Update dependency hono to v4.10.3 [SECURITY] #489
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.10.2->4.10.3GitHub Vulnerability Alerts
GHSA-q7jf-gf43-6x6p
Summary
A flaw in the CORS middleware allowed request
Varyheaders to be reflected into the response, enabling attacker-controlledVaryvalues and potentially affecting cache behavior.Details
The middleware previously copied the
Varyheader from the request whenoriginwas not set to"*". SinceVaryis a response header that should only be managed by the server, this could allow an attacker to influence caching behavior or cause inconsistent CORS handling.Most environments will see impact only when shared caches or proxies rely on the
Varyheader. The practical effect varies by configuration.Impact
May cause cache key pollution and inconsistent CORS enforcement in certain setups. No direct confidentiality, integrity, or availability impact in default configurations.
Resolution
Update to the latest patched release. The CORS middleware has been corrected to handle
Varyexclusively as a response header.Release Notes
honojs/hono (hono)
v4.10.3Compare Source
Securiy Fix
A security issue in the CORS middleware has been fixed. In some cases, a request header could affect the Vary response header. Please update to the latest version if you are using the CORS middleware.
What's Changed
=by @ryuapp in #4478New Contributors
Full Changelog: honojs/hono@v4.10.2...v4.10.3
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.