fix(deps): bump hono + @hono/node-server to patch 7 medium CVEs #8
Merged
Resolves 7 open Dependabot alerts (all medium severity) in the hono ecosystem by bumping hono ^4.12.9 -> ^4.12.14 and @hono/node-server ^1.19.12 -> ^1.19.13 (resolved 4.12.15 / 1.19.14).

- #58 hono <4.12.14: HTML injection via JSX attribute names in hono/jsx SSR
- #57 hono <4.12.12: NBSP prefix bypass in getCookie()
- #56 hono <4.12.12: missing cookie name validation in setCookie()
- #55 hono <4.12.12: incorrect IP matching in ipRestriction() for IPv4-mapped IPv6
- #54 hono <4.12.12: serveStatic middleware bypass via repeated slashes
- #53 hono <=4.12.11: path traversal in toSSG()
- #52 @hono/node-server <1.19.13: serveStatic middleware bypass via repeated slashes

Build, lint, and tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Bumps `hono` (^4.12.9 → ^4.12.14) and `@hono/node-server` (^1.19.12 → ^1.19.13) to clear all 7 open Dependabot alerts (all medium severity, all in the hono ecosystem). Resolved versions: hono 4.12.15, @hono/node-server 1.19.14.

- #58 hono <4.12.14: HTML injection via JSX attribute names in hono/jsx SSR
- #57 hono <4.12.12: NBSP prefix bypass in `getCookie()`
- #56 hono <4.12.12: missing cookie name validation in `setCookie()`
- #55 hono <4.12.12: incorrect IP matching in `ipRestriction()` for IPv4-mapped IPv6
- #54 hono <4.12.12: `serveStatic` middleware bypass via repeated slashes
- #53 hono <=4.12.11: path traversal in `toSSG()`
- #52 @hono/node-server <1.19.13: `serveStatic` middleware bypass via repeated slashes

No major-version bumps; no API surface changes for the MCP server.
Test plan
- `npm install` clean
- `npm run build`
- `npm test`
- `npm run lint`
- Should return `[]`.

🤖 Generated with Claude Code
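A lockfile gate for the thresholds this PR cites, added here as an example and not part of the PR or of the hono project: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2/3 shape), collects every resolved copy of `hono` and `@hono/node-server` (including nested duplicates, which a top-level bump can leave behind), and reports any copy below the fixed versions 4.12.14 / 1.19.13. The two lockfiles in the block are constructed samples; the assumed real-world use is to read `./package-lock.json` from disk and fail CI when the returned list is non-empty.

```javascript
// Added example (not the PR's code): check resolved lockfile versions against
// the minimum patched versions named in the PR description.
const MIN_FIXED = {
  // Highest fixed-version threshold per package across alerts #52-#58.
  hono: '4.12.14',
  '@hono/node-server': '1.19.13',
};

// Parse "major.minor.patch", tolerating a leading "v" and ignoring any
// prerelease/build suffix (a prerelease of 4.12.14 is treated as 4.12.14 here;
// tighten this if prereleases are allowed in your lockfile).
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric three-part comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Map package name -> every resolved version found in the lockfile.
// Keys look like "node_modules/hono", "node_modules/@hono/node-server", or
// nested "node_modules/<dep>/node_modules/hono"; the regex takes the last
// segment after the final "node_modules/", scoped names included.
function resolvedVersions(lock) {
  const found = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const m = path.match(/(?:^|\/)node_modules\/((?:@[^/]+\/)?[^/]+)$/);
    if (!m || !entry || !entry.version) continue;
    (found[m[1]] = found[m[1]] || []).push(entry.version);
  }
  return found;
}

// Returns a list of failure strings; an empty list means every resolved copy
// of each watched package meets its minimum fixed version.
function checkLock(lock, minimums = MIN_FIXED) {
  const found = resolvedVersions(lock);
  const failures = [];
  for (const [name, min] of Object.entries(minimums)) {
    const versions = found[name] || [];
    if (versions.length === 0) {
      failures.push(`${name}: not in lockfile`);
      continue;
    }
    for (const v of versions) {
      if (compareVersions(v, min) < 0) failures.push(`${name}@${v} < ${min}`);
    }
  }
  return failures;
}

// Constructed sample: the state this PR produces (4.12.15 / 1.19.14).
const patchedLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-mcp-server', version: '0.0.0' },
    'node_modules/hono': { version: '4.12.15' },
    'node_modules/@hono/node-server': { version: '1.19.14' },
  },
};

// Constructed sample: top-level hono is patched, but a nested duplicate pulled
// in by a hypothetical plugin is still 4.12.9, and node-server was not bumped.
const staleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-mcp-server', version: '0.0.0' },
    'node_modules/hono': { version: '4.12.15' },
    'node_modules/some-plugin/node_modules/hono': { version: '4.12.9' },
    'node_modules/@hono/node-server': { version: '1.19.12' },
  },
};

console.log('patched lock:', checkLock(patchedLock));
console.log('stale lock:', checkLock(staleLock));
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and exit non-zero when `checkLock` returns anything; the nested-duplicate case is the one worth keeping, since `npm install` after a `package.json` bump can satisfy the top-level range while an older copy survives under another dependency.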
Note: Low Risk
Low risk patch-level dependency updates; primary impact is runtime behavior changes in the HTTP server framework, but no application code is modified.
Overview
Updates dependencies to newer patch releases: `hono` (^4.12.9 → ^4.12.14, resolved to 4.12.15) and `@hono/node-server` (^1.19.12 → ^1.19.13, resolved to 1.19.14). No source changes; only `package.json` and `package-lock.json` are updated to pull in the patched versions (intended to clear Hono ecosystem CVEs).

Reviewed by Cursor Bugbot for commit 2b10ddf.