chore(deps): update dependency @hono/node-server to v1.19.10 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@hono/node-server	1.19.6 → 1.19.10

GitHub Vulnerability Alerts

CVE-2026-29087

Summary

When using @​hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization.

In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served.

Details

The routing layer and the node-server static handler normalize request paths differently. The router preserves %2F as a literal string when matching routes, while the static handler decodes %2F into / before resolving the filesystem path.

Example request:

• /admin%2Fsecret.html

This may:

• fail to match middleware intended for /admin/*, but
• still be resolved by the static handler as /admin/secret.html under the configured static root.

This does not allow access outside the configured static root and is not a path traversal vulnerability.

Impact

An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes.

Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.

---

Release Notes

honojs/node-server (@​hono/node-server)

v1.19.10

Compare Source

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

Compare Source

What's Changed

• fix(globals): Stop overwriting global.fetch by @​usualoma in #​295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

Compare Source

What's Changed

• docs: add guide for listening to UNIX domain socket by @​TransparentLC in #​292
• fix(serve-static): Use Readable.toWeb in serveStatic by @​otya128 in #​293

New Contributors

• @​TransparentLC made their first contribution in #​292
• @​otya128 made their first contribution in #​293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

Compare Source

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in #​290
• chore: add configVersion to bun.lock by @​yusukebe in #​291

New Contributors

• @​tshmieldev made their first contribution in #​290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.