Skip to content

v3.11.7
Compare
Choose a tag to compare
@yusukebe yusukebe released this 14 Dec 01:32
· 564 commits to main since this release
v3.11.7
8edb160

Security Update

This release includes a security patch that fixes the vulnerability in TrieRouter.

If you are using the default preset or hono/quick, or specifying the router as TrieRouter, you must upgrade to this version 3.11.7 immediately.

How to upgrade

For Deno

Just increment the version specifier to v3.11.7.

import { Hono } from 'https://deno.land/x/hono@v3.11.7/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v3.11.7/middleware.ts'

For Node.js

Upgrade the hono package via npm:

npm install hono

// OR

yarn add hono

// OR

pnpm up hono

You may not update the hono package with npm update, so please use npm install.

The vulnerability detail

The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.

TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.

The advisory: GHSA-f6gv-hh8j-q8vq

Our Approach to Security

If you discover such a vulnerability, please contact us immediately. We will respond immediately; we have enabled GitHub's private vulnerability reporting feature, so please use that.

https://github.com/honojs/hono/security/advisories

Thanks.

Full Changelog: v3.11.6...v3.11.7

Assets 2
Loading