chore(deps): update dependency @hono/node-server to v1.19.10 [security] - autoclosed by renovate[bot] · Pull Request #873 · graasp/graasp-library

renovate · 2026-03-04T23:03:53Z

This PR contains the following updates:

Package	Change	Age	Confidence
@hono/node-server	`1.19.2` → `1.19.10`

GitHub Vulnerability Alerts

CVE-2026-29087

Summary

When using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization.

In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served.

Details

The routing layer and the node-server static handler normalize request paths differently. The router preserves %2F as a literal string when matching routes, while the static handler decodes %2F into / before resolving the filesystem path.

Example request:

/admin%2Fsecret.html

This may:

fail to match middleware intended for /admin/*, but
still be resolved by the static handler as /admin/secret.html under the configured static root.

This does not allow access outside the configured static root and is not a path traversal vulnerability.

Impact

An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes.

Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.

Release Notes

honojs/node-server (@hono/node-server)

`v1.19.10`

Compare Source

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

`v1.19.9`

Compare Source

What's Changed

fix(globals): Stop overwriting global.fetch by @usualoma in #295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

`v1.19.8`

Compare Source

What's Changed

docs: add guide for listening to UNIX domain socket by @TransparentLC in #292
fix(serve-static): Use Readable.toWeb in serveStatic by @otya128 in #293

New Contributors

@TransparentLC made their first contribution in #292
@otya128 made their first contribution in #293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

`v1.19.7`

Compare Source

What's Changed

fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @tshmieldev in #290
chore: add configVersion to bun.lock by @yusukebe in #291

New Contributors

@tshmieldev made their first contribution in #290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

`v1.19.6`

Compare Source

`v1.19.5`

Compare Source

What's Changed

fix: cancel a readable stream if a writable stream is closed before a readable stream is closed. by @usualoma in #280

Full Changelog: honojs/node-server@v1.19.4...v1.19.5

`v1.19.4`

Compare Source

What's Changed

fix(serve-static): Add error handling in createStreamBody by @thongdoan in #278

New Contributors

@thongdoan made their first contribution in #278

Full Changelog: honojs/node-server@v1.19.3...v1.19.4

`v1.19.3`

Compare Source

What's Changed

fix: Refactor promise check for response handling by @kay-is in #277

New Contributors

@kay-is made their first contribution in #277

Full Changelog: honojs/node-server@v1.19.2...v1.19.3

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonarqubecloud · 2026-03-04T23:04:35Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

chore(deps): update dependency @hono/node-server to v1.19.10 [security]

5174aba

renovate bot added the dependencies Pull requests that update a dependency file label Mar 4, 2026

renovate bot changed the title ~~chore(deps): update dependency @hono/node-server to v1.19.10 [security]~~ chore(deps): update dependency @hono/node-server to v1.19.10 [security] - autoclosed Mar 27, 2026

renovate bot closed this Mar 27, 2026

renovate bot deleted the renovate/npm-hono-node-server-vulnerability branch March 27, 2026 02:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency @hono/node-server to v1.19.10 [security] - autoclosed#873

chore(deps): update dependency @hono/node-server to v1.19.10 [security] - autoclosed#873
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-hono-node-server-vulnerability

renovate bot commented Mar 4, 2026 •

edited

Loading

Uh oh!

sonarqubecloud bot commented Mar 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Summary

Details

Impact

Release Notes

Security Fix

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

Configuration

Uh oh!

sonarqubecloud bot commented Mar 4, 2026

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Mar 4, 2026 •

edited

Loading