[auto] Bump hono to 4.12.12 and vite to 8.0.5 in aegis-oss (8 dependabot alerts) #22
Open
stackbilt-admin wants to merge 1 commit into main from
Conversation
Addresses 8 dependabot security alerts on aegis-oss:

hono (medium severity, #12-#16):
- Cookie name bypass in getCookie() via non-breaking space prefix
- setCookie() missing cookie name validation
- ipRestriction() incorrect IPv4-mapped IPv6 matching
- serveStatic middleware bypass via repeated slashes
- toSSG() path traversal writing outside output directory

vite (2x high, 1x medium, #9-#11):
- server.fs.deny bypassed with queries (high)
- Arbitrary file read via dev server WebSocket (high)
- Path traversal in optimized deps .map handling (medium)

Resolved versions: hono 4.12.12, vite 8.0.8 (satisfies ^8.0.5). Typecheck and all 1473 tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Autonomous Task
Task ID:
7f40f7c8-5421-4309-9488-6ce1ad03e6d4
Authority: auto_safe
Exit code: 0
Task Prompt
Bump `hono` to `4.12.12` and `vite` to `8.0.5` across the aegis-oss monorepo to clear 8 open dependabot alerts.

Context
Dependabot alerts on Stackbilt-dev/aegis-oss:
- `server.fs.deny` bypassed with queries (high)
- `.map` handling (medium)

Vite is dev-only (dev server), so the "high" severity is dev-tool risk, not production. Hono is on the production request path — that's the real priority.

Scope
- `package.json` in the monorepo (workspace root + all packages) that pins `hono` or `vite`.
- `^4.12.12` (or `4.12.12` exact if the existing style is exact).
- `^8.0.5` (or `8.0.5` exact if the existing style is exact).
- `npm install` (or `pnpm install` — use whichever lockfile exists) to update the lockfile.
- `npm run typecheck` (or workspace equivalent) — Hono 4.12.x shouldn't have type breaks from current 4.x, but verify.
- (`npm test` or `pnpm test`). If tests pass, you're done. If they fail, diagnose — Hono 4.12 may have minor API tweaks; check the release notes at https://github.com/honojs/hono/releases.
- `fix(deps): bump hono to 4.12.12 and vite to 8.0.5 for CVE fixes`. List the alert numbers in the commit body (hono: #12-16, vite: #9-11).

Safety
If `npm update` or `pnpm update` would touch anything beyond hono and vite, use explicit `npm install hono@4.12.12 vite@8.0.5` instead.

Result Summary
Commit landed. Bumped hono from 4.12.8 to 4.12.12 and added vite ^8.0.5 (resolved 8.0.8) in `web/package.json`. Typecheck clean, all 1473 tests pass.
TASK_COMPLETE
Generated by AEGIS task runner. Review before merging.
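A check a reviewer can run before merging a bump like this one: confirm that every workspace `package.json` range and the lockfile's resolved version are at or above the patched releases the PR names (hono 4.12.12, vite 8.0.5), so a stale range in one package cannot pull a vulnerable version back in. This is an added example, not code from aegis-oss or the AEGIS task runner; it assumes a `package-lock.json` with `lockfileVersion` 3 (dependencies under `packages` keyed by `node_modules/<name>`) and uses constructed sample manifests.

```javascript
// Patched minimums taken from the PR description.
const PATCHED = { hono: "4.12.12", vite: "8.0.5" };

// Parse "1.2.3" (optionally prefixed with ^ or ~) into numeric parts; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret semantics for non-zero majors: ^M.m.p allows >= M.m.p and < (M+1).0.0; a bare version is an exact pin.
function satisfiesCaret(range, version) {
  const lower = parseVersion(range), v = parseVersion(version);
  if (!lower || !v) return false;
  if (!range.startsWith("^")) return compare(v, lower) === 0;
  return compare(v, lower) >= 0 && v[0] === lower[0];
}

// One finding per (manifest path, patched package). ok is true only when the declared range's
// lower bound AND the lockfile's resolved version both meet the patched minimum.
function audit(manifests, lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(manifests)) {
    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
    for (const [name, minimum] of Object.entries(PATCHED)) {
      if (!(name in deps)) continue;
      const range = deps[name];
      const min = parseVersion(minimum), lower = parseVersion(range);
      const resolved = lock.packages[`node_modules/${name}`]?.version ?? null;
      const rangeOk = !!lower && compare(lower, min) >= 0;
      const resolvedOk = !!parseVersion(resolved) && compare(parseVersion(resolved), min) >= 0
        && satisfiesCaret(range, resolved);
      findings.push({ path, name, range, resolved, ok: rangeOk && resolvedOk });
    }
  }
  return findings;
}

// Constructed sample input modelled on the PR result: web/ is fixed (vite ^8.0.5 resolves to 8.0.8),
// while a hypothetical api/ package still declares the pre-fix range hono ^4.12.8.
const manifests = {
  "web/package.json": { dependencies: { hono: "^4.12.12" }, devDependencies: { vite: "^8.0.5" } },
  "api/package.json": { dependencies: { hono: "^4.12.8" } },
};
const lock = { lockfileVersion: 3, packages: {
  "node_modules/hono": { version: "4.12.12" }, "node_modules/vite": { version: "8.0.8" } } };
const report = audit(manifests, lock); // api/package.json: hono range still allows vulnerable versions
```

The `api/package.json` finding comes back with `ok: false` even though the lockfile already resolves hono to 4.12.12, which is exactly the case a lockfile-only check would miss.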