
fix: upgrade hono to ^4.12.18 to address CVE-2026-44458#1190

Closed
brendan-kellam wants to merge 2 commits into main from cursor/fix-cve-hono-1071-0227

Conversation

@brendan-kellam
Contributor

Fixes SOU-1071

Summary

Upgraded hono from v4.12.14 to v4.12.18 via yarn resolution to address CVE-2026-44458.

CVE Details

CVE-2026-44458: Hono JSX SSR CSS declaration injection via style object values

The JSX renderer in hono v4.12.14 and earlier escapes style attribute object values for HTML context but not for CSS context. This allows characters that act as CSS declaration boundaries (;, comment markers, block delimiters) to extend a value beyond its assigned property, potentially injecting additional CSS declarations into the rendered style attribute.

Impact

An attacker who can control a style object value or property name during server-side JSX rendering may inject arbitrary CSS declarations, potentially enabling:

  • Full-viewport overlays for phishing
  • Outbound requests to attacker-controlled hosts via url(...)
  • Layout/visibility manipulation

Remediation

Updated the existing yarn resolution for @modelcontextprotocol/sdk/hono from ^4.12.14 to ^4.12.18.

Dependencies Affected

hono is pulled in transitively via:

  • @sourcebot/web → @modelcontextprotocol/sdk@1.29.0 → hono@4.12.14
  • @sourcebot/web → @react-grab/mcp@0.1.29 → @modelcontextprotocol/sdk@1.27.1 → hono@4.12.14

After resolution, both paths now use hono@4.12.18.

References

Linear Issue: SOU-1071
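To make the bug class in the description concrete, here is an added illustration that is not hono's renderer and not code from this PR: a minimal style-object serialiser that only HTML-escapes (the vulnerable pattern), beside a hardened variant that also refuses CSS declaration boundaries, plus a cheap consistency check a reviewer or test suite can apply to rendered output. All function names and the sample input are assumptions constructed for the example.

```javascript
// Added illustrative example; NOT hono's own JSX renderer. Models the
// "HTML-escaped but not CSS-escaped" style attribute pattern described above.

// Escape for the HTML attribute context only (what the vulnerable path does).
const htmlEscape = (s) => String(s)
  .replace(/&/g, "&amp;").replace(/</g, "&lt;")
  .replace(/>/g, "&gt;").replace(/"/g, "&quot;");

// camelCase property -> kebab-case (fontSize -> font-size).
const toKebab = (name) => name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());

// Vulnerable pattern: a value containing ';' is passed through untouched, so it
// terminates its own declaration and starts another inside the attribute.
function styleToAttrUnsafe(style) {
  const decls = Object.entries(style).map(([k, v]) => `${toKebab(k)}:${v}`);
  return `style="${htmlEscape(decls.join(";"))}"`;
}

// Characters/sequences that end or restructure a CSS declaration.
const CSS_BOUNDARY = /[;{}]|\/\*|\*\//;
// Allow-list for property names: optional leading '-', then letters/digits/'-'.
const SAFE_PROP = /^-?[a-zA-Z][a-zA-Z0-9-]*$/;

// Hardened variant: validate both property name and value for CSS context
// before HTML-escaping for the attribute context. Untrusted input is rejected.
function styleToAttrSafe(style) {
  const decls = Object.entries(style).map(([k, v]) => {
    const prop = toKebab(k);
    if (!SAFE_PROP.test(prop)) throw new Error(`unsafe CSS property: ${k}`);
    const val = String(v);
    if (CSS_BOUNDARY.test(val)) throw new Error(`unsafe CSS value for ${prop}`);
    return `${prop}:${val}`;
  });
  return `style="${htmlEscape(decls.join(";"))}"`;
}

// Detection helper: number of declarations actually present in a rendered
// attribute. If it exceeds the number of keys in the source object, a value
// has crossed a declaration boundary.
function countDeclarations(attr) {
  const body = attr.slice('style="'.length, -1);
  return body.split(";").filter((d) => d.trim().length > 0).length;
}

// Constructed sample: one key, attacker-influenced value (hypothetical).
const untrustedStyle = { color: "red;display:none" };
```

Running `styleToAttrUnsafe(untrustedStyle)` yields two declarations from a one-key object, which `countDeclarations` exposes; `styleToAttrSafe` throws on the same input instead of rendering it.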


…6-44458

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>
@coderabbitai
Contributor

coderabbitai Bot commented May 9, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 95cf4c12-dfde-47f2-9ea7-ddd1a45bcb21

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>
@github-actions
Contributor

github-actions Bot commented May 9, 2026

License Audit

⚠️ Status: PASS

| Metric | Count |
|---|---|
| Total packages | 2070 |
| Resolved (non-standard) | 11 |
| Unresolved | 0 |
| Strong copyleft | 0 |
| Weak copyleft | 39 |

Weak Copyleft Packages (informational)

| Package | Version | License |
|---|---|---|
| @img/sharp-libvips-darwin-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.0.5 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-ppc64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-riscv64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-wasm32 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later AND MIT |
| @img/sharp-wasm32 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later AND MIT |
| @img/sharp-win32-arm64 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-ia32 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-ia32 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-x64 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-x64 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| axe-core | 4.10.3 | MPL-2.0 |
| dompurify | 3.4.0 | (MPL-2.0 OR Apache-2.0) |
| lightningcss | 1.32.0 | MPL-2.0 |
| lightningcss-android-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-freebsd-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm-gnueabihf | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-win32-arm64-msvc | 1.32.0 | MPL-2.0 |
| lightningcss-win32-x64-msvc | 1.32.0 | MPL-2.0 |
Resolved Packages (11)
| Package | Version | Original | Resolved | Source |
|---|---|---|---|---|
| @react-grab/cli | 0.1.23 | UNKNOWN | MIT | LICENSE file in the published npm tarball (registry.npmjs.org/@react-grab/cli/-/cli-0.1.23.tgz) — MIT License, Copyright (c) 2025 Aiden Bai |
| @react-grab/cli | 0.1.29 | UNKNOWN | MIT | LICENSE file in the published npm tarball (registry.npmjs.org/@react-grab/cli/-/cli-0.1.29.tgz) — MIT License, Copyright (c) 2025 Aiden Bai |
| @react-grab/mcp | 0.1.29 | UNKNOWN | MIT | LICENSE file in the published npm tarball (registry.npmjs.org/@react-grab/mcp/-/mcp-0.1.29.tgz) — MIT License, Copyright (c) 2025 Aiden Bai |
| codemirror-lang-elixir | 4.0.0 | UNKNOWN | Apache-2.0 | LICENSE file in GitHub repo livebook-dev/codemirror-lang-elixir is the Apache License 2.0; current package.json on main also declares license: Apache-2.0 |
| element-source | 0.0.3 | UNKNOWN | MIT | LICENSE file in the published npm tarball (registry.npmjs.org/element-source/-/element-source-0.0.3.tgz) — MIT License, Copyright (c) 2026 Aiden Bai |
| lezer-elixir | 1.1.2 | UNKNOWN | Apache-2.0 | LICENSE file in GitHub repo livebook-dev/lezer-elixir is the Apache License 2.0; current package.json on main also declares license: Apache-2.0 |
| map-stream | 0.1.0 | UNKNOWN | MIT | GitHub License API for dominictarr/map-stream returns spdx_id: MIT (LICENCE file at root); package.json on master declares license: MIT |
| memorystream | 0.3.1 | UNKNOWN | MIT | LICENSE file in GitHub repo JSBizon/node-memorystream is the standard MIT License; package.json on master declares licenses: [{type: MIT, url: ...}] |
| pause-stream | 0.0.11 | ["MIT","Apache2"] | (MIT OR Apache-2.0) | Extracted from license array object in oss-licenses.json; verified against GitHub repo dominictarr/pause-stream — LICENSE states 'Dual Licensed MIT and Apache 2', current package.json declares license: '(Apache-2.0 OR MIT)' |
| posthog-js | 1.369.0 | SEE LICENSE IN LICENSE | Apache-2.0 | LICENSE file in GitHub repo PostHog/posthog-js is the Apache License 2.0 (Copyright 2020 Posthog / Hiberly, Inc.; Copyright 2015 Mixpanel, Inc.) |
| valid-url | 1.0.9 | UNKNOWN | MIT | LICENSE file in GitHub repo ogt/valid-url states 'This software is released under the MIT license' (Copyright (c) 2013 Odysseas Tsatalos and oDesk Corporation) |

@brendan-kellam
Contributor Author

Closing as duplicate — consolidated into #1186, which addresses all four sibling hono CVEs (44455–44458) with the same 4.12.14 → 4.12.18 bump.
