fix: upgrade hono to ^4.12.18 to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458 (#1186)

brendan-kellam · cursoragent · claude · web-flow · commit 82660ef4d115 · 2026-05-09T15:29:13.000-07:00
* fix: upgrade hono to ^4.12.18 to address CVE-2026-44457 Co-authored-by: Brendan Kellam <brendan@sourcebot.dev> * docs: add CHANGELOG entry for CVE-2026-44457 fix Co-authored-by: Brendan Kellam <brendan@sourcebot.dev> * docs: add CHANGELOG entries for CVE-2026-44455, 44456, 44458 Consolidates SOU-1068, SOU-1069, SOU-1071 into this PR (already addressing SOU-1070 / CVE-2026-44457). Same hono 4.12.14 -> 4.12.18 bump fixes all four. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: collapse hono CVE CHANGELOG entries into a single line Per the updated convention in CLAUDE.md (one CHANGELOG line per PR, not per CVE), the four sibling hono CVEs share one comma-separated entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
 - Bumped transitive `fast-uri` dependency to `^3.1.2`. [#1181](https://github.com/sourcebot-dev/sourcebot/pull/1181)
 - Upgraded `simple-git` to `3.36.0` to address CVE-2026-6951. [#1183](https://github.com/sourcebot-dev/sourcebot/pull/1183)
+- Upgraded `hono` to `^4.12.18` to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
 
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)
diff --git a/package.json b/package.json
@@ -49,7 +49,7 @@
         "brace-expansion@npm:^5.0.2": "^5.0.5",
         "brace-expansion@npm:^1.1.7": "^1.1.13",
         "@react-email/preview-server/next": "^16.2.3",
-        "@modelcontextprotocol/sdk/hono": "^4.12.14",
+        "@modelcontextprotocol/sdk/hono": "^4.12.18",
         "@modelcontextprotocol/sdk/@hono/node-server": "^1.19.13",
         "langsmith@npm:>=0.5.0 <1.0.0": "^0.5.19",
         "markdown-it@npm:^14.1.0": "^14.1.1",
diff --git a/yarn.lock b/yarn.lock
@@ -14608,10 +14608,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"hono@npm:^4.12.14":
-  version: 4.12.14
-  resolution: "hono@npm:4.12.14"
-  checksum: 10c0/78de4c98a9a3da0f067e38dcc4bd27f0d82b45d146ac39f5ca688515ee482c0a2e704d2ac6c1ee91ad17596b7c52b3e4b9483acd9c238d42f6ebcb43414a71b6
+"hono@npm:^4.12.18":
+  version: 4.12.18
+  resolution: "hono@npm:4.12.18"
+  checksum: 10c0/b0b9688fd9e41a1847b077d579dc0e92a28b67c247c6ee7d1e751c0bae269824c30c7773feff1a2874e40ea36a3d2f9d1fc5ba618a28ecdf2ca1b33ed2473864
   languageName: node
   linkType: hard
 
