
fix(deps): bump hono to 4.12.23 (security) — release 6.3.1 #168

Merged: ndycode merged 1 commit into main from fix/hono-security-6.3.1 on Jun 6, 2026

Conversation

ndycode (Owner) commented Jun 6, 2026

Summary

Security patch release 6.3.1: bumps hono 4.12.18 → 4.12.23 to clear four moderate advisories.

hono is a transitive dependency of @openauthjs/openauth (peer ^4.0.0), pinned in this repo via overrides. Version 4.12.18 was affected by:

All fixed in 4.12.21; this bumps the direct pin + override to 4.12.23 (latest patch).

Impact

  • npm audit --omit=dev: 0 vulnerabilities (was 2 moderate).
  • No source change — hono is used only inside @openauthjs/openauth's OAuth flow, and 4.12.23 satisfies its ^4.0.0 peer range.
  • Verified the published 6.3.0 artifact installs/loads cleanly in a clean-room (npm install + ESM imports + bin + plugin init with 21 tools); this only swaps the dep version.

Version bump (6.3.0 → 6.3.1, patch)

package.json, .release-please-manifest.json, .codex-plugin/plugin.json in lockstep.

Verification

  • npm test: 96 files, 2487 passed, 1 skipped
  • npm run build / typecheck / lint: clean
  • npm run audit:ci: passes (prod 0 @ high)
  • npm publish --dry-run: oc-codex-multi-auth-6.3.1.tgz, 465 kB, 430 files

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Released patch version 6.3.1 with dependency updates

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

pure dependency security patch: bumps hono 4.12.18 → 4.12.23 and version-tags the package to 6.3.1. no source files touched.

  • hono is pinned both as a direct dependency and in overrides (for @openauthjs/openauth's transitive pull); both entries are updated in lockstep across package.json and package-lock.json, clearing four cves: JWT scheme bypass, Set-Cookie injection, IPv6 deny-rule bypass, and percent-encoded mount-prefix routing.
  • version 6.3.1 is propagated consistently to package.json, package-lock.json, .codex-plugin/plugin.json, and .release-please-manifest.json.

Confidence Score: 5/5

safe to merge — no source changes, only a targeted dependency version bump with consistent updates across all manifest files.

all four changed files touch only version strings and the hono dep entry. the dependencies pin and the overrides pin are kept in sync at 4.12.23, the lock file integrity hash is the correct sha512 format and resolves to the published tarball on npmjs.org, and the 6.3.1 version tag is consistent across every manifest. no logic, auth, token-handling, or filesystem paths are affected.

no files require special attention.

Important Files Changed

  • package.json: hono bumped 4.12.18→4.12.23 in both dependencies and overrides; version tag updated to 6.3.1. Changes are consistent and correct.
  • package-lock.json: lock file regenerated for hono 4.12.23; resolved URL and sha512 integrity hash updated, format is valid (88-char base64), no other dependency entries touched.
  • .codex-plugin/plugin.json: version field bumped 6.3.0→6.3.1 to match package.json; straightforward metadata sync.
  • .release-please-manifest.json: release-please manifest updated from 6.3.0 to 6.3.1; no issues.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["oc-codex-multi-auth\n(direct dep: hono 4.12.23)"] -->|OAuth flow| B["@openauthjs/openauth\npeer: hono ^4.0.0"]
    B -->|resolved via overrides| C["hono 4.12.23\n(was 4.12.18)"]

    C -->|fixes| D["GHSA-f577: JWT scheme bypass"]
    C -->|fixes| E["GHSA-3hrh: Set-Cookie injection"]
    C -->|fixes| F["GHSA-xrhx: IPv6 deny-rule bypass"]
    C -->|fixes| G["GHSA-2gcr: percent-encoded mount prefix"]

    style D fill:#d4edda,stroke:#28a745
    style E fill:#d4edda,stroke:#28a745
    style F fill:#d4edda,stroke:#28a745
    style G fill:#d4edda,stroke:#28a745

Reviews (1): last reviewed commit "fix(deps): bump hono 4.12.18 -> 4.12.23 ..."

hono is a transitive dependency of @openauthjs/openauth (peer ^4.0.0), pinned
via overrides. 4.12.18 was affected by four moderate advisories
(GHSA-f577-qrjj-4474, GHSA-3hrh-pfw6-9m5x, GHSA-xrhx-7g5j-rcj5,
GHSA-2gcr-mfcq-wcc3), all fixed in 4.12.21. Bumping the direct pin + override
to 4.12.23 (latest patch) clears them.

- `npm audit --omit=dev`: 0 vulnerabilities (was 2 moderate).
- No source change: hono is used only inside @openauthjs/openauth's OAuth flow,
  and 4.12.23 satisfies its `^4.0.0` peer range.

Release 6.3.1 (patch). Full suite 2487 pass; build/typecheck/lint clean; publish
dry-run verified.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@chatgpt-codex-connector commented:

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

coderabbitai (Bot, Contributor) commented Jun 6, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ad7dffcc-f4e3-44f6-a431-56b14ed8e084

📥 Commits

Reviewing files that changed from the base of the PR and between 258cba8 and 9fe01c6.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • .codex-plugin/plugin.json
  • .release-please-manifest.json
  • package.json

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting


📝 Walkthrough

This PR releases patch version 6.3.1 by bumping the version field in three manifest files (plugin.json, release-please-manifest.json, package.json) from 6.3.0 to 6.3.1, and updates the hono dependency in package.json overrides from 4.12.18 to 4.12.23.

Changes

Patch Release 6.3.1

  • Version bump to 6.3.1 (.codex-plugin/plugin.json, .release-please-manifest.json, package.json): version fields updated from 6.3.0 to 6.3.1 across all three manifests to mark the patch release.
  • Hono dependency update (package.json): hono dependency in overrides section updated from 4.12.18 to 4.12.23.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A hop and a bump, version takes flight,
Six-three-one shines bright, hono set right,
Manifests dance in synchronized cheer,
Patch release ready, the path crystal clear! ✨


@ndycode ndycode merged commit 0cc1912 into main Jun 6, 2026
1 of 2 checks passed
