fix(deps): update dependency @hono/node-server to v1.19.13 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@hono/node-server	1.19.9 → 1.19.13

GitHub Vulnerability Alerts

CVE-2026-29087

Summary

When using @​hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization.

In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served.

Details

The routing layer and the node-server static handler normalize request paths differently. The router preserves %2F as a literal string when matching routes, while the static handler decodes %2F into / before resolving the filesystem path.

Example request:

• /admin%2Fsecret.html

This may:

• fail to match middleware intended for /admin/*, but
• still be resolved by the static handler as /admin/secret.html under the configured static root.

This does not allow access outside the configured static root and is not a path traversal vulnerability.

Impact

An unauthenticated attacker could bypass route-based authorization protections for protected static resources by supplying paths containing encoded slashes.

Applications relying solely on route-based middleware to protect static subpaths under the same static root may have exposed those resources.

CVE-2026-39406

Summary

A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.

When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.

Details

The routing layer and serveStatic handle repeated slashes differently.

For example:

• /admin/secret.txt => matches /admin/*
• //admin/secret.txt => may not match /admin/*

This inconsistency allows a request such as:

GET //admin/secret.txt

to bypass middleware registered on /admin/* and access protected files.

Impact

An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.

This can lead to unauthorized access to sensitive files under the static root.

This issue affects applications that rely on serveStatic together with route-based middleware for access control.

---

Release Notes

honojs/node-server (@​hono/node-server)

v1.19.13

Compare Source

v1.19.12

Compare Source

What's Changed

• chore: ignore claude setting by @​yusukebe in #​314
• fix: request draining for early 413 responses by @​usualoma in #​329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[ArjixWasTaken]

We don't serve static resources, so this is not a fix.