Version of hono included via downstream dependency opencontrol has multiple vulnerabilities

[gadamson-upco]

Note: This duplicates anomalyco/opencontrol#48, posting here as it impacts all recent sst versions? Delete whichever one isn't needed.

The version of hono included as a dependency in opencontrol has two open vulnerabilities, one medium severity and one high:

• Hono has Body Limit Middleware Bypass - GHSA-92vj-g62v-jqhh
• Hono Improper Authorization vulnerability - GHSA-m732-5p4w-x69g

Because SST also includes opencontrol, it seems like this impacts all recent versions of SST.

sst@3.17.19
  └─┬ opencontrol@0.0.6
    └── hono@4.7.4

[smith558]

This should be fixed asap. It's now 2 moderate and 1 high severity security vulnerabilities:

• Hono has Body Limit Middleware Bypass - GHSA-92vj-g62v-jqhh
• Hono Improper Authorization vulnerability - GHSA-m732-5p4w-x69g
• Hono vulnerable to Vary Header Injection leading to potential CORS Bypass - GHSA-q7jf-gf43-6x6p

[smith558]

@jayair security issue

[matthew-heath]

Another high vuln issue to add to this hono one - anomalyco/opencontrol#51.

Could be fixed as part of anomalyco/opencontrol#49 if anyone is able to review/assist with versioning back to the main sst library through opencontrol.

[dottodot]

This is still coming up as a security issue in 3.17.25

[vimtor]

i left a reviewing in the underlying issue in the opencontrol codebase

if anyone helps me test it i will move the sst part faster