Security fixes
This release includes fixes for the following security issues:
SSE Control Field Injection
Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr
Cookie Attribute Injection in setCookie()
Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w
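As an added illustration that is not Hono's own code, the two checks described above, written into simplified SSE and Set-Cookie serializers so the effect of each rejected character is visible (all type and function names here are hypothetical):

```typescript
// Added example, not Hono's own code: the input checks the SSE and cookie
// fixes above describe, on simplified serializers. All names are hypothetical.

const CRLF = /[\r\n]/;         // rejected in SSE event, id and retry
const COOKIE_ATTR = /[;\r\n]/; // rejected in cookie domain and path

interface SSEMessage {
  data: string;
  event?: string;
  id?: string;
  retry?: number | string; // string mirrors a value arriving from untrusted JSON
}

function rejectIf(pattern: RegExp, field: string, value: string): string {
  if (pattern.test(value)) throw new Error(`${field} contains a forbidden character`);
  return value;
}

// SSE writes each field as "<name>: <value>\n" and ends an event with a blank
// line, so a CR/LF inside event, id or retry would start an extra field.
// Only `data` may span lines; each of its lines gets its own "data:" prefix.
function formatSSE(msg: SSEMessage): string {
  const out: string[] = [];
  if (msg.event !== undefined) out.push(`event: ${rejectIf(CRLF, 'event', msg.event)}`);
  if (msg.id !== undefined) out.push(`id: ${rejectIf(CRLF, 'id', msg.id)}`);
  if (msg.retry !== undefined) out.push(`retry: ${rejectIf(CRLF, 'retry', String(msg.retry))}`);
  for (const line of msg.data.split(/\r\n|\r|\n/)) out.push(`data: ${line}`);
  return out.join('\n') + '\n\n';
}

// Set-Cookie separates attributes with ";" and CR/LF ends the header line, so
// either character inside Domain or Path would let a caller append attributes
// of its own. The cookie value is percent-encoded and needs no such check.
function serializeCookie(name: string, value: string, opts: { domain?: string; path?: string } = {}): string {
  let cookie = `${name}=${encodeURIComponent(value)}`;
  if (opts.path !== undefined) cookie += `; Path=${rejectIf(COOKIE_ATTR, 'path', opts.path)}`;
  if (opts.domain !== undefined) cookie += `; Domain=${rejectIf(COOKIE_ATTR, 'domain', opts.domain)}`;
  return cookie;
}
```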
Middleware Bypass in Serve Static
Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr
Users who use the Streaming Helper, the Cookie utility, or the Serve Static middleware are strongly encouraged to upgrade to this version.
Other changes
- fix(client): preserve route schema in ApplyGlobalResponse by @agumy in #4777
- fix(utils/url): specify the return type of tryDecodeURI by @yusukebe in #4779
New Contributors
Full Changelog: v4.12.3...v4.12.4