fix(deps): update dependency hono to v4.9.7 [security] #3880

Open
renovate[bot] wants to merge 1 commit from renovate/npm-hono-vulnerability into master
renovate[bot] commented 2025-09-13 04:05:28 +00:00 (Migrated from github.com)

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| hono (source) | 4.9.6 -> 4.9.7 | age badge | confidence badge |

GitHub Vulnerability Alerts

CVE-2025-59139

Summary

A flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present.

Details

The middleware previously prioritized the Content-Length header even when a Transfer-Encoding: chunked header was also included. According to the HTTP specification, Content-Length must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit.

Most standards-compliant runtimes and reverse proxies may reject such malformed requests with 400 Bad Request, so the practical impact depends on the runtime and deployment environment.

Impact

If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests.

Resolution

The implementation has been updated to align with the HTTP specification, ensuring that Transfer-Encoding takes precedence over Content-Length. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately.


Release Notes

honojs/hono (hono)

v4.9.7

Compare Source

Security

  • Fixed an issue in the bodyLimit middleware where the body size limit could be bypassed when both Content-Length and Transfer-Encoding headers were present. If you are using this middleware, please update immediately. Security Advisory

What's Changed

  • fix(client): Fix parseResponse not parsing json in react native by @lr0pb in #4399
  • chore: add .tool-versions file by @3w36zj6 in #4397
  • chore: update bun install commands to use --frozen-lockfile by @3w36zj6 in #4398
  • test(jwk): Add tests of JWK token verification by @buckett in #4402

New Contributors

  • @lr0pb made their first contribution in #4399
  • @buckett made their first contribution in #4402

Full Changelog: https://github.com/honojs/hono/compare/v4.9.6...v4.9.7


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
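The header-precedence rule the advisory describes, written out as an added example that is neither Hono's code nor the diff in this PR. It assumes lower-cased header names (as the Fetch Headers API exposes them) and models the request body as an array of byte chunks standing in for a stream; the pre-fix and fixed checks are shown side by side against one constructed request so the difference in outcome is visible.

```typescript
// Added example, not Hono's own code. Per RFC 9112, a Transfer-Encoding header
// means the message length is unknown up front and Content-Length must be
// ignored, so the body has to be measured as it streams.

type HeaderMap = Partial<Record<string, string>>;

// Size announced by Content-Length, or null when it must not be trusted.
function declaredLength(headers: HeaderMap): number | null {
  if ("transfer-encoding" in headers) return null; // TE wins over CL
  const cl = headers["content-length"];
  if (cl === undefined) return null;
  if (!/^\d+$/.test(cl)) throw new Error("invalid Content-Length");
  return Number(cl);
}

// Counts streamed bytes and stops as soon as the limit is exceeded, so an
// oversized body is never buffered in full.
function streamWithinLimit(chunks: Uint8Array[], maxBytes: number): boolean {
  let seen = 0;
  for (const chunk of chunks) {
    seen += chunk.byteLength;
    if (seen > maxBytes) return false;
  }
  return true;
}

// Pre-fix precedence as the advisory describes it: Content-Length is trusted
// whenever present, even when Transfer-Encoding is also set.
function legacyAccepts(headers: HeaderMap, chunks: Uint8Array[], maxBytes: number): boolean {
  const cl = headers["content-length"];
  if (cl !== undefined) return Number(cl) <= maxBytes;
  return streamWithinLimit(chunks, maxBytes);
}

// Fixed precedence: Content-Length is only consulted when no Transfer-Encoding
// is present, and the streamed bytes are always counted against the limit.
function fixedAccepts(headers: HeaderMap, chunks: Uint8Array[], maxBytes: number): boolean {
  const len = declaredLength(headers);
  if (len !== null && len > maxBytes) return false; // cheap early reject
  return streamWithinLimit(chunks, maxBytes);
}

// Constructed request: conflicting headers and a body far above a 1 KiB limit.
const CONFLICTING: HeaderMap = { "content-length": "10", "transfer-encoding": "chunked" };
const BIG_BODY: Uint8Array[] = [new Uint8Array(4096), new Uint8Array(4096)];
const LIMIT = 1024;
```

With the constructed request, legacyAccepts returns true (the 8 KiB body slips past a 1 KiB limit on the strength of a 10-byte Content-Length) while fixedAccepts returns false.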

Reference: YTMD/youtube-music#3880