chore(deps-dev): bump hono from 4.12.23 to 4.12.27 in /test/angular-ng-boosted #1102

Merged
jacques-lebourgeois merged 2 commits into main from dependabot/npm_and_yarn/test/angular-ng-boosted/hono-4.12.26
Jul 3, 2026
@dependabot dependabot Bot commented on behalf of github Jun 20, 2026

Bumps hono from 4.12.23 to 4.12.27.

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

What's Changed

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

... (truncated)

Commits
  • 97c6fe1 4.12.27
  • aa92177 Merge commit from fork
  • cd3f6f7 Merge commit from fork
  • d4853a8 fix(jsx): make merged context-isolation tests pass tsc type check (#5037)
  • 6735fea fix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)
  • fab3b13 Merge commit from fork
  • 9f0dadf ci: use npm Staged publishing (#5035)
  • 27b7992 4.12.26
  • d29982c chore: replace arg and glob with Bun native APIs in build script
  • 16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.
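
The substring-versus-exact-match de-duplication described in the v4.12.27 notes for hono/aws-lambda, as an added example that is not hono's code and not part of this pull request. All function names are hypothetical, and the sample list is constructed from the two addresses the release note cites.

```javascript
// Added illustration; not hono's adapter code. All function names are hypothetical.
// Constructed sample: the values of one repeated X-Forwarded-For header,
// using the two addresses from the release note.
const SAMPLE_VALUES = ['203.0.113.10', '203.0.113.1'];

// Flawed pattern: "is this value already present?" is answered with a
// substring test against the merged string.
function mergeBySubstring(values) {
  let merged = '';
  for (const value of values) {
    // '203.0.113.10'.includes('203.0.113.1') is true, so the value is skipped.
    if (merged.includes(value)) continue;
    merged = merged ? `${merged}, ${value}` : value;
  }
  return merged;
}

// Corrected pattern: only a value exactly equal to an earlier one
// counts as a duplicate.
function mergeByExactMatch(values) {
  const seen = new Set();
  const kept = [];
  for (const value of values) {
    if (seen.has(value)) continue;
    seen.add(value);
    kept.push(value);
  }
  return kept.join(', ');
}

// Downstream check of the kind the note mentions: does the merged
// X-Forwarded-For value contain a given address as a whole entry?
function headerListsAddress(headerValue, address) {
  return headerValue.split(',').map((hop) => hop.trim()).includes(address);
}

// Regression check: every distinct input value must survive the merge.
function lostValues(mergeFn, values) {
  const merged = mergeFn(values);
  return [...new Set(values)].filter((v) => !headerListsAddress(merged, v));
}

console.log('substring merge lost:', lostValues(mergeBySubstring, SAMPLE_VALUES));
console.log('exact-match merge lost:', lostValues(mergeByExactMatch, SAMPLE_VALUES));
```

A check like `lostValues` can be kept as a regression test around any header-merging helper that feeds IP-based access decisions.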


dependabot Bot added the dependencies label Jun 20, 2026

netlify Bot commented Jun 20, 2026

Deploy Preview for ods-charts ready!

Name Link
🔨 Latest commit 2c9bf72
🔍 Latest deploy log https://app.netlify.com/projects/ods-charts/deploys/6a47d958e51e4d0008ceff97
😎 Deploy Preview https://deploy-preview-1102--ods-charts.netlify.app
To edit notification comments on pull requests, go to your Netlify project configuration.

dependabot Bot changed the title from "chore(deps-dev): bump hono from 4.12.23 to 4.12.26 in /test/angular-ng-boosted" to "chore(deps-dev): bump hono from 4.12.23 to 4.12.27 in /test/angular-ng-boosted" Jul 3, 2026
dependabot Bot force-pushed the dependabot/npm_and_yarn/test/angular-ng-boosted/hono-4.12.26 branch from 05596ec to b0c9d46 July 3, 2026 14:20

Bumps [hono](https://github.com/honojs/hono) from 4.12.23 to 4.12.27.
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.23...v4.12.27)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.26
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

jacques-lebourgeois force-pushed the dependabot/npm_and_yarn/test/angular-ng-boosted/hono-4.12.26 branch from b0c9d46 to 3a29371 July 3, 2026 15:26
jacques-lebourgeois self-assigned this Jul 3, 2026
jacques-lebourgeois merged commit ffdb01d into main Jul 3, 2026
5 checks passed
jacques-lebourgeois deleted the dependabot/npm_and_yarn/test/angular-ng-boosted/hono-4.12.26 branch July 3, 2026 15:48