From e38009634d9decbc8a19659e732eeeffb55ebde1 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Sat, 9 May 2026 21:25:03 +0000
Subject: [PATCH 1/4] fix: upgrade hono to ^4.12.18 to address CVE-2026-44457

Co-authored-by: Brendan Kellam
---
 package.json | 2 +-
 yarn.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index 63eae0429..4ba77e2db 100644
--- a/package.json
+++ b/package.json
@@ -49,7 +49,7 @@
 "brace-expansion@npm:^5.0.2": "^5.0.5",
 "brace-expansion@npm:^1.1.7": "^1.1.13",
 "@react-email/preview-server/next": "^16.2.3",
- "@modelcontextprotocol/sdk/hono": "^4.12.14",
+ "@modelcontextprotocol/sdk/hono": "^4.12.18",
 "@modelcontextprotocol/sdk/@hono/node-server": "^1.19.13",
 "langsmith@npm:>=0.5.0 <1.0.0": "^0.5.19",
 "markdown-it@npm:^14.1.0": "^14.1.1",
diff --git a/yarn.lock b/yarn.lock
index 0f7a4f949..9190ab03d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -14608,10 +14608,10 @@ __metadata:
 languageName: node
 linkType: hard
 
-"hono@npm:^4.12.14":
- version: 4.12.14
- resolution: "hono@npm:4.12.14"
- checksum: 10c0/78de4c98a9a3da0f067e38dcc4bd27f0d82b45d146ac39f5ca688515ee482c0a2e704d2ac6c1ee91ad17596b7c52b3e4b9483acd9c238d42f6ebcb43414a71b6
+"hono@npm:^4.12.18":
+ version: 4.12.18
+ resolution: "hono@npm:4.12.18"
+ checksum: 10c0/b0b9688fd9e41a1847b077d579dc0e92a28b67c247c6ee7d1e751c0bae269824c30c7773feff1a2874e40ea36a3d2f9d1fc5ba618a28ecdf2ca1b33ed2473864
 languageName: node
 linkType: hard
 

From 146e09ba6ba8b1c4d1c6a07b4eee96e5a2787203 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Sat, 9 May 2026 21:25:58 +0000
Subject: [PATCH 2/4] docs: add CHANGELOG entry for CVE-2026-44457

Co-authored-by: Brendan Kellam
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 081d4c8d6..d3d6db32b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
 - Bumped transitive `fast-uri` dependency to `^3.1.2`. [#1181](https://github.com/sourcebot-dev/sourcebot/pull/1181)
 - Upgraded `simple-git` to `3.36.0` to address CVE-2026-6951. [#1183](https://github.com/sourcebot-dev/sourcebot/pull/1183)
+- Upgraded `hono` to `^4.12.18` to address CVE-2026-44457. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
 
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)

From ef2a9f4b4210fbcc971f73705a563cf28e125dbf Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Sat, 9 May 2026 14:51:53 -0700
Subject: [PATCH 3/4] docs: add CHANGELOG entries for CVE-2026-44455, 44456, 44458

Consolidates SOU-1068, SOU-1069, SOU-1071 into this PR (already addressing SOU-1070 / CVE-2026-44457). Same hono 4.12.14 -> 4.12.18 bump fixes all four.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d3d6db32b..59cca5513 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
 - Bumped transitive `fast-uri` dependency to `^3.1.2`. [#1181](https://github.com/sourcebot-dev/sourcebot/pull/1181)
 - Upgraded `simple-git` to `3.36.0` to address CVE-2026-6951. [#1183](https://github.com/sourcebot-dev/sourcebot/pull/1183)
+- Upgraded `hono` to `^4.12.18` to address CVE-2026-44455. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
+- Upgraded `hono` to `^4.12.18` to address CVE-2026-44456. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
 - Upgraded `hono` to `^4.12.18` to address CVE-2026-44457. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
+- Upgraded `hono` to `^4.12.18` to address CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
 
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)

From 47dfee81e0b5381d835ff3c6ec9f45bca8d3d238 Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Sat, 9 May 2026 14:58:31 -0700
Subject: [PATCH 4/4] docs: collapse hono CVE CHANGELOG entries into a single line

Per the updated convention in CLAUDE.md (one CHANGELOG line per PR, not per CVE), the four sibling hono CVEs share one comma-separated entry.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 CHANGELOG.md | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 59cca5513..2d747c754 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,10 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
 - Bumped transitive `fast-uri` dependency to `^3.1.2`. [#1181](https://github.com/sourcebot-dev/sourcebot/pull/1181)
 - Upgraded `simple-git` to `3.36.0` to address CVE-2026-6951. [#1183](https://github.com/sourcebot-dev/sourcebot/pull/1183)
-- Upgraded `hono` to `^4.12.18` to address CVE-2026-44455. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
-- Upgraded `hono` to `^4.12.18` to address CVE-2026-44456. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
-- Upgraded `hono` to `^4.12.18` to address CVE-2026-44457. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
-- Upgraded `hono` to `^4.12.18` to address CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
+- Upgraded `hono` to `^4.12.18` to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
 
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)