chore(deps): update dependency @hono/node-server to v1.19.13 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@hono/node-server	1.13.8 → 1.19.13

GitHub Vulnerability Alerts

CVE-2026-29087

Summary

When using @​hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization.

In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served.

Details

The routing layer and the node-server static handler normalize request paths differently. The router preserves %2F as a literal string when matching routes, while the static handler decodes %2F into / before resolving the filesystem path.

Example request:

• /admin%2Fsecret.html

This may:

• fail to match middleware intended for /admin/*, but
• still be resolved by the static handler as /admin/secret.html under the configured static root.

This does not allow access outside the configured static root and is not a path traversal vulnerability.

Impact

An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes.

Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.

CVE-2026-39406

Summary

A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.

When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.

Details

The routing layer and serveStatic handle repeated slashes differently.

For example:

• /admin/secret.txt => matches /admin/*
• //admin/secret.txt => may not match /admin/*

This inconsistency allows a request such as:

GET //admin/secret.txt

to bypass middleware registered on /admin/* and access protected files.

Impact

An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.

This can lead to unauthorized access to sensitive files under the static root.

This issue affects applications that rely on serveStatic together with route-based middleware for access control.

---

Release Notes

honojs/node-server (@​hono/node-server)

v1.19.13

Compare Source

v1.19.12

Compare Source

What's Changed

• chore: ignore claude setting by @​yusukebe in #​314
• fix: request draining for early 413 responses by @​usualoma in #​329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

Compare Source

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in #​309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Compare Source

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

Compare Source

What's Changed

• fix(globals): Stop overwriting global.fetch by @​usualoma in #​295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

Compare Source

What's Changed

• docs: add guide for listening to UNIX domain socket by @​TransparentLC in #​292
• fix(serve-static): Use Readable.toWeb in serveStatic by @​otya128 in #​293

New Contributors

• @​TransparentLC made their first contribution in #​292
• @​otya128 made their first contribution in #​293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

Compare Source

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in #​290
• chore: add configVersion to bun.lock by @​yusukebe in #​291

New Contributors

• @​tshmieldev made their first contribution in #​290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

v1.19.6

Compare Source

v1.19.5

Compare Source

What's Changed

• fix: cancel a readable stream if a writable stream is closed before a readable stream is closed. by @​usualoma in #​280

Full Changelog: honojs/node-server@v1.19.4...v1.19.5

v1.19.4

Compare Source

What's Changed

• fix(serve-static): Add error handling in createStreamBody by @​thongdoan in #​278

New Contributors

• @​thongdoan made their first contribution in #​278

Full Changelog: honojs/node-server@v1.19.3...v1.19.4

v1.19.3

Compare Source

What's Changed

• fix: Refactor promise check for response handling by @​kay-is in #​277

New Contributors

• @​kay-is made their first contribution in #​277

Full Changelog: honojs/node-server@v1.19.2...v1.19.3

v1.19.2

Compare Source

What's Changed

• fix: better handle range parse to avoid NaN error by @​zwpaper in #​276

New Contributors

• @​zwpaper made their first contribution in #​276

Full Changelog: honojs/node-server@v1.19.1...v1.19.2

v1.19.1

Compare Source

What's Changed

• fix: Keep lightweight request even if accessing method, url or headers by @​usualoma in #​274
• chore: add packageManager field in package.json by @​yusukebe in #​275

Full Changelog: honojs/node-server@v1.19.0...v1.19.1

v1.19.0

Compare Source

What's Changed

• feat: add log when directory does not exists by @​Its-Just-Nans in #​273

New Contributors

• @​Its-Just-Nans made their first contribution in #​273

Full Changelog: honojs/node-server@v1.18.2...v1.19.0

v1.18.2

Compare Source

What's Changed

• fix: Skip content-length assignment when transfer-encoding is chunked. by @​usualoma in #​271

Full Changelog: honojs/node-server@v1.18.1...v1.18.2

v1.18.1

Compare Source

What's Changed

• fix(listener): Limit retries to a maximum of three. by @​usualoma in #​267

Full Changelog: honojs/node-server@v1.18.0...v1.18.1

v1.18.0

Compare Source

What's Changed

• feat: always respond res.body by @​usualoma in #​262
• ci: add Node.js v24 for CI by @​yusukebe in #​263
• fix(listener): In Node.js v24, some response bodies are not read to the end until the next task queue. by @​usualoma in #​265

Full Changelog: honojs/node-server@v1.17.1...v1.18.0

v1.17.1

Compare Source

What's Changed

• fix: handle client disconnection without canceling stream by @​yusukebe in #​258
• fix: improve serve-static function by @​usualoma in #​261

Full Changelog: honojs/node-server@v1.17.0...v1.17.1

v1.17.0

Compare Source

What's Changed

• docs: separate description of autoCleanupIncoming by @​usualoma in #​255
• chore: rename server_socket.test.ts to server-socket.test.ts by @​yusukebe in #​256
• feat(serve-static): support absolute path by @​yusukebe in #​257

Full Changelog: honojs/node-server@v1.16.0...v1.17.0

v1.16.0

Compare Source

What's Changed

• feat: Clean up the incoming object if the request is not completely finished. by @​usualoma in #​252

Full Changelog: honojs/node-server@v1.15.0...v1.16.0

v1.15.0

Compare Source

What's Changed

• feat(serve-static): pass context to rewriteRequestPath by @​yusukebe in #​247

Full Changelog: honojs/node-server@v1.14.4...v1.15.0

v1.14.4

Compare Source

What's Changed

• fix: flush headers before sending data via readable stream by @​usualoma in #​245

Full Changelog: honojs/node-server@v1.14.3...v1.14.4

v1.14.3

Compare Source

What's Changed

• fix: set RequestError name properly by @​yusukebe in #​243

Full Changelog: honojs/node-server@v1.14.2...v1.14.3

v1.14.2

Compare Source

What's Changed

• perf: keep using the lightweight Response object when retrieving headers, status, and ok, and then drop the getInternalBody function. by @​usualoma in #​242

Full Changelog: honojs/node-server@v1.14.1...v1.14.2

v1.14.1

Compare Source

What's Changed

• fix: Handle Response Errors Correctly by @​jpulec in #​236

New Contributors

• @​jpulec made their first contribution in #​236

Full Changelog: honojs/node-server@v1.14.0...v1.14.1

v1.14.0

Compare Source

What's Changed

• chore: use Bun as a package manager by @​yusukebe in #​224
• fix: #​230 use node:fs specifier prefix vs. fs import by @​firxworx in #​231
• feat: accept absolute-form URI for request-target by @​usualoma in #​232
• fix: fix the return type of responseViaCache by @​yusukebe in #​234

New Contributors

• @​firxworx made their first contribution in #​231

Full Changelog: honojs/node-server@v1.13.8...v1.14.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name	Status	Preview	Last Commit
enclosed	✅ Ready (View Log)	Visit Preview	195b806
enclosed-docs	✅ Ready (View Log)	Visit Preview	195b806

[github-actions]

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name	Status	Preview	Last Commit
enclosed-docs	🔨 Building (View Log)		4bbfeff

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud