Skip to content

Bump hono from 4.12.7 to 4.12.18 in /frontend#1484

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/frontend/hono-4.12.18
Open

Bump hono from 4.12.7 to 4.12.18 in /frontend#1484
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/frontend/hono-4.12.18

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 8, 2026

Copy link
Copy Markdown
Contributor

Bumps hono from 4.12.7 to 4.12.18.

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36


Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 8, 2026
@netlify

netlify Bot commented May 8, 2026

Copy link
Copy Markdown

Deploy Preview for storyteller-docs ready!

Name Link
🔨 Latest commit ba7f32f
🔍 Latest deploy log https://app.netlify.com/projects/storyteller-docs/deploys/69fde5e40f6ffa0008bd74a6
😎 Deploy Preview https://deploy-preview-1484--storyteller-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify

netlify Bot commented May 8, 2026

Copy link
Copy Markdown

Deploy Preview for genhub-website ready!

Name Link
🔨 Latest commit ba7f32f
🔍 Latest deploy log https://app.netlify.com/projects/genhub-website/deploys/69fde5e4fd69480008ea4473
😎 Deploy Preview https://deploy-preview-1484--genhub-website.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify

netlify Bot commented May 8, 2026

Copy link
Copy Markdown

Deploy Preview for artcraft-website ready!

Name Link
🔨 Latest commit ba7f32f
🔍 Latest deploy log https://app.netlify.com/projects/artcraft-website/deploys/69fde5e4ed907d0008a41537
😎 Deploy Preview https://deploy-preview-1484--artcraft-website.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Bumps [hono](https://github.com/honojs/hono) from 4.12.7 to 4.12.18.
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.7...v4.12.18)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.18
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/frontend/hono-4.12.18 branch from 040fe16 to ba7f32f Compare May 8, 2026 13:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants