chore(deps): bump the production-dependencies group across 1 directory with 2 updates

[dependabot]

Bumps the production-dependencies group with 2 updates in the / directory: electron-updater and hono.

Updates electron-updater from 6.8.3 to 6.8.9

Release notes

Sourced from electron-updater's releases.

electron-updater@6.8.9

Patch Changes

• Fix: holistic field detection for sha256 hash redaction [#9834](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/9834) 22a7532 @​mmaietta

198c10c 22a7532

• builder-util-runtime@9.7.0

electron-updater@6.8.8

Patch Changes

• Fix(updater): ensure full changelog includes only release notes up to the latest release [#9573](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/9573) ac45083 @​AbdulrhmanGoni
• Fix: harden the auto-update flow relative paths in PATH, path traversals, and environment variable intercepts [#9796](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/9796) 2dc409f @​mmaietta
• Chore: extracting helper function to add coverage in MacUpdater test suite [#9794](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/9794) d664ed0 @​mmaietta

59efef1

• builder-util-runtime@9.6.3

electron-updater@6.8.7

Patch Changes

d6a5aee 4866737

• builder-util-runtime@9.6.2

... (truncated)

Changelog

Sourced from electron-updater's changelog.

6.8.9

Patch Changes

• Fix: holistic field detection for sha256 hash redaction [#9834](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/9834) 22a7532 @​mmaietta

198c10c 22a7532

• builder-util-runtime@9.7.0

6.8.8

Patch Changes

• Fix(updater): ensure full changelog includes only release notes up to the latest release [#9573](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/9573) ac45083 @​AbdulrhmanGoni
• Fix: harden the auto-update flow relative paths in PATH, path traversals, and environment variable intercepts [#9796](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/9796) 2dc409f @​mmaietta
• Chore: extracting helper function to add coverage in MacUpdater test suite [#9794](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-updater/issues/9794) d664ed0 @​mmaietta

59efef1

• builder-util-runtime@9.6.3

6.8.7

Patch Changes

d6a5aee 4866737

... (truncated)

Commits

• bed3a9c chore(deploy): Release v26.15.0 (electron-updater@6.8.9) (#9825)
• 22a7532 fix: holistic field detection for \<text> (sha256 hash) redaction (#9834)
• ffd11c7 chore(deploy): Release v26.13.0 (electron-updater@6.8.8) (#9793)
• ac45083 fix(updater): ensure full changelog includes only release notes up to the lat...
• d664ed0 chore: expand test coverage for updater and Windows build targets (#9794)
• 2dc409f fix: harden the auto-update flow from relative paths and env var intercepts (...
• 2c8c71a chore(deploy): Release v26.12.1 (electron-updater@6.8.7) (#9782)
• 9120507 chore(deploy): Release v26.11.0 (electron-updater@6.8.6) (#9726)
• d846315 chore(docs): docusaurus migration (#9744)
• bea19a5 chore(deps): update dependency electron to v39 [security] (#9693)
• Additional commits viewable in compare view

Updates hono from 4.12.18 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc

---

Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

What's Changed

• fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @​yusukebe in honojs/hono#5013
• ci: publish to npm from CI with OIDC trusted publishing by @​yusukebe in honojs/hono#5028
• chore: remove unused devcontainer and gitpod configs by @​yusukebe in honojs/hono#5029
• chore: replace arg and glob with Bun native APIs in build script by @​yusukebe in honojs/hono#5030

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

... (truncated)

Commits

• 97c6fe1 4.12.27
• aa92177 Merge commit from fork
• cd3f6f7 Merge commit from fork
• d4853a8 fix(jsx): make merged context-isolation tests pass tsc type check (#5037)
• 6735fea fix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)
• fab3b13 Merge commit from fork
• 9f0dadf ci: use npm Staged publishing (#5035)
• 27b7992 4.12.26
• d29982c chore: replace arg and glob with Bun native APIs in build script
• 16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.

[github-actions]

E2E coverage (strict mode)

Metric	This PR	main	Δ
Live coverage	78.24% (2949/3769)	78.24% (2949/3769)	±0.00pp (+0)
Scaffold-only	93	—	—
Manual-residue	727	—	—
Passing TC-IDs this run	0	—	—

Live coverage unchanged.
Definitions: live = inline tc() / tcRange() in non-fixme test() calls. Scaffold-only = test.fixme() placeholders. Manual-residue = explicitly excluded from automation (see e2e/web/manual-residue.ts).
Full report in the e2e-coverage-${{ run_id }} artifact.