chore(deps): bump hono from 4.12.21 to 4.12.25 in /apps/backend in the npm_and_yarn group across 1 directory #25
Open
dependabot[bot] wants to merge 1 commit into
Bumps the npm_and_yarn group with 1 update in the /apps/backend directory: [hono](https://github.com/honojs/hono).

Updates `hono` from 4.12.21 to 4.12.25
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.21...v4.12.25)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.25
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
08a94f7 to 03d6924
| "bencode": "^4.0.0", | ||
| "drizzle-orm": "^0.45.2", | ||
| "hono": "4.12.21", | ||
| "hono": "4.12.25", |
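Review bot: the `hono` pin in apps/backend/package.json moves from `4.12.21` to `4.12.25`, but no matching change to the root `bun.lock` is part of this diff, so installs from the lockfile keep resolving 4.12.21 and `bun install --frozen-lockfile` will fail on this branch; regenerate the lockfile with `bun install`, check the diff touches only the hono entries, and commit it together with this package.json edit. Separately, `hono` is pinned exactly while the neighbouring `bencode` and `drizzle-orm` entries use caret ranges; that is reasonable for a security bump, but worth stating in the PR so the inconsistency is deliberate rather than accidental.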
Lockfile not updated — security patches not yet effective

The root `bun.lock` still pins hono to 4.12.21 (lines 36 and 676) while `package.json` now declares 4.12.25. Because Dependabot does not update Bun lockfiles, the security fixes bundled in this release will not be installed until someone runs `bun install` locally, verifies the lockfile diff, and commits the updated `bun.lock`. Any CI step that runs `bun install --frozen-lockfile` will also fail with the current state of the repository.
Release notes
Sourced from hono's releases.
... (truncated)

Commits
- fce483e 4.12.25
- 751ba41 Merge commit from fork
- f0b094d Merge commit from fork
- fa5f9bf Merge commit from fork
- 3892a6c Merge commit from fork
- 74c2cf8 test(aws-lambda): update integration tests (#5012)
- 7ae7cba Merge commit from fork
- 1b13848 chore(ci): bump codecov-action to v7.0.0 (#5011)
- 5fdde5a 4.12.24
- c78932d fix(utils/ipaddr): render the unspecified address binary as "::" (#4998)

Greptile Summary
This PR bumps `hono` from `4.12.21` to `4.12.25` in `apps/backend`, picking up five security patches released in `v4.12.25`. The backend does not appear to use the affected middleware (CORS with wildcard credentials, body-limit on AWS Lambda, serve-static on Windows, or Lambda adapters), so no application-level changes are needed.

... `%5C` on Windows (GHSA-wwfh-h76j-fc44), `Set-Cookie` merge on ALB (GHSA-j6c9-x7qj-28xf), and header overwrite on Lambda@Edge (GHSA-wgpf-jwqj-8h8p).

`bun.lock` was not updated by Dependabot (Bun lockfiles are not yet supported by Dependabot), so the patched version won't actually be installed until `bun install` is run and the updated lockfile is committed.

Confidence Score: 4/5

Safe to merge, but the security patches won't take effect until bun.lock is regenerated and committed separately.

The package.json change is correct and the target version carries important security fixes. However, bun.lock was not updated — it still resolves hono@4.12.21 — so the patched binary won't be installed from the lockfile until a follow-up bun install commit is made. This gap between declared and locked version is a real, present state in the repo that needs manual resolution.

`bun.lock` at the repo root needs to be regenerated with `bun install` and committed to complete this upgrade.

Important Files Changed

Sequence Diagram

    %%{init: {'theme': 'neutral'}}%%
    sequenceDiagram
        participant Dep as Dependabot
        participant PJ as package.json
        participant BL as bun.lock
        participant CI as CI / bun install
        Dep->>PJ: bumps hono 4.12.21 → 4.12.25
        Dep-->>BL: ❌ not updated (Bun lockfile unsupported)
        CI->>BL: "reads pinned hono@4.12.21"
        Note over CI,BL: Security patches not applied<br/>until bun install + lockfile commit
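The declared-versus-locked gap that both review comments describe can be caught in CI before a frozen-lockfile install fails. The checker below is an added example, not code from this repository, Dependabot or Greptile; it runs on constructed samples of `package.json` and `bun.lock`, and the lockfile layout it assumes (a JSONC `workspaces` block plus `packages` entries whose first element is `name@version`) is an assumption about Bun's text lockfile rather than something shown on this page.

```python
import json
import re
from typing import Optional

# Constructed sample: apps/backend/package.json after Dependabot's bump.
PACKAGE_JSON = """{
  "dependencies": {
    "bencode": "^4.0.0",
    "drizzle-orm": "^0.45.2",
    "hono": "4.12.25"
  }
}"""

# Constructed sample of the root bun.lock Dependabot left untouched. The layout
# (JSONC "workspaces" block plus "packages" entries starting "name@version")
# is an assumption about the Bun text lockfile, not taken from the repository.
BUN_LOCK = """{
  "lockfileVersion": 1,
  "workspaces": {
    "apps/backend": { "dependencies": { "hono": "4.12.21" } },
  },
  "packages": {
    "hono": ["hono@4.12.21", "", {}, "sha512-<constructed>"],
  },
}"""


def declared_version(package_json: str, dep: str) -> Optional[str]:
    """Version package.json declares for dep, with a leading ^ or ~ range marker stripped."""
    spec = json.loads(package_json).get("dependencies", {}).get(dep)
    return None if spec is None else spec.lstrip("^~")


def locked_versions(bun_lock: str, dep: str) -> set:
    """Every version the lockfile resolves for dep (regex scan, so JSONC trailing commas are fine)."""
    return set(re.findall(rf'"{re.escape(dep)}@(\d+\.\d+\.\d+[^"]*)"', bun_lock))


def lockfile_drift(package_json: str, bun_lock: str, dep: str) -> Optional[str]:
    """Finding when bun.lock does not resolve the declared version, else None.

    This is the state in which `bun install --frozen-lockfile` fails and the patched
    release is not installed even though package.json says it should be.
    """
    want = declared_version(package_json, dep)
    have = locked_versions(bun_lock, dep)
    if want is None:
        return f"{dep}: not declared in package.json"
    if want not in have:
        return f"{dep}: package.json declares {want} but bun.lock resolves {sorted(have) or 'nothing'}"
    return None
```

Run against the real files, a non-`None` result from `lockfile_drift` is the signal to regenerate and commit `bun.lock` before merging the bump.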