chore(deps): bump hono from 4.11.4 to 4.12.17 by dependabot[bot] · Pull Request #3385 · decentraland/builder

dependabot · 2026-04-15T22:34:27Z

Bumps hono from 4.11.4 to 4.12.17.

Release notes

v4.12.17

What's Changed

fix(jsx): normalize SVG attributes on the root element by @kfly8 in honojs/hono#4893

fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in honojs/hono#4899

fix(cors): make origin optional in CORSOptions by @truffle-dev in honojs/hono#4905

fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in honojs/hono#4906

New Contributors

@kfly8 made their first contribution in honojs/hono#4893

@truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

fix(jwt): support single-line PEM keys by @hiendv in honojs/hono#4889

New Contributors

@hiendv made their first contribution in honojs/hono#4889

Full Changelog: honojs/hono@v4.12.14...v4.12.15

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

... (truncated)

Commits

ff2b3d3 4.12.17
52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
76d5589 fix(cors): make origin optional in CORSOptions (#4905)
8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
90d4182 4.12.16
db05b96 Merge commit from fork
614b834 Merge commit from fork
027e3df fix(method-override): handle Content-Type with charset parameter (#4894)
f774f8d 4.12.15
Additional commits viewable in compare view

vercel · 2026-04-15T22:34:30Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
builder	Ready	Preview, Comment	May 5, 2026 4:16pm

Bumps [hono](https://github.com/honojs/hono) from 4.11.4 to 4.12.17. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.4...v4.12.17) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.14 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-05-08T00:52:25Z

Superseded by #3401.

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 15, 2026

vercel Bot deployed to Preview April 15, 2026 22:36 View deployment

dependabot Bot force-pushed the dependabot/npm_and_yarn/hono-4.12.14 branch from 4def518 to efecb0d Compare April 16, 2026 20:02

vercel Bot deployed to Preview April 16, 2026 20:04 View deployment

dependabot Bot force-pushed the dependabot/npm_and_yarn/hono-4.12.14 branch from efecb0d to 09cfe0b Compare April 16, 2026 21:42

vercel Bot deployed to Preview April 16, 2026 21:45 View deployment

dependabot Bot changed the title ~~chore(deps): bump hono from 4.11.4 to 4.12.14~~ chore(deps): bump hono from 4.11.4 to 4.12.17 May 5, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/hono-4.12.14 branch from 09cfe0b to 6f97d43 Compare May 5, 2026 16:14

vercel Bot deployed to Preview May 5, 2026 16:16 View deployment

dependabot Bot closed this May 8, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/hono-4.12.14 branch May 8, 2026 00:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump hono from 4.11.4 to 4.12.17#3385

chore(deps): bump hono from 4.11.4 to 4.12.17#3385
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/hono-4.12.14

dependabot Bot commented on behalf of github Apr 15, 2026 •

edited

Loading

Uh oh!

vercel Bot commented Apr 15, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.12.17

What's Changed

New Contributors

v4.12.16

Security fixes

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

bodyLimit() can be bypassed for chunked / unknown-length requests

v4.12.15

What's Changed

New Contributors

v4.12.14

Security fixes

Improper handling of JSX attribute names in hono/jsx SSR

Other changes

v4.12.13

What's Changed

Uh oh!

vercel Bot commented Apr 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dependabot Bot commented on behalf of github May 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Apr 15, 2026 •

edited

Loading

vercel Bot commented Apr 15, 2026 •

edited

Loading