
chore(deps): bump hono to 4.12.14 + @hono/node-server to 1.19.13#416

Merged
coderdan merged 1 commit into main from dan/bump-hono-4.12.14 on May 6, 2026

Conversation


@coderdan coderdan commented May 5, 2026

Summary

Closes 7 medium-severity Dependabot alerts on the hono ecosystem in one PR. All consumed transitively here via `@modelcontextprotocol/sdk@1.29.0`.

| Alert | GHSA | Pkg | Patched | Issue |
|---|---|---|---|---|
| #90 | GHSA-vrm6-9wfh-7r9p | @hono/node-server | 1.19.13 | middleware bypass via repeated slashes in serveStatic |
| #91 | GHSA-8wjg-2qrw-6cf2 | hono | 4.12.12 | same root cause |
| #92 | GHSA-2vgw-pq57-xx9c | hono | 4.12.12 | path traversal in `toSSG()` |
| #93 | GHSA-87xc-2fmq-h3xv | hono | 4.12.12 | missing cookie-name validation in `setCookie()` |
| #94 | GHSA-fvm4-fc8h-pcg5 | hono | 4.12.12 | incorrect IP matching in `ipRestriction()` for IPv4-mapped IPv6 |
| #95 | GHSA-cv2m-gx9q-9pf4 | hono | 4.12.12 | non-breaking-space prefix bypass in `getCookie()` |
| #97 | GHSA-458j-xx4x-4375 | hono | 4.12.14 | improper JSX attr handling, HTML injection in `hono/jsx` SSR |

`hono@4.12.14` covers all (highest patched version mentioned). `@modelcontextprotocol/sdk@1.29.0`'s declared ranges (`hono: ^4.11.4`, `@hono/node-server: ^1.19.9`) accept the new versions.

Changes

  • Overrides added: `"hono": ">=4.12.14"` and `"@hono/node-server": ">=1.19.13"` so future resolves stay on the patched line.
  • Surgical `pnpm-lock.yaml` edit (no `pnpm install` regen, same reason as the lodash/next PRs):
    • `hono@4.12.9` → `hono@4.12.14` (def + integrity from `npm view`, all snapshot keys + dep refs).
    • `@hono/node-server@1.19.12` → `1.19.13` (def + integrity, snapshot key + dep refs).
    • Snapshot peer-hash refs like `@hono/node-server@1.19.12(hono@4.12.9)` updated to new versions.

Test plan

@coderdan coderdan requested a review from a team as a code owner May 5, 2026 08:57

changeset-bot Bot commented May 5, 2026

⚠️ No Changeset found

Latest commit: df620e6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets



coderabbitai Bot commented May 5, 2026

Warning

Rate limit exceeded

@coderdan has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 59 minutes and 1 second before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2bc90650-9b97-46a5-8476-113d462c049d

📥 Commits

Reviewing files that changed from the base of the PR and between c630548 and df620e6.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

Patches 7 medium-severity advisories on hono / @hono/node-server,
all consumed transitively here via @modelcontextprotocol/sdk@1.29.0:

- GHSA-vrm6-9wfh-7r9p (#90, @hono/node-server) — middleware bypass via
  repeated slashes in serveStatic, patched in 1.19.13
- GHSA-8wjg-2qrw-6cf2 (#91) — same root cause in hono itself,
  patched in 4.12.12
- GHSA-2vgw-pq57-xx9c (#92) — path traversal in toSSG()
- GHSA-87xc-2fmq-h3xv (#93) — missing cookie-name validation in
  setCookie()
- GHSA-fvm4-fc8h-pcg5 (#94) — incorrect IP matching in
  ipRestriction() for IPv4-mapped IPv6
- GHSA-cv2m-gx9q-9pf4 (#95) — non-breaking-space prefix bypass in
  getCookie() name handling
- GHSA-458j-xx4x-4375 (#97) — improper JSX attribute name handling
  allowing HTML injection in hono/jsx SSR, patched in 4.12.14

4.12.14 covers all of them. Added overrides ">=4.12.14" / ">=1.19.13"
to keep future resolves on the patched line. Surgical lockfile edit
covers the package def + integrity for both, plus the snapshot key
peer-hash references.
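Neither the PR description's Changes list nor the commit message above shows how to confirm that a surgical lockfile edit caught every reference to the bumped packages. The following is an added example (not code from this PR, from hono, or from pnpm): it scans a pnpm-lock.yaml excerpt for every place the two overridden packages are referenced (package definition keys, peer-hash snapshot keys, and dependency lines) and flags any reference that does not satisfy the `>=` override from package.json. The lockfile text, its placeholder integrity hashes, and the deliberately stale `hono@4.12.9` peer-hash key are constructed for the example.

```javascript
// Added example, not code from the PR, hono, or pnpm. After a hand-edited
// lockfile bump, check that every reference to an overridden package in
// pnpm-lock.yaml (package def, peer-hash snapshot key, dependency line)
// resolves to a version satisfying the ">=x.y.z" override, so a stale
// reference cannot keep a vulnerable copy around unnoticed.

// Overrides as added in the PR's package.json.
const OVERRIDES = {
  hono: ">=4.12.14",
  "@hono/node-server": ">=1.19.13",
};

// Constructed pnpm-lock.yaml excerpt (integrity hashes are placeholders).
// The peer-hash snapshot key is deliberately left on hono@4.12.9 to show
// the kind of leftover reference a surgical edit can miss.
const LOCKFILE = `
packages:

  '@hono/node-server@1.19.13':
    resolution: {integrity: sha512-PLACEHOLDER}
    peerDependencies:
      hono: ^4

  hono@4.12.14:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:

  '@hono/node-server@1.19.13(hono@4.12.9)':
    dependencies:
      hono: 4.12.14

  '@modelcontextprotocol/sdk@1.29.0':
    dependencies:
      '@hono/node-server': 1.19.13(hono@4.12.14)
      hono: 4.12.14
`;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not an x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare, so 4.2.0 < 4.12.0 (a plain string compare gets this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Supports the two override shapes used for pinning: ">=x.y.z" and exact "x.y.z".
function satisfiesOverride(version, spec) {
  const m = /^(>=)?(\d+\.\d+\.\d+)$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported override spec: ${spec}`);
  const cmp = compareVersions(version, m[2]);
  return m[1] ? cmp >= 0 : cmp === 0;
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Map of version -> lockfile line numbers where `name` resolves to it.
// Matches `name@ver` in package keys and peer-hash suffixes, and `name: ver`
// dependency lines. A peerDependencies range such as `hono: ^4` is not a
// resolved version and is ignored.
function collectVersions(lockText, name) {
  const n = escapeRe(name);
  const keyRe = new RegExp(`(?:^|[^A-Za-z0-9@/._-])${n}@(\\d+\\.\\d+\\.\\d+)`, "g");
  const depRe = new RegExp(`^\\s*'?${n}'?:\\s*(\\d+\\.\\d+\\.\\d+)`);
  const found = new Map();
  lockText.split("\n").forEach((line, idx) => {
    const hits = [...line.matchAll(keyRe)].map((m) => m[1]);
    const dep = depRe.exec(line);
    if (dep) hits.push(dep[1]);
    for (const v of hits) {
      if (!found.has(v)) found.set(v, []);
      found.get(v).push(idx + 1);
    }
  });
  return found;
}

// One entry per (package, version) reference that violates its override.
function checkOverrides(overrides, lockText) {
  const violations = [];
  for (const [name, spec] of Object.entries(overrides)) {
    for (const [version, lines] of collectVersions(lockText, name)) {
      if (!satisfiesOverride(version, spec)) violations.push({ name, version, spec, lines });
    }
  }
  return violations;
}

for (const v of checkOverrides(OVERRIDES, LOCKFILE)) {
  console.log(`${v.name}@${v.version} at lockfile line(s) ${v.lines.join(", ")} violates ${v.spec}`);
}
```

Run against the constructed excerpt, the check reports the stale `hono@4.12.9` inside the `@hono/node-server` snapshot key and nothing else; once that key is rewritten to `hono@4.12.14` it reports no violations. Reading the real lockfile instead of the embedded string (for example with `fs.readFileSync("pnpm-lock.yaml", "utf8")`) turns this into a cheap CI gate that runs whenever an override is present.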
@coderdan coderdan force-pushed the dan/bump-hono-4.12.14 branch from d7111f4 to df620e6 May 6, 2026 01:15
@coderdan coderdan merged commit 720cde4 into main May 6, 2026
7 checks passed
@coderdan coderdan deleted the dan/bump-hono-4.12.14 branch May 6, 2026 01:19