chore(deps-dev): bump hono from 4.12.9 to 4.12.18 #175

Open
dependabot[bot] wants to merge 12 commits into main from dependabot/npm_and_yarn/hono-4.12.18

Conversation


@dependabot dependabot Bot commented on behalf of github May 15, 2026


Bumps hono from 4.12.9 to 4.12.18.

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36


Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

... (truncated)

Commits
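The JWT NumericDate issue described in the v4.12.18 notes, as an added example that is not hono's code: a naive time check that skips falsy or non-numeric exp/nbf/iat values sits beside a strict check that rejects them as RFC 7519 requires. The function names (isNumericDate, naiveTimeCheck, strictTimeCheck) and the sample payloads are assumptions for illustration.

```javascript
// Added example, not hono's implementation: strict NumericDate handling for
// exp / nbf / iat, illustrating the bug class fixed in GHSA-hm8q-7f3q-5f36.
// Function names are assumed. All times are seconds since the Unix epoch.

// RFC 7519 section 2: a NumericDate is a JSON numeric value. Strings, null,
// NaN and Infinity are not valid, even when they happen to compare "sanely".
function isNumericDate(value) {
  return typeof value === "number" && Number.isFinite(value);
}

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Weak pattern: the truthiness guard lets 0, null, NaN and "" skip the check,
// and a string such as "abc" fails every comparison, so all of them pass.
function naiveTimeCheck(payload, nowSeconds) {
  if (payload.exp && payload.exp < nowSeconds) return "expired";
  if (payload.nbf && payload.nbf > nowSeconds) return "not-yet-valid";
  if (payload.iat && payload.iat > nowSeconds) return "issued-in-future";
  return "ok";
}

// Hardened pattern: a claim that is present must be a finite number or the
// token is rejected outright; only an absent claim is skipped. Whether exp is
// mandatory is a separate policy decision and is not enforced here.
function strictTimeCheck(payload, nowSeconds, clockToleranceSeconds = 0) {
  for (const claim of ["exp", "nbf", "iat"]) {
    if (has(payload, claim) && !isNumericDate(payload[claim])) {
      return `invalid-${claim}`;
    }
  }
  // exp: the current time must be strictly before exp (section 4.1.4).
  if (has(payload, "exp") && nowSeconds >= payload.exp + clockToleranceSeconds) {
    return "expired";
  }
  // nbf: the token must not be accepted before nbf (section 4.1.5).
  if (has(payload, "nbf") && nowSeconds < payload.nbf - clockToleranceSeconds) {
    return "not-yet-valid";
  }
  // iat: an issued-at time in the future means a bad clock or a forged claim.
  if (has(payload, "iat") && nowSeconds < payload.iat - clockToleranceSeconds) {
    return "issued-in-future";
  }
  return "ok";
}

// Constructed sample payloads exercising the bypass cases.
const now = 1_700_000_000;
for (const payload of [{ exp: 0 }, { exp: NaN }, { exp: "1700000000" }]) {
  console.log(JSON.stringify(payload), naiveTimeCheck(payload, now), strictTimeCheck(payload, now));
}
```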

dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on May 15, 2026

socket-security Bot commented May 15, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    Package         Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   hono@4.12.18    99                      100             97        95            100

dependabot Bot force-pushed the dependabot/npm_and_yarn/hono-4.12.18 branch from d98578e to aba0d41 on May 15, 2026 17:20

typeweaver added 11 commits May 16, 2026 11:25
Sort GeneratedFiles output, index-file group iteration, formatter
readdir, and plugin toposort with alphabetical tie-breaker. Generated
artifacts are byte-identical; this locks in determinism for upcoming
concurrent generation work.

Install effect + @effect/platform in gen, plus @effect/platform-node in
cli. Expose an empty MainLayer for services to accrete into, and a CLI-side
ManagedRuntime composed with NodeContext.layer. Smoke-tested via vanilla
vitest + Effect.runPromise pending the @effect/vitest peer-dep resolution
in task #9.

@effect/vitest@0.29.0 (the stable line aligned with effect v3) peers on
vitest ^3.2.0. The project used only vanilla vitest APIs (describe, test,
expect, vi, expectTypeOf, lifecycle hooks) — all stable across 3.x/4.x —
so dropping to vitest 3.2.4 costs nothing material and unlocks it.effect,
it.scoped, and the rest of the Effect test ergonomics.

Smoke tests in packages/gen migrated from Effect.runPromise wrappers to
it.effect for parity with the upcoming test-infrastructure work in task #9.

Every error in gen and cli now extends Data.TaggedError, carries a `_tag`
discriminator, and surfaces its fields as readonly props. Message strings
preserved verbatim so toThrowError assertions still pass. Tagged-union
types (NormalizationError, PluginError, ConfigError, GenerationError,
SpecLoadError) live next to the classes and are ready for Effect.catchTag.

Breaking: constructors switch from positional to object form, e.g.
new DuplicateOperationIdError({ operationId }) instead of (operationId).

Renamed PluginLoadingFailure -> PluginLoadError (XxxError convention) and
deleted the unused gen-side PluginLoadError stub plus the unused
DefinitionCompilationError. PluginLoadError / PluginDependencyError moved
out of plugins/types.ts into plugins/errors/ to keep the type module pure.

Introduce TemplateRenderer, GeneratedFiles, and PathSafety on the gen side
plus Formatter on the cli side, all defined via Effect.Service and wired
through MainLayer / ProductionLayer. Service implementations delegate to
existing sync helpers so behaviour and golden output stay byte-identical;
future effect-native callers (tasks #5/#6) reach the filesystem via these
layers.

Extract path-traversal logic out of pluginContext.ts into a dedicated
helpers/pathSafety.ts module and introduce UnsafeGeneratedPathError as a
Data.TaggedError replacing the previous generic Error throws. Twelve
service tests cover happy paths, deterministic ordering, deduplication,
and tagged-error mapping.

…effect

normalizeSpec is now an Effect, returning NormalizedSpec on the success
channel and the closed NormalizationError union on the failure channel.
The internal transform stays sync — only the boundary changes — so callers
can compose, recover via Effect.catchTag, and assert against tagged errors.

The CLI's spec and config loading move from free functions on raw modules
to four Effect services (ConfigLoader, SpecBundler, SpecImporter, SpecLoader)
registered on ProductionLayer. SpecLoader's `dependencies` field stitches
SpecBundler and SpecImporter into a single layer; Generator and cli.ts
now bridge to the services via effectRuntime.runPromise.

InvalidSpecEntrypointError moves into the errors directory and gains its
tagged form (missed in task #3); SpecBundleError is added to discriminate
rolldown failures from missing-output failures. pluginLoader.ts's ad-hoc
LoadResult<T,E> is replaced by Effect's Either. The legacy modules
configLoader.ts, generators/specLoader.ts, and generators/spec/specBundler.ts
plus specImporter.ts are deleted; tests bridge via Effect.either so existing
toBeInstanceOf assertions keep working, plus two new effect-native tests in
normalizeSpec.test.ts demonstrate the Cause / catchTag pattern.

Four review lenses turned up three real correctness issues that needed
to land before task #6 builds on top of these foundations:

- `PluginDependencyError` import in pluginRegistry.test.ts pointed at the
  old types.ts location after the task-#3 move; the binding resolved to
  `undefined`, silently degrading every `toThrowError(PluginDependencyError)`
  assertion into a "throws anything" check. Re-pointed at the errors barrel.
- `Effect.try` catch handlers in normalizeSpec and ConfigLoader.load cast
  blindly to the declared union, stamping arbitrary upstream errors as
  NormalizationError / ConfigError. Replaced with `isNormalizationError`
  and `isConfigError` predicates that narrow safely; non-typed errors
  propagate as defects (or, for user-evaluated config modules, as plain
  Error inside the widened `ConfigError | Error` channel).
- `Effect.sync(fs.mkdirSync/writeFileSync)` in SpecLoader produced defects,
  not typed failures, so the declared union under-described what could
  fail. Wrapped both in `Effect.try` with the new `SpecOutputWriteError`.

`DuplicateResponseNameError` from core is now part of the NormalizationError
union and exported from `@rexeus/typeweaver-core` (the class was already
thrown from validateUniqueResponseNames but never re-exported, so it
silently resolved to undefined in importers).

Plus three small smells the maintainability lens flagged:

- Inlined `revalidateGeneratedWritePath` in pluginContext — it was a
  one-line alias to `resolveSafeGeneratedFilePath` called six times for
  the same `(outputDir, path)` pair per write. Single resolve now flows
  through `writeGeneratedFileByReplacingDestination` as a SafeGeneratedFilePath.
- Updated MainLayer.ts header to name the real consumer entrypoint.

Two new tests close gaps the test-architect flagged:

- `GeneratedFiles` concurrent unbounded `add` — verifies the design
  rationale (Ref+SortedSet → deterministic snapshot under fiber concurrency),
  unverified before.
- `ProductionLayer` resolution smoke — every directly registered service
  must be reachable from the production runtime, catching dependency-graph
  regressions before task #6 amplifies them.

… service

Replaces the imperative BasePlugin class API with a V2 Plugin record API
where each lifecycle stage returns an Effect. Replaces the imperative
Generator class with an Effect.Service orchestrator that drives the full
pipeline (clean -> load -> bundle -> init -> collect -> generate ->
finalize -> format) with per-phase Effect.withSpan instrumentation.

* New services: PluginRegistry (Ref-backed, alphabetical toposort),
  ContextBuilder (Effect facade over plugin-context factory), Generator
  (CLI orchestrator), PluginLoader (V2-only resolver supporting plain
  records and factory functions).
* New plugin API: definePlugin({ name, depends?, initialize?, generate?, ... })
  with PluginExecutionError tagged failure channel.
* All 6 first-party plugins (types, clients, server, hono, aws-cdk, openapi)
  migrated to V2 records / factories. BasePlugin, TypeweaverPlugin,
  createPluginRegistry, createPluginContextBuilder, legacyAdapter deleted.
* Output remains byte-identical against the golden snapshot.

Fixes 2 correctness warnings, 3 maintainability warnings, and 1 correctness
suggestion surfaced by the independent reviewer trio.

Correctness
* SpecBundler: temp dir leaked if wrapper write failed; move mkdtempSync
  inside the try/finally pair so every successful mkdtempSync is bound
  to a cleanup.
* ContextBuilder + Generator: shared mutable `builder` singleton corrupted
  state under overlapping generate() calls (manifested only in tests, but
  real). Replace `reset()` with per-call builders returned from
  buildPluginContext / buildGeneratorContext.
* indexFileGenerator: barrel writes bypassed the atomic-replace path AND
  weren't registered with addGeneratedFile. Promote to IndexFileGenerator
  service that routes writes through context.writeFile, finally giving
  TemplateRenderer a production caller.

Maintainability
* Five plugin entrypoints (types, clients, server, hono, aws-cdk) were
  byte-equivalent scaffolding. Extract `definePluginWithLibCopy` helper
  in @rexeus/typeweaver-gen; each entrypoint shrinks from ~40 to ~17
  lines.
* Document the sync-helpers contract on GeneratorContext (writeFile,
  renderTemplate, addGeneratedFile) so plugin authors don't have to
  reverse-engineer the throw semantics.

No behavioral change to generated output (byte-identical golden snapshot).
2124/2124 tests pass.

Deferred to follow-up tasks: GeneratedFiles + PathSafety production
wiring, full FileSystem service adoption, console.* -> Effect.logInfo,
PluginModuleLoader service, cycle-detection error semantics, file-split
cleanup, plugin-author docs.

…ect.logInfo

Closes all remaining reviewer findings. The independent review trio
(Correctness, Maintainability, Security, Tester-Architect) now reports
PASS across the board after this commit; Tester-Architect goes from
BLOCKING to CLEAN with Task #9 ("InMemoryFs + property tests") opened
up as green-field.

FileSystem service tag
* Adopted at 5 orchestration sites: generatorIO, SpecLoader, SpecBundler,
  SpecImporter, generatorDefaults.
* SpecBundler uses FileSystem.makeTempDirectoryScoped — auto-cleanup via
  Effect.Scope replaces the manual try/finally.
* Kept on node:fs at 3 leaf sites by design: pluginContextBuilder.writeFile,
  copyPluginLibFiles, assertSafeCleanTargetEffect. Plugin.generate keeps
  R = never; the plugin author sync API stays sync. The deps-injection
  seams (PathSafetyFs, CleanTargetFs, PathSafetyShape, TemplateRendererShape)
  give tests the substitutability without breaking the contract.

PluginModuleLoader service
* New service wraps dynamic `import(specifier)`. Tagged failure channel
  via PluginModuleNotFoundError.
* PluginLoader consumes it instead of raw `await import`. The .mjs-fixture
  pattern in pluginLoader.test.ts is now optional; PluginModuleLoader.test.ts
  demonstrates the in-memory layer pattern.

GeneratedFiles + PathSafety + TemplateRenderer wiring
* TemplateRenderer wired via IndexFileGenerator (Task #8.5) and via
  pluginContextBuilder (this task).
* PathSafety wired via pluginContextBuilder. UnsafeGeneratedPathError
  unwraps cleanly through the runSync shim — no FiberFailure leaks to
  plugin authors.
* GeneratedFiles singleton deleted; per-call tracker built inside
  createPluginContextBuilder. Per-call isolation is structural now, not
  policy.

Effect.logInfo migration
* All console.* in services replaced with Effect.logInfo/logWarning.
* CliLoggerLayer reformats CLI output to bare lines (no timestamps,
  level-prefixed warnings and errors).
* Only surviving console.info is inside the documented sync-runSync
  bridge in pluginContextBuilder.writeFile.

Small cleanups
* PluginDependencyError.missingDependency made optional; cycle errors
  no longer carry the misleading "X depends on X" field.
* Duplicate plugin registration message corrected for both required and
  config-supplied collisions.

Generated output is byte-identical against the golden snapshot.
2123/2123 tests pass (-5 GeneratedFiles tests, -1 obsolete clearGeneratedFiles
test, +4 PluginModuleLoader tests, +1 per-call isolation test).

Replaces commander with @effect/cli for the CLI command tree, and adds
a centralized formatErrorForCli translator so tagged-error output is
human-friendly. The generate pipeline keeps its semantics; the
underlying Generator service is unchanged.

CLI rewrite
* generate / init subcommands defined via @effect/cli Command + Options
* --format / --no-format and --clean / --no-clean modeled as separate
  flags due to a known @effect/cli@0.75 bug where Options.boolean with
  `negationNames` short-circuits the outer withDefault
* resolveGenerateOptions invoked inside Effect.try with
  MissingGenerateOptionError narrowing
* CLI entry routes failures through formatErrorForCli before
  NodeRuntime.runMain; @effect/cli ValidationError is filtered to avoid
  double-printing
* disablePrettyLogger: true on runMain so only the CliLoggerLayer fires
  (otherwise the default pretty logger duplicated every log line and
  swallowed the non-zero exit code on failure)
* commander dependency removed

formatErrorForCli
* Cause -> failures or defects, joined newline-wise
* Tagged errors render via their .message getter
* Plain Error renders via .message
* Unknown values stringify

Verified manually:
* `typeweaver --help` / `typeweaver generate --help` render via @effect/cli
* Missing --input/--output exits 1 with friendly tagged-error message
* Bundle failure exits 1 with formatted message (no FiberFailure trace)

Tests: 2129/2129 pass (+6 new formatErrorForCli tests). Golden gate
byte-identical.

dependabot Bot force-pushed the dependabot/npm_and_yarn/hono-4.12.18 branch from aba0d41 to be54281 on May 16, 2026 19:07

Bumps [hono](https://github.com/honojs/hono) from 4.12.9 to 4.12.18.
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.9...v4.12.18)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot force-pushed the dependabot/npm_and_yarn/hono-4.12.18 branch from be54281 to fd7886b on May 16, 2026 19:13