Skip to content

build(deps): bump hono from 4.12.9 to 4.12.18 in /create-agents-template#3236

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/create-agents-template/hono-4.12.18
Open

build(deps): bump hono from 4.12.9 to 4.12.18 in /create-agents-template#3236
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/create-agents-template/hono-4.12.18

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 9, 2026
edited
Loading

Bumps hono from 4.12.9 to 4.12.18.

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 9, 2026
@dependabot dependabot Bot mentioned this pull request May 9, 2026
Closed
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 9, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: a6d7311

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 9, 2026
edited
Loading

Thanks for the contribution! Your PR has been mirrored into Inkeep's internal monorepo, where review and merge happen. Your commit attribution is preserved as @dependabot[bot].

What happens next:

  • An Inkeep maintainer will review the internal mirror PR.
  • Reviewer comments are not automatically mirrored back to this thread. If you don't hear from us within a few business days, please comment here to nudge — that's the right thing to do.
  • Once merged internally, the change will sync back to this repository and this PR will close automatically (don't be alarmed when it closes — that's how it lands).

For Inkeep maintainers (link goes to a private repo and is not accessible to external contributors): https://github.com/inkeep/agents-private/pull/710

See the repository's CONTRIBUTING.md for more context on how public PRs flow. This comment will be updated as the bridge state changes.

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 9, 2026
edited
Loading

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/create-agents-template/hono-4.12.18 branch from 49891b6 to 8633196 Compare May 14, 2026 00:06
@dependabot
build(deps): bump hono from 4.12.9 to 4.12.18 in /create-agents-template
a6d7311 
Bumps [hono](https://github.com/honojs/hono) from 4.12.9 to 4.12.18.
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.9...v4.12.18)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.18
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/create-agents-template/hono-4.12.18 branch from 8633196 to a6d7311 Compare May 14, 2026 14:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants