
fix(security): bump hono override to >=4.12.21#393

Open
tkislan wants to merge 1 commit into
mainfrom
tk/resolve-dependency-vulnerabilities-2026-06-05

Conversation

@tkislan
Contributor

@tkislan tkislan commented Jun 5, 2026

Summary

Resolves 4 moderate pnpm audit vulnerabilities in hono (transitive via packages/mcp > @modelcontextprotocol/sdk > hono), all fixed in 4.12.21.

| Advisory | CVE | CVSS3 | Issue |
|---|---|---|---|
| GHSA-xrhx-7g5j-rcj5 | CVE-2026-47674 | 5.3 | ip-restriction middleware bypasses static deny rules for non-canonical IPv6 |
| GHSA-3hrh-pfw6-9m5x | CVE-2026-47675 | 4.3 | cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection |
| GHSA-f577-qrjj-4474 | CVE-2026-47673 | 4.8 | jwt/jwk middleware accepts any Authorization scheme, not only Bearer |
| GHSA-2gcr-mfcq-wcc3 | CVE-2026-47676 | 5.3 | app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths |

Change

Bumps the existing pnpm.overrides floor in the root package.json from hono >=4.12.18 to hono >=4.12.21, following the established convention in this repo (#387, #368, #307, #295, #292, …). pnpm install resolves hono to 4.12.23.

-      "hono": ">=4.12.18",
+      "hono": ">=4.12.21",
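Review bot: the `>=4.12.21` floor only constrains resolution; the version that actually gets installed is whatever pnpm-lock.yaml pins, and the automated review below excluded that file via the `!**/pnpm-lock.yaml` path filter, so a human reviewer should open the lockfile hunk and confirm that every resolved `hono` entry is now 4.12.23 (the description says `pnpm install` resolves to that) and that no second copy remains below 4.12.21 along the `packages/mcp > @modelcontextprotocol/sdk > hono` path. Running `pnpm why hono` on the branch and attaching its output to the Verification list would make that check reproducible for the next bump in this series (#387, #368, ...).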

Verification

  • pnpm audit → No known vulnerabilities found
  • pnpm typecheck → passes
  • pnpm test → 129 files, 2242/2242 tests pass
  • pnpm prettier:check → all formatted
  • pnpm biome:check → exit 0 (the 2 reported warnings are pre-existing on main, unrelated to this change)

Summary by CodeRabbit

  • Chores
    • Updated internal dependency constraints to support latest releases.

Resolve 4 moderate pnpm audit vulnerabilities in hono (transitive via
packages/mcp > @modelcontextprotocol/sdk > hono), all fixed in 4.12.21:

- GHSA-xrhx-7g5j-rcj5 (CVE-2026-47674, CVSS 5.3): ip-restriction middleware
  bypasses static deny rules for non-canonical IPv6.
- GHSA-3hrh-pfw6-9m5x (CVE-2026-47675, CVSS 4.3): cookie helper does not
  sanitize sameSite and priority, allowing Set-Cookie injection.
- GHSA-f577-qrjj-4474 (CVE-2026-47673, CVSS 4.8): jwt/jwk middleware
  accepts any Authorization scheme, not only Bearer.
- GHSA-2gcr-mfcq-wcc3 (CVE-2026-47676, CVSS 5.3): app.mount() strips
  mount prefix using undecoded path, causing incorrect routing for
  percent-encoded paths.

Bump the existing pnpm.overrides floor for hono >=4.12.18 -> >=4.12.21
following the established convention in this repo (see #387, #368, #307,
#295, #292). pnpm install resolves hono to 4.12.23. After this change
`pnpm audit` reports no known vulnerabilities. `pnpm typecheck`,
`pnpm test` (2242 tests), and `pnpm prettier:check` all pass.
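One way to turn the Verification steps above into a repeatable gate, added here as an example and not code from this PR or the repository: it checks that the pnpm.overrides floor is at or above the advisory's fixed version and that every hono version the lockfile resolves satisfies that floor. The sample package.json fragment and locked version list are constructed to mirror this PR; only the `>=x.y.z` range shape the repo's convention uses is supported.

```javascript
// Added example, not code from the PR or the repo: a CI-style gate that checks
// a pnpm.overrides floor against an advisory's fixed version and against the
// versions a lockfile actually resolves. Only the ">=x.y.z" range shape used by
// this repo's override convention is supported.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric per component).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function floorOfOverride(range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported override range: ${range}`);
  return m[1];
}

// Returns a list of problems; an empty list means the bump closes the advisory
// and the lockfile agrees with it.
function checkOverride(pkgJson, lockedVersions, pkgName, fixedIn) {
  const range = pkgJson.pnpm?.overrides?.[pkgName];
  if (!range) return [`no pnpm.overrides entry for ${pkgName}`];
  const floor = floorOfOverride(range);
  const problems = [];
  if (compareVersions(floor, fixedIn) < 0)
    problems.push(`override floor ${floor} is below the fixed version ${fixedIn}`);
  for (const v of lockedVersions)
    if (compareVersions(v, floor) < 0)
      problems.push(`lockfile still resolves ${pkgName}@${v}, below floor ${floor}`);
  return problems;
}

// Constructed sample input mirroring this PR: the bumped override and the
// version pnpm install resolved hono to.
const samplePackageJson = { pnpm: { overrides: { hono: ">=4.12.21" } } };
const sampleLockedHono = ["4.12.23"];

console.log(checkOverride(samplePackageJson, sampleLockedHono, "hono", "4.12.21"));
```

In a real pipeline, `sampleLockedHono` would be filled from the `hono@x.y.z` entries in pnpm-lock.yaml (or from `pnpm why hono` output) rather than hard-coded.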
@coderabbitai
Contributor

coderabbitai Bot commented Jun 5, 2026


No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 45874b9 and 3f30596.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

The PR updates the pnpm.overrides constraint for the hono package in package.json, raising the minimum required version from >=4.12.18 to >=4.12.21. This change ensures the project uses a more recent version of the hono web framework.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • deepnote/deepnote#376: Prior PR that modified pnpm.overrides.hono; this PR applies an additional version bump.

Suggested reviewers

  • dinohamzic
  • saltenasl
🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | Title accurately summarizes the main change: bumping hono dependency override to address security vulnerabilities. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Updates Docs | ✅ Passed | PR is a security fix, not a feature implementation. Custom check applies only to features; dependency vulnerability updates don't require documentation changes. |


@codecov

codecov Bot commented Jun 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.93%. Comparing base (45874b9) to head (3f30596).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #393   +/-   ##
=======================================
  Coverage   83.93%   83.93%           
=======================================
  Files         145      145           
  Lines        8018     8018           
  Branches     2227     2165   -62     
=======================================
  Hits         6730     6730           
  Misses       1287     1287           
  Partials        1        1           


@tkislan tkislan marked this pull request as ready for review June 5, 2026 13:46
@tkislan tkislan requested a review from a team as a code owner June 5, 2026 13:46