
fix: Update hono and @hono/node-server to resolve high severity vulnerabilities#731

Merged
hatayama merged 1 commit into
mainfrom
feature/hatayama/fix-audit
Mar 5, 2026

Conversation


@hatayama hatayama commented Mar 5, 2026

Summary

  • Update hono from 4.12.2 to 4.12.5
  • Update @hono/node-server from 1.19.9 to 1.19.11
  • Fixes 2 high severity vulnerabilities detected by npm audit

Vulnerabilities Fixed

  • hono <= 4.12.3
  • @hono/node-server < 1.19.10

Changes

  • Only Packages/src/TypeScriptServer~/package-lock.json is modified (transitive dependency update via @modelcontextprotocol/sdk)

Test plan

  • npm audit --audit-level=moderate reports 0 vulnerabilities
  • No changes to direct dependencies or application code

Summary by cubic

Updated Hono and @hono/node-server to patch high-severity vulnerabilities flagged by npm audit. Only the TypeScriptServer package-lock was changed; npm audit (moderate) now reports 0 vulnerabilities.

  • Dependencies
    • hono: 4.12.2 -> 4.12.5
    • @hono/node-server: 1.19.9 -> 1.19.11
  • Bug Fixes
    • hono: fixes cookie attribute injection, SSE control field injection, and arbitrary file access
    • @hono/node-server: fixes authorization bypass via encoded slashes

Written for commit 5a2bbd8. Summary will update on new commits.
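As an added check, not code from this PR or the project, the following TypeScript function scans the `packages` map of a package-lock.json for any copy of hono or @hono/node-server, including nested transitive installs such as the one pulled in via @modelcontextprotocol/sdk, whose version still falls inside the affected ranges the PR names (hono <= 4.12.3, @hono/node-server < 1.19.10). The lockfile fragments are constructed to model the before/after state of the PR and are not the project's real lockfile.

```typescript
// Added example, not from the PR or the project: report lockfile entries for
// hono / @hono/node-server still inside the affected ranges named in the PR.
type LockEntry = { version?: string };
type Lockfile = { packages?: Record<string, LockEntry> };

// Lowest versions outside the affected ranges stated in the PR.
const MIN_PATCHED: Record<string, string> = {
  "hono": "4.12.4",              // affected: hono <= 4.12.3
  "@hono/node-server": "1.19.10", // affected: @hono/node-server < 1.19.10
};

// Parse "MAJOR.MINOR.PATCH"; an unparseable version yields null so the caller
// reports it instead of silently treating it as patched.
function parseVersion(v: string): [number, number, number] | null {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function isOlder(a: [number, number, number], b: [number, number, number]): boolean {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Lockfile keys look like "node_modules/hono" or, for a transitive install,
// "node_modules/@modelcontextprotocol/sdk/node_modules/hono"; the package
// name is whatever follows the last "node_modules/", so every copy is checked.
function findVulnerable(lock: Lockfile): string[] {
  const findings: string[] = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = path.split("node_modules/").pop() ?? "";
    const min = MIN_PATCHED[name];
    if (!min) continue;
    const have = entry.version ? parseVersion(entry.version) : null;
    if (!have || isOlder(have, parseVersion(min)!)) {
      findings.push(`${path}: ${name}@${entry.version ?? "?"} < ${min}`);
    }
  }
  return findings;
}

// Constructed fragments modelling the lockfile before and after the PR.
const BEFORE: Lockfile = { packages: {
  "node_modules/@hono/node-server": { version: "1.19.9" },
  "node_modules/@modelcontextprotocol/sdk/node_modules/hono": { version: "4.12.2" },
} };
const AFTER: Lockfile = { packages: {
  "node_modules/@hono/node-server": { version: "1.19.11" },
  "node_modules/@modelcontextprotocol/sdk/node_modules/hono": { version: "4.12.5" },
} };
```

Running it against the real lockfile means `JSON.parse`-ing the file into `findVulnerable`; an empty result is the same condition the PR's `npm audit --audit-level=moderate` step confirms, but it also pins the exact vulnerable ranges so a future downgrade is caught even if advisory data is unavailable.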

…lities

npm audit fix to resolve:
- hono 4.12.2 -> 4.12.5 (cookie injection, SSE injection, file access)
- @hono/node-server 1.19.9 -> 1.19.11 (auth bypass via encoded slashes)
@hatayama hatayama merged commit 135044a into main Mar 5, 2026
2 checks passed
@hatayama hatayama deleted the feature/hatayama/fix-audit branch March 5, 2026 15:57

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file
