Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates#122

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-23e931cb1e
Closed

chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates#122
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-23e931cb1e

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 8, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: hono.

Updates hono from 4.12.7 to 4.12.16

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.14...v4.12.15

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

  • fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

... (truncated)

Commits

Updates nitro from 3.0.260311-beta to 3.0.260429-beta

Release notes

Sourced from nitro's releases.

v3.0.260429-beta

compare changes

[!IMPORTANT] This release patches two medium-severity vulnerabilities in proxy and redirect route rules. Users relying on either are strongly encouraged to upgrade. See GHSA-5w89-w975-hf9q and GHSA-9phm-9p8f-hw5m for details.

🚀 Enhancements

  • tracing: Enable tracing channels for unstorage (#4226)

🩹 Fixes

  • Accept ipv4-mapped ipv6 loopback in vfs handler (#4212)
  • route-rules: Reject out-of-scope requests (#4222)
  • route-rules: Prevent open redirect via protocol-relative url bypass (#4236)
  • vite: Route browser asset loads to vite when sec-fetch-dest is absent (#4238)

💅 Refactors

  • Use built-in escapeRegExp util (#4109)

📖 Documentation

  • cache: Add invalidation usage (#4216)
  • Improve jsdocs (#4199)

📦 Build

  • Shim oxc-parser via rolldown/utils (#4237)

🌊 Types

  • vite: Make experimental.vite type optional (#4225)

Preset Changes

  • cloudflare: Add missing types for cloudflare.wrangler.observability.traces (#4220)
  • vercel: Enable shouldAddSourcemapSupport when sourcemap is enabled (#4232)

❤️ Contributors

v3.0.260415-beta

... (truncated)

Commits
  • c467f13 v3.0.260429-beta
  • 1281d4b chore: update release script
  • 6016153 fix(vite): route browser asset loads to vite when sec-fetch-dest is absent (#...
  • a9305f0 presets(vercel): enable shouldAddSourcemapSupport when sourcemap is enabled...
  • a027ae8 build: shim oxc-parser via rolldown/utils (#4237)
  • f92e684 chore: apply automated updates
  • 112e215 chore: basic dist-diff script
  • 932f628 chore: ignore vite7 from pnpm outdated
  • 705069f chore: update deps
  • bc1dd9d fix(route-rules): prevent open redirect via protocol-relative url bypass (#4236)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm_and_yarn group across 1 directory with 2 up…
da6b73d 
…dates

Bumps the npm_and_yarn group with 1 update in the / directory: [hono](https://github.com/honojs/hono).


Updates `hono` from 4.12.7 to 4.12.16
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.7...v4.12.16)

Updates `nitro` from 3.0.260311-beta to 3.0.260429-beta
- [Release notes](https://github.com/nitrojs/nitro/releases)
- [Changelog](https://github.com/nitrojs/nitro/blob/main/changelog.config.ts)
- [Commits](nitrojs/nitro@v3.0.260311-beta...v3.0.260429-beta)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.16
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: nitro
  dependency-version: 3.0.260429-beta
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 8, 2026
@chatgpt-codex-connector
Copy link
Copy Markdown

chatgpt-codex-connector Bot commented May 8, 2026

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 8, 2026

Superseded by #123.

@dependabot dependabot Bot closed this May 8, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-23e931cb1e branch May 8, 2026 23:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants