From fe570956b1bd069cd473fd701f0896cafcf5b649 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sat, 9 May 2026 13:08:55 +0000
Subject: [PATCH] chore: bump hono to ^4.12.18 to address security advisories

Adds a scoped resolution to upgrade the transitive hono dependency (pulled in by @modelcontextprotocol/sdk) from 4.12.16 to 4.12.18, which patches:
- GHSA-p77w-8qqv-26rm: Cache Middleware ignores Vary: Authorization / Vary: Cookie, leading to cross-user cache leakage
- GHSA-qp7p-654g-cw7p: CSS Declaration Injection via style object values in JSX SSR
- GHSA-hm8q-7f3q-5f36: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
https://claude.ai/code/session_015xVpZwz5P7vMFF9Bkc2MpX
---
 package.json | 3 ++-
 yarn.lock | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index a663e9755a..eb441a0a88 100644
--- a/package.json
+++ b/package.json
@@ -389,7 +389,8 @@
 "ip-address@npm:10.1.0": "^10.2.0",
 "minimatch@npm:9.0.1": "9.0.9",
 "lodash@npm:4.17.21": "^4.18.1",
- "lodash-es@npm:4.17.23": "^4.18.1"
+ "lodash-es@npm:4.17.23": "^4.18.1",
+ "hono@npm:^4.11.4": "^4.12.18"
 },
 "version": "1.7.1",
 "packageManager": "yarn@4.11.0"
diff --git a/yarn.lock b/yarn.lock
index af42c5f098..f0597d29ec 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -12555,10 +12555,10 @@ __metadata:
 languageName: node
 linkType: hard
 
-"hono@npm:^4.11.4":
- version: 4.12.16
- resolution: "hono@npm:4.12.16"
- checksum: 10c0/3afee13722bf574780a641bd6d8812663c650fb7ac86df390f2d90293e1a6e2413aa9c45e4bc5b626a29c1b534fdb8353dd2151aab09bc4a95cd277aad4bd5c7
+"hono@npm:^4.12.18":
+ version: 4.12.18
+ resolution: "hono@npm:4.12.18"
+ checksum: 10c0/b0b9688fd9e41a1847b077d579dc0e92a28b67c247c6ee7d1e751c0bae269824c30c7773feff1a2874e40ea36a3d2f9d1fc5ba618a28ecdf2ca1b33ed2473864
 languageName: node
 linkType: hard
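Review bot: The override added in the package.json hunk is keyed to the exact descriptor `hono@npm:^4.11.4`, so it stops applying, without any error, as soon as @modelcontextprotocol/sdk declares a different hono range, and any other hono descriptor in the dependency tree is not covered by it. If every consumer is on the 4.x line, keying on the bare name, `"hono": "^4.12.18"`, keeps the patched floor in place regardless of the declared range. Otherwise a CI step running `yarn why hono` or `yarn npm audit --recursive` would show when the entry has gone stale or a vulnerable copy has come back. The enclosing object (presumably `resolutions`) opens outside the hunk, so whether other hono entries exist cannot be confirmed from here.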