deps(deps): bump the production-dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the production-dependencies group with 6 updates in the / directory:

Package	From	To
@hono/node-server	1.17.0	1.19.11
@hono/node-ws	1.2.0	1.3.0
@hono/oauth-providers	0.8.2	0.8.5
dotenv	17.2.0	17.3.1
hono-sessions	0.8.0	0.8.1
ws	8.18.3	8.19.0

Updates @hono/node-server from 1.17.0 to 1.19.11

Release notes

Sourced from @​hono/node-server's releases.

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

• fix(globals): Stop overwriting global.fetch by @​usualoma in honojs/node-server#295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

• docs: add guide for listening to UNIX domain socket by @​TransparentLC in honojs/node-server#292
• fix(serve-static): Use Readable.toWeb in serveStatic by @​otya128 in honojs/node-server#293

New Contributors

• @​TransparentLC made their first contribution in honojs/node-server#292
• @​otya128 made their first contribution in honojs/node-server#293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in honojs/node-server#290
• chore: add configVersion to bun.lock by @​yusukebe in honojs/node-server#291

New Contributors

• @​tshmieldev made their first contribution in honojs/node-server#290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

v1.19.6

What's Changed

• fix(serve-static): fix onFound timing by @​usualoma in honojs/node-server#286

Full Changelog: honojs/node-server@v1.19.5...v1.19.6

v1.19.5

... (truncated)

Commits

• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• 58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
• b1daa4c docs(readme): add @​usualoma as an author (#300)
• 26f5e89 1.19.9
• 2d729e7 fix(globals): Stop overwriting global.fetch (#295)
• 9b72ddf 1.19.8
• Additional commits viewable in compare view

Updates @hono/node-ws from 1.2.0 to 1.3.0

Release notes

Sourced from @​hono/node-ws's releases.

@​hono/node-ws@​1.3.0

Minor Changes

• #1583 56f2f5a6daba0f7526e7875a75c03c5a05195b5e Thanks @​krzysztofciombor-solidstudio! - Allow custom HTTPException in node-ws upgrade

Changelog

Sourced from @​hono/node-ws's changelog.

1.3.0

Minor Changes

• #1583 56f2f5a6daba0f7526e7875a75c03c5a05195b5e Thanks @​krzysztofciombor-solidstudio! - Allow custom HTTPException in node-ws upgrade

Commits

• 2c026b9 Version Packages (#1686)
• 56f2f5a feat(node-ws): allow custom http exception status code for node-ws (#1583)
• 1f8372e chore(typescript): add @tsconfig/strictest (#1679)
• 49db969 chore(eslint): update suppressions (#1678)
• 63d40ec chore(eslint): suppress existing violations (#1666)
• 8cf4327 chore: upgrade hono to 4.11.3 (#1668)
• 3773043 chore: upgrade vitest to v4 (#1651)
• 04875b3 chore(deps-dev): bump hono from 4.10.3 to 4.10.7 (#1594)
• 2444422 fix(publish): set access public with cli args (#1611)
• dc468a0 refactor: replace tsup with tsdown (#1528)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​hono/node-ws since your current version.

Updates @hono/oauth-providers from 0.8.2 to 0.8.5

Release notes

Sourced from @​hono/oauth-providers's releases.

@​hono/oauth-providers@​0.8.5

Patch Changes

• #1404 fce74aeda2958faa4d0ed17dfcfe7cbbb74287fa Thanks @​sushichan044! - fix: enable CSRF protection for MSEntra ID authentication

  Fixed a bug where the state parameter was not being passed to the MSEntra AuthFlow constructor. As a result, CSRF protection now properly works for MSEntra ID authentication, ensuring that authentication requests are protected against Cross-Site Request Forgery attacks.

@​hono/oauth-providers@​0.8.4

Patch Changes

• #1372 1980a66370d4afc8d552ac08bd25af0c87b49112 Thanks @​mrdear! - fixed github email request content-type

@​hono/oauth-providers@​0.8.3

Patch Changes

• #1364 ba19e66f6d086089e15b04bc866c7ebf9cd43409 Thanks @​rxliuli! - handle refersh_token on googleAuth

Changelog

Sourced from @​hono/oauth-providers's changelog.

0.8.5

Patch Changes

• #1404 fce74aeda2958faa4d0ed17dfcfe7cbbb74287fa Thanks @​sushichan044! - fix: enable CSRF protection for MSEntra ID authentication

  Fixed a bug where the state parameter was not being passed to the MSEntra AuthFlow constructor. As a result, CSRF protection now properly works for MSEntra ID authentication, ensuring that authentication requests are protected against Cross-Site Request Forgery attacks.

0.8.4

Patch Changes

• #1372 1980a66370d4afc8d552ac08bd25af0c87b49112 Thanks @​mrdear! - fixed github email request content-type

0.8.3

Patch Changes

• #1364 ba19e66f6d086089e15b04bc866c7ebf9cd43409 Thanks @​rxliuli! - handle refersh_token on googleAuth

Commits

• 81307aa Version Packages (#1407)
• fce74ae fix(oauth-providers): pass missing state param to MSEntra AuthFlow (#1404)
• a521233 chore(deps-dev): bump msw from 2.7.3 to 2.10.5 (#1402)
• b319d97 Version Packages (#1383)
• 1980a66 fix(oauth-providers): github oauth (#1372)
• d5edb90 Version Packages (#1369)
• ba19e66 fix(oauth-providers): Fix/1340 (#1364)
• 6e53f6e test: vitest include (#1297)
• 08981e9 Version Packages (#1286)
• a370c73 refactor(release): version jsr without sponge (#1284)
• Additional commits viewable in compare view

Updates dotenv from 17.2.0 to 17.3.1

Changelog

Sourced from dotenv's changelog.

17.3.1 (2026-02-12)

Changed

• Fix as2 example command in README and update spanish README

17.3.0 (2026-02-12)

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

17.2.4 (2026-02-05)

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

17.2.3 (2025-09-29)

Changed

• Fixed typescript error definition (#912)

17.2.2 (2025-09-02)

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (2025-07-24)

Changed

• Fix clickable tip links by removing parentheses (#897)

Commits

• 7bc16a4 17.3.1
• 27303fd update README-es
• 6379eb2 update README
• b6d7339 fix spelling
• 5febe35 17.3.0
• f61f383 changelog 🪵
• dec94ad update README
• 4856950 update README
• 6351887 update README
• 23bd017 update README
• Additional commits viewable in compare view

Updates hono-sessions from 0.8.0 to 0.8.1

Release notes

Sourced from hono-sessions's releases.

v0.8.1

What's Changed

• Fix type mismatch when Hono upgrades by configuring Hono as a peer dependency by @​fjorgemota in jcs224/hono_sessions#38
• Allow cookie prefixes

New Contributors

• @​fjorgemota made their first contribution in jcs224/hono_sessions#38

Full Changelog: jcs224/hono_sessions@v0.8.0...v0.8.1

Commits

• 9d0ab3a version 0.8.1
• 5d115cb Merge pull request #38 from fjorgemota/fix/type-mismatch
• 5535926 allow prefix in cookie to work, fixes #35
• c72aeda Remove section about TypeScript errors
• ff3a09d Register hono as a peer dependency in built NPM package
• 2480e7c Add constant DIST_DIR to determine where to save the package for NPM
• See full diff in compare view

Updates ws from 8.18.3 to 8.19.0

Release notes

Sourced from ws's releases.

8.19.0

Features

• Added the closeTimeout option (#2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (19984854).

Commits

• 61349ec [dist] 8.19.0
• 3f9ffc6 [feature] Introduce the closeTimeout option (#2308)
• 1998485 [fix] Ensure all remaining data is read as a single chunk
• 726c373 [doc] Sort options alphabetically
• b151f1e [ci] Update actions/checkout action to v6
• dabdd5b [ci] Update actions/setup-node action to v6
• 86eac5b [ci] Test on node 25
• 1891e14 [ci] Update actions/setup-node action to v5
• aa28c77 [ci] Update actions/checkout action to v5
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions