fix(jsx/dom): remove lookbehind assertion in event regexp #2524
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
usualoma
changed the title
|
Thanks! Merging now. |
nicolewhite
pushed a commit
to autoblocksai/cli
that referenced
this pull request
Apr 24, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [hono](https://hono.dev/) ([source](https://togithub.com/honojs/hono)) | [`4.1.4` -> `4.2.7`](https://renovatebot.com/diffs/npm/hono/4.1.4/4.2.7) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-32869](https://togithub.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347) ### Summary When using serveStatic with deno, it is possible to directory traverse where main.ts is located. My environment is configured as per this tutorial https://hono.dev/getting-started/deno ### PoC ```bash $ tree . ├── deno.json ├── deno.lock ├── main.ts ├── README.md └── static └── a.txt ``` source ```jsx import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts' import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts' const app = new Hono() app.use('/static/*', serveStatic({ root: './' })) Deno.serve(app.fetch) ``` request ```bash curl localhost:8000/static/%2e%2e/main.ts ``` response is content of main.ts ### Impact Unexpected files are retrieved. --- ### Release Notes <details> <summary>honojs/hono (hono)</summary> ### [`v4.2.7`](https://togithub.com/honojs/hono/releases/tag/v4.2.7) [Compare Source](https://togithub.com/honojs/hono/compare/v4.2.6...v4.2.7) This release fixes "[Restricted Directory Traversal in serveStatic with deno](https://togithub.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347)". **Full Changelog**: honojs/hono@v4.2.6...v4.2.7 ### [`v4.2.6`](https://togithub.com/honojs/hono/releases/tag/v4.2.6) [Compare Source](https://togithub.com/honojs/hono/compare/v4.2.5...v4.2.6) #### What's Changed - refactor(adapter/aws): Optimize multiple call of same conditions with polymorphism by [@​exoego](https://togithub.com/exoego) in [honojs/hono#2521 - fix(sse): close sse stream on end by [@​domeccleston](https://togithub.com/domeccleston) in [honojs/hono#2529 - fix(client): Don't show `$ws` when not used WebSockets by [@​nakasyou](https://togithub.com/nakasyou) in [honojs/hono#2532 - refactor(ssg): update utils.ts by [@​eltociear](https://togithub.com/eltociear) in [honojs/hono#2519 #### New Contributors - [@​domeccleston](https://togithub.com/domeccleston) made their first contribution in [honojs/hono#2529 - [@​eltociear](https://togithub.com/eltociear) made their first contribution in [honojs/hono#2519 **Full Changelog**: honojs/hono@v4.2.5...v4.2.6 ### [`v4.2.5`](https://togithub.com/honojs/hono/releases/tag/v4.2.5) [Compare Source](https://togithub.com/honojs/hono/compare/v4.2.4...v4.2.5) #### What's Changed - fix(client): Allow calling toString and valueOf on the proxy object by [@​ibash](https://togithub.com/ibash) in [honojs/hono#2510 - fix(adapter): handle multi value headers in AWS Lambda by [@​exoego](https://togithub.com/exoego) in [honojs/hono#2494 - fix(client): shuold not remove tailing slash from top-level URL by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2523 - fix(jsx/dom): remove lookbehind assertion in event regexp by [@​usualoma](https://togithub.com/usualoma) in [honojs/hono#2524 #### New Contributors - [@​ibash](https://togithub.com/ibash) made their first contribution in [honojs/hono#2510 **Full Changelog**: honojs/hono@v4.2.4...v4.2.5 ### [`v4.2.4`](https://togithub.com/honojs/hono/releases/tag/v4.2.4) [Compare Source](https://togithub.com/honojs/hono/compare/v4.2.3...v4.2.4) ##### What's Changed - fix(jwt): Make JWT Header `typ` Field Optional to Enhance Compatibility by [@​naporin0624](https://togithub.com/naporin0624) in [honojs/hono#2488 - fix(testing): set `baseUrl` for `testClient` by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2496 - fix(validator): Default use to `OutputTypeExcludeResponseType` when `InputType` is unknown by [@​nagasawaryoya](https://togithub.com/nagasawaryoya) in [honojs/hono#2500 - refactor(trie-router): parentPatterns is updated but never queried by [@​exoego](https://togithub.com/exoego) in [honojs/hono#2503 - refactor: Remove redundant initializer by [@​exoego](https://togithub.com/exoego) in [honojs/hono#2502 - refactor(cloudflare-workers): Suppress eslint noise by [@​exoego](https://togithub.com/exoego) in [honojs/hono#2504 - fix(jsx): Add catch to async function's promise by [@​mwilkins91](https://togithub.com/mwilkins91) in [honojs/hono#2471 ##### New Contributors - [@​nagasawaryoya](https://togithub.com/nagasawaryoya) made their first contribution in [honojs/hono#2500 - [@​exoego](https://togithub.com/exoego) made their first contribution in [honojs/hono#2503 - [@​mwilkins91](https://togithub.com/mwilkins91) made their first contribution in [honojs/hono#2471 **Full Changelog**: honojs/hono@v4.2.3...v4.2.4 ### [`v4.2.3`](https://togithub.com/honojs/hono/releases/tag/v4.2.3) [Compare Source](https://togithub.com/honojs/hono/compare/v4.2.2...v4.2.3) #### What's Changed - fix(ssg): use response header to mark as disabled routes for SSG by [@​usualoma](https://togithub.com/usualoma) in [honojs/hono#2477 - fix(trailing-slash): export types in `package.json` correctly by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2483 - fix(client): fix websocket client protocol by [@​naporin0624](https://togithub.com/naporin0624) in [honojs/hono#2479 **Full Changelog**: honojs/hono@v4.2.2...v4.2.3 ### [`v4.2.2`](https://togithub.com/honojs/hono/releases/tag/v4.2.2) [Compare Source](https://togithub.com/honojs/hono/compare/v4.2.1...v4.2.2) #### What's Changed - feat(jsx-renderer): pass the context as 2nd arg by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2459 - feat(client): accept a function that provides dynamic headers to hc by [@​niko-gardenanet](https://togithub.com/niko-gardenanet) in [honojs/hono#2461 - fix(client): infer `null` correctly by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2469 #### New Contributors - [@​niko-gardenanet](https://togithub.com/niko-gardenanet) made their first contribution in [honojs/hono#2461 **Full Changelog**: honojs/hono@v4.2.1...v4.2.2 ### [`v4.2.1`](https://togithub.com/honojs/hono/releases/tag/v4.2.1) [Compare Source](https://togithub.com/honojs/hono/compare/v4.2.0...v4.2.1) #### What's Changed - fix(jws): Only import necessary helper (not all helpers) by [@​nicksrandall](https://togithub.com/nicksrandall) in [honojs/hono#2458 #### New Contributors - [@​nicksrandall](https://togithub.com/nicksrandall) made their first contribution in [honojs/hono#2458 **Full Changelog**: honojs/hono@v4.2.0...v4.2.1 ### [`v4.2.0`](https://togithub.com/honojs/hono/releases/tag/v4.2.0) [Compare Source](https://togithub.com/honojs/hono/compare/v4.1.7...v4.2.0) Hono v4.2.0 is now available! Let's take a look at the new features. #### Added more algorithms for JWT The number of algorithms that JWT util can handle has increased from only 3 to 13! This means that JWT util now implements many of the algorithms supported by JWT. - HS256 - HS384 - HS512 - RS256 - RS384 - RS512 - PS256 - PS384 - PS512 - ES256 - ES384 - ES512 - EdDSA You can use these algorithms from the JWT middleware or JWT helpers. Thanks [@​Code-Hex](https://togithub.com/Code-Hex)! #### Method Override Middleware [Method Override Middleware](https://hono.dev/middleware/builtin/method-override) has been added. This middleware override the method of the real request with the specified method. HTML `form` does not allow you to send a DELETE method request. Instead, by sending an input with `name` as `_method` and a value of `DELETE`, you can call the handler registered in `app.delete()`. ```ts const app = new Hono() // If no options are specified, the value of `_method` in the form, // e.g. DELETE, is used as the method. app.use('/posts', methodOverride({ app })) app.delete('/posts', (c) => { // .... }) ``` #### Trailing Slash Middleware [Trailing Slash Middleware](https://hono.dev/middleware/builtin/trailing-slash) resolves the handling of Trailing Slashes in GET requests. You can use `appendTrailingSlash` and `trimTrailingSlash` functions. For example, it redirects a GET request to `/about/me` to `/about/me/`. ```ts import { Hono } from 'hono' import { appendTrailingSlash } from 'hono/trailing-slash' const app = new Hono({ strict: true }) app.use(appendTrailingSlash()) app.get('/about/me/', (c) => c.text('With Trailing Slash')) ``` Thanks [@​rnmeow](https://togithub.com/rnmeow)! #### Other features - SSG Helper - Support `extensionMap` [honojs/hono#2382 - JSX/DOM - Add `userId` hook [honojs/hono#2389 - JWT Middleware - Improve error handling [honojs/hono#2406 - Request - Cache the body for re-using [honojs/hono#2416 - JWT Util - Add type helper to `payload` [honojs/hono#2424 - CORS Middleware - Pass context to `options.origin` function [honojs/hono#2436 - Cache Middleware - Support for the `vary` header option [honojs/hono#2426 - HTTP Exception - Add `cause` option [honojs/hono#2224 - Logger - Support `NO_COLOR` [honojs/hono#2228 - JWT Middleware - Add `JwtTokenInvalid` object as `cause` when JWT is invalid [honojs/hono#2448 - Bearer Auth Middleware - Add `verifyToken` option [honojs/hono#2449 - Basic Auth Middleware - Add `verifyUser` option [honojs/hono#2450 #### All Updates - feat(jwt): supported RS256, RS384, RS512 algorithm for JWT by [@​Code-Hex](https://togithub.com/Code-Hex) in [honojs/hono#2339 - added remain algorithm for JWT by [@​Code-Hex](https://togithub.com/Code-Hex) in [honojs/hono#2352 - acceptable CryptoKey in JWT sign and verify by [@​Code-Hex](https://togithub.com/Code-Hex) in [honojs/hono#2373 - feat(ssg): Support `extentionMap` by [@​watany-dev](https://togithub.com/watany-dev) in [honojs/hono#2382 - feat(jwt): support remaining algorithms by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2368 - feat(jsx): add useId hook by [@​usualoma](https://togithub.com/usualoma) in [honojs/hono#2389 - feat(middleware/jwt): improve error handling by [@​tfkhdyt](https://togithub.com/tfkhdyt) in [honojs/hono#2406 - feat(request): cache body for reusing by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2416 - feat(jwt): Add type helper to `payload` by [@​nakasyou](https://togithub.com/nakasyou) in [honojs/hono#2424 - feat: introduce Method Override Middleware by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2420 - feat(middleware/cors): pass context to options.origin function by [@​okmr-d](https://togithub.com/okmr-d) in [honojs/hono#2436 - feat: support for `vary` header in cache middleware by [@​naporin0624](https://togithub.com/naporin0624) in [honojs/hono#2426 - feat: add middlewares resolve trailing slashes on GET request by [@​rnmeow](https://togithub.com/rnmeow) in [honojs/hono#2408 - test: stub `crypto` if not exist by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2445 - feat(jwt): literal typed `alg` option value by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2446 - test(ssg): add test for content-type includes `;` by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2447 - feat(jwt): add `JwtTokenInvalid` object as `cause` when JWT is invalid by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2448 - feat(bearer-auth): add `verifyToken` option by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2449 - feat(basic-auth): add `verifyUser` option by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2450 - Next by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2454 #### New Contributors - [@​tfkhdyt](https://togithub.com/tfkhdyt) made their first contribution in [honojs/hono#2406 - [@​okmr-d](https://togithub.com/okmr-d) made their first contribution in [honojs/hono#2436 - [@​naporin0624](https://togithub.com/naporin0624) made their first contribution in [honojs/hono#2426 - [@​rnmeow](https://togithub.com/rnmeow) made their first contribution in [honojs/hono#2408 **Full Changelog**: honojs/hono@v4.1.7...v4.2.0 ### [`v4.1.7`](https://togithub.com/honojs/hono/releases/tag/v4.1.7) [Compare Source](https://togithub.com/honojs/hono/compare/v4.1.6...v4.1.7) #### What's Changed - fix(cache): check `globalThis.caches` by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2444 **Full Changelog**: honojs/hono@v4.1.6...v4.1.7 ### [`v4.1.6`](https://togithub.com/honojs/hono/releases/tag/v4.1.6) [Compare Source](https://togithub.com/honojs/hono/compare/v4.1.5...v4.1.6) #### What's Changed - chore(benchmark): add "loop" script by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2431 - fix(cache): not enabled if `caches` is not defined by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2443 **Full Changelog**: honojs/hono@v4.1.5...v4.1.6 ### [`v4.1.5`](https://togithub.com/honojs/hono/releases/tag/v4.1.5) [Compare Source](https://togithub.com/honojs/hono/compare/v4.1.4...v4.1.5) #### What's Changed - perf: Don't use `Arrap.prototype.map` if it is not needed return value by [@​nakasyou](https://togithub.com/nakasyou) in [honojs/hono#2419 - fix(aws-lambda): handle response without body ([#​2401](https://togithub.com/honojs/hono/issues/2401)) by [@​KnisterPeter](https://togithub.com/KnisterPeter) in [honojs/hono#2413 - fix(validator): `await` cached contents by [@​yusukebe](https://togithub.com/yusukebe) in [honojs/hono#2430 #### New Contributors - [@​KnisterPeter](https://togithub.com/KnisterPeter) made their first contribution in [honojs/hono#2413 **Full Changelog**: honojs/hono@v4.1.4...v4.1.5 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone America/Chicago, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/autoblocksai/cli). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMTMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjMxMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #2517
Author should do the followings, if applicable
yarn denoifyto generate files for Deno