Skip to content

Build(deps): Bump hono from 4.12.25 to 4.12.28 in /examples/node-gate-publisher in the npm-production group across 1 directory#69

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/examples/node-gate-publisher/npm-production-0d702bd59d
Open

Build(deps): Bump hono from 4.12.25 to 4.12.28 in /examples/node-gate-publisher in the npm-production group across 1 directory#69
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/examples/node-gate-publisher/npm-production-0d702bd59d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 24, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-production group with 1 update in the /examples/node-gate-publisher directory: hono.

Updates hono from 4.12.25 to 4.12.28

Release notes

Sourced from hono's releases.

v4.12.28

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.27...v4.12.28

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

What's Changed

Full Changelog: honojs/hono@v4.12.25...v4.12.26

Commits
  • 626b185 4.12.28
  • d6b1d32 docs(context-storage): fix JSDoc (#5086)
  • 45b081b fix(aws-lambda): detect V2 events by request context, not rawPath alone (#5033)
  • a05813c chore: bump devDependencies (#5085)
  • 872997d fix(bun): report the requested subprotocol on WSContext.protocol (#5059)
  • 82b321b fix: avoid circular dependency between body.ts and request.ts (#5071)
  • b20d422 fix(utils/body,validator): normalize Content-Type media type for case-insensi...
  • 9728702 chore: don't publish *.tsbuildinfo (#5066)
  • ed8795e docs(MIGRATION): fix req.raw.headers reference (property, not method) (#5047)
  • 03a9416 fix(serve-static): treat empty string content as found (#5062)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 24, 2026
@dependabot dependabot Bot changed the title Build(deps): Bump hono from 4.12.25 to 4.12.27 in /examples/node-gate-publisher in the npm-production group Build(deps): Bump hono from 4.12.25 to 4.12.27 in /examples/node-gate-publisher in the npm-production group across 1 directory Jul 1, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/examples/node-gate-publisher/npm-production-0d702bd59d branch from 7814999 to 97bcb45 Compare July 1, 2026 04:55
Bumps the npm-production group with 1 update in the /examples/node-gate-publisher directory: [hono](https://github.com/honojs/hono).


Updates `hono` from 4.12.25 to 4.12.28
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.25...v4.12.28)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Build(deps): Bump hono from 4.12.25 to 4.12.27 in /examples/node-gate-publisher in the npm-production group across 1 directory Build(deps): Bump hono from 4.12.25 to 4.12.28 in /examples/node-gate-publisher in the npm-production group across 1 directory Jul 8, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/examples/node-gate-publisher/npm-production-0d702bd59d branch from 97bcb45 to 88919ea Compare July 8, 2026 04:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants