-
-
Notifications
You must be signed in to change notification settings - Fork 615
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
perf(jsx/dom): improve performance #3288
Conversation
…ct.defineProperties` is too slow
…er how many times it is called.
… children" is not used
@yusukebe Would you please review? |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3288 +/- ##
==========================================
+ Coverage 96.24% 96.31% +0.07%
==========================================
Files 151 151
Lines 15293 15368 +75
Branches 2662 2700 +38
==========================================
+ Hits 14718 14801 +83
+ Misses 575 567 -8 ☔ View full report in Codecov by Sentry. |
Minor refactorings and tests are added. |
Thanks. I'll review this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Looks good to me!
Yes. You are right. In my environment, the scores were Preact, hono/jsx, and React in order of speed, but similar to yours. This score is reasonable. For example, optimizing the building step to minify build code size efficiently may be possible, but we don't have to do it since it would only be a small improvement. Anyway, thank you for the awesome improvement! |
You're welcome! It's nice to see that the benchmark effort resulted in these improvements. I'll update the benchmark based on the new version. |
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [hono](https://hono.dev/) ([source](https://github.com/honojs/hono)) | [`4.5.5` -> `4.5.8`](https://renovatebot.com/diffs/npm/hono/4.5.5/4.5.8) | [![age](https://developer.mend.io/api/mc/badges/age/npm/hono/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/hono/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/hono/4.5.5/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/hono/4.5.5/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-43787](https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5) ### Summary Hono CSRF middleware can be bypassed using crafted Content-Type header. ### Details MIME types are case insensitive, but `isRequestedByFormElementRe` only matches lower-case. https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17 As a result, attacker can bypass csrf middleware using upper-case form-like MIME type, such as "Application/x-www-form-urlencoded". ### PoC ```html <html> <head> <title>CSRF Test</title> <script defer> document.addEventListener("DOMContentLoaded", () => { document.getElementById("btn").addEventListener("click", async () => { const res = await fetch("http://victim.example.com/test", { method: "POST", credentials: "include", headers: { "Content-Type": "Application/x-www-form-urlencoded", }, }); }); }); </script> </head> <body> <h1>CSRF Test</h1> <button id="btn">Click me!</button> </body> </html> ``` ### Impact Bypass csrf protection implemented with hono csrf middleware. ### Discussion I'm not sure that omitting csrf checks for Simple POST request is a good idea. CSRF prevention and CORS are different concepts even though CORS can prevent CSRF in some cases. --- ### Release Notes <details> <summary>honojs/hono (hono)</summary> ### [`v4.5.8`](https://github.com/honojs/hono/releases/tag/v4.5.8) [Compare Source](https://github.com/honojs/hono/compare/v4.5.7...v4.5.8) ##### Security Fix for CSRF Protection Middleware Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including `Content-Types` with uppercase letters (e.g., `Application/x-www-form-urlencoded`) as potential attacks, allowing them to pass. This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately. For more details, see the report here: GHSA-rpfr-3m35-5vx5 ### [`v4.5.7`](https://github.com/honojs/hono/releases/tag/v4.5.7) [Compare Source](https://github.com/honojs/hono/compare/v4.5.6...v4.5.7) #### What's Changed - fix(jsx/dom): Fixed a bug that caused Script elements to turn into Style elements. by [@​usualoma](https://github.com/usualoma) in [https://github.com/honojs/hono/pull/3294](https://github.com/honojs/hono/pull/3294) - perf(jsx/dom): improve performance by [@​usualoma](https://github.com/usualoma) in [https://github.com/honojs/hono/pull/3288](https://github.com/honojs/hono/pull/3288) - feat(jsx): improve a-tag types with well known values by [@​ssssota](https://github.com/ssssota) in [https://github.com/honojs/hono/pull/3287](https://github.com/honojs/hono/pull/3287) - fix(validator): Fixed a bug in hono/validator where URL Encoded Data could not be validated if the Content-Type included charset. by [@​uttk](https://github.com/uttk) in [https://github.com/honojs/hono/pull/3297](https://github.com/honojs/hono/pull/3297) - feat(jsx): improve `target` and `formtarget` attribute types by [@​ssssota](https://github.com/ssssota) in [https://github.com/honojs/hono/pull/3299](https://github.com/honojs/hono/pull/3299) - docs(README): change Twitter to X by [@​nakasyou](https://github.com/nakasyou) in [https://github.com/honojs/hono/pull/3301](https://github.com/honojs/hono/pull/3301) - fix(client): replace optional params to url correctly by [@​yusukebe](https://github.com/yusukebe) in [https://github.com/honojs/hono/pull/3304](https://github.com/honojs/hono/pull/3304) - feat(jsx): improve input attribute types based on react by [@​ssssota](https://github.com/ssssota) in [https://github.com/honojs/hono/pull/3302](https://github.com/honojs/hono/pull/3302) #### New Contributors - [@​uttk](https://github.com/uttk) made their first contribution in [https://github.com/honojs/hono/pull/3297](https://github.com/honojs/hono/pull/3297) **Full Changelog**: honojs/hono@v4.5.6...v4.5.7 ### [`v4.5.6`](https://github.com/honojs/hono/releases/tag/v4.5.6) [Compare Source](https://github.com/honojs/hono/compare/v4.5.5...v4.5.6) #### What's Changed - fix(jsx): handle async component error explicitly and throw the error in the response by [@​usualoma](https://github.com/usualoma) in [https://github.com/honojs/hono/pull/3274](https://github.com/honojs/hono/pull/3274) - fix(validator): support multipart headers without a separating space by [@​Ernxst](https://github.com/Ernxst) in [https://github.com/honojs/hono/pull/3286](https://github.com/honojs/hono/pull/3286) - fix(validator): Allow form data will mutliple values appended by [@​nicksrandall](https://github.com/nicksrandall) in [https://github.com/honojs/hono/pull/3273](https://github.com/honojs/hono/pull/3273) - feat(jsx): improve meta-tag types with well known values by [@​ssssota](https://github.com/ssssota) in [https://github.com/honojs/hono/pull/3276](https://github.com/honojs/hono/pull/3276) #### New Contributors - [@​Ernxst](https://github.com/Ernxst) made their first contribution in [https://github.com/honojs/hono/pull/3286](https://github.com/honojs/hono/pull/3286) - [@​ssssota](https://github.com/ssssota) made their first contribution in [https://github.com/honojs/hono/pull/3276](https://github.com/honojs/hono/pull/3276) **Full Changelog**: honojs/hono@v4.5.5...v4.5.6 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone America/Chicago, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/autoblocksai/cli). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4yNi4xIiwidXBkYXRlZEluVmVyIjoiMzguMjYuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
#3264
Key changes
use for-loop instead of recursion for
findInsertBefore
0dadfbcAs @ryuapp pointed out in #3203, the implementation with recursive calls did not perform well and sometimes resulted in errors when there were a large number of elements, so it was modified so that recursive calls were not made.
assign type and ref to node object directly.
Object.defineProperties
is too slow 7fd73efreactElement.type
reactElement.ref
https://github.com/honojs/hono/compare/main...usualoma:hono:perf/jsx-dom?expand=1#diff-c9b14c1b74662b399c25e6dc0c870408c466e1c96e39a1d429903b2a3d0db51fL11-L20
The code to make the following properties referential is for React compatibility, but the implementation using
Object.defineProperties
was very expensive. This change is not pretty, but it is an acceptable redundancy when considered as a trade-off for improved performance.Reduce recalculation and reapplication when properties are unchanged
In some cases, DOM attributes were being reassigned even when there were no changes to the properties, so reassignment is no longer performed when it is unnecessary.
benchmark
Based on this branch (thank you very much @aminya!),
https://github.com/aminya/js-framework-benchmark/tree/hono
The following changes were added and benchmarked in my environment.
Performance for creation or update is roughly equivalent to React, with smaller file sizes and memory usage, which is an expected result since "hono/jsx" aims for "an implementation with a React-compatible API that is small enough to be practical with a small amount of code".
The author should do the following, if applicable
bun run format:fix && bun run lint:fix
to format the code