Skip to content

deps: bump the non-breaking group with 3 updates#28

Merged
UltimaPhoenix merged 1 commit into
mainfrom
dependabot/npm_and_yarn/non-breaking-047ade8468
Jun 28, 2026
Merged

deps: bump the non-breaking group with 3 updates#28
UltimaPhoenix merged 1 commit into
mainfrom
dependabot/npm_and_yarn/non-breaking-047ade8468

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 28, 2026

Copy link
Copy Markdown
Contributor

Bumps the non-breaking group with 3 updates: @hono/node-server, hono and @biomejs/biome.

Updates @hono/node-server from 2.0.5 to 2.0.6

Release notes

Sourced from @​hono/node-server's releases.

v2.0.6

What's Changed

Full Changelog: honojs/node-server@v2.0.5...v2.0.6

Commits
  • ff75c61 2.0.6
  • 814720f fix: preserve status and statusText when cloning a Response with live headers...
  • a76209a ci: use npm Staged publishing (#364)
  • 44c365a ci: publish to npm from CI with OIDC trusted publishing and bump np (#361)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​hono/node-server since your current version.


Updates hono from 4.12.25 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

What's Changed

Full Changelog: honojs/hono@v4.12.25...v4.12.26

Commits
  • 97c6fe1 4.12.27
  • aa92177 Merge commit from fork
  • cd3f6f7 Merge commit from fork
  • d4853a8 fix(jsx): make merged context-isolation tests pass tsc type check (#5037)
  • 6735fea fix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)
  • fab3b13 Merge commit from fork
  • 9f0dadf ci: use npm Staged publishing (#5035)
  • 27b7992 4.12.26
  • d29982c chore: replace arg and glob with Bun native APIs in build script
  • 16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.


Updates @biomejs/biome from 2.5.0 to 2.5.1

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.1

2.5.1

Patch Changes

  • #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

    -@import url("print.css") print,
    -/* comment */
    -screen;
    +@import url("print.css") print, /* comment */ screen;
  • #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

    -    "path": "src\account\setup-passkey.tsx",
    +    "path": "src\\account\\setup-passkey.tsx",
  • #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLognoConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

  • #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

  • #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

  • #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

  • #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

  • #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

  • #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

  • #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

    If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

  • #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

  • #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

  • #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

  • #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

  • #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.1

Patch Changes

  • #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

    -@import url("print.css") print,
    -/* comment */
    -screen;
    +@import url("print.css") print, /* comment */ screen;
  • #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

    -    "path": "src\account\setup-passkey.tsx",
    +    "path": "src\\account\\setup-passkey.tsx",
  • #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLognoConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

  • #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

  • #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

  • #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

  • #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

  • #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

  • #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

  • #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

    If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

  • #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

  • #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

  • #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

  • #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

  • #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

  • #10681 888515b Thanks @​Conaclos! - Fixed useExportType that reported useless details in some diagnostics.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the non-breaking group with 3 updates: [@hono/node-server](https://github.com/honojs/node-server), [hono](https://github.com/honojs/hono) and [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome).


Updates `@hono/node-server` from 2.0.5 to 2.0.6
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.5...v2.0.6)

Updates `hono` from 4.12.25 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.25...v4.12.27)

Updates `@biomejs/biome` from 2.5.0 to 2.5.1
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.5.1/packages/@biomejs/biome)

---
updated-dependencies:
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: non-breaking
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: non-breaking
- dependency-name: "@biomejs/biome"
  dependency-version: 2.5.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: non-breaking
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 28, 2026
@dependabot dependabot Bot requested a review from UltimaPhoenix as a code owner June 28, 2026 21:18
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 28, 2026
@UltimaPhoenix UltimaPhoenix merged commit bda218c into main Jun 28, 2026
9 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/non-breaking-047ade8468 branch June 28, 2026 21:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant