workarounds
Don't use TrieRouter directly.
```ts
// DON'T USE TrieRouter
import { TrieRouter } from 'hono/router/trie-router'
const app = new Hono({ router: new TrieRouter() })
```
References
Router options on the Hono website: https://hono.dev/api/hono#router-option
Release Notes
honojs/hono (hono)
v3.11.7
Security Update
This release includes a security patch that fixes the vulnerability in TrieRouter.
If you are using the default preset or hono/quick, or specifying the router as TrieRouter, you must upgrade to this version 3.11.7 immediately.
How to upgrade
For Deno
Just increment the version specifier to v3.11.7.
```ts
import { Hono } from 'https://deno.land/x/hono@v3.11.7/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v3.11.7/middleware.ts'
```
For Node.js
Upgrade the hono package via npm:
```sh
npm install hono
# OR
yarn add hono
# OR
pnpm up hono
```
`npm update` may not update the hono package, so use `npm install`.
The vulnerability detail
The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.
TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.
The advisory: https://github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vq
Our Approach to Security
If you discover such a vulnerability, please contact us immediately. We will respond immediately; we have enabled GitHub's private vulnerability reporting feature, so please use that.
https://github.com/honojs/hono/security/advisories
Thanks.
Full Changelog: https://github.com/honojs/hono/compare/v3.11.6...v3.11.7
v3.11.6
What's Changed
- fix(context): set `status` correctly by @yusukebe in https://github.com/honojs/hono/pull/1814
Full Changelog: https://github.com/honojs/hono/compare/v3.11.5...v3.11.6
v3.11.5
What's Changed
- fix(context): set headers values correctly by @yusukebe in https://github.com/honojs/hono/pull/1808
- docs(readme): update `hono/tiny` size by @ryuapp in https://github.com/honojs/hono/pull/1809
- fix(context): `c.json()` allows object and returns JSONParsed<T> by @yusukebe in https://github.com/honojs/hono/pull/1806
New Contributors
- @ryuapp made their first contribution in https://github.com/honojs/hono/pull/1809
Full Changelog: https://github.com/honojs/hono/compare/v3.11.4...v3.11.5
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.