fix(deps): update dependency elysia to v1.4.18 [security]#33

Open

renovate[bot] wants to merge 1 commit intomainfrom

renovate/npm-elysia-vulnerability

Contributor

renovate bot commented Dec 10, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
elysia	`1.1.17` → `1.4.18`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-66457

Arbitrary code execution from cookie config. If dynamic cookies are enabled (ie there exists a schema for cookies), the cookie config is injected into the compiled route without first being sanitised.

Availability of this exploit is generally low, as it requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment).

However when combined with GHSA-hxj9-33pp-j2cc, this vulnerability allows for a full RCE chain.

Impact

aot enabled (default)
cookie schema passed to route
Cookie config controllable eg. via env

Example of vulnerable code

new Elysia({
	cookie: {
		secrets: `' + console.log('pwned from secrets') + '`
	},
})
	.get("/", () => "hello world", {
		cookie: t.Cookie({
			foo: t.Any(),
		}),
	})

POC: https://github.com/sportshead/elysia-poc

Patches

Patched by 1.4.17 (https://github.com/elysiajs/elysia/pull/1564)

Reference commit:

https://github.com/elysiajs/elysia/pull/1564/commits/26935bf76ebc43b4a43d48b173fc853de43bb51e
https://github.com/elysiajs/elysia/pull/1564/commits/3af978663e437dccc6c1a2a3aff4b74e1574849e

Workarounds

Sanitize cookie-related env input

const overrideUnsafeQuote = (value: string) =>
	// '`' + value + '`'
	'`' + value.replace(/'/g, '\\`').replace(/\${/g, '$\\{') + '`'

Release Notes

elysiajs/elysia (elysia)

`v1.4.18`

Security:

use JSON.stringify over custom escape implementation

`v1.4.17`

Improvement:

#1573 Server is always resolved to any when @types/bun is missing
#1568 optimize cookie value comparison using FNV-1a hash
#1549 Set-Cookie headers not sent when errors are thrown
#1579 HEAD to handle Promise value

Security:

cookie injection, prototype pollution, and RCE

Bug fix:

#1550 excess property checking
allow cookie.sign to be string

Change:

#1584 change customError property to unknown
#1556 prevent sending set-cookie header when cookie value is not modified
#1563 standard schema on websocket
conditional parseQuery parameter
conditional pass c.request to handler for streaming response
fix missing contentType type on parser

`v1.4.16`

Improvement:

ValidationError: add messageValue as an alias of errorValue
ValidationError.detail now accept optional 2nd parameter allowUnsafeValidatorDetails
macro: add introspect
prevent redundant route compilation
merge multiple macro resolve response

Bug fix:

#1543 respect toResponse() method on Error classes
#1537 websocket: ping/pong not being called
#1536 export ExtractErrorFromHandle
#1535 skip response validation for generators and streams
#1531 typo in ElysiaTypeCustomErrorCallback: valdation to validation
#1528 error in parsing request body validation errors with Zod
#1527 bracket handling in exact mirror
#1524 head request handler not working

`v1.4.15`

Bug fix:

1.4.14 regression with Eden Treaty, and OpenAPI type gen

`v1.4.14`

Feature:

#1520, #1522 async handlers crash on HEAD request
#1510 strict status response
#1503 add t.NumericEnum() for numeric enum query handling
#1450 call onAfterResponse when onError returns a value
remove redundant Prettify
prettify response for OpenAPI type gen
conditional apply macro context in type level
improve type performance in general

Change:

remove Prettify2, Partial2

`v1.4.13`

Feature:

#1453 add allowUnsafeValidationDetails for disabling unsafe validation details in production mode
allow rapid stream in non browser mode or ELYSIA_RAPID_STREAM is set
afterResponse now wait for generator stream to finish
trace of handle, and afterResponse now wait for generator stream to finish

Bug fix:

#1502, #1501 afterHandle doesn't update status
#1500 export InvalidFileType from root
#1495 request server hook parameters are typed as any (Bun 1.3.0)
#1483 handle standard schema validators in ValidationError.all
#1459 fix strictPath behavior when aot: false is set
#1455 graceful shutdown not awaiting server.stop
#1499 fails when merging with t.Optional schema
remove encoding chunk from native static response in Bun adapter

Change:

make @types/bun an optional dependency

`v1.4.12`

Improvement:

named macro function callback
adjust build script

`v1.4.11`

Bug fix:

#1469 incorrect ping, pong type signature
#1467 better error union handling in onError
#1463 responseValue is undefined in afterHandle when beforeHandle returns status
#1460 compressed response in mapResponse is corrupted if status !== 200
#1456 add response type check for stream
#1451 cookie validation is not running when there's no body schema
make file-type non optional dependency to fix default build problem

`v1.4.10`

Bug fix:

#1406 enforce return type in OptionalHandler
static handlers in Bun 1.3
conditional use crypto randomUUID if not available (eg. iOS Safari)

Change:

Elysia.file readstream value is now IIFE to re-read

`v1.4.9`

Improvement:

add Cloudflare Worker test
add Sucrose.Settings
#1443 add knip for detecting deadcode

`v1.4.8`

Improvement:

automatically clear up sucrose cache when not used
remove Bun.hash from checksum calculation

Change:

make file-type optional to reduce bundle size
#1432 missing context (set) in mapResponse for ElysiaFile
#1435 missing cookies in SSE

`v1.4.7`

Feature:

experimental adapter/cloudflare-worker
add ElysiaAdapter.beforeCompile

Change:

do not prettify routes when using guard, group
use process.getBuiltinModule instead of dynamic import for file
Elysia.file.value on Web Standard Adapter now is not a promise

`v1.4.6`

Improvement:

#1406 strictly check for 200 inline status code
coerce union status value and return type
add BunHTMLBundleLike to Elysia inline handler
#1405 prevent Elysia from being a dependency of itself
#1416 check if object is frozen before merging, add try-catch to prevent crash
#1419 guard doesn't apply scoped/global schema to object macro
#1425 DELETE doesn't inherit derive/resolve type

Change:

#1409 onTransform now doesn't include type as it isn't validated yet, creating confusion

Bug fix:

#1410 handle union derive/resolve property
probably fix mergeDeep attempted to assign to readonly property
derive/resolve inherit type in inline handler

`v1.4.5`

Improvement:

soundness for guard, group
overwrite primitive value if collide (intersectIfObject)

Bug fix:

standard schema incorrectly validate cookie and coercion
merge nested guard, group standalone schema properly

Breaking Change:

no longer coerce type for .model with t.Ref by default

`v1.4.4`

Bug fix:

merge schema in GET method
remove accidental console.log

`v1.4.3`

Bug fix:

mapValueError should return all possible value both in dev environment and production environment
inline lifecycle get method doesn't inherit Singleton

`v1.4.2`

#1683 response validation returns 500 instead of 422 for nested schemas in dynamic mode

`v1.4.1`

Security:

reject invalid cookie signature when using cookie rotation

Improvement

#1609 calling afterResponse with aot: false
#1607, #1606, #1139 data coercion on nested form data
#1604 save lazy compilation of Elysia.fetch for up to 45x performance improvement
#1588, #1587 add seen weakset during mergeDeep

Bug fix:

#1614 Cloudflare Worker with dynamic path
add set immediate fallback
#1597 safeParse, parse to static type
#1596 handle context pass to function with sub context
#1591, #1590 merge set.headers without duplicating Response
#1546 override group prefix type
#1526 default error handler doesn't work in Cloudflare Workers
handle group with empty prefix in type-level

`v1.4.0`

Feature:

standard validator
macro schema, macro extension, macro detail
lifecycle type soundness
type inference reduced by ~11%
#861 missing HEAD method when register route with GET

Improvement

#861 automatically add HEAD method when defining GET route

Change

ObjectString/ArrayString no longer produce default value by default due to security reasons
Cookie now dynamically parse when format is likely JSON
export fileType for external file type validation for accurate response

Breaking Change

remove macro v1 due to non type soundness
remove error function, use status instead
deprecation notice for response in mapResponse, afterResponse, use responseValue instead
remove reference array model by string eg. user[], use t.Array(t.Ref('user')) instead

`v1.3.21`

Bug fix:

#1356 webSocket validation error handling in BunAdapter
#1358 allow overriding websocket handler with listen options
#1365 check if the plugin.constructor (fix import module in Bun 1.2.21)
#1367 .trace hooks (onAfterResponse, etc...) not being called
#1369 don't block microtask queue in SSE

`v1.3.20`

Change:

mime is undefined when using Elysia.file in Web Standard Adapter

`v1.3.19`

Change:

#1357 return Response proxy as-is

Bug fix:

elysiajs/node#45 detect Response polyfill on Node

`v1.3.18`

Bug fix:

ReadableStream is not pass to handleStream in mapCompactResponse, and mapEarlyResponse

`v1.3.17`

Bug fix:

#1353 normalize encodeSchema with Transform

`v1.3.16`

Improvement:

sse now infer type
sse now accepts ReadableStream to return stream as text/event-stream
refactor SSE handler
support returning ReadableStream from generator or async generator

Change:

sse no longer include generated id by default

Bug fix:

static response now use callback clone instead of bind

`v1.3.15`

Bug fix:

ValidationError.detail only handle custom error

`v1.3.14`

Improvement:

custom error on production mode
add ValidationError.withDetail
add withDetail for additional error information

`v1.3.13`

Bug fix:

important performance degration, exact mirror normalize doesn't apply correctly
normalize optional property with special character

Change:

update exact-mirror to 0.1.6

`v1.3.12`

Bug fix:

#1348 onAfterResponse runs twice if NotFoundError thrown and onError provided

`v1.3.11`

Bug fix:

#1346 cannot declare 'mep' twice

`v1.3.10`

Bug fix:

#1028 query array nuqs format in dynamic mode
unwrap t.Import in dynamic mode

`v1.3.9`

Feature:

#932 add t.ArrayBuffer, t.Uint8Array

Bug fix:

#459 route prefix should give type error when prefix is not start with '/'
#669 add nullable field to t.Nullable for OpenAPI 3.0 spec
#711 set default headers for non-aot
#713 NotFoundError doesn't call onAfterResponse hook
#771 skip body parsing if Content-Type is present but body is not
#747 mapResponse inside mapError override error value
#812 check for minItems length before array validation
#833 cookie signing doesn't work in dynamic mode
#859 clean non-root additionalProperties
#924 decode path param
#985 Nullable accept options
#1028 string | string[] query parameter, reference array
#1120 cannot set multiple cookies when response is a file
#1124 validate url encoded query
#1158 prevent side-effect from guard merge
#1162 handle encoded space in array query string
#1267 parse without contentType headers throw Bad Request
#1274 support .use(undefined | false) for conditional plugin
#1276 mapResponse with set inference produce invalid instruction
#1268 using number instead of stringifed value for reporting validation error
#1288 handle array query string in dynamic mode
#1294 return status from derive and resolve shouldn't call onError
#1297, #1325 fix HTML imported pages in compiled apps
#1319 fix array of plugin usage causes incorrect path aggregation
#1323 don't duplicate error from plugin
#1327 ensure that t.Date value is Date in Encode
dynamic handle should handle named parser
instanceof ElysiaCustomStatusResponse should return true when import from root Elysia module

Improvement:

remove finally from compose
NotFoundError should parse query if inferred
#853 Bun Static response now handle pre-compute onRequest, and onError
prettify ElysiaWS type
export ElysiaCustomStatusResponse
handle type-level status check in after response

Change:

status no longer make value as readonly
afterResponse now call after response by scheduling setImmediate
update memoirist to 0.4.0
update exact-mirror to 0.1.5

`v1.3.8`

Improvement:

ElysiaFile doesn't inherits set.headers eg. cors
[Web Standard] automatically set Content-Type, Content-Range of ElysiaFile

Bug fix:

#1316 fix context type when multiple macros are selected
#1306 preserve type narrowing in getSchemaValidator
add set to handleFile when file is ElysiaFile
[Web Standard] inherit set.status for ElysiaFile
make ElysiaAdapter.stop optional

`v1.3.7`

Bug fix:

#1314 coerce TransformDecodeError to ValidationError
#1313 onRequest not firing
#1311 [Exact Mirror] handle property starts with a number
#1310 webSocket fails to connect when inside group and guard
#1309 encode is not called when using dynamic handler
#1304 remove response body from HTTP 101, 204, 205, 304, 307, 308

Change:

update exact mirror to 0.1.3
warn when stop is called instead of throwing an error

`v1.3.6`

Improvement:

#1263 bun adapter add qi to routes that need query from guard
#1270 add Symbol.dispose
#1089 add stop function to ElysiaAdapter type

Bug fix:

#1126 websocket errors not catching
#1281 automatically enforce additional properties in nested schema (eg. array)
Dynamic handle decode signed cookie secret instead of accidental hardcoded value

`v1.3.5`

Bug fix:

#1255 regression in serving an imported HTML file
#1251 property 'status' does not exist onError function
#1247 ensure WebSockets get routed properly without AoT compilation
#1246 property 'timeout' does not exist on type 'Server'
#1245 error on onAfterHandle (no property 'response')
#1239 t.Files validator breaks for response schema
#1187, #1169 websocket beforeLoad not being executed

`v1.3.4`

Feature:

sse helper

Bug fix:

#1237 ws in a group merge error
#1235 errors not handled correctly in resolve hook on dynamic mode
#1234 optional path parameters can't follow required ones
#1232 t.Files fails with array of files

Change:

When yield is not sse, content-type is set to either text/plain or application/json based on the response type

`v1.3.3`

Bug fix:

mapResponseContext is not passed to compose
await ElysiaFile when not using Bun
export adapter/utils

`v1.3.2`

Bug fix:

safely unwrap t.Record

`v1.3.1`

Change:

#1357 return Response proxy as-is

Bug fix:

elysiajs/node#45 detect Response polyfill on Node

`v1.3.0`

Feature:

add exactMirror
add systemRouter config
standalone Validator
add Elysia.Ref for referencing schema with autocompletion instead of t.Ref
support Ref inside inline schema
add sucrose cache
new validation t.Form, t.NoValidate
use file-type to check file type
add INVALID_FILE_TYPE error
add sanitize options

Improvement:

encodeSchema now stable and enabled by default
optimize types
reduce redundant type check when using Encode
optimize isAsync
unwrap Definition['typebox'] by default to prevent unnecessary UnwrapTypeModule call
Elysia.form can now be type check
refactor type-system
refactor _types into ~Types
using aot compilation to check for custom Elysia type, eg. Numeric
refactor app.router.static, and move static router code generation to compile phase
optimize memory usage on add, _use, and some utility functions
improve start up time on multiple route
dynamically create cookie validator as needed in compilation process
reduce object cloning
optimize start index for finding delimiter of a content type header
Promise can now be a static response
ParseError now keeps stack trace
refactor parseQuery and parseQueryFromURL
add config options to mount
recompile automatically after async modules is mounted
support macro on when hook has function
support resolve macro on ws
#1146 add support to return web API's File from handler
#1165 skip non-numeric status codes in response schema validation
#1177 cookie does not sign when an error is thrown

Bug fix:

Response returned from onError is using octet stream
unintentional memory allocation when using mergeObjectArray
handle empty space on Date query

Change:

only provide c.request to mapResponse when maybeStream is true
use plain object for routeTree instead of Map
remove compressHistoryHook and decompressHistoryHook
webstandard handler now return text/plain if not on Bun
use non const value for decorate unless explicitly specified
Elysia.mount now set detail.hide = true by default

Breaking Change:

remove as('plugin') in favor of as('scoped')
remove root index for Eden Treaty
remove websocket from ElysiaAdapter
remove inference.request

`v1.2.25`

Bug fix:

#1108 use validation response instead of return type when schema is provided
#1105, #1003 invalid parsing body with missed fields if used object model

`v1.2.24`

Bug fix:

200 object response is not inferring type in type-level
#1091 route is not defined when using trace

`v1.2.23`

Bug fix:

#1087 websocket to parse string array
#1088 infinite loop when inference body is empty

`v1.2.22`

Bug fix:

#1074 hasTransform doesn't detect Transform on root
#873 encode before type check

`v1.2.21`

Bug fix:

#671 Transform inside t.Intersect isn't detected

`v1.2.20`

Bug fix:

#671 Transform query schema check fails
model type

`v1.2.19`

Bug fix:

#1078 array string default to '[]' instead of undefined

`v1.2.18`

Bug fix:

duplicated static route may cause index conflict resulting in incorrect route

`v1.2.17`

Bug fix:

.mount doesn't return pass entire request

`v1.2.16`

Improvement:

AfterHandler infer response type

Change:

#1068 update @sinclair/typebox to 0.34.27

Bug fix:

#1075 nested async plugins mismatch routes to handlers
#1073 file type validation not working
#1070 .mount is mutating the incoming request method
mount path is incorrect when using prefix with trailing *
#873 add experimental.encodeSchema for custom Transform Encode type

`v1.2.15`

Bug fix:

#1067 recompile async plugin once registered
#1052 webSocket errors not getting catched by error handler
#1038 incorrect type inference with deferred modules leads to TypeErrors in runtime
#1015 using a model by name in route query leads to type mispatch, yet validation succeeds if doesn't use Ref
#1047 ampersand in URL search params is discarded
detect Transform inside t.Array in hasTransform

Improvement:

add test cases for hasTransform
hasTransform now supports Union, Intersect
remove redundant decodeURIComponent in nested query

`v1.2.14`

Feature:

parse nuqs string array format if query is specified as t.Array(t.String())

Improvement:

handle recursive nested async plugin
Response now handle proxy streaming
#971 wrap import("fs/promises") AND wrap import("fs") in try-catch to avoid error (silly me, tee-hee~)
handle nested array property swap for replaceSchemaType

Breaking Change:

[Internal] Elysia.modules now return void

`v1.2.13`

Improvement:

#977 use Registry instead of TypeSystem
remove redundant switch-case for path mapping when strictPath is disabled and path is overlapped
remove redundant allocation for nativeStaticHanlder when strictPath path is overlapped

Bug fix:

#1062 correctly set t.Date() defaults
#1050 app.onRequest(ctx => {ctx.server}): Can't find variable: getServer
#1040 undefined route context on aot=false
#1017 replace t.Number() for Type.Integer()
#976 error responses with aot: false
#975 await nested async plugins
#971 wrap import("fs/promises") in try-catch to avoid error
discord file format doesn't check for '*' format

`v1.2.12`

Bug fix:

warn when non-existing macro is used
parser doesn't generate optimize instruction

`v1.2.11`

Feature:

Reduce memory usage:
- Compressed lifecycle event
- Avoid unnecessary declaration in compose.ts
- Lazily build radix tree for dynamic router

Change:

Update TypeBox to 0.34.15

Bug fix:

#1039 Elysia fails to start with an error inside its own code when using decorate twice with Object.create(null)
#1005 Parsing malformed body with NODE_ENV 'production' results in UNKNOWN error
#1037 Validation errors in production throw undefined is not an object (evaluating 'error2.schema')
#1036 Support Bun HTML import

`v1.2.10`

Feature:

add shorthand property for macro function

Improvement:

use deuri instead of fast-decode-uri-component
#985 MaybeEmpty and Nullable should have options args

Bug fix:

Macro function doesn't inherits local/scoped derive and resolve in type-level

`v1.2.9`

Bug fix:

Resolve macro unintentionally return instead of assign new context

`v1.2.8`

Bug fix:

#966 generic error somehow return 200

`v1.2.7`

Bug fix:

macro doesn't work with guard
#981 unable to deference schema, create default, and coerce value
#966 error's value return as-if when thrown
#964 InvalidCookieSignature errors are not caught by onError
#952 onAfterResponse does not provide mapped response value unless aot is disabled
mapResponse.response is {} if no response schema is provided
Response doesn't reconcile when handler return Response is used with mapResponse
onError now accepts error as number when Elysia.error is thrown (but not returned)

`v1.2.6`

Bug fix:

mapResponse with onError caused compilation error

`v1.2.5`

Bug fix:

define universal/file in package export

`v1.2.4`

Bug fix:

performance regression from eager access abortSignal

`v1.2.3`

Bug fix:

#973 Parsing malformed body results in UNKNOWN-Error instead of ParseError
#971 remove top level import, use dynamic import instead
#969 Invalid context on .onStart, .onStop
#965 [Composer] failed to generate optimized handler. Unexpected identifier 'mapCompactResponse'
#962 fix schema default value when AOT is of
decorator name with space is not working

`v1.2.2`

Bug fix:

#1108 use validation response instead of return type when schema is provided
#1105, #1003 invalid parsing body with missed fields if used object model

`v1.2.1`

Bug fix:

#1078 array string default to '[]' instead of undefined

`v1.2.0`

Feature:

Commitment to Universal Runtime Support
- Node Adapter
- Web Standard Adapter
- Bun Adapter
- Universal Utilities
Name parser
Add resolve support to Macro
Improve WebSocket
- Support ping, pong and latest Bun feature
- Match type declaration with Bun
- Support for return, yield
- Match Context type
- Performance Improvement
  - Entire rewrite
  - bind over getter return
Infer 422 validation
Compilation minification
Validation Stuff
- t.MaybeArray
Typebox Module & Nested model
- Inline module

Improvement:

Memory Usage
- [Internal] Register loosePath in compilation process to reduce memory usage and reduce registration time from O(2n) to O(n)
Try to accept and coerce different version of Elysia plugin
Event Listener now infers path parameter automatically based on scope
Add ‘scoped’ to bulk as for casting type to ‘scoped’ similar to ‘plugin’

Change:

Update cookie to 1.0.1
Update TypeBox to 0.33
content-length now accept number

Breaking Change:

[Internal] Remove router internal property static.http.staticHandlers
[Internal] Router history compile now link with history composed

`v1.1.27`

Bug fix:

#963 array parser on query string when AOT is off
#961 literal handler when AOT is off

`v1.1.26`

Bug fix:

#907, #872, #926 BooleanString is not behave correctly if property is not provided
#929 Non-ASCII characters cause querystring index to be incorrectly slice
#912 handle JavaScript date numeric offset

`v1.1.25`

Bug fix:

#908 boolean-string converted to string
#905 avoid response normailization side effects

Change:

don't minify identifiers in bun bundle

`v1.1.24`

Security:

#891 Upgrade Cookie to 0.7.x to fix CVE-2024-47764

Bug fix:

#885 unwrap transform errors
#903 typebox object schemas without properties key

`v1.1.23`

Bug fix:

Handle object with .then even if it's not promise (looking at you, Drizzle)

`v1.1.22`

Bug fix:

Fix set-cookie to resent if value is accessed even without set

`v1.1.21`

Improvement:

infer 200 response from handle if not specified

`v1.1.20`

Bug fix:

merge guard and not specified hook responses status

`v1.1.19`

Bug fix:

unable to return error from derive/resolve

`v1.1.18`

Breaking change:

remove automatic conversion of 1-level deep object with file field to formdata
- migration: wrap a response with formdata
(internal): remove ELYSIA_RESPONSE symbol
(internal) error now use class ElysiaCustomStatusResponse instead of plain object

Improvement:

Optimize object type response mapping performance

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

changeset-bot bot commented Dec 10, 2025 •

edited

Loading

⚠️ No Changeset found

Latest commit: 33f17bf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

renovate bot force-pushed the renovate/npm-elysia-vulnerability branch from 7294840 to c8fb2eb Compare

December 31, 2025 15:51


          fix(deps): update dependency elysia to v1.4.18 [security]

33f17bf

renovate bot force-pushed the renovate/npm-elysia-vulnerability branch from c8fb2eb to 33f17bf Compare

February 2, 2026 21:33

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet