Bump hono from 4.12.4 to 4.12.12 in /backend/src/mithrandir#1073
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [hono](https://github.com/honojs/hono) from 4.12.4 to 4.12.12.
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.4...v4.12.12)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — straightforward security patch bumping hono to address multiple CVEs.
Extended reasoning...
Overview
This PR updates hono from 4.12.4 to 4.12.12 in backend/src/mithrandir, touching only package.json and package-lock.json. The diff is a mechanical version bump with no logic changes.
Security Risks
The upgrade is a security fix release addressing five vulnerabilities (middleware bypass via repeated slashes, path traversal in toSSG(), IPv4-mapped IPv6 bypass in ipRestriction(), missing cookie name validation on write path, and non-breaking space prefix bypass in getCookie()). Upgrading eliminates these risks; not upgrading would leave them open.
Level of Scrutiny
Low — this is a Dependabot-generated patch-level dependency update. The change is entirely confined to package manifest files with no application logic touched.
Other Factors
No bugs were found by the automated review. No prior reviews exist on this PR. The lock file integrity hash is updated consistently with the new version, and the semver range (^4.12.12) is correct.
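A check a reviewer can run before merging, as an added example that is not part of this PR or of hono itself: it scans a parsed package-lock.json for every resolved copy of hono and reports any still below 4.12.12, since a `^4.12.12` range in package.json does not rule out an older nested copy in the lockfile. The sample lockfile below is constructed for the example; the lookup follows the real npm lockfile layouts (v1 `dependencies` tree, v2/v3 `packages` map).

```javascript
// Added example (not from the PR): find lockfile copies of hono below the fixed version.
const FIXED_VERSION = '4.12.12';

// Numeric compare of dotted release versions; a plain string compare would rank
// "4.12.9" above "4.12.12". Any prerelease suffix ("-rc.1") is ignored here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every resolved version of `name`. Lockfile v2/v3 keys entries by path under
// "packages" ("node_modules/hono", "node_modules/x/node_modules/hono"); lockfile v1
// nests them under "dependencies". Only one of the two trees is walked to avoid duplicates.
function findVersions(lock, name) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      found.push({ path, version: entry.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// Entries still resolving below the fixed version; an empty array means the lockfile is clean.
function vulnerableCopies(lock, name = 'hono', fixed = FIXED_VERSION) {
  return findVersions(lock, name).filter((e) => compareVersions(e.version, fixed) < 0);
}

// Constructed sample (v3 shape): the top-level copy is patched, a nested one is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'mithrandir', dependencies: { hono: '^4.12.12' } },
    'node_modules/hono': { version: '4.12.12' },
    'node_modules/some-plugin': { version: '1.0.0' },
    'node_modules/some-plugin/node_modules/hono': { version: '4.12.9' },
  },
};
console.log(vulnerableCopies(sampleLock)); // the nested 4.12.9 copy
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `sampleLock`; a non-empty result means the bump is incomplete.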
Superseded by #1083.
Bumps hono from 4.12.4 to 4.12.12.
Release notes
Sourced from hono's releases.
... (truncated)
Commits
- c37ba26 4.12.12
- cc067c8 Merge commit from fork
- a586cd7 Merge commit from fork
- 48fa223 Merge commit from fork
- b470278 Merge commit from fork
- 9aff14b Merge commit from fork
- 2c403c6 4.12.11
- f82aba8 feat(css): add classNameSlug option to createCssContext (#4834)
- 9f374a5 4.12.10
- a8c56a6 docs(ip-restriction): add clear JSDoc examples and param types (#4851)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.