[PR] chore(deps): bump hono from 4.11.7 to 4.12.21 in /t [apisix]

Thu, 21 May 2026 22:52:48 -0700 


dependabot[bot] opened a new pull request, #13419:
URL: https://github.com/apache/apisix/pull/13419

   Bumps [hono](https://github.com/honojs/hono) from 4.11.7 to 4.12.21.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/honojs/hono/releases";>hono's 
releases</a>.</em></p>
   <blockquote>
   <h2>v4.12.21</h2>
   <h2>Security fixes</h2>
   <p>This release includes fixes for the following security issues:</p>
   <h3>app.mount() strips mount prefix using undecoded path, causing incorrect 
routing for percent-encoded paths</h3>
   <p>Affects: <code>app.mount()</code>. Fixes prefix stripping using the raw 
URL pathname instead of the decoded path, where percent-encoded characters in 
the mount prefix or path could cause the prefix to be removed at the wrong 
position, resulting in the sub-application receiving an incorrect path. 
GHSA-2gcr-mfcq-wcc3</p>
   <h3>IP Restriction bypasses static deny rules for non-canonical IPv6</h3>
   <p>Affects: <code>hono/ip-restriction</code>. Fixes IP address comparison 
using string equality, where non-canonical IPv6 representations of a denied 
address — such as compressed forms or hex-notation IPv4-mapped addresses — 
could bypass static deny rules. GHSA-xrhx-7g5j-rcj5</p>
   <h3>Cookie helper does not sanitize sameSite and priority, allowing 
Set-Cookie injection</h3>
   <p>Affects: <code>hono/cookie</code>. Fixes missing validation of 
<code>sameSite</code> and <code>priority</code> options against injection 
characters (<code>;</code>, <code>\r</code>, <code>\n</code>), where 
user-controlled input passed to either option could inject additional 
attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x</p>
   <h3>JWT middleware accepts any Authorization scheme, not only Bearer</h3>
   <p>Affects: <code>hono/jwt</code>, <code>hono/jwk</code>. Fixes missing 
scheme validation in the Authorization header, where any two-part header value 
was accepted regardless of the scheme name, allowing non-Bearer schemes to pass 
JWT authentication. GHSA-f577-qrjj-4474</p>
   <hr />
   <p>Users who use <code>app.mount()</code>, <code>hono/ip-restriction</code>, 
<code>hono/cookie</code>, or <code>hono/jwt</code>/<code>hono/jwk</code> are 
encouraged to upgrade to this version.</p>
   <h2>v4.12.20</h2>
   <h2>What's Changed</h2>
   <ul>
   <li>fix(route): preserve the base path of the mounted route() app by <a 
href="https://github.com/usualoma";><code>@​usualoma</code></a> in <a 
href="https://redirect.github.com/honojs/hono/pull/4942";>honojs/hono#4942</a></li>
   <li>fix(jsx): widen jsx and jsxFn children to Child[] by <a 
href="https://github.com/ashunar0";><code>@​ashunar0</code></a> in <a 
href="https://redirect.github.com/honojs/hono/pull/4947";>honojs/hono#4947</a></li>
   </ul>
   <h2>New Contributors</h2>
   <ul>
   <li><a href="https://github.com/ashunar0";><code>@​ashunar0</code></a> made 
their first contribution in <a 
href="https://redirect.github.com/honojs/hono/pull/4947";>honojs/hono#4947</a></li>
   </ul>
   <p><strong>Full Changelog</strong>: <a 
href="https://github.com/honojs/hono/compare/v4.12.19...v4.12.20";>https://github.com/honojs/hono/compare/v4.12.19...v4.12.20</a></p>
   <h2>v4.12.19</h2>
   <h2>What's Changed</h2>
   <ul>
   <li>ci: pin GitHub Actions to SHAs by <a 
href="https://github.com/yusukebe";><code>@​yusukebe</code></a> in <a 
href="https://redirect.github.com/honojs/hono/pull/4932";>honojs/hono#4932</a></li>
   <li>fix(serveStatic): make options parameter optional in all adapters by <a 
href="https://github.com/mixelburg";><code>@​mixelburg</code></a> in <a 
href="https://redirect.github.com/honojs/hono/pull/4934";>honojs/hono#4934</a></li>
   <li>fix(cookie): return the first cookie when there are multiple cookies 
with the same name by <a 
href="https://github.com/usualoma";><code>@​usualoma</code></a> in <a 
href="https://redirect.github.com/honojs/hono/pull/4922";>honojs/hono#4922</a></li>
   <li>feat(bearer-auth): make bearerAuth generic for typed context in 
verifyToken by <a 
href="https://github.com/justinnais";><code>@​justinnais</code></a> in <a 
href="https://redirect.github.com/honojs/hono/pull/4913";>honojs/hono#4913</a></li>
   <li>feat(cache): key cache entries by configured vary headers by <a 
href="https://github.com/usualoma";><code>@​usualoma</code></a> in <a 
href="https://redirect.github.com/honojs/hono/pull/4915";>honojs/hono#4915</a></li>
   <li>feat(request): add <code>bytes()</code> by <a 
href="https://github.com/yusukebe";><code>@​yusukebe</code></a> in <a 
href="https://redirect.github.com/honojs/hono/pull/4921";>honojs/hono#4921</a></li>
   <li>fix(stream): upgrade <code>@hono/node-server</code> to v2 and fix abort 
handling by <a href="https://github.com/yusukebe";><code>@​yusukebe</code></a> 
in <a 
href="https://redirect.github.com/honojs/hono/pull/4940";>honojs/hono#4940</a></li>
   </ul>
   <h2>New Contributors</h2>
   <ul>
   <li><a href="https://github.com/justinnais";><code>@​justinnais</code></a> 
made their first contribution in <a 
href="https://redirect.github.com/honojs/hono/pull/4913";>honojs/hono#4913</a></li>
   </ul>
   <p><strong>Full Changelog</strong>: <a 
href="https://github.com/honojs/hono/compare/v4.12.18...v4.12.19";>https://github.com/honojs/hono/compare/v4.12.18...v4.12.19</a></p>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/honojs/hono/commit/a83ddb882e0c0b8c336050dba087bb2e1b12488e";><code>a83ddb8</code></a>
 4.12.21</li>
   <li><a 
href="https://github.com/honojs/hono/commit/6cbb025ff87fca1a3d00d0ccca0eaf3a6385c3f1";><code>6cbb025</code></a>
 Merge commit from fork</li>
   <li><a 
href="https://github.com/honojs/hono/commit/c831020fb1fa2e929d222f6c84e1abfe013e512b";><code>c831020</code></a>
 Merge commit from fork</li>
   <li><a 
href="https://github.com/honojs/hono/commit/905aedbc20661e0e2fa378783a7ec44a5c3df43d";><code>905aedb</code></a>
 Merge commit from fork</li>
   <li><a 
href="https://github.com/honojs/hono/commit/5463db2735476959b8af67756f4e513f4fe19115";><code>5463db2</code></a>
 Merge commit from fork</li>
   <li><a 
href="https://github.com/honojs/hono/commit/c657a39ccc8d3194d345d9e82c8587bd25b5b6e8";><code>c657a39</code></a>
 4.12.20</li>
   <li><a 
href="https://github.com/honojs/hono/commit/eb2d0c238adbcee5933d0f8c15f1a65a88f50565";><code>eb2d0c2</code></a>
 fix(jsx): widen jsx and jsxFn children to Child[] (<a 
href="https://redirect.github.com/honojs/hono/issues/4947";>#4947</a>)</li>
   <li><a 
href="https://github.com/honojs/hono/commit/dcabbece347817ef7193439c39d28546b8ac3a85";><code>dcabbec</code></a>
 fix(route): preserve the base path of the mounted route() app (<a 
href="https://redirect.github.com/honojs/hono/issues/4942";>#4942</a>)</li>
   <li><a 
href="https://github.com/honojs/hono/commit/7e62bcd22fa4e8f0e83cb564bac85e32f5434dd3";><code>7e62bcd</code></a>
 4.12.19</li>
   <li><a 
href="https://github.com/honojs/hono/commit/e2f252a8745eb25f06485b8d43e8410bf027c8ef";><code>e2f252a</code></a>
 fix(stream): upgrade <code>@hono/node-server</code> to v2 and fix abort 
handling (<a 
href="https://redirect.github.com/honojs/hono/issues/4940";>#4940</a>)</li>
   <li>Additional commits viewable in <a 
href="https://github.com/honojs/hono/compare/v4.11.7...v4.12.21";>compare 
view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=hono&package-manager=npm_and_yarn&previous-version=4.11.7&new-version=4.12.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   You can disable automated security fix PRs for this repo from the [Security 
Alerts page](https://github.com/apache/apisix/network/alerts).
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to