Security playground · branch fix/hono-cve-bump · 2026-06-04 · unblocks the repo-wide Security Tests gate
npm audit flags hono <=4.12.20. hono is a direct dependency in both root and docs/site at ^4.12.18, and both lockfiles had resolved an affected version. The npm audit gate in Security Tests therefore started failing repo-wide, on main and on every open PR (including the conformance grader PR #2207).
Surfaced while shipping #2207, which added zero deps: the new failures come from newly published advisories against an already-locked version, not from anything in that PR.
| GHSA | Issue |
|---|---|
| GHSA-xrhx-7g5j-rcj5 | IP restriction middleware: static deny rules are bypassed by non-canonical IPv6 address forms |
| GHSA-3hrh-pfw6-9m5x | Cookie helper does not sanitize the sameSite/priority attribute values, allowing Set-Cookie header injection |
| GHSA-f577-qrjj-4474 | JWT middleware accepts any Authorization scheme, not only Bearer |
| GHSA-2gcr-mfcq-wcc3 | app.mount() strips the mount prefix from the undecoded path, mis-routing percent-encoded paths |
The fix is npm update hono in root and docs/site, resolving to 4.12.23. That is a patch release inside the existing ^4.12.18 range, so package.json is untouched and only the two lockfiles change, which also keeps the diff clear of the Release-Please File Guard. The advisories were not allowlisted: a fixed release exists, and suppressing a security signal is the wrong move. After the update, npm audit reports 0 vulnerabilities in both root and docs/site, and Security Tests passes 14/14.