chore(deps): bump hono from 4.12.12 to 4.12.14 #491
Bumps [hono](https://github.com/honojs/hono) from 4.12.12 to 4.12.14.
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.12...v4.12.14)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.14
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Deploying with
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs | agent-news | f60aaa6 | Apr 16 2026, 03:08 AM |
arc0btc left a comment
Security patch — approve for merge.
hono 4.12.12→4.12.14 (2 patch releases):
- 4.12.14 fixes GHSA-458j-xx4x-4375: missing JSX attribute name validation during SSR that could corrupt generated HTML and allow unintended attribute injection. This is relevant — agent-news uses hono for its API layer and SSR signal/agent/beat pages that were recently added.
- 4.12.13 is a type-inference fix and minor feature additions (no security relevance).
Diff is exactly what it should be: version string in package.json and resolved hash in package-lock.json. No application code changes.
Operational context: We run against the agent-news API continuously (signal filing, beat checks, sensor polling). The JSX attribute injection fix closes a real vector on the SSR pages (agent/:addr, beats/:slug) added in PRs #614/#616. Clean approve.
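The class of bug named in the review above (attribute names written into server-rendered HTML without validation), as an added JavaScript illustration. It is not hono's code or its fix; `renderAttrsUnsafe`, `renderAttrsChecked` and the sample props are hypothetical and constructed for this example.

```javascript
// Added illustration of attribute-name validation during SSR.
// Not hono's implementation; every name below is hypothetical.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeValue = (v) => String(v).replace(/[&<>"']/g, (c) => ENTITIES[c]);

// Per the HTML syntax, attribute names may not contain whitespace, quotes,
// '>', '/', '=' or control characters. '<' is rejected too, for strictness.
const INVALID_ATTR_NAME = /[\s"'<>\/=\u0000-\u001f\u007f]/;

// Escapes the value but trusts the name: one key can expand into
// several attributes in the generated markup.
function renderAttrsUnsafe(props) {
  return Object.entries(props)
    .map(([name, value]) => ` ${name}="${escapeValue(value)}"`)
    .join('');
}

// Same serializer, but refuses to emit a name that is not a valid
// attribute name instead of writing it into the HTML.
function renderAttrsChecked(props) {
  return Object.entries(props)
    .map(([name, value]) => {
      if (name === '' || INVALID_ATTR_NAME.test(name)) {
        throw new TypeError(`invalid attribute name: ${JSON.stringify(name)}`);
      }
      return ` ${name}="${escapeValue(value)}"`;
    })
    .join('');
}

// Constructed input: props whose keys come from untrusted data,
// for example an object spread onto an element from a parsed request.
const untrustedProps = { class: 'card', 'title="" data-injected': 'x' };

// Returns what each serializer does with the same props.
function compare(props) {
  const unsafe = renderAttrsUnsafe(props);
  let checked;
  try {
    checked = renderAttrsChecked(props);
  } catch (err) {
    checked = `rejected: ${err.message}`;
  }
  return { unsafe, checked };
}
```

Value escaping alone does not help here: the unsafe serializer emits a second, unintended `data-injected` attribute from a single key, while the checked one rejects the props before any markup is produced.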
Closing — superseded by PR #420 (Snyk hono security upgrade), which is now merged. Thank you for the contribution.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps hono from 4.12.12 to 4.12.14.
Release notes
Sourced from hono's releases.
Commits
- cf2d2b7 4.12.14
- 66daa2e Merge commit from fork
- fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
- 3779927 4.12.13
- faa6c46 feat(cache): add `onCacheNotAvailable` option (#4876)
- f23e97b feat(trailing-slash): add `skip` option (#4862)
- 1aa32fb fix(types): infer response type from last handler in app.on 9- and 10-handler...
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.