Security fix for CSRF Protection Middleware
This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this hono package immediately.
Before this release, a request without a Content-Type header can bypass the protection. This fix does not allow it. See: GHSA-2234-fmw7-43wr
What's Changed
- perf(types): replace intersection with union to get better perf by @m-shaka in #3443
- ci: use Deno
v2by @yusukebe in #3506 - ci: use Deno v2 for a test running for deno by @nakasyou in #3509
- fix(types): rm ExcludeEmptyObject to fix massively increased type instantiations by @m-shaka in #3507
- fix(cors): avoid setting
Access-Control-Allow-Originif there is no matching origin by @uki00a in #3510 - feat(powered-by): optional server name by @PatrickJS in #3492
- fix(factory): revert PR #3498 by @yusukebe in #3515
- fix(build): remove private fields by @nakasyou in #3514
New Contributors
- @uki00a made their first contribution in #3510
- @PatrickJS made their first contribution in #3492
Full Changelog: v4.6.4...v4.6.5