chore(deps): bump the npm_and_yarn group across 7 directories with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the / directory: hono, next, next-auth and better-auth.
Bumps the npm_and_yarn group with 2 updates in the /apps/api directory: hono and next.
Bumps the npm_and_yarn group with 2 updates in the /apps/app directory: next and ai.
Bumps the npm_and_yarn group with 1 update in the /apps/status directory: next.
Bumps the npm_and_yarn group with 2 updates in the /apps/www directory: next and better-auth.
Bumps the npm_and_yarn group with 1 update in the /packages/auth directory: better-auth.
Bumps the npm_and_yarn group with 1 update in the /packages/mail directory: better-auth.

Updates hono from 4.6.16 to 4.11.7

Release notes

Sourced from hono's releases.

v4.11.7

Security Release

This release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.

Components

IP Restriction Middleware

Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.

Cache Middleware

Fixed an issue where responses marked with Cache-Control: private or no-store could be cached, potentially leading to information disclosure on some runtimes.

Serve Static Middleware (Cloudflare Workers adapter)

Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.

hono/jsx ErrorBoundary

Fixed a reflected Cross-Site Scripting (XSS) issue in the ErrorBoundary component that could occur when untrusted strings were rendered without proper escaping.

Recommendation

Users are encouraged to upgrade to this release, especially if they:

• Use IP Restriction Middleware
• Use Cache Middleware on Deno, Bun, or Node.js
• Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
• Render untrusted data inside ErrorBoundary components

Security Advisories & CVEs

• IP Restriction Middleware – IPv4 address validation bypass

  • Advisory: GHSA-r354-f388-2fhh
  • CVE: CVE-2026-24398

• Cache Middleware ignores Cache-Control: private

  • Advisory: GHSA-6wqw-2p9w-4vw4
  • CVE: CVE-2026-24472

• Serve Static Middleware (Cloudflare Workers adapter) – Arbitrary key read

  • Advisory: GHSA-w332-q679-j88p
  • CVE: CVE-2026-24473

• hono/jsx ErrorBoundary – Cross-Site Scripting (XSS)

  • Advisory: GHSA-9r54-q6cx-xmh5
  • CVE: Pending

... (truncated)

Commits

• f7d272a 4.11.7
• 2cf6004 Merge commit from fork
• cf9a78d Merge commit from fork
• edbf6ee Merge commit from fork
• 12c5117 Merge commit from fork
• 7343487 4.11.6
• b6e5a97 feat(bun): export getBunServer (#4626)
• 2a9cd95 fix(sse): handle \r and \r\n line endings in writeSSE (#4644)
• 8078bbf docs: align CODE_OF_CONDUCT.md wording with Contributor Covenant (#4630)
• a5be555 refactor: use unique symbol for more accurate typing. (#4651)
• Additional commits viewable in compare view

Updates next from 15.2.0 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

v15.2.9

Please see this changelog for more information about this security patch.

Commits

• 60a2aa9 v15.5.10
• e5b834d fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 39a2f6a feat(next/image)!: add images.maximumResponseBody config (#88183)
• bf9f084 Sync DoS mitigations for React Flight
• c5de33e v15.5.9
• dd23399 Backport facebook/react#35351 for 15.5.8 (#87086)
• 7526cd6 v15.5.8
• 1e9ec41 Update React Version (#41)
• 16141e5 Update React Version (#30)
• e01e589 Backport Next.js changes to v15.5.8 (#23)
• Additional commits viewable in compare view

Updates next-auth from 5.0.0-beta.25 to 5.0.0-beta.30

Release notes

Sourced from next-auth's releases.

next-auth@5.0.0-beta.29

What's Changed

• fix: always check typeof BroadcastChannel by @​maiconcarraro in nextauthjs/next-auth#12937
• fix(providers): enable OIDC capabilities for Keycloak by @​jvllmr in nextauthjs/next-auth#12964
• Fix typo: succesful -> successful by @​changeworld in nextauthjs/next-auth#12973
• Fix undefined providerId by @​Regloom in nextauthjs/next-auth#12947
• docs: fix typo profie -> profile by @​changeworld in nextauthjs/next-auth#12987
• docs: Fix typo initalization -> initialization by @​changeworld in nextauthjs/next-auth#12989
• docs: Fix typo depencies -> dependencies by @​changeworld in nextauthjs/next-auth#12983
• docs: add missing "key" prop for form element in providerMap iterator by @​frshaad in nextauthjs/next-auth#13023
• chore(docs): fix typo Minmum -> Minimum by @​changeworld in nextauthjs/next-auth#13007
• chore(docs): fix typo Avaliable Scopes -> Available Scopes by @​changeworld in nextauthjs/next-auth#13009
• fix(adapter): transistion to surrealdb@^1.0.0 by @​dvanmali in nextauthjs/next-auth#11911
• Fix(provider): Mailgun region selection by @​benhovinga in nextauthjs/next-auth#13027
• fix(next-auth): add missing middleware wrapper type to auth function by @​k-taro56 in nextauthjs/next-auth#13026
• Update extending-the-session.mdx by @​adriancuadrado in nextauthjs/next-auth#13064
• fix(adapters): handle P2025 errors without importing Prisma namespace by @​karl-barbour in nextauthjs/next-auth#13061
• chore(docs): Fix syntax error in RBAC guide by @​benhovinga in nextauthjs/next-auth#12733
• fix(provider): Microsoft Entra ID by @​benhovinga in nextauthjs/next-auth#12616
• Update index.ts by @​adriancuadrado in nextauthjs/next-auth#13066

New Contributors

• @​maiconcarraro made their first contribution in nextauthjs/next-auth#12937
• @​jvllmr made their first contribution in nextauthjs/next-auth#12964
• @​Regloom made their first contribution in nextauthjs/next-auth#12947
• @​frshaad made their first contribution in nextauthjs/next-auth#13023
• @​dvanmali made their first contribution in nextauthjs/next-auth#11911
• @​adriancuadrado made their first contribution in nextauthjs/next-auth#13064
• @​karl-barbour made their first contribution in nextauthjs/next-auth#13061

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@5.0.0-beta.28...next-auth@5.0.0-beta.29

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by himself_65, a new releaser for next-auth since your current version.

Updates ai from 4.0.30 to 4.3.19

Commits

• 63d5f66 Version Packages (#8895)
• 930399b Backport: fix(ai): download files when intermediate file cannot be downloaded...
• 7ca78f1 Backport: feat(provider/gateway): Add new Qwen models to Gateway model string...
• 1cfc209 Backport: feat(provider/openai): OpenAILanguageModelOptions type (#8858)
• 347b7ec ci: rename v5.0 branch to release-v*
• 85909a9 Backport: chore(ai): update test message (#8875)
• c56822d Backport: fix(ai): update uiMessageChunkSchema to satisfy the `UIMessageChu...
• 1461adf Backport: chore(examples): remove redundant OpenAI reasoning examples (#8871)
• 6bd07df Version Packages (#8853)
• a45d61a ci(release): remove incorrect changeset bump for @ai-sdk/baseten
• Additional commits viewable in compare view

Updates better-auth from 1.1.21 to 1.4.5

Release notes

Sourced from better-auth's releases.

v1.4.5-beta.2

   🐞 Bug Fixes

• Add helper types to exports  -  by @​himself65 in better-auth/better-auth#6479 (9b556)

    View changes on GitHub

v1.4.4

   🚀 Features

• cli: Better-auth-command  -  by @​Ridhim-RR in better-auth/better-auth#6362 (5e06f)
• scim: Add support to parse custom scim+json media type  -  by @​jonathansamines in better-auth/better-auth#6365 (6e9ec)

   🐞 Bug Fixes

• Customizing fields should be optional for rate limit options  -  by @​ceolinwill in better-auth/better-auth#6398 (115c9)
• Chunk account data cookie when exceeding limit  -  by @​jslno in better-auth/better-auth#6393 (c9eca)
• Remove applying user-agent by default  -  by @​Bekacru in better-auth/better-auth#6417 (34d7d)
• Additional fields default values should apply when creating session  -  by @​Bekacru in better-auth/better-auth#5763 (d5713)
• Return null early if userid isn't defined  -  by @​Bekacru in better-auth/better-auth#6418 (e4508)
• logger: Log level priority  -  by @​danielfinke in better-auth/better-auth#6411 (4c25b)
• mcp: Return origin url as authorization server  -  by @​jslno in better-auth/better-auth#6397 (594bb)
• multi-session: Endpoints breaks with invalid signatures  -  by @​ping-maxwell in better-auth/better-auth#6342 (9433e)
• oidc-provider: Resolve getSignedCookie return type  -  by @​bytaesu in better-auth/better-auth#6346 (425dd)

    View changes on GitHub

v1.4.4-beta.3

   🚀 Features

• Lint dependencies  -  by @​jonathansamines in better-auth/better-auth#6309 (efaef)
• cli: Better-auth-command  -  by @​Ridhim-RR in better-auth/better-auth#6362 (1abd7)
• one-tap: Add fedcm support  -  by @​jslno in better-auth/better-auth#6380 (fd23c)
• scim: Add support to parse custom scim+json media type  -  by @​jonathansamines in better-auth/better-auth#6365 (a91a8)

   🐞 Bug Fixes

• Customizing fields should be optional for rate limit options  -  by @​ceolinwill in better-auth/better-auth#6398 (9abd8)
• Chunk account data cookie when exceeding limit  -  by @​jslno in better-auth/better-auth#6393 (57d36)
• Remove applying user-agent by default  -  by @​Bekacru in better-auth/better-auth#6417 (0617b)
• Improve error handling for unsupported additionalFields on generate  -  by @​Kinfe123 in better-auth/better-auth#3977 (39eb6)
• Return null early if userid isn't defined  -  by @​Bekacru in better-auth/better-auth#6418 (022ce)
• Additional fields default values should apply when creating session  -  by @​Bekacru in better-auth/better-auth#5763 (76998)
• Preserve user ID in cookie cache during stateless sessions  -  by @​GautamBytes in better-auth/better-auth#6452 (a25fb)
• expo:
  • Dismiss auth session on android to prevent invalid state error  -  by @​GautamBytes in better-auth/better-auth#6388 (3a133)
• logger:
  • Log level priority  -  by @​danielfinke in better-auth/better-auth#6411 (fa01c)
• mcp:
  • Return origin url as authorization server  -  by @​jslno in better-auth/better-auth#6397 (86c8d)

... (truncated)

Commits

• 2000fd6 chore: release v1.4.5
• fcab5a8 fix: add helper types to exports (#6479)
• c666670 chore: release v1.4.5-beta.1
• fd72560 fix(db-adapter): string[] and number[] fieldTypes incorrectly parsed for plug...
• 189dedd chore: release v1.4.4-beta.3
• 6269a33 chore: release v1.4.4-beta.2
• 52c15d4 chore: fix validation errors in unit tests (#6466)
• a25fb65 fix: preserve user ID in cookie cache during stateless sessions (#6452)
• 5cbe0a5 chore: enforce imports to use node: protocol (#6461)
• fbe51c8 chore: add spell checker (#6319)
• Additional commits viewable in compare view

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• See full diff in compare view

Updates jws from 3.2.2 to 4.0.1

Release notes

Sourced from jws's releases.

v4.0.1

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

v4.0.0

No release notes provided.

v3.2.3

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

• BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

• BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

• Code reorganization, thanks [@​fearphage]! (7880050)

Added

• Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits

• 34c45b2 Merge commit from fork
• 49bc39b version 4.0.1
• d42350c Enhance tests for HMAC streaming sign and verify
• 5cb007c Improve secretOrKey initialization in VerifyStream
• f9a2e1c Improve secret handling in SignStream
• b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
• 95b75ee Upload OpsLevel YAML
• 8857ee7 test: remove unused variable (#96)
• 1389f6d v4.0.0
• e4593f1 jwa@^2.0.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates qs from 6.14.0 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

• d9b4c66 v6.15.0
• cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
• 88e1563 [Fix] duplicates option should not apply to bracket notation keys
• 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
• 85cc8ca v6.12.5
• ffc12aa v6.11.4
• 0506b11 [actions] update reusable workflows
• 6a37faf [actions] update reusable workflows
• 8e8df5a [Fix] fix regressions from robustness refactor
• d60bab3 v6.10.7
• Additional commits viewable in compare view

Updates validator from 13.12.0 to 13.15.26

Release notes

Sourced from validator's releases.

13.15.26

Fixes, New Locales and Enhancements

• #2535 isHexColor: add require_hashtag option @​Numbers0689
• #2633 isURL: handle possible bypass with URL-encoded content @​WikiRik
• #2634 isIBAN: improve IR locale @​ds1371dani
• Doc fixes and others:
  • #2640 @​WikiRik

New Contributors

• @​ds1371dani made their first contribution in validatorjs/validator.js#2634
• @​Numbers0689 made their first contribution in validatorjs/validator.js#2535

Full Changelog: validatorjs/validator.js@13.15.23...13.15.26

13.15.23

Fixes, New Locales and Enhancements

• Doc fixes and others:
  • #2631 @​WikiRik

Full Changelog: validatorjs/validator.js@13.15.22...13.15.23

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

New Contributors

• @​mbtools made their first contribution in validatorjs/validator.js#2622
• @​koral-- made their first contribution in validatorjs/validator.js#2616

Full Changelog: validatorjs/validator.js@13.15.20...13.15.22

13.15.20

Fixes, New Locales and Enhancements

• #2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #2574 isBase64: improve padding regex @​KrayzeeKev
• #2584 isVAT: improve FR locale @​iamAmer
• #2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #2563 @​stoneLeaf
  • #2581 @​camillobruni

... (truncated)

Changelog

Sourced from validator's changelog.

13.15.26

Fixes, New Locales and Enhancements

• #2535 isHexColor: add require_hashtag option @​Numbers0689
• #2633 isURL: handle possible bypass with URL-encoded content @​WikiRik
• #2634 isIBAN: improve IR locale @​ds1371dani
• Doc fixes and others:
  • #2640 @​WikiRik

13.15.23

Fixes, New Locales and Enhancements

• Doc fixes and others:
  • #2631 @​WikiRik

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

13.15.20

Fixes, New Locales and Enhancements

• #2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #2574 isBase64: improve padding regex @​KrayzeeKev
• #2584 isVAT: improve FR locale @​iamAmer
• #2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #2563 @​stoneLeaf
  • #2581 @​camillobruni

13.15.15

Fixes, New Locales and Enhancements

• isMobilePhone
  • #2514 improve el-CY locale @​rezk2ll
  • #2512 improve pt-AO locale @​renaldodev
  • #2502 improve ar-OM locale @​tomcastro
• #2089 isIP: allow usage of option object @​pixelbucket-dev
• #2526 isPassportNumber: improve CA locale @​evanbechtol
• #2491 isBase64: improve validation based on RFC4648 @​aseyfpour

... (truncated)

Commits

• 784e52a docs(matches): add ReDoS note to README (#2640)
• 6531047 fix(isHexColor): add require_hashtag option (#2535)
• f605a9c fix(isURL): handle possible bypass with URL-encoded content (#2633)
• a165ebe fix(isIBAN): improve IR locale (#2634)
• 9113304 fix(build): move to trusted publishing (#2631)
• f2b5c17 maintenance: 2511 release (#2627)
• d457eca fix(isLength): correctly handle Unicode variation selectors (#2616)
• f2e3633 docs: add install instructions to contibution guide (#2621)
• cf40145 fix: URL validation for hostnames with ports (no protocol) (#2622)
• 4af6124 maintenance: 2510 release (#2585)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for validator since your current version.

Updates hono from 4.6.16 to 4.11.7

Release notes

Sourced from hono's releases.

v4.11.7

Security Release

This release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.

Components

IP Restriction Middleware

Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.

Cache Middleware

Fixed an issue where responses marked with Cache-Control: private or no-store could be cached, potentially leading to information disclosure on some runtimes.

Serve Static Middleware (Cloudflare Workers adapter)

Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.

hono/jsx ErrorBoundary

Fixed a reflected Cross-Site Scripting (XSS) issue in the ErrorBoundary component that could occur when untrusted strings were rendered without proper escaping.

Recommendation

Users are encouraged to upgrade to this release, especially if they:

• Use IP Restriction Middleware
• Use Cache Middleware on Deno, Bun, or Node.js
• Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
• Render untrusted data inside ErrorBoundary components

Security Advisories & CVEs

• IP Restriction Middleware – IPv4 address validation bypass

  • Advisory: GHSA-r354-f388-2fhh
  • CVE: CVE-2026-24398

• Cache Middleware ignores Cache-Control: private

  • Advisory: GHSA-6wqw-2p9w-4vw4
  • CVE: CVE-2026-24472

• Serve Static Middleware (Cloudflare Workers adapter) – Arbitrary key read

  • Advisory: GHSA-w332-q679-j88p
  • CVE: CVE-2026-24473

• hono/jsx ErrorBoundary – Cross-Site Scripting (XSS)

  • Advisory: GHSA-9r54-q6cx-xmh5
  • CVE: Pending

... (truncated)

Commits

• f7d272a 4.11.7
• 2cf6004 Merge commit from fork
• cf9a78d Merge commit from fork
• edbf6ee Merge commit from fork
• 12c5117 Merge commit from fork
• 7343487 4.11.6
• b6e5a97 feat(bun): export getBunServer (#4626)
• 2a9cd95 fix(sse): handle \r an...

  Description has been truncated