Skip to content

chore(deps): bump hono, @hono/node-server and unstorage#474

Open
NickAldewereld wants to merge 1 commit into
CorentinTh:mainfrom
NickAldewereld:chore/deps-security-bump
Open

chore(deps): bump hono, @hono/node-server and unstorage#474
NickAldewereld wants to merge 1 commit into
CorentinTh:mainfrom
NickAldewereld:chore/deps-security-bump

Conversation

@NickAldewereld

Copy link
Copy Markdown

Bumps three runtime dependencies of app-server past published advisories in their serve-static / CORS handling:

  • @hono/node-server 1.13.8 → 1.19.14 — auth bypass for protected static paths via encoded slashes in the serve-static middleware. The Node server uses serveStatic to serve ./public.
  • hono 4.7.5 → 4.12.28 — serveStatic file-access and CORS wildcard+credentials reflection advisories.
  • unstorage 1.15.0 → 1.17.5.

All three move within the existing semver ranges in package.json (^1.12.1, ^4.5.8, ^1.10.2) — the lockfile was just stale. No source changes. Lint, typecheck, tests and build pass.

…rsions

Addresses published advisories in the serve-static / CORS paths
(@hono/node-server encoded-slash auth bypass, hono serveStatic file
access + CORS reflection). Versions move within the existing semver
ranges; the lockfile was just stale.
@sonarqubecloud

sonarqubecloud Bot commented Jul 8, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant