security(deps): bump hono to 4.12.14 and vite override to ^7.3.2 #392

Merged
ndycode merged 1 commit into main from security/deps-hono-vite-2026-04
Apr 16, 2026

Conversation

ndycode (Owner) commented Apr 16, 2026

Summary

Fixes the 9 open Dependabot alerts on package-lock.json:

Changes

  • package.json: bump dependencies.hono, overrides.hono, overrides.vite.
  • package-lock.json: regenerated via npm install --package-lock-only --ignore-scripts (minimal diff, only the two packages).

Validation

  • npm run typecheck — clean
  • npm run lint — clean
  • npm test — 225 files, 3418/3418 tests pass
  • No source or test changes required; both bumps are patch/minor within existing SemVer ranges.

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

patches 9 dependabot alerts by pinning hono to 4.12.14 (6 CVEs: path traversal, cookie bypass, ipRestriction IPv4-mapped IPv6, JSX SSR injection) and raising the vite override to ^7.3.2 (3 dev-only CVEs). changes are minimal and correctly land in both dependencies and overrides for hono.

  • MIN_HONO_FLOOR in test/lockfile-version-floor.test.ts is still "4.12.2" — the regression guard passes for any version in 4.12.2–4.12.13, all of which carry the patched CVEs. it should be updated to "4.12.14".
  • no vitest floor coverage exists for the vite override, so a future regression below 7.3.2 would go undetected.

Confidence Score: 4/5

safe to merge after updating MIN_HONO_FLOOR in the floor test; vite gap is P2 but the core security bump is correct

one P1 finding: MIN_HONO_FLOOR is stale and would allow regressions to any CVE-affected version in 4.12.2–4.12.13 without failing the guard test; the fix is a one-liner. the vite floor gap is P2 and doesn't block merge.

test/lockfile-version-floor.test.ts — MIN_HONO_FLOOR needs updating to 4.12.14

Important Files Changed

| Filename | Overview |
| --- | --- |
| package.json | bumps hono dependency and override to 4.12.14, vite override to ^7.3.2; both the dependency pin and override are consistent |
| package-lock.json | lock file regenerated cleanly; hono resolves to 4.12.14 and vite to 7.3.2 with valid integrity hashes |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot alerts #12-#26] --> B{Package}
    B -->|prod dep| C[hono 4.12.10]
    B -->|dev transitive| D[vite <7.3.2]
    C --> E[hono 4.12.14 CVE fixes: path traversal, cookie bypass, ipRestriction, JSX SSR injection]
    D --> F[vite 7.3.2 CVE fixes: WebSocket file read, .map traversal, fs.deny bypass]
    E --> G[package.json dependencies + overrides updated]
    F --> H[package.json overrides.vite updated]
    G --> I[package-lock.json regenerated]
    H --> I
    I --> J{Regression guard}
    J -->|MIN_HONO_FLOOR=4.12.2| K[stale — allows 4.12.2–4.12.13]
    J -->|vite floor| L[no test exists]
```

Comments Outside Diff (1)

  1. test/lockfile-version-floor.test.ts, line 6 (link)

    P1 Stale hono security floor

    MIN_HONO_FLOOR is still "4.12.2" — the floor test will pass for any version in the range 4.12.2–4.12.13, all of which carry the CVEs this PR is patching (path traversal, cookie bypass, IPv6 ipRestriction, JSX SSR injection). a future accidental downgrade to e.g. 4.12.5 would not be caught.


    Suggested change:

    ```suggestion
    const MIN_HONO_FLOOR = "4.12.14";
    ```

  package.json, line 167

    No vitest floor guard for vite override

    there's a floor test for `hono` and `rollup`, but none for `overrides.vite`. the three vite CVEs (WebSocket arbitrary file read, `.map` path traversal, `server.fs.deny` query bypass) are dev-only, but a future regression of the vite override below `7.3.2` would go undetected. worth adding a `MIN_VITE_FLOOR` assertion in `test/lockfile-version-floor.test.ts` alongside the existing checks.

Reviews (1): Last reviewed commit: "security(deps): bump hono to 4.12.14 and..."
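A version-floor guard of the kind the review asks for, added here as an example and not the repository's own test/lockfile-version-floor.test.ts: it reads each guarded package's resolved version from a lockfile's `packages` map and reports anything below its floor, and it shows why the stale `"4.12.2"` floor lets a regression to 4.12.5 through. `MIN_VITE_FLOOR`, the helper names and the lockfile fragments are constructed for this example; in the project the same checks would sit inside vitest `expect` calls.

```typescript
// Added example, not the repository's own test: a lockfile version-floor guard
// that reads resolved versions from a v2/v3 package-lock.json "packages" map
// and reports any guarded package below its floor. Lockfile data is constructed.
type Lockfile = { packages: Record<string, { version?: string }> };

// Floors mirror the versions this PR pins; MIN_VITE_FLOOR is the hypothetical
// name the review suggests, not an identifier from the repository.
export const MIN_HONO_FLOOR = "4.12.14";
export const MIN_VITE_FLOOR = "7.3.2";
export const FLOORS: Record<string, string> = { hono: MIN_HONO_FLOOR, vite: MIN_VITE_FLOOR };

// Numeric dotted-version compare (-1, 0, 1); pre-release suffixes are ignored.
// A plain string compare would rank "4.12.14" below "4.12.2" and silently
// invert the guard, which is why each segment is compared as a number.
export function compareVersions(a: string, b: string): number {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Resolved version of a top-level package in the lockfile, or null if absent.
export function resolvedVersion(lock: Lockfile, name: string): string | null {
  return lock.packages[`node_modules/${name}`]?.version ?? null;
}

// One message per violated floor; an empty array means the guard passes.
export function checkFloors(lock: Lockfile, floors: Record<string, string>): string[] {
  const failures: string[] = [];
  for (const [name, floor] of Object.entries(floors)) {
    const v = resolvedVersion(lock, name);
    if (v === null) failures.push(`${name}: not present in lockfile`);
    else if (compareVersions(v, floor) < 0) failures.push(`${name}: ${v} is below floor ${floor}`);
  }
  return failures;
}

// Constructed lockfile fragments: the state after this PR, and a regression
// back to a hono release inside the affected 4.12.2-4.12.13 range.
export const patchedLock: Lockfile = {
  packages: { "node_modules/hono": { version: "4.12.14" }, "node_modules/vite": { version: "7.3.2" } },
};
export const regressedLock: Lockfile = {
  packages: { "node_modules/hono": { version: "4.12.5" }, "node_modules/vite": { version: "7.3.2" } },
};
```

Running `checkFloors(regressedLock, { hono: "4.12.2" })` returns no failures, which is exactly the gap the review describes; with `FLOORS` the same lockfile fails on hono.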

Resolves all open Dependabot alerts on package-lock.json:

- hono <4.12.14: JSX SSR HTML injection, cookie name bypass, IPv4-mapped IPv6 ipRestriction, setCookie validation, serveStatic repeated-slash bypass, toSSG path traversal (alerts #16, #18, #20, #22, #24, #26)

- vite <7.3.2: dev server WebSocket arbitrary file read, optimized deps .map path traversal, server.fs.deny query bypass (alerts #12, #13, #14)

Lockfile refreshed via npm install --package-lock-only. Typecheck, lint, and 3418/3418 tests pass.
@chatgpt-codex-connector

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

coderabbitai Bot (Contributor) commented Apr 16, 2026

Warning

Rate limit exceeded

@ndycode has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 56 minutes and 44 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 56 minutes and 44 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 03be321a-4809-495a-b223-0ef0d97ce50f

📥 Commits

Reviewing files that changed from the base of the PR and between e275984 and 61d5f15.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

@ndycode ndycode merged commit 1f6da97 into main Apr 16, 2026
1 of 2 checks passed
@ndycode ndycode deleted the security/deps-hono-vite-2026-04 branch April 16, 2026 23:54