fix(deps): update dependency @hono/node-server to v1.19.10 [security]#1974

Open

renovate[bot] wants to merge 1 commit intomainfrom

renovate/npm-hono-node-server-vulnerability

Contributor

renovate bot commented Mar 23, 2026

This PR contains the following updates:

Package	Change	Age	Confidence
@hono/node-server	`1.14.2` → `1.19.10`

GitHub Vulnerability Alerts

CVE-2026-29087

Summary

When using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization.

In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served.

Details

The routing layer and the node-server static handler normalize request paths differently. The router preserves %2F as a literal string when matching routes, while the static handler decodes %2F into / before resolving the filesystem path.

Example request:

/admin%2Fsecret.html

This may:

fail to match middleware intended for /admin/*, but
still be resolved by the static handler as /admin/secret.html under the configured static root.

This does not allow access outside the configured static root and is not a path traversal vulnerability.

Impact

An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes.

Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.

Release Notes

honojs/node-server (@hono/node-server)

`v1.19.10`

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

`v1.19.9`

What's Changed

fix(globals): Stop overwriting global.fetch by @usualoma in #295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

`v1.19.8`

What's Changed

docs: add guide for listening to UNIX domain socket by @TransparentLC in #292
fix(serve-static): Use Readable.toWeb in serveStatic by @otya128 in #293

New Contributors

@TransparentLC made their first contribution in #292
@otya128 made their first contribution in #293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

`v1.19.7`

What's Changed

fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @tshmieldev in #290
chore: add configVersion to bun.lock by @yusukebe in #291

New Contributors

@tshmieldev made their first contribution in #290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

`v1.19.6`

`v1.19.5`

What's Changed

fix: cancel a readable stream if a writable stream is closed before a readable stream is closed. by @usualoma in #280

Full Changelog: honojs/node-server@v1.19.4...v1.19.5

`v1.19.4`

What's Changed

fix(serve-static): Add error handling in createStreamBody by @thongdoan in #278

New Contributors

@thongdoan made their first contribution in #278

Full Changelog: honojs/node-server@v1.19.3...v1.19.4

`v1.19.3`

What's Changed

fix: Refactor promise check for response handling by @kay-is in #277

New Contributors

@kay-is made their first contribution in #277

Full Changelog: honojs/node-server@v1.19.2...v1.19.3

`v1.19.2`

What's Changed

fix: better handle range parse to avoid NaN error by @zwpaper in #276

New Contributors

@zwpaper made their first contribution in #276

Full Changelog: honojs/node-server@v1.19.1...v1.19.2

`v1.19.1`

What's Changed

fix: Keep lightweight request even if accessing method, url or headers by @usualoma in #274
chore: add packageManager field in package.json by @yusukebe in #275

Full Changelog: honojs/node-server@v1.19.0...v1.19.1

`v1.19.0`

What's Changed

feat: add log when directory does not exists by @Its-Just-Nans in #273

New Contributors

@Its-Just-Nans made their first contribution in #273

Full Changelog: honojs/node-server@v1.18.2...v1.19.0

`v1.18.2`

What's Changed

fix: Skip content-length assignment when transfer-encoding is chunked. by @usualoma in #271

Full Changelog: honojs/node-server@v1.18.1...v1.18.2

`v1.18.1`

What's Changed

fix(listener): Limit retries to a maximum of three. by @usualoma in #267

Full Changelog: honojs/node-server@v1.18.0...v1.18.1

`v1.18.0`

What's Changed

feat: always respond res.body by @usualoma in #262
ci: add Node.js v24 for CI by @yusukebe in #263
fix(listener): In Node.js v24, some response bodies are not read to the end until the next task queue. by @usualoma in #265

Full Changelog: honojs/node-server@v1.17.1...v1.18.0

`v1.17.1`

What's Changed

fix: handle client disconnection without canceling stream by @yusukebe in #258
fix: improve serve-static function by @usualoma in #261

Full Changelog: honojs/node-server@v1.17.0...v1.17.1

`v1.17.0`

What's Changed

docs: separate description of autoCleanupIncoming by @usualoma in #255
chore: rename server_socket.test.ts to server-socket.test.ts by @yusukebe in #256
feat(serve-static): support absolute path by @yusukebe in #257

Full Changelog: honojs/node-server@v1.16.0...v1.17.0

`v1.16.0`

What's Changed

feat: Clean up the incoming object if the request is not completely finished. by @usualoma in #252

Full Changelog: honojs/node-server@v1.15.0...v1.16.0

`v1.15.0`

What's Changed

feat(serve-static): pass context to rewriteRequestPath by @yusukebe in #247

Full Changelog: honojs/node-server@v1.14.4...v1.15.0

`v1.14.4`

What's Changed

fix: flush headers before sending data via readable stream by @usualoma in #245

Full Changelog: honojs/node-server@v1.14.3...v1.14.4

`v1.14.3`

What's Changed

fix: set RequestError name properly by @yusukebe in #243

Full Changelog: honojs/node-server@v1.14.2...v1.14.3

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot requested review from SevInf and jkomyno

March 23, 2026 13:01

renovate bot changed the title ~~fix(deps): update dependency @hono/node-server to v1.19.10 [security]~~ fix(deps): update dependency @hono/node-server to v1.19.10 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-hono-node-server-vulnerability branch

March 27, 2026 00:49

renovate bot changed the title ~~fix(deps): update dependency @hono/node-server to v1.19.10 [security] - autoclosed~~ fix(deps): update dependency @hono/node-server to v1.19.10 [security]

renovate bot reopened this

renovate bot force-pushed the renovate/npm-hono-node-server-vulnerability branch 2 times, most recently from 77e0543 to 5b42358 Compare

March 29, 2026 05:42


          fix(deps): update dependency @hono/node-server to v1.19.10 [security]

9221fd7

renovate bot force-pushed the renovate/npm-hono-node-server-vulnerability branch from 5b42358 to 9221fd7 Compare

April 1, 2026 16:42

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet