Hono CVE bump — 4.12.18 → 4.12.23

Security playground · branch fix/hono-cve-bump · 2026-06-04 · unblocks the repo-wide Security Tests gate

Summary: 4 moderate CVEs · 2 lockfiles bumped · 0 vulns after · 14/14 security tests
Why: a new batch of Hono advisories landed against hono <=4.12.20 (a direct dep in both root and docs/site at ^4.12.18). The npm audit gate in Security Tests started failing repo-wide — on main and every open PR (including the conformance grader PR #2207). Surfaced while shipping #2207, which added zero deps.

The advisories (all moderate, all fixed in 4.12.21+)

GHSA                   Issue
GHSA-xrhx-7g5j-rcj5    IP restriction bypasses static deny rules for non-canonical IPv6
GHSA-3hrh-pfw6-9m5x    Cookie helper doesn't sanitize sameSite/priority → Set-Cookie injection
GHSA-f577-qrjj-4474    JWT middleware accepts any Authorization scheme, not only Bearer
GHSA-2gcr-mfcq-wcc3    app.mount() strips mount prefix using undecoded path → mis-routing of percent-encoded paths

The fix — bump, not allowlist

Proper root-cause fix: npm update hono in root + docs/site → 4.12.23 (a patch within the existing ^4.12.18 range, so no package.json edit — only the two lockfiles, which also avoids the Release-Please File Guard). The advisories were not allowlisted — suppressing a security signal is the wrong move. After: npm audit reports 0 vulnerabilities in both; Security Tests 14/14.
This is the PR's playground gate artifact. Merging this unblocks the Security Tests gate for #2207 and all open PRs. Surfaced during the Eval v2 conformance-grader work; kept as a separate security PR for clean provenance.
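A lockfile check for the bump described above, written as an added example for this page (it is not part of the PR or of the repository's gate). It reads the resolved hono version straight out of each package-lock.json and compares it against the first fixed release (4.12.21, per the advisories), which gives a fast offline pre-check before running npm audit. The two lockfiles are constructed samples embedded in the script; the lockfileVersion 3 layout ("node_modules/hono": { "version": ... }) is an assumption about the repo's lockfiles.

```shell
#!/bin/sh
# Added example, not the PR's code: verify that each lockfile resolves hono
# to a version at or above the first fixed release named in the advisories.
# Assumes npm lockfileVersion 2/3 layout with a "node_modules/hono" entry.

MIN_FIXED="4.12.21"   # first hono release containing the four fixes

# Print the resolved hono version from a package-lock.json (empty if absent).
hono_version_from_lock() {
  awk '
    /"node_modules\/hono":/ { in_hono = 1; next }
    in_hono && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }
  ' "$1"
}

# Return 0 when dotted version $1 >= $2, comparing each numeric component.
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ]
}

# Report one lockfile; return 1 only when hono is present and still vulnerable.
check_lock() {
  v=$(hono_version_from_lock "$1")
  if [ -z "$v" ]; then
    echo "$1: hono not present in lockfile"
    return 0
  fi
  if version_ge "$v" "$MIN_FIXED"; then
    echo "$1: hono $v OK (>= $MIN_FIXED)"
    return 0
  fi
  echo "$1: hono $v is vulnerable (< $MIN_FIXED)"
  return 1
}

# Constructed sample lockfiles: one before the bump, one after it.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
BEFORE_LOCK="$TMP/before-package-lock.json"
AFTER_LOCK="$TMP/after-package-lock.json"

cat > "$BEFORE_LOCK" <<'EOF'
{
  "name": "security-playground",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "hono": "^4.12.18" } },
    "node_modules/hono": {
      "version": "4.12.18",
      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.18.tgz"
    }
  }
}
EOF

cat > "$AFTER_LOCK" <<'EOF'
{
  "name": "security-playground",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "hono": "^4.12.18" } },
    "node_modules/hono": {
      "version": "4.12.23",
      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.23.tgz"
    }
  }
}
EOF

# Demo run over both samples; the real gate would loop over ./package-lock.json
# and ./docs/site/package-lock.json instead and fail the job on any status 1.
status=0
for lock in "$BEFORE_LOCK" "$AFTER_LOCK"; do
  check_lock "$lock" || status=1
done
echo "overall status: $status"
```

Because the check only reads the lockfiles, it confirms the bump landed in both places without touching package.json, which is the property the PR relies on to stay within the ^4.12.18 range and clear the Release-Please File Guard.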