fix(deps): bump hono 4.12.18 -> 4.12.21 (resolves 4 Dependabot advisories)

ndycode · ndycode · commit 3c35571f4dcc · 2026-06-08T03:14:51.000+08:00
Patches all four open MEDIUM Dependabot alerts on hono (<4.12.21): - GHSA-3hrh-pfw6-9m5x (CVE-2026-47675): Set-Cookie injection via unsanitized sameSite/priority in the cookie helper - GHSA-2gcr-mfcq-wcc3 (CVE-2026-47676): app.mount() strips the mount prefix using an undecoded path - GHSA-xrhx-7g5j-rcj5 (CVE-2026-47674): IP-restriction bypass for non-canonical IPv6 deny rules - GHSA-f577-qrjj-4474 (CVE-2026-47673): JWT middleware accepts any Authorization scheme, not only Bearer The bump is a patch within 4.12.x (non-breaking). The loopback bridge in lib/local-bridge.ts uses only core Hono routing and none of the affected middleware, so this is dependency hygiene. Also pulled in by npm audit fix: brace-expansion 5.0.5 -> 5.0.6 (dev-only, GHSA-jxxr-4gwj-5jf2). npm audit now reports 0 vulnerabilities. Docs kept in sync with the new pin (enforced by test/documentation.test.ts docs-supplychain-03): - SECURITY.md: hono override rationale updated to 4.12.21 - README.md: current prerelease link corrected to v2.3.0-beta.1 (drifted at the v2.3.0-beta.1 release; was the second failing doc test) Verified: build, typecheck, lint, and full vitest suite (4428 passed, 0 failed, 3 skipped) all green.
diff --git a/README.md b/README.md
@@ -383,7 +383,7 @@ codex-multi-auth doctor --json
 
 ## Release Notes
 
-- Current prerelease: [docs/releases/v2.3.0-beta.0.md](docs/releases/v2.3.0-beta.0.md) — install via `npm i -g codex-multi-auth@beta`
+- Current prerelease: [docs/releases/v2.3.0-beta.1.md](docs/releases/v2.3.0-beta.1.md) — install via `npm i -g codex-multi-auth@beta`
 - Current stable: [docs/releases/v2.2.2.md](docs/releases/v2.2.2.md) — install via `npm i -g codex-multi-auth`
 - Previous stable: [docs/releases/v2.2.1.md](docs/releases/v2.2.1.md)
 - Previous stable: [docs/releases/v2.2.0.md](docs/releases/v2.2.0.md)
diff --git a/SECURITY.md b/SECURITY.md
@@ -79,7 +79,7 @@ The following are not treated as vulnerabilities in this repository:
 
 Security override rationale (`package.json` -> `overrides`):
 
-- `hono`: pinned to `4.12.18` to keep builds out of the vulnerable `4.12.0-4.12.1` range reported in `GHSA-xh87-mx6m-69f3` (authentication bypass advisory).
+- `hono`: pinned to `4.12.21` to keep builds out of the vulnerable `<4.12.21` range reported in `GHSA-3hrh-pfw6-9m5x`, `GHSA-2gcr-mfcq-wcc3`, `GHSA-xrhx-7g5j-rcj5`, and `GHSA-f577-qrjj-4474` (Set-Cookie injection, `app.mount()` path-decoding, IPv6 IP-restriction bypass, and JWT scheme-acceptance advisories).
 - `rollup`: pinned to `^4.59.0` to keep the Vite and Vitest transitive graph above the vulnerable `<4.59.0` range surfaced by `npm audit`.
 
 Before release and after dependency changes:
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -176,12 +176,12 @@
 		"@codex-ai/plugin": "file:vendor/codex-ai-plugin",
 		"@codex-ai/sdk": "file:vendor/codex-ai-sdk",
 		"@openauthjs/openauth": "^0.4.3",
-		"hono": "4.12.18",
+		"hono": "4.12.21",
 		"undici": "6.25.0",
 		"zod": "4.4.3"
 	},
 	"overrides": {
-		"hono": "4.12.18",
+		"hono": "4.12.21",
 		"flatted": "3.4.2",
 		"minimatch": "10.2.4",
 		"picomatch": "4.0.4",
