Security Update
This release includes a security patch that fixes a vulnerability in TrieRouter.
If you are using the default preset or hono/quick, or specifying the router as TrieRouter, you must upgrade to version 3.11.7 immediately.
How to upgrade
For Deno
Just increment the version specifier to v3.11.7.
import { Hono } from 'https://deno.land/x/hono@v3.11.7/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v3.11.7/middleware.ts'
For Node.js
Upgrade the hono package via npm:
npm install hono
// OR
yarn add hono
// OR
pnpm up hono
npm update may not update the hono package, so please use npm install.
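To confirm the upgrade took effect on both paths above, the following added example (not part of the Hono project) reports every resolved hono version below the patched release, reading a package-lock.json for Node.js and pinned deno.land import URLs for Deno. It assumes any version below 3.11.7 needs the upgrade, since this page names only the fixed version; the function names and sample inputs are constructed for illustration.

```javascript
// Added example: flags hono versions below the patched release named on this page.
const PATCHED = [3, 11, 7];

// Parse "3.11.6" or "v3.11.6" into [3, 11, 6]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function isBelowPatched(v) {
  const p = parseVersion(v);
  if (!p) return true; // unparseable version: flag it for manual review
  for (let i = 0; i < 3; i++) {
    if (p[i] !== PATCHED[i]) return p[i] < PATCHED[i];
  }
  return false;
}

// Node.js: resolved hono versions from package-lock.json text (v1, v2 and v3 layouts).
function honoVersionsFromLock(lockText) {
  const lock = JSON.parse(lockText);
  const found = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/hono$/.test(path) && pkg.version) found.push(pkg.version);
  }
  if (found.length === 0 && lock.dependencies && lock.dependencies.hono) {
    found.push(lock.dependencies.hono.version);
  }
  return found;
}

// Deno: versions pinned in deno.land/x/hono@vX.Y.Z import URLs.
function honoVersionsFromSource(src) {
  return [...src.matchAll(/deno\.land\/x\/hono@(v?[\w.-]+)\//g)].map((m) => m[1]);
}

// Returns the list of versions that still need upgrading (empty when clean).
function audit({ lockText = null, sources = [] }) {
  const versions = [
    ...(lockText ? honoVersionsFromLock(lockText) : []),
    ...sources.flatMap(honoVersionsFromSource),
  ];
  return versions.filter(isBelowPatched);
}

// Constructed sample input, not taken from a real project.
const sampleLock = JSON.stringify({
  lockfileVersion: 3,
  packages: { "": { name: "api" }, "node_modules/hono": { version: "3.11.6" } },
});
const sampleDeno = "import { Hono } from 'https://deno.land/x/hono@v3.11.7/mod.ts'";
console.log(audit({ lockText: sampleLock, sources: [sampleDeno] })); // [ '3.11.6' ]
```

Nested copies pulled in by other dependencies are matched too, because any lockfile path ending in node_modules/hono is checked.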
The vulnerability detail
Clients may override named path parameter values from previous requests if the application is using TrieRouter. As a result, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.
TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.
The advisory: GHSA-f6gv-hh8j-q8vq
Our Approach to Security
If you discover such a vulnerability, please contact us immediately. We will respond immediately; we have enabled GitHub's private vulnerability reporting feature, so please use that.
https://github.com/honojs/hono/security/advisories
Thanks.
Full Changelog: v3.11.6...v3.11.7