Bump the npm_and_yarn group across 15 directories with 3 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: hono.
Bumps the npm_and_yarn group with 2 updates in the /astro-blog-starter-template directory: fast-xml-parser and picomatch.
Bumps the npm_and_yarn group with 2 updates in the /chanfana-openapi-template directory: hono and picomatch.
Bumps the npm_and_yarn group with 1 update in the /containers-template directory: hono.
Bumps the npm_and_yarn group with 2 updates in the /next-starter-template directory: fast-xml-parser and picomatch.
Bumps the npm_and_yarn group with 1 update in the /openauth-template directory: hono.
Bumps the npm_and_yarn group with 1 update in the /r2-explorer-template directory: hono.
Bumps the npm_and_yarn group with 2 updates in the /react-postgres-fullstack-template directory: hono and picomatch.
Bumps the npm_and_yarn group with 2 updates in the /react-router-hono-fullstack-template directory: hono and picomatch.
Bumps the npm_and_yarn group with 2 updates in the /react-router-postgres-ssr-template directory: hono and picomatch.
Bumps the npm_and_yarn group with 1 update in the /to-do-list-kv-template directory: picomatch.
Bumps the npm_and_yarn group with 2 updates in the /vite-react-template directory: hono and picomatch.
Bumps the npm_and_yarn group with 1 update in the /workers-for-platforms-template directory: hono.
Bumps the npm_and_yarn group with 1 update in the /workflows-starter-template directory: picomatch.
Bumps the npm_and_yarn group with 2 updates in the /x402-proxy-template directory: hono and picomatch.

Updates hono from 4.11.1 to 4.12.12

Release notes

Sourced from hono's releases.

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11

What's Changed

• feat(css): add classNameSlug option to createCssContext by @​flow-pie in honojs/hono#4834

New Contributors

• @​flow-pie made their first contribution in honojs/hono#4834

Full Changelog: honojs/hono@v4.12.10...v4.12.11

v4.12.10

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in honojs/hono#4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in honojs/hono#4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in honojs/hono#4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in honojs/hono#4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in honojs/hono#4851

New Contributors

• @​Abhi3975 made their first contribution in honojs/hono#4843
• @​VISHNU7KASIREDDY made their first contribution in honojs/hono#4851

... (truncated)

Commits

• c37ba26 4.12.12
• cc067c8 Merge commit from fork
• a586cd7 Merge commit from fork
• 48fa223 Merge commit from fork
• b470278 Merge commit from fork
• 9aff14b Merge commit from fork
• 2c403c6 4.12.11
• f82aba8 feat(css): add classNameSlug option to createCssContext (#4834)
• 9f374a5 4.12.10
• a8c56a6 docs(ip-restriction): add clear JSDoc examples and param types (#4851)
• Additional commits viewable in compare view

Updates fast-xml-parser from 5.3.3 to 5.5.11

Release notes

Sourced from fast-xml-parser's releases.

performance improvment, increase entity expansion default limit

• increase default entity explansion limit as many projects demand for that

maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,

• performance improvement
  • reduce calls to toString
  • early return when entities are not present
  • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

fix typins and matcher instance in callbacks

combine typings file to avoid configuration changes pass readonly instance of matcher to the call backs to avoid accidental push/pop call

fix bugs of entity parsing and value parsing

fix: entity expansion limits update strnum package to 2.2.0

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

... (truncated)

Commits

• See full diff in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates hono from 4.11.1 to 4.12.12

Release notes

Sourced from hono's releases.

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11

What's Changed

• feat(css): add classNameSlug option to createCssContext by @​flow-pie in honojs/hono#4834

New Contributors

• @​flow-pie made their first contribution in honojs/hono#4834

Full Changelog: honojs/hono@v4.12.10...v4.12.11

v4.12.10

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in honojs/hono#4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in honojs/hono#4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in honojs/hono#4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in honojs/hono#4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in honojs/hono#4851

New Contributors

• @​Abhi3975 made their first contribution in honojs/hono#4843
• @​VISHNU7KASIREDDY made their first contribution in honojs/hono#4851

... (truncated)

Commits

• c37ba26 4.12.12
• cc067c8 Merge commit from fork
• a586cd7 Merge commit from fork
• 48fa223 Merge commit from fork
• b470278 Merge commit from fork
• 9aff14b Merge commit from fork
• 2c403c6 4.12.11
• f82aba8 feat(css): add classNameSlug option to createCssContext (#4834)
• 9f374a5 4.12.10
• a8c56a6 docs(ip-restriction): add clear JSDoc examples and param types (#4851)
• Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates hono from 4.11.1 to 4.12.12

Release notes

Sourced from hono's releases.

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11

What's Changed

• feat(css): add classNameSlug option to createCssContext by @​flow-pie in honojs/hono#4834

New Contributors

• @​flow-pie made their first contribution in honojs/hono#4834

Full Changelog: honojs/hono@v4.12.10...v4.12.11

v4.12.10

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in honojs/hono#4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in honojs/hono#4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in honojs/hono#4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in honojs/hono#4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in honojs/hono#4851

New Contributors

• @​Abhi3975 made their first contribution in honojs/hono#4843
• @​VISHNU7KASIREDDY made their first contribution in honojs/hono#4851

... (truncated)

Commits

• c37ba26 4.12.12
• cc067c8 Merge commit from fork
• a586cd7 Merge commit from fork
• 48fa223 Merge commit from fork
• b470278 Merge commit from fork
• 9aff14b Merge commit from fork
• 2c403c6 4.12.11
• f82aba8 feat(css): add classNameSlug option to createCssContext (#4834)
• 9f374a5 4.12.10
• a8c56a6 docs(ip-restriction): add clear JSDoc examples and param types (#4851)
• Additional commits viewable in compare view

Updates fast-xml-parser from 4.2.5 to 5.5.8

Release notes

Sourced from fast-xml-parser's releases.

performance improvment, increase entity expansion default limit

• increase default entity explansion limit as many projects demand for that

maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,

• performance improvement
  • reduce calls to toString
  • early return when entities are not present
  • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

fix typins and matcher instance in callbacks

combine typings file to avoid configuration changes pass readonly instance of matcher to the call backs to avoid accidental push/pop call

fix bugs of entity parsing and value parsing

fix: entity expansion limits update strnum package to 2.2.0

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

... (truncated)

Commits

• See full diff in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates hono from 4.11.1 to 4.12.12

Release notes

Sourced from hono's releases.

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11

What's Changed

• feat(css): add classNameSlug option to createCssContext by @​flow-pie in honojs/hono#4834

New Contributors

• @​flow-pie made their first contribution in honojs/hono#4834

Full Changelog: honojs/hono@v4.12.10...v4.12.11

v4.12.10

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in honojs/hono#4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in honojs/hono#4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in honojs/hono#4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in honojs/hono#4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in honojs/hono#4851

New Contributors

• @​Abhi3975 made their first contribution in honojs/hono#4843
• @​VISHNU7KASIREDDY made their first contribution in honojs/hono#4851

... (truncated)

Commits

• c37ba26 4.12.12
• cc067c8 Merge commit from fork
• a586cd7 Merge commit from fork
• 48fa223 Merge commit from fork
• b470278 Merge commit from fork
• 9aff14b Merge commit from fork
• 2c403c6 4.12.11
• f82aba8 feat(css): add classNameSlug option to createCssContext (#4834)
• 9f374a5 4.12.10
• a8c56a6 docs(ip-restriction): add clear JSDoc examples and param types (#4851)
• Additional commits viewable in compare view

Updates hono from 4.11.1 to 4.12.12

Release notes

Sourced from hono's releases.

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11

What's Changed

• feat(css): add classNameSlug option to createCssContext by @​flow-pie in honojs/hono#4834

New Contributors

• @​flow-pie made their first contribution in honojs/hono#4834

Full Changelog: honojs/hono@v4.12.10...v4.12.11

v4.12.10

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in honojs/hono#4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in honojs/hono#4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in honojs/hono#4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in honojs/hono#4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in honojs/hono#4851

New Contributors

• @​Abhi3975 made their first contribution in honojs/hono#4843
• @​VISHNU7KASIREDDY made their first contribution in honojs/hono#4851

... (truncated)

Commits

• c37ba26 4.12.12
• cc067c8 Merge commit from fork
• a586cd7 Merge commit from fork
• 48fa223 Merge commit from fork
• b470278 Merge commit from fork
• 9aff14b Merge commit from fork
• 2c403c6 4.12.11
• f82aba8 feat(css): add classNameSlug option to createCssContext (#4834)
• 9f374a5 4.12.10
• a8c56a6 docs(ip-restriction): add clear JSDoc examples and param types (#4851)
• Additional commits viewable in compare view

Updates hono from 4.11.1 to 4.12.12

Release notes

Sourced from hono's releases.

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11

What's Changed

• feat(css): add classNameSlug option to createCssContext by @​flow-pie in honojs/hono#4834

New Contributors

• @​flow-pie made their first contribution in honojs/hono#4834

Full Changelog: honojs/hono@v4.12.10...v4.12.11

v4.12.10

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in honojs/hono#4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in honojs/hono#4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in honojs/hono#4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in honojs/hono#4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in honojs/hono#4851

New Contributors

• @​Abhi3975 made their first contribution in honojs/hono#4843
• @​VISHNU7KASIREDDY made their first contribution in honojs/hono#4851

... (truncated)

Commits

• c37ba26 4.12.12
• cc067c8 Merge commit from fork
• a586cd7 Merge commit from fork
• 48fa223 Merge commit from fork
• b470278 Merge commit from fork
• 9aff14b Merge commit from fork
• 2c403c6 4.12.11
• f82aba8 feat(css): add classNameSlug option to createCssContext (#4834)
• 9f374a5 4.12.10
• a8c56a6 docs(ip-restriction): add clear JSDoc examples and param types (#4851)
• Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates hono from 4.11.1 to 4.12.12

Release notes

Sourced from hono's releases.

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serve...

Description has been truncated