Update dependency @hono/node-server to v1.10.1 [SECURITY] (#42)
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@hono/node-server](https://togithub.com/honojs/node-server) | [`1.10.0` -> `1.10.1`](https://renovatebot.com/diffs/npm/@hono%2fnode-server/1.10.0/1.10.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@hono%2fnode-server/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@hono%2fnode-server/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@hono%2fnode-server/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@hono%2fnode-server/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-32652](https://togithub.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx)

### Impact

The application hangs when receiving a Host header with a value that
`@hono/node-server` can't handle well. Invalid values are those that
cannot be parsed by the `URL` as a hostname such as an empty string,
slashes `/`, and other strings.

For example, if you have a simple application:

```ts
import { serve } from '@hono/node-server'
import { Hono } from 'hono'

const app = new Hono()

app.get('/', (c) => c.text('Hello'))

serve(app)
```

Sending a request with a Host header with an empty value to it:

```
curl localhost:3000/ -H "Host: "
```

The results:

```
node:internal/url:775
    this.#updateContext(bindingUrl.parse(input, base));
                                   ^

TypeError: Invalid URL
    at new URL (node:internal/url:775:36)
    at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)
    at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)
    at Server.emit (node:events:514:28)
    at Server.emit (node:domain:488:12)
    at parserOnIncoming (node:_http_server:1143:12)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {
  code: 'ERR_INVALID_URL',
  input: 'http:///'
}
```

### Patches

The version `1.10.1` includes the fix for this issue. But you should
use `1.11.0`, which has other fixes related to this issue.
[https://github.com/honojs/node-server/issues/160](https://togithub.com/honojs/node-server/issues/160)
[https://github.com/honojs/node-server/issues/161](https://togithub.com/honojs/node-server/issues/161)

### Workarounds

Nothing. Upgrade your `@hono/node-server`.

### References


[https://github.com/honojs/node-server/issues/159](https://togithub.com/honojs/node-server/issues/159)

---

### Release Notes

<details>
<summary>honojs/node-server (@hono/node-server)</summary>

### [`v1.10.1`](https://togithub.com/honojs/node-server/releases/tag/v1.10.1)

[Compare Source](https://togithub.com/honojs/node-server/compare/v1.10.0...v1.10.1)

#### What's Changed

- fix: catch ERR_INVALID_URL error in listener by [@usualoma](https://togithub.com/usualoma) in [https://github.com/honojs/node-server/pull/162](https://togithub.com/honojs/node-server/pull/162)

**Full Changelog**:
honojs/node-server@v1.10.0...v1.10.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone America/Chicago,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/autoblocksai/cli).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate[bot] authored Apr 19, 2024
1 parent 6977b97 commit aaa420f
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions package-lock.json
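The advisory above shows the failure mode but not the shape of the fix. The following is an added example (not code from `@hono/node-server` or from the PR) that reproduces the failing `new URL(...)` call from the stack trace in isolation and shows the kind of guard the changelog entry "catch ERR_INVALID_URL error in listener" describes: a malformed or missing Host header is turned into a 400 response instead of an uncaught `TypeError` that takes the whole process down. The helper names `buildRequestUrl`, `guardedRequestUrl`, `makeListener` and `startServer`, and the `handler(url)` callback, are assumptions of this example.

```javascript
'use strict';

// Builds the request URL the way the advisory's stack trace shows it being
// built: the Host header value is spliced verbatim into a URL string.
// With `Host: ` (empty) this becomes `new URL('http:///')`, which throws
// TypeError { code: 'ERR_INVALID_URL' }. Same for "/", "a b", etc.
function buildRequestUrl(hostHeader, path) {
  return new URL(`http://${hostHeader}${path}`);
}

// Guarded variant. A Host value the URL parser rejects is a client error,
// so it is reported as a 400 result rather than escaping the listener.
// A missing Host (undefined) is coerced to '' so it is rejected as well,
// instead of silently parsing as the hostname "undefined".
function guardedRequestUrl(hostHeader, path) {
  try {
    return { ok: true, url: buildRequestUrl(hostHeader ?? '', path) };
  } catch (err) {
    if (err instanceof TypeError && err.code === 'ERR_INVALID_URL') {
      return { ok: false, status: 400, reason: 'invalid Host header' };
    }
    throw err; // anything else is a genuine bug and should surface
  }
}

// Node request listener that applies the guard before any routing runs.
// `handler(url)` is a hypothetical app callback returning a body string.
function makeListener(handler) {
  return (req, res) => {
    const result = guardedRequestUrl(req.headers.host, req.url);
    if (!result.ok) {
      res.writeHead(result.status, { 'content-type': 'text/plain' });
      res.end(result.reason + '\n');
      return;
    }
    res.writeHead(200, { 'content-type': 'text/plain' });
    res.end(handler(result.url) + '\n');
  };
}

// Stand-alone demo server (dynamic import so this file loads under both
// CommonJS and ESM). Start it with `startServer(3000)` and then compare:
//   curl -i localhost:3000/ -H "Host: "   -> 400, the process stays up
//   curl -i localhost:3000/               -> 200 Hello from /
async function startServer(port = 3000) {
  const http = await import('node:http');
  return http.createServer(makeListener((url) => `Hello from ${url.pathname}`)).listen(port);
}
```

The point of keeping `buildRequestUrl` unchanged and wrapping it is that the WHATWG `URL` parser is already the authority on what a valid host is; the listener only has to make sure its rejection is converted into a response. Any other exception is deliberately rethrown so the guard does not mask unrelated bugs.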

