[PR #529] [MERGED] build(deps): bump hono from 4.12.16 to 4.12.18 #542

Closed
opened 2026-06-05 17:23:37 -04:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/langchain-ai/deepagentsjs/pull/529
Author: @dependabot[bot]
Created: 5/9/2026
Status: Merged
Merged: 5/11/2026
Merged by: @jkennedyvz

Base: mainHead: dependabot/npm_and_yarn/hono-4.12.18


📝 Commits (1)

  • d1f2763 build(deps): bump hono from 4.12.16 to 4.12.18

📊 Changes

1 file changed (+8 additions, -7 deletions)

View changed files

📝 pnpm-lock.yaml (+8 -7)

📄 Description

Bumps hono from 4.12.16 to 4.12.18.

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36


Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.12.16...v4.12.17

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/langchain-ai/deepagentsjs/pull/529 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 5/9/2026 **Status:** ✅ Merged **Merged:** 5/11/2026 **Merged by:** [@jkennedyvz](https://github.com/jkennedyvz) **Base:** `main` ← **Head:** `dependabot/npm_and_yarn/hono-4.12.18` --- ### 📝 Commits (1) - [`d1f2763`](https://github.com/langchain-ai/deepagentsjs/commit/d1f2763911fc2257f87a2c90192617ebe3374d2e) build(deps): bump hono from 4.12.16 to 4.12.18 ### 📊 Changes **1 file changed** (+8 additions, -7 deletions) <details> <summary>View changed files</summary> 📝 `pnpm-lock.yaml` (+8 -7) </details> ### 📄 Description Bumps [hono](https://github.com/honojs/hono) from 4.12.16 to 4.12.18. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/honojs/hono/releases">hono's releases</a>.</em></p> <blockquote> <h2>v4.12.18</h2> <h2>Security fixes</h2> <p>This release includes fixes for the following security issues:</p> <h3>Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage</h3> <p>Affects: Cache Middleware. Fixes missing cache-skip handling for <code>Vary: Authorization</code> and <code>Vary: Cookie</code>, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm</p> <h3>CSS Declaration Injection via Style Object Values in JSX SSR</h3> <p>Affects: hono/jsx. Fixes a missing CSS-context escape for <code>style</code> object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p</p> <h3>Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()</h3> <p>Affects: <code>hono/utils/jwt</code>. Fixes improper validation of <code>exp</code>, <code>nbf</code>, and <code>iat</code> claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36</p> <hr /> <p>Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.</p> <h2>v4.12.17</h2> <h2>What's Changed</h2> <ul> <li>fix(jsx): normalize SVG attributes on the <!-- raw HTML omitted --> root element by <a href="https://github.com/kfly8"><code>@​kfly8</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4893">honojs/hono#4893</a></li> <li>fix(ssg): add <code>atom+xml</code> and <code>rss+xml</code> to <code>defaultExtensionMap</code> by <a href="https://github.com/yuintei"><code>@​yuintei</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4899">honojs/hono#4899</a></li> <li>fix(cors): make origin optional in CORSOptions by <a href="https://github.com/truffle-dev"><code>@​truffle-dev</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4905">honojs/hono#4905</a></li> <li>fix(types): propagate middleware response types to app.on overloads by <a href="https://github.com/T4ko0522"><code>@​T4ko0522</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4906">honojs/hono#4906</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/kfly8"><code>@​kfly8</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4893">honojs/hono#4893</a></li> <li><a href="https://github.com/truffle-dev"><code>@​truffle-dev</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4905">honojs/hono#4905</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.12.16...v4.12.17">https://github.com/honojs/hono/compare/v4.12.16...v4.12.17</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/honojs/hono/commit/f10dee89ced5956b73c1cdc416d6bc0fd54d63b7"><code>f10dee8</code></a> 4.12.18</li> <li><a href="https://github.com/honojs/hono/commit/a5bd9ebead279ed9d0239ecbd854f629edfc0e57"><code>a5bd9eb</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/58d3d3ad5656e007ed99da1b73865975952de5e9"><code>58d3d3a</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/568c2ecc1dd556894fad4dfa4a7ba499db6dba9c"><code>568c2ec</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/ff2b3d31df1be35f7d597a95dd3369402b6e87f2"><code>ff2b3d3</code></a> 4.12.17</li> <li><a href="https://github.com/honojs/hono/commit/52aaaf9714b06303ce5caa655b1d80675be687e9"><code>52aaaf9</code></a> fix(types): propagate middleware response types to app.on overloads (<a href="https://redirect.github.com/honojs/hono/issues/4906">#4906</a>)</li> <li><a href="https://github.com/honojs/hono/commit/76d5589e9b0569f4e74ec37e8dd6979455f70dfa"><code>76d5589</code></a> fix(cors): make origin optional in CORSOptions (<a href="https://redirect.github.com/honojs/hono/issues/4905">#4905</a>)</li> <li><a href="https://github.com/honojs/hono/commit/8f027e5574e91e3c7f263a728656e3888559e51a"><code>8f027e5</code></a> fix(ssg): add <code>atom+xml</code> and <code>rss+xml</code> to <code>defaultExtensionMap</code> (<a href="https://redirect.github.com/honojs/hono/issues/4899">#4899</a>)</li> <li><a href="https://github.com/honojs/hono/commit/bfba97ca7ea3d4541a3419f1749e5a1a3e8f1727"><code>bfba97c</code></a> fix(jsx): normalize SVG attributes on the &lt;svg&gt; root element (<a href="https://redirect.github.com/honojs/hono/issues/4893">#4893</a>)</li> <li>See full diff in <a href="https://github.com/honojs/hono/compare/v4.12.16...v4.12.18">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=hono&package-manager=npm_and_yarn&previous-version=4.12.16&new-version=4.12.18)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/deepagentsjs/network/alerts). </details> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-06-05 17:23:37 -04:00
yindo closed this issue 2026-06-05 17:23:37 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: langchain-ai/deepagentsjs#542