fix(deps): patch security vulnerabilities in hono, dependency-cruiser, and transitive deps (#1104)

jeanduplessis · web-flow · commit 0b6da65c1cd5 · 2026-03-16T11:22:26.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -89,6 +89,7 @@ run-milvus-test.sh
 
 # Git worktrees
 .worktrees/
+.gw.yml
 
 supabase/.temp
 
diff --git a/cloud-agent-next/src/server.ts b/cloud-agent-next/src/server.ts
@@ -85,14 +85,19 @@ app.all('/sessions/:userId/:sessionId/ingest', async (c: Context<HonoContext>) =
     return c.text('Expected WebSocket upgrade', 426);
   }
 
+  const rawUserId = c.req.param('userId');
+  const sessionId = c.req.param('sessionId');
+  if (!rawUserId || !sessionId) {
+    return c.text('Missing route params', 400);
+  }
+
   let userId: string;
   try {
-    userId = decodeURIComponent(c.req.param('userId'));
+    userId = decodeURIComponent(rawUserId);
   } catch {
     return c.text('Invalid userId encoding', 400);
   }
 
-  const sessionId = c.req.param('sessionId');
   const authHeader = c.req.header('Authorization');
   const authResult = await validateKiloToken(authHeader ?? null, c.env.NEXTAUTH_SECRET);
   if (!authResult.success) {
@@ -116,14 +121,21 @@ const MAX_LOG_UPLOAD_BYTES = 50 * 1024 * 1024; // 50 MB
 app.put(
   '/sessions/:userId/:sessionId/logs/:executionId/:filename',
   async (c: Context<HonoContext>) => {
+    const rawUserId = c.req.param('userId');
+    const filename = c.req.param('filename');
+    const sessionId = c.req.param('sessionId');
+    const executionId = c.req.param('executionId');
+    if (!rawUserId || !filename || !sessionId || !executionId) {
+      return c.text('Missing route params', 400);
+    }
+
     let userId: string;
     try {
-      userId = decodeURIComponent(c.req.param('userId'));
+      userId = decodeURIComponent(rawUserId);
     } catch {
       return c.text('Invalid userId encoding', 400);
     }
 
-    const filename = c.req.param('filename');
     if (!ALLOWED_LOG_FILENAMES.has(filename)) {
       return c.text('Invalid filename', 400);
     }
@@ -151,8 +163,6 @@ app.put(
       return c.text('Request body too large', 413);
     }
 
-    const sessionId = c.req.param('sessionId');
-    const executionId = c.req.param('executionId');
     const safeUserId = encodeURIComponent(userId);
     const safeSessionId = encodeURIComponent(sessionId);
     const safeExecutionId = encodeURIComponent(executionId);
diff --git a/cloudflare-ai-attribution/src/ai-attribution.worker.ts b/cloudflare-ai-attribution/src/ai-attribution.worker.ts
@@ -2,7 +2,7 @@
  * Cloudflare Worker entry point for AI Attributions Tracking
  */
 
-import { Hono } from 'hono';
+import { Hono, type MiddlewareHandler } from 'hono';
 import { useWorkersLogger } from 'workers-tagged-logger';
 import { AttributionTrackerDO, getAttributionTrackerDO } from './dos/AttributionTracker.do';
 import { logger } from './util/logger';
@@ -30,7 +30,11 @@ export type HonoContext = {
 
 const app = new Hono<HonoContext>();
 
-app.use('*', useWorkersLogger('ai-attribution'));
+// TODO: remove cast once workers-tagged-logger publishes a version compiled against hono >=4.12.7
+// workers-tagged-logger@1.0.0 was compiled against an older hono whose Handler
+// type is structurally incompatible with hono >=4.12.7 (missing [GET_MATCH_RESULT]).
+// The runtime middleware is fully compatible; only the .d.ts is stale.
+app.use('*', useWorkersLogger('ai-attribution') as unknown as MiddlewareHandler);
 
 // Health check endpoint (no auth required)
 app.get('/health', c => {
diff --git a/cloudflare-deploy-infra/builder/src/index.ts b/cloudflare-deploy-infra/builder/src/index.ts
@@ -180,6 +180,7 @@ app.post('/deploy-archive', async (c: Context<HonoEnv>) => {
 // Route: GET /deploy/:buildId/status
 app.get('/deploy/:buildId/status', async (c: Context<HonoEnv>) => {
   const buildId = c.req.param('buildId');
+  if (!buildId) return c.json({ error: 'Missing buildId' }, 400);
 
   // Get Durable Object stub
   const id = c.env.DeploymentOrchestrator.idFromName(buildId);
@@ -201,6 +202,7 @@ app.get('/deploy/:buildId/status', async (c: Context<HonoEnv>) => {
 // Route: GET /deploy/:buildId/events
 app.get('/deploy/:buildId/events', async (c: Context<HonoEnv>) => {
   const buildId = c.req.param('buildId');
+  if (!buildId) return c.json({ error: 'Missing buildId' }, 400);
 
   // Get Durable Object stub
   const id = c.env.DeploymentOrchestrator.idFromName(buildId);
@@ -222,6 +224,7 @@ app.get('/deploy/:buildId/events', async (c: Context<HonoEnv>) => {
 // Route: DELETE /deploy/:buildId
 app.delete('/deploy/:buildId', async (c: Context<HonoEnv>) => {
   const buildId = c.req.param('buildId');
+  if (!buildId) return c.json({ error: 'Missing buildId' }, 400);
 
   // Get Durable Object stub
   const id = c.env.DeploymentOrchestrator.idFromName(buildId);
@@ -246,6 +249,7 @@ app.delete('/deploy/:buildId', async (c: Context<HonoEnv>) => {
  */
 app.delete('/worker/:slug', async (c: Context<HonoEnv>) => {
   const slug = c.req.param('slug');
+  if (!slug) return c.json({ error: 'Missing slug' }, 400);
 
   // Validate slug format
   try {
diff --git a/cloudflare-gastown/src/middleware/analytics.middleware.ts b/cloudflare-gastown/src/middleware/analytics.middleware.ts
@@ -96,10 +96,10 @@ export async function instrumented(
       route,
       error,
       userId: c.get('kiloUserId') || c.get('agentJWT')?.userId,
-      townId: c.req.param('townId') as string | undefined,
-      rigId: c.req.param('rigId') as string | undefined,
-      agentId: c.req.param('agentId') as string | undefined,
-      beadId: c.req.param('beadId') as string | undefined,
+      townId: c.req.param('townId'),
+      rigId: c.req.param('rigId'),
+      agentId: c.req.param('agentId'),
+      beadId: c.req.param('beadId'),
       durationMs,
     });
   }
diff --git a/cloudflare-webhook-agent-ingest/src/index.ts b/cloudflare-webhook-agent-ingest/src/index.ts
@@ -1,4 +1,4 @@
-import { Hono } from 'hono';
+import { Hono, type MiddlewareHandler } from 'hono';
 import { useWorkersLogger } from 'workers-tagged-logger';
 import { TriggerDO } from './dos/TriggerDO';
 import { logger } from './util/logger';
@@ -18,7 +18,11 @@ export type HonoContext = {
 
 const app = new Hono<HonoContext>();
 
-app.use('*', useWorkersLogger('webhook-agent'));
+// TODO: remove cast once workers-tagged-logger publishes a version compiled against hono >=4.12.7
+// workers-tagged-logger@1.0.0 was compiled against an older hono whose Handler
+// type is structurally incompatible with hono >=4.12.7 (missing [GET_MATCH_RESULT]).
+// The runtime middleware is fully compatible; only the .d.ts is stale.
+app.use('*', useWorkersLogger('webhook-agent') as unknown as MiddlewareHandler);
 
 app.get('/health', c => {
   return c.json(
diff --git a/package.json b/package.json
@@ -160,7 +160,7 @@
     "@types/react-dom": "^19.2.2",
     "@typescript/native-preview": "7.0.0-dev.20251019.1",
     "babel-plugin-react-compiler": "^1.0.0",
-    "dependency-cruiser": "^17.3.1",
+    "dependency-cruiser": "^17.3.8",
     "dotenv": "^17.2.3",
     "eslint": "catalog:",
     "eslint-config-prettier": "^10.1.8",
@@ -197,7 +197,9 @@
       "fast-xml-parser": ">=5.3.4",
       "vite": ">=6.4.1",
       "qs": ">=6.14.1",
-      "serialize-javascript": ">=7.0.3"
+      "serialize-javascript": ">=7.0.3",
+      "hono": "^4.12.7",
+      "undici@^6": "^6.24.1"
     }
   }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@`
`160`	`160`	`"@types/react-dom": "^19.2.2",`
`161`	`161`	`"@typescript/native-preview": "7.0.0-dev.20251019.1",`
`162`	`162`	`"babel-plugin-react-compiler": "^1.0.0",`
`163`		`- "dependency-cruiser": "^17.3.1",`
	`163`	`+ "dependency-cruiser": "^17.3.8",`
`164`	`164`	`"dotenv": "^17.2.3",`
`165`	`165`	`"eslint": "catalog:",`
`166`	`166`	`"eslint-config-prettier": "^10.1.8",`
`@@ -197,7 +197,9 @@`
`197`	`197`	`"fast-xml-parser": ">=5.3.4",`
`198`	`198`	`"vite": ">=6.4.1",`
`199`	`199`	`"qs": ">=6.14.1",`
`200`		`- "serialize-javascript": ">=7.0.3"`
	`200`	`+ "serialize-javascript": ">=7.0.3",`
	`201`	`+ "hono": "^4.12.7",`
	`202`	`+ "undici@^6": "^6.24.1"`
`201`	`203`	`}`
`202`	`204`	`}`
`203`	`205`	`}`