chore(deps): bump hono from 4.11.10 to 4.12.4 in /server by dependabot[bot] · Pull Request #882 · useautumn/autumn

dependabot · 2026-03-04T21:08:02Z

Bumps hono from 4.11.10 to 4.12.4.

Release notes

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

Other changes

fix(client): preserve route schema in ApplyGlobalResponse by @agumy in honojs/hono#4777

fix(utils/url): specify the return type of tryDecodeURI by @yusukebe in honojs/hono#4779

New Contributors

@agumy made their first contribution in honojs/hono#4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

v4.12.3

What's Changed

fix(validator): prevent type diff bug in form data parsing by @EdamAme-x in honojs/hono#4753

fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @EdamAme-x in honojs/hono#4754

fix(jwt): fix JwtVariables for ContextVariableMap by @yusukebe in honojs/hono#4764

fix(types): remove DOM type dependencies from ClientResponse and request method by @YevheniiKotyrlo in honojs/hono#4768

fix(types): correct middleware types by @hmnd in honojs/hono#4774

fix(jwt): prevent memory leak by avoiding mutation of options object by @EdamAme-x in honojs/hono#4759

New Contributors

@YevheniiKotyrlo made their first contribution in honojs/hono#4768

@hmnd made their first contribution in honojs/hono#4774

Full Changelog: honojs/hono@v4.12.2...v4.12.3

v4.12.2

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: GHSA-xh87-mx6m-69f3

... (truncated)

Commits

19d20d2 4.12.4
44ae0c8 Merge commit from fork
f4123ed Merge commit from fork
80a9837 fix(utils/url): specify the return type of tryDecodeURI (#4779)
6a0607a Merge commit from fork
0768232 fix(client): preserve route schema in ApplyGlobalResponse (#4777)
790c57b 4.12.3
bda46ac fix(jwt): prevent memory leak by avoiding mutation of options object (#4759)
0f505f4 fix(types): correct middleware types (#4774)
eb9c112 fix(types): remove DOM type dependencies from ClientResponse and request meth...
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade Hono in the server from 4.11.10 to 4.12.4 to apply upstream security fixes and minor stability/type improvements. This reduces risk of injection and middleware bypass.

Dependencies
- Bump hono: 4.11.10 → 4.12.4.
- Pulls security patches for SSE field injection, cookie attribute injection, static middleware bypass, and ALB X-Forwarded-For handling.

^{Written for commit 6f5b749. Summary will update on new commits.}

Greptile Summary

This PR bumps the hono dependency in server/package.json from version 4.11.10 to 4.12.4, incorporating four security advisories and several bug fixes across the intermediate releases.

Key changes:

[Bug fixes] SSE Control Field Injection (GHSA-p6xx-57qc-3wxr): Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry fields of streamSSE().
[Bug fixes] Cookie Attribute Injection (GHSA-5pq2-9x2x-5p6w): Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options of setCookie().
[Bug fixes] Serve Static Middleware Bypass (GHSA-q5qw-h33p-qvwr): Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware.
[Bug fixes] X-Forwarded-For AWS Lambda fix (GHSA-xh87-mx6m-69f3): Fixes incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass.
[Bug fixes] JWT memory leak fix, safer timestamp handling with Math.floor, and type/middleware corrections across 4.12.1–4.12.3.

Confidence Score: 5/5

This PR is safe to merge — it is a security-focused patch bump with no breaking changes.
The change is a single-line version bump from a minor/patch release of hono, driven entirely by security advisories. The project does not appear to directly use the most affected APIs (streamSSE, setCookie, or serveStatic) based on a codebase search, but upgrading is still the correct action. No API-breaking changes are introduced in this version range.
No files require special attention.

Important Files Changed

Filename	Overview
server/package.json	Bumps `hono` from 4.11.10 to 4.12.4; a straightforward single-line version bump addressing multiple security advisories and bug fixes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[hono 4.11.10] -->|bump| B[hono 4.12.4]
    B --> C[Security Fixes]
    B --> D[Bug Fixes]
    C --> C1[SSE Control Field Injection\nGHSA-p6xx-57qc-3wxr]
    C --> C2[Cookie Attribute Injection\nGHSA-5pq2-9x2x-5p6w]
    C --> C3[Serve Static Middleware Bypass\nGHSA-q5qw-h33p-qvwr]
    C --> C4[X-Forwarded-For AWS Lambda\nGHSA-xh87-mx6m-69f3]
    D --> D1[JWT memory leak fix]
    D --> D2[JWT timestamp safety fix]
    D --> D3[Middleware type fixes]
    D --> D4[Form data parsing fix]

_{Last reviewed commit: 6f5b749}

Bumps [hono](https://github.com/honojs/hono) from 4.11.10 to 4.12.4. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.10...v4.12.4) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-03-04T21:08:05Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
autumn-vite	Ready	Preview, Comment	Mar 4, 2026 9:09pm

cubic-dev-ai

No issues found across 1 file

Confidence score: 5/5

Automated review surfaced no issues in the provided summaries.
No files require special attention.

dependabot bot requested review from ay-rod and johnyeocx as code owners March 4, 2026 21:08

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 4, 2026

vercel bot deployed to Preview March 4, 2026 21:09 View deployment

cubic-dev-ai bot reviewed Mar 4, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump hono from 4.11.10 to 4.12.4 in /server#882

chore(deps): bump hono from 4.11.10 to 4.12.4 in /server#882
dependabot[bot] wants to merge 1 commit intodevfrom
dependabot/npm_and_yarn/server/hono-4.12.4

dependabot bot commented on behalf of github Mar 4, 2026 •

edited by greptile-apps bot

Loading

Uh oh!

vercel bot commented Mar 4, 2026 •

edited

Loading

Uh oh!

cubic-dev-ai bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 4, 2026 • edited by greptile-apps bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.12.4

Security fixes

SSE Control Field Injection

Cookie Attribute Injection in setCookie()

Middleware Bypass in Serve Static

Other changes

New Contributors

v4.12.3

What's Changed

New Contributors

v4.12.2

Security fix

Summary by cubic

Greptile Summary

Confidence Score: 5/5

Important Files Changed

Flowchart

Uh oh!

vercel bot commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Mar 4, 2026 •

edited by greptile-apps bot

Loading

Cookie Attribute Injection in `setCookie()`

vercel bot commented Mar 4, 2026 •

edited

Loading