Update vulnerable Hono and fast-uri dependencies (#29650)

## Summary

- Pin `hono` to 4.12.25, the first patched release for the recent Hono
security advisories.
- Pin `fast-uri` to 3.1.1 to fix the percent-encoded path traversal
vulnerability.
- Refresh `pnpm-lock.yaml` with only those dependency updates.

`hono` 4.12.25 is used instead of the newer 4.12.27 because the
repository requires dependencies to be at least seven days old.
This commit is contained in:
jif
2026-06-23 16:19:19 +01:00
committed by GitHub
Unverified
parent bbe1006890
commit c553cea9ea
2 changed files with 16 additions and 12 deletions
+2
View File
@@ -14,9 +14,11 @@
"@modelcontextprotocol/sdk": "1.26.0",
"braces": "^3.0.3",
"esbuild": "0.28.1",
"fast-uri": "3.1.1",
"flatted": "3.4.2",
"glob@10.4.5": "10.5.0",
"handlebars": "4.7.9",
"hono": "4.12.25",
"micromatch": "^4.0.8",
"minimatch@3.1.2": "3.1.4",
"minimatch@9.0.5": "9.0.7",
+14 -12
View File
@@ -8,9 +8,11 @@ overrides:
'@modelcontextprotocol/sdk': 1.26.0
braces: ^3.0.3
esbuild: 0.28.1
fast-uri: 3.1.1
flatted: 3.4.2
glob@10.4.5: 10.5.0
handlebars: 4.7.9
hono: 4.12.25
micromatch: ^4.0.8
minimatch@3.1.2: 3.1.4
minimatch@9.0.5: 9.0.7
@@ -455,7 +457,7 @@ packages:
resolution: {integrity: sha512-TsQLe4i2gvoTtrHje625ngThGBySOgSK3Xo2XRYOdqGN1teR8+I7vchQC46uLJi8OF62YTYA3AhSpumtkhsaKQ==}
engines: {node: '>=18.14.1'}
peerDependencies:
hono: ^4
hono: 4.12.25
'@humanfs/core@0.19.1':
resolution: {integrity: sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==}
@@ -1341,8 +1343,8 @@ packages:
fast-levenshtein@2.0.6:
resolution: {integrity: sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==}
fast-uri@3.1.0:
resolution: {integrity: sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==}
fast-uri@3.1.1:
resolution: {integrity: sha512-h2r7rcm6Ee/J8o0LD5djLuFVcfbZxhvho4vvsbeV0aMvXjUgqv4YpxpkEx0d68l6+IleVfLAdVEfhR7QNMkGHQ==}
fastq@1.19.1:
resolution: {integrity: sha512-GwLTyxkCXjXbxqIhTsMI2Nui8huMPtnxg7krajPJAjnEG/iiOS7i+zCtWGZR9G0NBKbXKh6X9m9UIsYX/N6vvQ==}
@@ -1484,8 +1486,8 @@ packages:
resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
engines: {node: '>= 0.4'}
hono@4.12.12:
resolution: {integrity: sha512-p1JfQMKaceuCbpJKAPKVqyqviZdS0eUxH9v82oWo1kb9xjQ5wA6iP3FNVAPDFlz5/p7d45lO+BpSk1tuSZMF4Q==}
hono@4.12.25:
resolution: {integrity: sha512-2NFaIyNVgJmBs/ecmtGzlmluTFs5cHEWGTdu0t1HBwYzoGXOL5nUQBRMXsXWla5i4KkG//QMzVP88m1+I3fdAQ==}
engines: {node: '>=16.9.0'}
html-escaper@2.0.2:
@@ -2873,9 +2875,9 @@ snapshots:
'@eslint/core': 0.15.2
levn: 0.4.1
'@hono/node-server@1.19.13(hono@4.12.12)':
'@hono/node-server@1.19.13(hono@4.12.25)':
dependencies:
hono: 4.12.12
hono: 4.12.25
'@humanfs/core@0.19.1': {}
@@ -3095,7 +3097,7 @@ snapshots:
'@modelcontextprotocol/sdk@1.26.0(zod@3.25.76)':
dependencies:
'@hono/node-server': 1.19.13(hono@4.12.12)
'@hono/node-server': 1.19.13(hono@4.12.25)
ajv: 8.17.1
ajv-formats: 3.0.1(ajv@8.17.1)
content-type: 1.0.5
@@ -3105,7 +3107,7 @@ snapshots:
eventsource-parser: 3.0.6
express: 5.2.1
express-rate-limit: 8.3.2(express@5.2.1)
hono: 4.12.12
hono: 4.12.25
jose: 6.1.3
json-schema-typed: 8.0.2
pkce-challenge: 5.0.0
@@ -3401,7 +3403,7 @@ snapshots:
ajv@8.17.1:
dependencies:
fast-deep-equal: 3.1.3
fast-uri: 3.1.0
fast-uri: 3.1.1
json-schema-traverse: 1.0.0
require-from-string: 2.0.2
@@ -3905,7 +3907,7 @@ snapshots:
fast-levenshtein@2.0.6: {}
fast-uri@3.1.0: {}
fast-uri@3.1.1: {}
fastq@1.19.1:
dependencies:
@@ -4054,7 +4056,7 @@ snapshots:
dependencies:
function-bind: 1.1.2
hono@4.12.12: {}
hono@4.12.25: {}
html-escaper@2.0.2: {}