inngest / inngest-js

The developer platform for easily building reliable workflows with zero infrastructure for TypeScript & JavaScript
https://www.inngest.com/
GNU General Public License v3.0

Update dependency hono to v4.2.7 [SECURITY] #553

Closed renovate[bot] closed 5 months ago

renovate[bot] commented 5 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| hono (source) | 4.2.3 -> 4.2.7 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-32869

Summary

When using serveStatic with Deno, it is possible to perform directory traversal from the directory where main.ts is located.

My environment is configured as per this tutorial https://hono.dev/getting-started/deno

PoC

```text
$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt
```

source

```ts
import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'

const app = new Hono()
// Serves files for /static/* requests relative to the project root; in 4.2.6 a
// percent-encoded ".." in the request path is not confined to ./static
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)
```

request

```sh
curl localhost:8000/static/%2e%2e/main.ts
```

The response is the content of main.ts.

Impact

Unexpected files are retrieved.


Release Notes

honojs/hono (hono)

### [`v4.2.7`](https://togithub.com/honojs/hono/releases/tag/v4.2.7)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.6...v4.2.7)

This release fixes "[Restricted Directory Traversal in serveStatic with deno](https://togithub.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347)".

**Full Changelog**: https://github.com/honojs/hono/compare/v4.2.6...v4.2.7

### [`v4.2.6`](https://togithub.com/honojs/hono/releases/tag/v4.2.6)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.5...v4.2.6)

#### What's Changed

- refactor(adapter/aws): Optimize multiple call of same conditions with polymorphism by [@​exoego](https://togithub.com/exoego) in [https://github.com/honojs/hono/pull/2521](https://togithub.com/honojs/hono/pull/2521)
- fix(sse): close sse stream on end by [@​domeccleston](https://togithub.com/domeccleston) in [https://github.com/honojs/hono/pull/2529](https://togithub.com/honojs/hono/pull/2529)
- fix(client): Don't show `$ws` when not used WebSockets by [@​nakasyou](https://togithub.com/nakasyou) in [https://github.com/honojs/hono/pull/2532](https://togithub.com/honojs/hono/pull/2532)
- refactor(ssg): update utils.ts by [@​eltociear](https://togithub.com/eltociear) in [https://github.com/honojs/hono/pull/2519](https://togithub.com/honojs/hono/pull/2519)

#### New Contributors

- [@​domeccleston](https://togithub.com/domeccleston) made their first contribution in [https://github.com/honojs/hono/pull/2529](https://togithub.com/honojs/hono/pull/2529)
- [@​eltociear](https://togithub.com/eltociear) made their first contribution in [https://github.com/honojs/hono/pull/2519](https://togithub.com/honojs/hono/pull/2519)

**Full Changelog**: https://github.com/honojs/hono/compare/v4.2.5...v4.2.6

### [`v4.2.5`](https://togithub.com/honojs/hono/releases/tag/v4.2.5)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.4...v4.2.5)

#### What's Changed

- fix(client): Allow calling toString and valueOf on the proxy object by [@​ibash](https://togithub.com/ibash) in [https://github.com/honojs/hono/pull/2510](https://togithub.com/honojs/hono/pull/2510)
- fix(adapter): handle multi value headers in AWS Lambda by [@​exoego](https://togithub.com/exoego) in [https://github.com/honojs/hono/pull/2494](https://togithub.com/honojs/hono/pull/2494)
- fix(client): should not remove trailing slash from top-level URL by [@​yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2523](https://togithub.com/honojs/hono/pull/2523)
- fix(jsx/dom): remove lookbehind assertion in event regexp by [@​usualoma](https://togithub.com/usualoma) in [https://github.com/honojs/hono/pull/2524](https://togithub.com/honojs/hono/pull/2524)

#### New Contributors

- [@​ibash](https://togithub.com/ibash) made their first contribution in [https://github.com/honojs/hono/pull/2510](https://togithub.com/honojs/hono/pull/2510)

**Full Changelog**: https://github.com/honojs/hono/compare/v4.2.4...v4.2.5

### [`v4.2.4`](https://togithub.com/honojs/hono/releases/tag/v4.2.4)

[Compare Source](https://togithub.com/honojs/hono/compare/v4.2.3...v4.2.4)

#### What's Changed

- fix(jwt): Make JWT Header `typ` Field Optional to Enhance Compatibility by [@​naporin0624](https://togithub.com/naporin0624) in [https://github.com/honojs/hono/pull/2488](https://togithub.com/honojs/hono/pull/2488)
- fix(testing): set `baseUrl` for `testClient` by [@​yusukebe](https://togithub.com/yusukebe) in [https://github.com/honojs/hono/pull/2496](https://togithub.com/honojs/hono/pull/2496)
- fix(validator): Default use to `OutputTypeExcludeResponseType` when `InputType` is unknown by [@​nagasawaryoya](https://togithub.com/nagasawaryoya) in [https://github.com/honojs/hono/pull/2500](https://togithub.com/honojs/hono/pull/2500)
- refactor(trie-router): parentPatterns is updated but never queried by [@​exoego](https://togithub.com/exoego) in [https://github.com/honojs/hono/pull/2503](https://togithub.com/honojs/hono/pull/2503)
- refactor: Remove redundant initializer by [@​exoego](https://togithub.com/exoego) in [https://github.com/honojs/hono/pull/2502](https://togithub.com/honojs/hono/pull/2502)
- refactor(cloudflare-workers): Suppress eslint noise by [@​exoego](https://togithub.com/exoego) in [https://github.com/honojs/hono/pull/2504](https://togithub.com/honojs/hono/pull/2504)
- fix(jsx): Add catch to async function's promise by [@​mwilkins91](https://togithub.com/mwilkins91) in [https://github.com/honojs/hono/pull/2471](https://togithub.com/honojs/hono/pull/2471)

#### New Contributors

- [@​nagasawaryoya](https://togithub.com/nagasawaryoya) made their first contribution in [https://github.com/honojs/hono/pull/2500](https://togithub.com/honojs/hono/pull/2500)
- [@​exoego](https://togithub.com/exoego) made their first contribution in [https://github.com/honojs/hono/pull/2503](https://togithub.com/honojs/hono/pull/2503)
- [@​mwilkins91](https://togithub.com/mwilkins91) made their first contribution in [https://github.com/honojs/hono/pull/2471](https://togithub.com/honojs/hono/pull/2471)

**Full Changelog**: https://github.com/honojs/hono/compare/v4.2.3...v4.2.4

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
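The advisory above shows a percent-encoded `..` escaping the directory served by `serveStatic`. As an added example (not hono's code and not part of this PR), the containment check a static-file handler needs for that case: decode the request path, normalise `.`/`..` segments, and refuse anything that resolves outside the mounted prefix. The mount `/static`, root `./` and file names follow the PoC layout; the function names are assumptions.

```typescript
// Added example, not hono's implementation. Decode percent-encoding once,
// then collapse "." and ".." segments; null means the path is unusable.
function normalizeUrlPath(urlPath: string): string | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch {
    return null; // malformed escape sequence such as "%zz"
  }
  if (decoded.includes("\0")) return null; // embedded NUL never names a file
  const out: string[] = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // tries to climb above "/"
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Map a request path onto a file under `root`, but only when the normalised
// path still lies under `mountPrefix` (e.g. "/static"); otherwise null.
function resolveStaticPath(
  mountPrefix: string,
  root: string,
  requestPath: string,
): string | null {
  const normalized = normalizeUrlPath(requestPath);
  if (normalized === null) return null;
  const prefix = mountPrefix.replace(/\/+$/, "");
  if (normalized !== prefix && !normalized.startsWith(prefix + "/")) {
    return null; // "/static/%2e%2e/main.ts" normalises to "/main.ts": rejected
  }
  return root.replace(/\/+$/, "") + normalized; // e.g. "./static/a.txt"
}
```

The check runs on the decoded, normalised path rather than on the raw URL, so `%2e%2e`, `..` and mixed-case encodings are all handled by the same comparison.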

changeset-bot[bot] commented 5 months ago

⚠️ No Changeset found

Latest commit: 67df6c1719331da096118bbddf109748b9e7b729

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.
