
fix(deps): bump hono to 4.12.5 to fix multiple vulnerabilities#19653

Merged: chargome merged 1 commit into develop from fix/dependabot-alert-hono on Mar 5, 2026

Conversation

@chargome chargome commented Mar 5, 2026

Fixes Dependabot alerts #1125, #1126, #1127, #1128, #1129, #1130.

  • CVE-2026-29045: Arbitrary file access via serveStatic (high)
  • Cookie Attribute Injection via setCookie() (medium)
  • SSE Control Field Injection via writeSSE() (medium)

@s1gr1d feel free to close this one if you want, but please dismiss the alerts accordingly if this is the case

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@chargome chargome requested a review from s1gr1d March 5, 2026 11:58
@chargome chargome self-assigned this Mar 5, 2026
github-actions bot commented Mar 5, 2026

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

| Path | Size | % Change | Change |
|---|---|---|---|
| @sentry/browser | 25.63 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.13 kB | - | - |
| @sentry/browser (incl. Tracing) | 42.43 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 47.09 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 81.25 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 70.87 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 85.95 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 98.21 kB | - | - |
| @sentry/browser (incl. Feedback) | 42.44 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 30.3 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 35.35 kB | - | - |
| @sentry/browser (incl. Metrics) | 26.8 kB | - | - |
| @sentry/browser (incl. Logs) | 26.94 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 27.61 kB | - | - |
| @sentry/react | 27.38 kB | - | - |
| @sentry/react (incl. Tracing) | 44.77 kB | - | - |
| @sentry/vue | 30.08 kB | - | - |
| @sentry/vue (incl. Tracing) | 44.3 kB | - | - |
| @sentry/svelte | 25.66 kB | - | - |
| CDN Bundle | 28.17 kB | - | - |
| CDN Bundle (incl. Tracing) | 43.26 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 29.01 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 44.1 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.09 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 80.14 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 81 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 85.65 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 86.53 kB | - | - |
| CDN Bundle - uncompressed | 82.35 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 128.07 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 85.19 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 130.9 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 208.85 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 244.95 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 247.77 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 257.86 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 260.67 kB | - | - |
| @sentry/nextjs (client) | 47.18 kB | - | - |
| @sentry/sveltekit (client) | 42.89 kB | - | - |
| @sentry/node-core | 52.25 kB | +0.02% | +8 B 🔺 |
| @sentry/node | 174.71 kB | +0.01% | +4 B 🔺 |
| @sentry/node - without tracing | 97.39 kB | +0.02% | +11 B 🔺 |
| @sentry/aws-serverless | 113.2 kB | +0.01% | +8 B 🔺 |


github-actions bot commented Mar 5, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
|---|---|---|---|---|
| GET Baseline | 9,556 | - | 9,406 | +2% |
| GET With Sentry | 1,738 | 18% | 1,595 | +9% |
| GET With Sentry (error only) | 6,253 | 65% | 6,122 | +2% |
| POST Baseline | 1,214 | - | 1,156 | +5% |
| POST With Sentry | 603 | 50% | 555 | +9% |
| POST With Sentry (error only) | 1,064 | 88% | 1,011 | +5% |
| MYSQL Baseline | 3,350 | - | 3,268 | +3% |
| MYSQL With Sentry | 471 | 14% | 445 | +6% |
| MYSQL With Sentry (error only) | 2,759 | 82% | 2,705 | +2% |


@chargome chargome merged commit 2109509 into develop Mar 5, 2026
224 of 226 checks passed
@chargome chargome deleted the fix/dependabot-alert-hono branch March 5, 2026 13:01