Skip to content

build(deps): bump hono from 4.12.7 to 4.12.14#3077

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/hono-4.12.12
Open

build(deps): bump hono from 4.12.7 to 4.12.14#3077
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/hono-4.12.12

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 8, 2026
edited
Loading

Bumps hono from 4.12.7 to 4.12.14.

Release notes

Sourced from hono's releases.

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

  • fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 8, 2026
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 8, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
agents-api Ready Ready Preview, Comment Apr 14, 2026 6:19pm
agents-docs Ready Ready Preview, Comment Apr 14, 2026 6:19pm
agents-manage-ui Ready Ready Preview, Comment Apr 14, 2026 6:19pm

Request Review

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 8, 2026
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @inkeep/agents-manage-ui is 98.0% likely obfuscated

Confidence: 0.98

Location: Package overview

From: create-agents-template/package.jsonnpm/@inkeep/[email protected]

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@inkeep/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/hono-4.12.12 branch from dcedfd3 to fd2fea1 Compare April 9, 2026 02:37
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Apr 9, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: 5f59e79

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 14, 2026

A matching internal PR is ready in inkeep/agents-private#95 for canonical review and merge.

  • Original author attribution is preserved as @dependabot[bot]
  • The internal PR is the authoritative merge surface
  • The public repo will pick up the merged change through the normal mirror sync

This comment will be updated as the bridge state changes.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/hono-4.12.12 branch from fd2fea1 to b471d7c Compare April 14, 2026 18:15
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 16, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/hono-4.12.12 branch 3 times, most recently from c285f5e to ae5f276 Compare April 22, 2026 23:16
@dependabot
build(deps): bump hono from 4.12.7 to 4.12.14
5f59e79 
Bumps [hono](https://github.com/honojs/hono) from 4.12.7 to 4.12.14.
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.7...v4.12.14)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot changed the title chore(deps): bump hono from 4.12.7 to 4.12.12 build(deps): bump hono from 4.12.7 to 4.12.14 Apr 25, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/hono-4.12.12 branch from ae5f276 to 5f59e79 Compare April 25, 2026 02:00
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 25, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​opentelemetry/​sdk-trace-node@​2.1.07210010095100
Added@​opentelemetry/​context-async-hooks@​2.1.0741008895100
Added@​inkeep/​agents-api@​0.59.4791007710090
Added@​inkeep/​agents-cli@​0.59.4781008810090
Added@​langfuse/​tracing@​4.0.1851008097100
Updated@​inkeep/​agents-manage-ui@​0.41.1 ⏵ 0.59.4801009710090
Added@​types/​node@​22.18.41001008196100
Addedtsx@​4.20.51001008185100
Addedlangfuse@​3.38.51001008492100
Added@​inkeep/​agents-sdk@​0.59.48610010010090
Updated@​hono/​vite-dev-server@​0.20.1 ⏵ 0.23.0100 +1100100 +189 -3100
Addedtypescript@​5.9.2100100909990
Updated@​hono/​zod-openapi@​1.2.0 ⏵ 1.2.310010010094 +1100
Updated@​opentelemetry/​core@​2.3.0 ⏵ 2.1.09910094 +194 -1100
Addeddotenv@​16.6.19910010094100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants