
fix(security): bump hono 4.12.12 → 4.12.14 (ENG-14665) #48

Merged
andriy-sudo merged 1 commit into main from andriy/eng-14665-fix-hono-cve on Apr 22, 2026

Conversation

@andriy-sudo
Contributor

Vulnerability Fixes

| Package | Old | New | Advisory | CVSS | Status |
| --- | --- | --- | --- | --- | --- |
| hono | 4.12.12 | 4.12.14 | GHSA-458j-xx4x-4375 | 5.4 | ✅ Fixed |

Tickets

  • ENG-14665 (GHSA-458j-xx4x-4375, MEDIUM) — hono JSX attribute injection: improper handling of JSX attribute names allows malformed keys to corrupt generated HTML output (XSS risk)

Change

Bumped "hono": "^4.12.12" → "^4.12.14" in overrides and regenerated package-lock.json.

Changelog impact summary
| Package | Old | New | Classification | Key changes |
| --- | --- | --- | --- | --- |
| hono | 4.12.12 | 4.12.14 | Patch/security | JSX attribute name sanitization fix; no API changes |

Fixes GHSA-458j-xx4x-4375 (CVSS 5.4): improper handling of JSX attribute
names in hono/jsx allows malformed attribute keys to inject unintended HTML.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
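As an added example (not code from this PR or from the hono project), here is the check a reviewer would want to run against the regenerated package-lock.json: confirm that the overrides bump reached every resolved copy of hono, including copies nested under other dependencies, since the vulnerable JSX code would remain reachable through any nested copy that stayed at 4.12.12. npm applies overrides to transitive copies as well, so a regenerated lockfile should normally come out clean; this verifies that rather than assuming it. The lockfile below is constructed for illustration, and the nested dependency name `some-middleware` is hypothetical.

```javascript
// Added example (not part of this PR or of hono itself): confirm that an
// npm "overrides" bump reached every copy of a package resolved in
// package-lock.json, including copies nested under other dependencies.

const PACKAGE = 'hono';
const FIXED_VERSION = '4.12.14'; // first version with the GHSA-458j-xx4x-4375 fix, per the PR

// Compare two plain x.y.z version strings; returns -1, 0 or 1.
// Deliberately minimal: no prerelease or build-metadata handling.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 2 and 3 lockfiles record every installed copy under
// "packages", keyed by install path: "node_modules/hono" for the hoisted
// copy, "node_modules/<dep>/node_modules/hono" for a nested duplicate.
function findPackageCopies(lock, name) {
  const leaf = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === leaf || path.endsWith(`/${leaf}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies still below the fixed version. An empty result means the bump took
// effect everywhere; a non-empty one means the vulnerable code is still
// reachable through whichever dependency owns that nested copy.
function findUnfixedCopies(lock, name, fixedVersion) {
  return findPackageCopies(lock, name).filter(
    ({ version }) => compareVersions(version, fixedVersion) < 0,
  );
}

// Constructed sample lockfile: the hoisted copy was bumped, but a nested copy
// pulled in by a hypothetical dependency "some-middleware" was not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/hono': { version: '4.12.14' },
    'node_modules/some-middleware': { version: '2.0.0' },
    'node_modules/some-middleware/node_modules/hono': { version: '4.12.12' },
  },
};

// Run against a real lockfile with: node check-override.js package-lock.json
// Without an argument it reports on the constructed sample above.
if (typeof require === 'function' && require.main === module) {
  const file = process.argv[2];
  const lock = file
    ? JSON.parse(require('node:fs').readFileSync(file, 'utf8'))
    : SAMPLE_LOCK;
  const unfixed = findUnfixedCopies(lock, PACKAGE, FIXED_VERSION);
  for (const { path, version } of unfixed) {
    console.log(`UNFIXED ${path} is ${version} (< ${FIXED_VERSION})`);
  }
  console.log(unfixed.length === 0
    ? `OK: every copy of ${PACKAGE} is >= ${FIXED_VERSION}`
    : `FAIL: ${unfixed.length} copy(ies) of ${PACKAGE} still below ${FIXED_VERSION}`);
  // Fail the process only for a real lockfile, so the built-in sample just demonstrates the report.
  if (file && unfixed.length > 0) process.exitCode = 1;
}
```

Against the constructed sample this flags `node_modules/some-middleware/node_modules/hono` at 4.12.12 and passes the hoisted copy; against this PR's regenerated lockfile the expected result is an empty list, which is the evidence that the override, and not just the top-level entry, was updated.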
@coderabbitai

coderabbitai Bot commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 928d951 and 468a517.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

This pull request updates the hono dependency version in the overrides section of package.json from ^4.12.12 to ^4.12.14. This is a patch version increment within the same minor version range.

Suggested reviewers

  • colriot
🚥 Pre-merge checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: a security-focused bump of the hono dependency with a reference to the tracking ticket. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing clear context about the vulnerability, version bump, and impact classification. |


@andriy-sudo andriy-sudo requested a review from colriot April 20, 2026 18:16
@andriy-sudo andriy-sudo merged commit 21f3588 into main Apr 22, 2026
4 checks passed
@andriy-sudo andriy-sudo deleted the andriy/eng-14665-fix-hono-cve branch April 22, 2026 21:05