Commit 1f6da97

security(deps): bump hono to 4.12.14 and vite override to ^7.3.2 (#392)
Resolves all open Dependabot alerts on package-lock.json:

- hono <4.12.14: JSX SSR HTML injection, cookie name bypass, IPv4-mapped IPv6 ipRestriction, setCookie validation, serveStatic repeated-slash bypass, toSSG path traversal (alerts #16, #18, #20, #22, #24, #26)
- vite <7.3.2: dev server WebSocket arbitrary file read, optimized deps .map path traversal, server.fs.deny query bypass (alerts #12, #13, #14)

Lockfile refreshed via npm install --package-lock-only. Typecheck, lint, and 3418/3418 tests pass.
1 parent e275984 commit 1f6da97

2 files changed

Lines changed: 10 additions & 10 deletions

File tree

package-lock.json

Lines changed: 7 additions & 7 deletions

package.json

Lines changed: 3 additions & 3 deletions
@@ -154,17 +154,17 @@
154154
"dependencies": {
155155
"@codex-ai/plugin": "file:vendor/codex-ai-plugin",
156156
"@openauthjs/openauth": "^0.4.3",
157-
"hono": "4.12.10",
157+
"hono": "4.12.14",
158158
"undici": "^6.24.1",
159159
"zod": "^4.3.6"
160160
},
161161
"overrides": {
162-
"hono": "4.12.10",
162+
"hono": "4.12.14",
163163
"flatted": "3.4.2",
164164
"minimatch": "10.2.4",
165165
"picomatch": "4.0.4",
166166
"rollup": "4.59.0",
167-
"vite": "^7.3.1",
167+
"vite": "^7.3.2",
168168
"micromatch": {
169169
"picomatch": "2.3.2"
170170
},
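
Review bot: the hono version is now maintained by hand in two places, "dependencies" (line 157) and "overrides" (line 162), and the two must stay identical because npm rejects an override for a direct dependency whose spec differs from the dependency's own. Writing the override as `"hono": "$hono"` makes it follow the direct dependency, so the next security bump touches one line and cannot drift. Separately, the vite override on line 167 is a caret range while the neighbouring overrides (flatted, minimatch, picomatch, rollup) are exact pins; `^7.3.2` sets the floor above the affected releases, but the version actually installed is whatever package-lock.json resolved, so the lockfile diff should be checked to confirm it, or the override pinned exactly like the others.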
