Dependency audit run on 2026-03-12 found actionable npm vulnerabilities.
Summary
- Total vulnerabilities: 4
- Critical: 0
- High: 4
- Moderate: 0
- Low: 0
Notable vulnerable packages
@hono/node-server (high) — @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware; fix available
express-rate-limit (high) — express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network; fix available
hono (high) — basicAuth and bearerAuth middleware compared credentials without timing-safe comparison; the advisory ("Hono added timing comparison hardening in basicAuth and bearerAuth") describes the hardening; fix available
tar (high) — tar has Hardlink Path Traversal via Drive-Relative Linkpath; fix available
Also outdated
Running npm outdated found 9 package(s) behind the latest release.
Suggested next steps
- Upgrade the direct dependencies that pull in the vulnerable packages (npm ls <package> shows which direct dependency each one comes through)
- Rebuild the lockfile and rerun npm audit
- Smoke-test build/runtime paths after upgrades, especially where fixes require semver-major jumps