github-starred/yaak
2
0
Fork 0
mirror of https://github.com/mountain-loop/yaak.git synced 2026-05-06 18:16:03 -05:00
Code Issues 71 Packages Projects Releases 101 Wiki Activity

[PR #442] [MERGED] Bump hono from 4.12.4 to 4.12.14 #1300

New Issue
Closed
opened 2026-04-26 00:19:41 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-26 00:19:41 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/mountain-loop/yaak/pull/442
Author: @dependabot[bot]
Created: 4/16/2026
Status: Merged
Merged: 4/23/2026
Merged by: @gschier

Base: mainHead: dependabot/npm_and_yarn/hono-4.12.14

📝 Commits (1)

  • 54fcfe5 Bump hono from 4.12.4 to 4.12.14

📊 Changes

2 files changed (+5 additions, -5 deletions)

View changed files

📝 package-lock.json (+4 -4)
📝 plugins-external/mcp-server/package.json (+1 -1)

📄 Description

Bumps hono from 4.12.4 to 4.12.14.

Release notes

Sourced from hono's releases.

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

  • fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

New Contributors

Full Changelog: https://github.com/honojs/hono/compare/v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

... (truncated)

Commits

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/mountain-loop/yaak/pull/442 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 4/16/2026 **Status:** ✅ Merged **Merged:** 4/23/2026 **Merged by:** [@gschier](https://github.com/gschier) **Base:** `main` ← **Head:** `dependabot/npm_and_yarn/hono-4.12.14` --- ### 📝 Commits (1) - [`54fcfe5`](https://github.com/mountain-loop/yaak/commit/54fcfe5d88a5dd2e04afcd32da69fc2c44c3ac60) Bump hono from 4.12.4 to 4.12.14 ### 📊 Changes **2 files changed** (+5 additions, -5 deletions) <details> <summary>View changed files</summary> 📝 `package-lock.json` (+4 -4) 📝 `plugins-external/mcp-server/package.json` (+1 -1) </details> ### 📄 Description Bumps [hono](https://github.com/honojs/hono) from 4.12.4 to 4.12.14. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/honojs/hono/releases">hono's releases</a>.</em></p> <blockquote> <h2>v4.12.14</h2> <h2>Security fixes</h2> <p>This release includes fixes for the following security issues:</p> <h3>Improper handling of JSX attribute names in hono/jsx SSR</h3> <p>Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375</p> <h2>Other changes</h2> <ul> <li>fix(aws-lambda): handle invalid header names in request processing (<a href="https://redirect.github.com/honojs/hono/issues/4883">#4883</a>) fa2c74fe</li> </ul> <h2>v4.12.13</h2> <h2>What's Changed</h2> <ul> <li>fix(types): infer response type from last handler in app.on 9-/10-handler overloads by <a href="https://github.com/T4ko0522"><code>@​T4ko0522</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4865">honojs/hono#4865</a></li> <li>feat(trailing-slash): add <code>skip</code> option by <a href="https://github.com/yusukebe"><code>@​yusukebe</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4862">honojs/hono#4862</a></li> <li>feat(cache): add <code>onCacheNotAvailable</code> option by <a href="https://github.com/yusukebe"><code>@​yusukebe</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4876">honojs/hono#4876</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/T4ko0522"><code>@​T4ko0522</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4865">honojs/hono#4865</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.12.12...v4.12.13">https://github.com/honojs/hono/compare/v4.12.12...v4.12.13</a></p> <h2>v4.12.12</h2> <h2>Security fixes</h2> <p>This release includes fixes for the following security issues:</p> <h3>Middleware bypass via repeated slashes in serveStatic</h3> <p>Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (<code>//</code>) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c</p> <h3>Path traversal in toSSG() allows writing files outside the output directory</h3> <p>Affects: <code>toSSG()</code> for Static Site Generation. Fixes a path traversal issue where crafted <code>ssgParams</code> values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx</p> <h3>Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses</h3> <p>Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. <code>::ffff:127.0.0.1</code>) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g</p> <h3>Missing validation of cookie name on write path in setCookie()</h3> <p>Affects: <code>setCookie()</code>, <code>serialize()</code>, and <code>serializeSigned()</code> from <code>hono/cookie</code>. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm</p> <h3>Non-breaking space prefix bypass in cookie name handling in getCookie()</h3> <p>Affects: <code>getCookie()</code> from <code>hono/cookie</code>. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4</p> <hr /> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/honojs/hono/commit/cf2d2b7edcf07adef2db7614557f4d7f9e2be7ba"><code>cf2d2b7</code></a> 4.12.14</li> <li><a href="https://github.com/honojs/hono/commit/66daa2edef8965544c04fcad82c596ab2acdb5ee"><code>66daa2e</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/fa2c74fe5c3ce996d025d9d97bf5670c207bb82e"><code>fa2c74f</code></a> fix(aws-lambda): handle invalid header names in request processing (<a href="https://redirect.github.com/honojs/hono/issues/4883">#4883</a>)</li> <li><a href="https://github.com/honojs/hono/commit/3779927c17201dc6bfd20697f0e1ec65407da779"><code>3779927</code></a> 4.12.13</li> <li><a href="https://github.com/honojs/hono/commit/faa6c46a1aa3a8b792b29e20fc93bcd6d2a4d720"><code>faa6c46</code></a> feat(cache): add <code>onCacheNotAvailable</code> option (<a href="https://redirect.github.com/honojs/hono/issues/4876">#4876</a>)</li> <li><a href="https://github.com/honojs/hono/commit/f23e97b7f300bcb8571ae864010b8f7cdb5d0d5d"><code>f23e97b</code></a> feat(trailing-slash): add <code>skip</code> option (<a href="https://redirect.github.com/honojs/hono/issues/4862">#4862</a>)</li> <li><a href="https://github.com/honojs/hono/commit/1aa32fb91e7bc1366811d80ebcce61ec0d0c68cb"><code>1aa32fb</code></a> fix(types): infer response type from last handler in app.on 9- and 10-handler...</li> <li><a href="https://github.com/honojs/hono/commit/c37ba26da9709ad03b803d1972773ed864b7e60d"><code>c37ba26</code></a> 4.12.12</li> <li><a href="https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0"><code>cc067c8</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec"><code>a586cd7</code></a> Merge commit from fork</li> <li>Additional commits viewable in <a href="https://github.com/honojs/hono/compare/v4.12.4...v4.12.14">compare view</a></li> </ul> </details> <br /> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-26 00:19:41 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
pull-request
Mirrored from GitHub Pull Request
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/yaak#1300
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?