From 9280c6b3da7ac29b8ab1d7a5ac282a104179a26d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 22 Aug 2024 17:38:15 +0000
Subject: [PATCH] Update dependency hono to v4.5.8 [SECURITY] (#130)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [hono](https://hono.dev/) ([source](https://togithub.com/honojs/hono)) | [`4.5.5` -> `4.5.8`](https://renovatebot.com/diffs/npm/hono/4.5.5/4.5.8) | [![age](https://developer.mend.io/api/mc/badges/age/npm/hono/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/hono/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/hono/4.5.5/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/hono/4.5.5/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
### GitHub Vulnerability Alerts
#### [CVE-2024-43787](https://togithub.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5)
### Summary
Hono CSRF middleware can be bypassed using crafted Content-Type header.
### Details
MIME types are case insensitive, but `isRequestedByFormElementRe` only
matches lower-case.
https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17
As a result, an attacker can bypass the csrf middleware using an upper-case
form-like MIME type, such as "Application/x-www-form-urlencoded".
### PoC
```html
CSRF Test
CSRF Test
```
### Impact
Bypass csrf protection implemented with hono csrf middleware.
### Discussion
I'm not sure that omitting csrf checks for Simple POST request is a good
idea.
CSRF prevention and CORS are different concepts even though CORS can
prevent CSRF in some cases.
---
### Release Notes
honojs/hono (hono)
### [`v4.5.8`](https://togithub.com/honojs/hono/releases/tag/v4.5.8)
[Compare Source](https://togithub.com/honojs/hono/compare/v4.5.7...v4.5.8)
##### Security Fix for CSRF Protection Middleware
Before this release, in versions 4.5.7 and below, the CSRF Protection
Middleware did not treat requests including `Content-Types` with
uppercase letters (e.g., `Application/x-www-form-urlencoded`) as
potential attacks, allowing them to pass.
This could cause unexpected behavior, leading to a vulnerability. If you
are using the CSRF Protection Middleware, please upgrade to version
4.5.8 or higher immediately.
For more details, see the report here:
https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5
### [`v4.5.7`](https://togithub.com/honojs/hono/releases/tag/v4.5.7)
[Compare Source](https://togithub.com/honojs/hono/compare/v4.5.6...v4.5.7)
#### What's Changed
- fix(jsx/dom): Fixed a bug that caused Script elements to turn into
Style elements. by [@usualoma](https://togithub.com/usualoma) in
[https://github.com/honojs/hono/pull/3294](https://togithub.com/honojs/hono/pull/3294)
- perf(jsx/dom): improve performance by
[@usualoma](https://togithub.com/usualoma) in
[https://github.com/honojs/hono/pull/3288](https://togithub.com/honojs/hono/pull/3288)
- feat(jsx): improve a-tag types with well known values by
[@ssssota](https://togithub.com/ssssota) in
[https://github.com/honojs/hono/pull/3287](https://togithub.com/honojs/hono/pull/3287)
- fix(validator): Fixed a bug in hono/validator where URL Encoded Data
could not be validated if the Content-Type included charset. by
[@uttk](https://togithub.com/uttk) in
[https://github.com/honojs/hono/pull/3297](https://togithub.com/honojs/hono/pull/3297)
- feat(jsx): improve `target` and `formtarget` attribute types by
[@ssssota](https://togithub.com/ssssota) in
[https://github.com/honojs/hono/pull/3299](https://togithub.com/honojs/hono/pull/3299)
- docs(README): change Twitter to X by
[@nakasyou](https://togithub.com/nakasyou) in
[https://github.com/honojs/hono/pull/3301](https://togithub.com/honojs/hono/pull/3301)
- fix(client): replace optional params to url correctly by
[@yusukebe](https://togithub.com/yusukebe) in
[https://github.com/honojs/hono/pull/3304](https://togithub.com/honojs/hono/pull/3304)
- feat(jsx): improve input attribute types based on react by
[@ssssota](https://togithub.com/ssssota) in
[https://github.com/honojs/hono/pull/3302](https://togithub.com/honojs/hono/pull/3302)
#### New Contributors
- [@uttk](https://togithub.com/uttk) made their first
contribution in
[https://github.com/honojs/hono/pull/3297](https://togithub.com/honojs/hono/pull/3297)
**Full Changelog**:
https://github.com/honojs/hono/compare/v4.5.6...v4.5.7
### [`v4.5.6`](https://togithub.com/honojs/hono/releases/tag/v4.5.6)
[Compare Source](https://togithub.com/honojs/hono/compare/v4.5.5...v4.5.6)
#### What's Changed
- fix(jsx): handle async component error explicitly and throw the error
in the response by [@usualoma](https://togithub.com/usualoma) in
[https://github.com/honojs/hono/pull/3274](https://togithub.com/honojs/hono/pull/3274)
- fix(validator): support multipart headers without a separating space
by [@Ernxst](https://togithub.com/Ernxst) in
[https://github.com/honojs/hono/pull/3286](https://togithub.com/honojs/hono/pull/3286)
- fix(validator): Allow form data with multiple values appended by
[@nicksrandall](https://togithub.com/nicksrandall) in
[https://github.com/honojs/hono/pull/3273](https://togithub.com/honojs/hono/pull/3273)
- feat(jsx): improve meta-tag types with well known values by
[@ssssota](https://togithub.com/ssssota) in
[https://github.com/honojs/hono/pull/3276](https://togithub.com/honojs/hono/pull/3276)
#### New Contributors
- [@Ernxst](https://togithub.com/Ernxst) made their first
contribution in
[https://github.com/honojs/hono/pull/3286](https://togithub.com/honojs/hono/pull/3286)
- [@ssssota](https://togithub.com/ssssota) made their first
contribution in
[https://github.com/honojs/hono/pull/3276](https://togithub.com/honojs/hono/pull/3276)
**Full Changelog**:
https://github.com/honojs/hono/compare/v4.5.5...v4.5.6
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone America/Chicago,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job log](https://developer.mend.io/github/autoblocksai/cli).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
package-lock.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
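The advisory above boils down to one classification step: deciding whether a request's Content-Type is one a plain HTML form can send, and doing so with a matcher that only recognised the lowercase spelling. The following TypeScript is an added illustration written for this page, not code from Hono or from this PR: it models that step with a case-sensitive matcher beside a case-normalising one and runs a constructed cross-site POST through a simplified CSRF decision. The function names, the `RequestLike` shape, the regex and the sample origins are all assumptions for the example.

```typescript
// Added illustration, not code from Hono: a minimal model of how a CSRF
// middleware classifies the Content-Type header, contrasting a matcher that
// only recognises lowercase MIME types (the defect described in
// GHSA-rpfr-3m35-5vx5) with one that normalises case first. Function names
// and the request shape are assumptions for this example.

// MIME types a plain HTML <form> can submit cross-site without a CORS
// preflight; a CSRF check has to treat non-safe requests carrying them as
// potentially forged.
const FORM_MEDIA_TYPES: readonly string[] = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]

// Case-sensitive matcher: only the lowercase spelling matches, so a header
// such as "Application/x-www-form-urlencoded" is not recognised as form-like.
function isFormLikeCaseSensitive(contentType: string): boolean {
  return /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)(\s*;.*)?$/.test(contentType)
}

// Extract the media type and lowercase it: RFC 2045 defines type and subtype
// as case-insensitive, and parameters such as charset or boundary do not
// affect the classification.
function mediaType(contentType: string): string {
  const [type = ''] = contentType.split(';')
  return type.trim().toLowerCase()
}

// Hardened matcher: compare on the normalised media type.
function isFormLikeCaseInsensitive(contentType: string): boolean {
  return FORM_MEDIA_TYPES.includes(mediaType(contentType))
}

// Simplified request model for the decision below (constructed for the example).
interface RequestLike {
  method: string
  origin: string | null      // value of the Origin header, if present
  contentType: string | null // value of the Content-Type header, if present
}

// Simplified CSRF decision: safe methods pass; a non-safe request with a
// form-like body must carry the allowed Origin. A missing Content-Type is
// treated as text/plain, the conservative choice, since a form can send that.
function csrfDecision(
  req: RequestLike,
  isFormLike: (contentType: string) => boolean,
  allowedOrigin: string,
): 'allow' | 'block' {
  if (req.method === 'GET' || req.method === 'HEAD' || req.method === 'OPTIONS') return 'allow'
  if (!isFormLike(req.contentType ?? 'text/plain')) return 'allow'
  return req.origin === allowedOrigin ? 'allow' : 'block'
}

// Constructed sample: a cross-site POST whose Content-Type uses uppercase,
// the shape of request the advisory says slipped past the lowercase matcher.
const crossSiteUpperCasePost: RequestLike = {
  method: 'POST',
  origin: 'https://attacker.example',
  contentType: 'Application/x-www-form-urlencoded',
}

console.log('case-sensitive matcher:', csrfDecision(crossSiteUpperCasePost, isFormLikeCaseSensitive, 'https://app.example'))
console.log('case-insensitive matcher:', csrfDecision(crossSiteUpperCasePost, isFormLikeCaseInsensitive, 'https://app.example'))
```

The point to take from the two decisions is that the hardened path still lets a same-origin form POST and a cross-site JSON request through; only the classification of the media type changes, so the fix is narrow and does not rely on CORS to do the CSRF middleware's job.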
diff --git a/package-lock.json b/package-lock.json
index 6c50542..14b6fab 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2782,9 +2782,9 @@
}
},
"node_modules/hono": {
- "version": "4.5.5",
- "resolved": "https://registry.npmjs.org/hono/-/hono-4.5.5.tgz",
- "integrity": "sha512-fXBXHqaVfimWofbelLXci8pZyIwBMkDIwCa4OwZvK+xVbEyYLELVP4DfbGaj1aEM6ZY3hHgs4qLvCO2ChkhgQw==",
+ "version": "4.5.8",
+ "resolved": "https://registry.npmjs.org/hono/-/hono-4.5.8.tgz",
+ "integrity": "sha512-pqpSlcdqGkpTTRpLYU1PnCz52gVr0zVR9H5GzMyJWuKQLLEBQxh96q45QizJ2PPX8NATtz2mu31/PKW/Jt+90Q==",
"license": "MIT",
"engines": {
"node": ">=16.0.0"
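Review bot: the diffstat shows only package-lock.json changing, so before merging confirm that package.json's declared range for hono still admits 4.5.8 (for example `^4.5.5`); if it pins an exact version, `npm ci` will refuse the lock/manifest mismatch. The `version`, `resolved` and `integrity` fields move together as expected; the new sha512 value can be cross-checked against the registry with `npm view hono@4.5.8 dist.integrity` so the lock entry is verified rather than trusted from the bot.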