From df620e66185930650b4cf6e5fcb3971425557ddd Mon Sep 17 00:00:00 2001
From: Dan Draper
Date: Tue, 5 May 2026 18:57:33 +1000
Subject: [PATCH] chore(deps): bump hono to 4.12.14 + @hono/node-server to 1.19.13
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Patches 7 medium-severity advisories on hono / @hono/node-server, all consumed transitively here via @modelcontextprotocol/sdk@1.29.0: - GHSA-vrm6-9wfh-7r9p (#90, @hono/node-server) — middleware bypass via repeated slashes in serveStatic, patched in 1.19.13 - GHSA-8wjg-2qrw-6cf2 (#91) — same root cause in hono itself, patched in 4.12.12 - GHSA-2vgw-pq57-xx9c (#92) — path traversal in toSSG() - GHSA-87xc-2fmq-h3xv (#93) — missing cookie-name validation in setCookie() - GHSA-fvm4-fc8h-pcg5 (#94) — incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 - GHSA-cv2m-gx9q-9pf4 (#95) — non-breaking-space prefix bypass in getCookie() name handling - GHSA-458j-xx4x-4375 (#97) — improper JSX attribute name handling allowing HTML injection in hono/jsx SSR, patched in 4.12.14 4.12.14 covers all of them. Added overrides ">=4.12.14" / ">=1.19.13" to keep future resolves on the patched line. Surgical lockfile edit covers the package def + integrity for both, plus the snapshot key peer-hash references.
---
 package.json | 4 +++-
 pnpm-lock.yaml | 18 +++++++++---------
 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/package.json b/package.json
index 5bf16a9c..dce4da15 100644
--- a/package.json
+++ b/package.json
@@ -103,6 +103,8 @@
 "picomatch@^2": ">=2.3.2",
 "rollup@>=4.0.0 <4.59.0": ">=4.59.0",
 "drizzle-orm": ">=0.45.2",
- "postcss": ">=8.5.10"
+ "postcss": ">=8.5.10",
+ "hono": ">=4.12.14",
+ "@hono/node-server": ">=1.19.13"
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index dd03a7d4..1f4987a7 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
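Review bot: The two overrides added on the last `+` lines of the package.json hunk are unbounded (`"hono": ">=4.12.14"`, `"@hono/node-server": ">=1.19.13"`), so a future hono 5.x would satisfy them even though the `@hono/node-server` package entry patched in the same commit declares `peerDependencies: hono: ^4`, and the override applies to every dependent regardless of the range it declared. The surrounding context already uses selector ranges (`"rollup@>=4.0.0 <4.59.0": ">=4.59.0"`), so bounding the replacement to the current major would keep the advisory floor without risking a silent major jump: `"hono": ">=4.12.14 <5"` and `"@hono/node-server": ">=1.19.13 <2"`. Since the description says the lockfile was edited by hand, the two new `integrity` hashes are worth confirming with a frozen-lockfile install before merging rather than trusting the transcription. The enclosing overrides object starts before this hunk.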
@@ -1124,8 +1124,8 @@ packages:
     cpu: [x64]
     os: [win32]
 
-  '@hono/node-server@1.19.12':
-    resolution: {integrity: sha512-txsUW4SQ1iilgE0l9/e9VQWmELXifEFvmdA1j6WFh/aFPj99hIntrSsq/if0UWyGVkmrRPKA1wCeP+UCr1B9Uw==}
+  '@hono/node-server@1.19.13':
+    resolution: {integrity: sha512-TsQLe4i2gvoTtrHje625ngThGBySOgSK3Xo2XRYOdqGN1teR8+I7vchQC46uLJi8OF62YTYA3AhSpumtkhsaKQ==}
     engines: {node: '>=18.14.1'}
     peerDependencies:
       hono: ^4
@@ -2189,8 +2189,8 @@ packages:
     resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
     engines: {node: '>= 0.4'}
 
-  hono@4.12.9:
-    resolution: {integrity: sha512-wy3T8Zm2bsEvxKZM5w21VdHDDcwVS1yUFFY6i8UobSsKfFceT7TOwhbhfKsDyx7tYQlmRM5FLpIuYvNFyjctiA==}
+  hono@4.12.14:
+    resolution: {integrity: sha512-am5zfg3yu6sqn5yjKBNqhnTX7Cv+m00ox+7jbaKkrLMRJ4rAdldd1xPd/JzbBWspqaQv6RSTrgFN95EsfhC+7w==}
     engines: {node: '>=16.9.0'}
 
   http-errors@2.0.1:
@@ -3832,9 +3832,9 @@ snapshots:
   '@esbuild/win32-x64@0.25.12':
     optional: true
 
-  '@hono/node-server@1.19.12(hono@4.12.9)':
+  '@hono/node-server@1.19.13(hono@4.12.14)':
     dependencies:
-      hono: 4.12.9
+      hono: 4.12.14
 
   '@img/colour@1.0.0':
     optional: true
@@ -3980,7 +3980,7 @@ snapshots:
 
   '@modelcontextprotocol/sdk@1.29.0(zod@4.3.6)':
     dependencies:
-      '@hono/node-server': 1.19.12(hono@4.12.9)
+      '@hono/node-server': 1.19.13(hono@4.12.14)
       ajv: 8.18.0
       ajv-formats: 3.0.1(ajv@8.18.0)
       content-type: 1.0.5
@@ -3990,7 +3990,7 @@ snapshots:
       eventsource-parser: 3.0.6
       express: 5.2.1
       express-rate-limit: 8.3.2(express@5.2.1)
-      hono: 4.12.9
+      hono: 4.12.14
       jose: 6.2.2
       json-schema-typed: 8.0.2
       pkce-challenge: 5.0.1
@@ -4771,7 +4771,7 @@ snapshots:
     dependencies:
       function-bind: 1.1.2
 
-  hono@4.12.9: {}
+  hono@4.12.14: {}
 
   http-errors@2.0.1:
     dependencies: