Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: hono, typescript #68

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

Laurry-gee
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name Versions Released on

hono
from 2.7.8 to 4.5.9 | 201 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 23 days ago
on 2024-08-26
typescript
from 4.9.5 to 5.5.4 | 595 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 2 months ago
on 2024-07-22

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
medium severity Arbitrary Code Injection
SNYK-JS-HONO-6129070
531 Proof of Concept
Release notes
Package name: hono
  • 4.5.9 - 2024-08-26

    What's Changed

    • test(types): broken test in future versions of typescript by @ m-shaka in #3310
    • fix(utils/color): Deno does not require permission for NO_COLOR by @ ryuapp in #3306
    • feat(jsx): improve type (MIME) attribute types by @ ssssota in #3305
    • feat(pretty-json): support custom query by @ nakasyou in #3300

    Full Changelog: v4.5.8...v4.5.9

  • 4.5.8 - 2024-08-22

    Security Fix for CSRF Protection Middleware

    Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including Content-Types with uppercase letters (e.g., Application/x-www-form-urlencoded) as potential attacks, allowing them to pass.

    This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately.

    For more details, see the report here: GHSA-rpfr-3m35-5vx5

  • 4.5.7 - 2024-08-21

    What's Changed

    • fix(jsx/dom): Fixed a bug that caused Script elements to turn into Style elements. by @ usualoma in #3294
    • perf(jsx/dom): improve performance by @ usualoma in #3288
    • feat(jsx): improve a-tag types with well known values by @ ssssota in #3287
    • fix(validator): Fixed a bug in hono/validator where URL Encoded Data could not be validated if the Content-Type included charset. by @ uttk in #3297
    • feat(jsx): improve target and formtarget attribute types by @ ssssota in #3299
    • docs(README): change Twitter to X by @ nakasyou in #3301
    • fix(client): replace optional params to url correctly by @ yusukebe in #3304
    • feat(jsx): improve input attribute types based on react by @ ssssota in #3302

    New Contributors

    Full Changelog: v4.5.6...v4.5.7

  • 4.5.6 - 2024-08-17

    What's Changed

    • fix(jsx): handle async component error explicitly and throw the error in the response by @ usualoma in #3274
    • fix(validator): support multipart headers without a separating space by @ Ernxst in #3286
    • fix(validator): Allow form data will mutliple values appended by @ nicksrandall in #3273
    • feat(jsx): improve meta-tag types with well known values by @ ssssota in #3276

    New Contributors

    Full Changelog: v4.5.5...v4.5.6

  • 4.5.5 - 2024-08-11

    What's Changed

    • fix(jsx): allow null, undefined, and boolean to be returned from function component by @ usualoma in #3241
    • feat(context): Add types for c.header by @ nakasyou in #3221
    • fix(jsx): fix draggable type to accept boolean by @ yasuaki640 in #3253
    • feat(context): add Context-Type types to c.header by @ nakasyou in #3255
    • fix(serve-static): supports directory contains . and not end / by @ yusukebe in #3256

    Full Changelog: v4.5.4...v4.5.5

  • 4.5.4 - 2024-08-06

    What's Changed

    • fix(jsx): corrects the type of 'draggable' attribute in intrinsic-elements.ts by @ yasuaki640 in #3224
    • feat(jsx): allow to merge CSSProperties declaration by @ jonasnobile in #3228
    • feat(client): Add WebSocket Provider Integration Tests and Enhance WebSocket Initialization by @ naporin0624 in #3213
    • fix(types): param in ValidationTargets supports optional param by @ yusukebe in #3229

    New Contributors

    Full Changelog: v4.5.3...v4.5.4

  • 4.5.3 - 2024-07-29

    What's Changed

    • fix(validator): Add double quotation marks to multipart checker regex by @ CPlusPatch in #3195
    • fix(validator): support application/json with a charset as JSON by @ yusukebe in #3199
    • fix(jsx): fix handling of SVG elements in JSX. by @ usualoma in #3204
    • fix(jsx/dom): fix performance issue with adding many new node listings by @ usualoma in #3205
    • fix(service-worker): refer to self.fetch correctly by @ yusukebe in #3200

    New Contributors

    Full Changelog: v4.5.2...v4.5.3

  • 4.5.2 - 2024-07-27

    What's Changed

    • fix(helper/adapter): don't check navigator is undefined by @ yusukebe in #3171
    • fix(types): handle readonly array correctly by @ m-shaka in #3172
    • Revert "fix(helper/adapter): don't check navigator is undefined by @ yusukebe in #3173
    • fix(type): degradation of generic type handling by @ m-shaka in #3138
    • fix:(csrf) fix typo of csrf middleware by @ yasuaki640 in #3178
    • feat(secure-headers): remove "X-Powered-By" should be an option by @ EdamAme-x in #3177

    Full Changelog: v4.5.1...v4.5.2

  • 4.5.1 - 2024-07-20

    What's Changed

    New Contributors

    Full Changelog: v4.5.0...v4.5.1

  • 4.5.0 - 2024-07-16

    Hono v4.5.0 is now available!

    We have added three new built-in middleware. Now Hono is bringing 20 built-in middleware!

    1. Basic Authentication
    2. Bearer Authentication
    3. Body Limit
    4. Cache
    5. Combine
    6. Compress
    7. CORS
    8. CSRF Protection
    9. ETag
    10. IP Restriction
    11. JSX Renderer
    12. JWT
    13. Logger
    14. Method Override
    15. Pretty JSON
    16. Request ID
    17. Secure Headers
    18. Timeout
    19. Timing
    20. Trailing Slash

    Amazing! These truly make Hono batteries-included framework.

    Let's go through the new features in this release.

    IP Restrict Middleware

    Introducing IP Restrict Middleware. This middleware limits access to resources based on the IP address of the user.

    import { Hono } from 'hono'
    import { getConnInfo } from 'hono/bun'
    import { ipRestriction } from 'hono/ip-restriction'

    const app = new Hono()

    app.use(
    '*',
    ipRestriction(getConnInfo, {
    denyList: [],
    allowList: ['127.0.0.1', '::1']
    })
    )

    Thanks @ nakasyou!

    Combine Middleware

    Introducing Combine Middleware. This middleware combines multiple middleware functions into a single middleware, allowing you to create complex access controls by combining it with middleware like IP Restriction.

    import { Hono } from 'hono'
    import { bearerAuth } from 'hono/bearer-auth'
    import { getConnInfo } from 'hono/cloudflare-workers'
    import { every, some } from 'hono/combine'
    import { ipRestriction } from 'hono/ip-restriction'
    import { rateLimit } from '@/my-rate-limit'

    const app = new Hono()

    app.use(
    '*',
    some(
    every(ipRestriction(getConnInfo, { allowList: ['192.168.0.2'] }), bearerAuth({ token })),
    // If both conditions are met, rateLimit will not execute.
    rateLimit()
    )
    )

    app.get('/', (c) => c.text('Hello Hono!'))

    Thanks @ usualoma!

    Request ID Middleware

    Introducing Request ID Middleware. This middleware generates a unique ID for each request, which you can use in your handlers.

    import { Hono } from 'hono'
    import { requestId } from 'hono/request-id'

    const app = new Hono()

    app.use('*', requestId())

    app.get('/', (c) => {
    return c.text(Your request id is <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">c</span><span class="pl-kos">.</span><span class="pl-en">get</span><span class="pl-kos">(</span><span class="pl-s">'requestId'</span><span class="pl-kos">)</span><span class="pl-kos">}</span></span>)
    })

    Thanks @ ryuapp!

    Service Worker Adapter

    A Service Worker adapter has been added, making it easier to run Hono applications as Service Workers.

    For example, the following code works perfectly in a browser!

    import { Hono } from 'hono'
    import { handle } from 'hono/service-worker'

    const app = new Hono().basePath('/sw')
    app.get('/', (c) => c.text('Hello World'))

    self.addEventListener('fetch', handle(app))

    Thanks @ nakasyou!

    Cloudflare Pages Middleware

    The Cloudflare Pages adapter now includes a handleMiddleware function, allowing many Hono middleware to run as Cloudflare Pages middleware.

    For example, to apply basic authentication, you can use the built-in middleware as shown below.

    // functions/_middleware.ts
    import { handleMiddleware } from 'hono/cloudflare-pages'
    import { basicAuth } from 'hono/basic-auth'

    export const onRequest = handleMiddleware(
    basicAuth({
    username: 'hono',
    password: 'acoolproject'
    })
    )

    Thanks @ BarryThePenguin!

    React 19 Compatibility

    Hono JSX now supports React 19 compatible APIs.

    For example, the following hooks have been added:

    • useFormStatus()
    • useActionState()
    • useOptimistic()

    Additionally, rendering metadata within the <head /> tag is now supported. You can include elements like <title>, <meta>, and <link> within your components.

    https://hono.dev/top-page" />
    <h1>Top Page</h1>
    <p>Hono is a great framework!</p>
    </article>
    )
    })">
    import { Hono } from 'hono'
    import { jsxRenderer } from 'hono/jsx-renderer'

    const app = new Hono()

    app.use(
    jsxRenderer(({ children }) => {
    return (
    <html>
    <head></head>
    <body>{children}</body>
    </html>
    )
    })
    )

    app.get('/top-page', (c) => {
    return c.render(
    <article>
    <title>Top Page!</title>
    <link rel="canonical" href="https://hono.dev/top-page" />
    <h1>Top Page</h1>
    <p>Hono is a great framework!</p>
    </article>
    )
    })

    The above will render the following HTML:

    <!DOCTYPE html>
    <html>
      <head>
        <title>Top Page!</title>
        <link rel="canonical" href="https://hono.dev/top-page" />
      </head>
      <body>
        <article>
          <h1>Top Page</h1>
          <p>Hono is a great framework!</p>
        </article>
      </body>
    </html>

    See all changes in this PR: #2960

    Thanks @ usualoma!

    @ hono/react-compat

    Plus, with the new @ hono/react-compat, you can alias the react or react-dom used in your project to hono/jsx without any configuration.

    npm install react@npm:@ hono/react-compat react-dom@npm:@ hono/react-compat

    Passing interface as Bindings/Variables

    You can now pass interface to Bindings or Variables. This allows you to use the type definitions generated by the wrangler types command directly.

    interface Env {
      MY_KV_NAMESPACE: KVNamespace
      MY_VAR: string
      MY_DB: D1Database
    }

    Previously, only type definitions using type could be passed to Bindings. Now, interfaces like the Env example above can be used with generics.

    const app = new Hono<{
      Bindings: Env
    }>()

    Thanks @ ottomated!

    Other features

    • JWT - use Signed Cookie in JWT Middleware #2989
    • Vercel - add getConnInfo for Vercel Adapter #3085
    • Lambda@Edge - add getConnInfo helper for Lambda@Edge #3099

    All Updates

    • feat(jsx/dom): export createRoot and hydrateRoot from jsx/dom/client as default by @ usualoma in #2929
    • feat(jsx/server): introduce jsx/dom/server module for compatibility with react-dom/server by @ usualoma in

Snyk has created this PR to upgrade:
  - hono from 2.7.8 to 4.5.9.
    See this package in npm: https://www.npmjs.com/package/hono
  - typescript from 4.9.5 to 5.5.4.
    See this package in npm: https://www.npmjs.com/package/typescript

See this project in Snyk:
https://app.snyk.io/org/laurry-gee/project/b5f5690f-a110-484e-85a4-d96c843d311a?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants