Skip to content

deps(deps): bump the hono group across 1 directory with 4 updates#516

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/hono-0f0d30b014
Open

deps(deps): bump the hono group across 1 directory with 4 updates#516
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/hono-0f0d30b014

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on @hono/mcp, @hono/standard-validator, hono and hono-openapi to permit the latest version.
Updates @hono/mcp to 0.3.1

Release notes

Sourced from @​hono/mcp's releases.

@​hono/mcp@​0.3.1

Patch Changes

Changelog

Sourced from @​hono/mcp's changelog.

0.3.1

Patch Changes

0.3.0

Minor Changes

  • #1774 9575cbc4b8b32bb1605a465a414a9728f1a6ef9b Thanks @​bookernath! - relax Accept header validation to accept application/json, text/event-stream, or */* individually, improving compatibility with Gemini CLI, Java MCP SDK, Open WebUI, and curl. Add strictAcceptHeader option for strict MCP spec compliance.

0.2.5

Patch Changes

0.2.4

Patch Changes

0.2.3

Patch Changes

0.2.2

Patch Changes

0.2.1

Patch Changes

0.2.0

Minor Changes

0.1.5

... (truncated)

Commits

Updates @hono/standard-validator to 0.2.3

Release notes

Sourced from @​hono/standard-validator's releases.

@​hono/standard-validator@​0.2.3

Patch Changes

  • #2008 a47c715fdbac8406e0399f8f5576dca596e2e5b8 Thanks @​MathurAditya724! - fix(standard-validator): preserve literal union types in RPC input and fix hook data type
    • Port InferInput utility from @hono/zod-validator to preserve literal union types (e.g., z.enum(["asc", "desc"])) in the RPC client's input type, while still falling back to wire-level types (string | string[] for query, string for param/header/cookie) for non-literal values.
    • Fix hook data type to use InferInput instead of InferOutput, matching the runtime behavior where the raw input value is passed to the hook (fixes #1990).
Changelog

Sourced from @​hono/standard-validator's changelog.

0.2.3

Patch Changes

  • #2008 a47c715fdbac8406e0399f8f5576dca596e2e5b8 Thanks @​MathurAditya724! - fix(standard-validator): preserve literal union types in RPC input and fix hook data type
    • Port InferInput utility from @hono/zod-validator to preserve literal union types (e.g., z.enum(["asc", "desc"])) in the RPC client's input type, while still falling back to wire-level types (string | string[] for query, string for param/header/cookie) for non-literal values.
    • Fix hook data type to use InferInput instead of InferOutput, matching the runtime behavior where the raw input value is passed to the hook (fixes #1990).

0.2.2

Patch Changes

0.2.1

Patch Changes

0.2.0

Minor Changes

0.1.5

Patch Changes

0.1.4

Patch Changes

0.1.3

Patch Changes

0.1.2

Patch Changes

... (truncated)

Commits
  • b9168e8 Version Packages (#2011)
  • a47c715 fix(standard-validator): preserve literal unions in RPC input type and fix ho...
  • c5ba38b chore(deps-dev): bump tsdown from 0.22.2 to 0.22.3 (#1996)
  • f89ea30 chore(deps-dev): bump typescript from 5.9.3 to 6.0.3 (#1866)
  • bf845ad chore: unblock TypeScript v6 (#1937)
  • 2cbc5f0 chore(deps-dev): bump tsdown to 0.22.2 (#1908)
  • 4dca7a0 chore(dev-deps): bump @​cloudflare/vitest-pool-workers to 0.16.10 (#1907)
  • 841e2ce fix(standard-validator): fix the type errors (#1830)
  • fc4a20a chore(deps-dev): bump arktype from 2.1.29 to 2.2.0 (#1816)
  • af99687 chore(deps-dev): bump valibot from 1.1.0 to 1.3.0 (#1800)
  • Additional commits viewable in compare view

Updates hono from 4.12.23 to 4.12.29

Release notes

Sourced from hono's releases.

v4.12.29

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.28...v4.12.29

v4.12.28

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.27...v4.12.28

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

... (truncated)

Commits
  • cda1af2 4.12.29
  • 2126289 fix(etag): treat If-None-Match: * as a match (#5084)
  • 0fc7ffc fix(trie-router): match empty wildcard remainder after regexp param (#5102)
  • ab590e4 fix(types): strip extra properties from array types in JSONParsed (#5103)
  • b93a254 fix(aws-lambda): treat any non-identity content-encoding as binary (#5101)
  • 6217f4b fix(lambda-edge): base64 encode content-encoded response bodies (#5099)
  • ba89e97 test(workerd): add compatibilityDate (#5100)
  • 46557ef docs(language): add JSDoc @​example to languageDetector (#5081)
  • 24547a6 fix(lambda-edge): resolve the handler with the value passed to the callback (...
  • 9c6ccd7 chore: fix no-op tsc in test script (#5093)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.


Updates hono-openapi to 1.3.1

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Updates the requirements on [@hono/mcp](https://github.com/honojs/middleware/tree/HEAD/packages/mcp), [@hono/standard-validator](https://github.com/honojs/middleware/tree/HEAD/packages/standard-validator), [hono](https://github.com/honojs/hono) and [hono-openapi](https://github.com/rhinobase/hono-openapi) to permit the latest version.

Updates `@hono/mcp` to 0.3.1
- [Release notes](https://github.com/honojs/middleware/releases)
- [Changelog](https://github.com/honojs/middleware/blob/main/packages/mcp/CHANGELOG.md)
- [Commits](https://github.com/honojs/middleware/commits/@hono/mcp@0.3.1/packages/mcp)

Updates `@hono/standard-validator` to 0.2.3
- [Release notes](https://github.com/honojs/middleware/releases)
- [Changelog](https://github.com/honojs/middleware/blob/main/packages/standard-validator/CHANGELOG.md)
- [Commits](https://github.com/honojs/middleware/commits/@hono/standard-validator@0.2.3/packages/standard-validator)

Updates `hono` from 4.12.23 to 4.12.29
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.23...v4.12.29)

Updates `hono-openapi` to 1.3.1
- [Release notes](https://github.com/rhinobase/hono-openapi/releases)
- [Commits](https://github.com/rhinobase/hono-openapi/commits)

---
updated-dependencies:
- dependency-name: "@hono/mcp"
  dependency-version: 0.3.1
  dependency-type: direct:production
  dependency-group: hono
- dependency-name: "@hono/standard-validator"
  dependency-version: 0.2.3
  dependency-type: direct:production
  dependency-group: hono
- dependency-name: hono
  dependency-version: 4.12.29
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: hono
- dependency-name: hono-openapi
  dependency-version: 1.3.1
  dependency-type: direct:production
  dependency-group: hono
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot requested review from Vpr99 and ljagiello as code owners July 11, 2026 04:23
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 11, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant