From e292779f1a739b6188efac25f171a8da913ce16b Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Mon, 15 Jun 2026 08:25:12 +0100
Subject: [PATCH] fix: Fix 4 security issues in @grpc/grpc-js, hono (#32281)
Co-authored-by: aikido-autofix[bot] <119856028+aikido-autofix[bot]@users.noreply.github.com>
---
 package.json | 4 ++--
 pnpm-lock.yaml | 46 +++++++++++++++++++++++----------------------
 2 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/package.json b/package.json
index 7c4d0a79227..3ebfc1a2ef7 100644
--- a/package.json
+++ b/package.json
@@ -175,7 +175,6 @@
 "yaml@<=2.8.3": "2.8.3",
 "axios": "1.16.1",
 "fast-xml-parser": "5.7.2",
- "hono": "4.12.21",
 "postcss@<=8.5.9": "8.5.10",
 "@anthropic-ai/sdk@<=0.91.1": "0.91.1",
 "uuid@<=13.0.1": "13.0.1",
@@ -187,7 +186,8 @@
 "@tootallnate/once@2": "2.0.1",
 "@opentelemetry/exporter-prometheus@<=0.217.0": "0.217.0",
 "@opentelemetry/sdk-node@<=0.217.0": "0.217.0",
- "langsmith": "0.6.0"
+ "langsmith": "0.6.0",
+ "hono": "4.12.25"
 },
 "patchedDependencies": {
 "bull@4.16.4": "patches/bull@4.16.4.patch",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 575d4f176c2..bd457ebb9e9 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -578,7 +578,6 @@ overrides: yaml@<=2.8.3: 2.8.3 axios: 1.16.1 fast-xml-parser: 5.7.2 - hono: 4.12.21 postcss@<=8.5.9: 8.5.10 '@anthropic-ai/sdk@<=0.91.1': 0.91.1 uuid@<=13.0.1: 13.0.1
@@ -591,6 +590,7 @@ overrides: '@opentelemetry/exporter-prometheus@<=0.217.0': 0.217.0 '@opentelemetry/sdk-node@<=0.217.0': 0.217.0 langsmith: 0.6.0 + hono: 4.12.25 patchedDependencies: '@lezer/highlight':
@@ -7301,8 +7301,8 @@ packages: peerDependencies: graphql: ^0.8.0 || ^0.9.0 || ^0.10.0 || ^0.11.0 || ^0.12.0 || ^0.13.0 || ^14.0.0 || ^15.0.0 || ^16.0.0 || ^17.0.0 - '@grpc/grpc-js@1.14.3': - resolution: {integrity: sha512-Iq8QQQ/7X3Sac15oB6p0FmUg/klxQvXLeileoqrTRGJYLV+/9tubbr9ipz0GKHjmXVsgFPo/+W+2cA8eNcR+XA==} + '@grpc/grpc-js@1.14.4': + resolution: {integrity: sha512-k9Dj3DV/itK9D06Y8f190Qgop7/Ui+D0njFV3LHMPwPT75DpXLQohE9Wmz0QElrJnzsjB7KPWiKJbOl7IPDArQ==} engines: {node: '>=12.10.0'} '@grpc/proto-loader@0.7.13': @@ -7319,7 +7319,7 @@ packages: resolution: {integrity: sha512-TsQLe4i2gvoTtrHje625ngThGBySOgSK3Xo2XRYOdqGN1teR8+I7vchQC46uLJi8OF62YTYA3AhSpumtkhsaKQ==} engines: {node: '>=18.14.1'} peerDependencies: - hono: 4.12.21 + hono: 4.12.25 '@huggingface/inference@4.0.5': resolution: {integrity: sha512-/Qc45BGrN+FBA3JfdeoHfafxfNShH/dxvOsXbBdcxyxIRIYOyefeiXSlShZGVCaiqYpm+10na28D0YtvjKPTlw==} @@ -15087,8 +15087,8 @@ packages: resolution: {integrity: sha512-eSmmWE5bZTK2Nou4g0AI3zZ9rswp7GRKoKXS1BLUkvPviOqs4YTN1djQIqrXy9k5gEtdLPy86JjRwsNM9tnDcA==} engines: {node: '>=0.10.0'} - hono@4.12.21: - resolution: {integrity: sha512-uV63apnb0kyPtAUwoWgaGh9HyIFcv8lgmzPZSiTBQAFOFGIzka5EZ1dZocmGnn0XdX0+XTqJ6Tqv7selMuGLRQ==} + hono@4.12.25: + resolution: {integrity: sha512-2NFaIyNVgJmBs/ecmtGzlmluTFs5cHEWGTdu0t1HBwYzoGXOL5nUQBRMXsXWla5i4KkG//QMzVP88m1+I3fdAQ==} engines: {node: '>=16.9.0'} hookable@5.5.3: @@ -21173,7 +21173,7 @@ packages: engines: {node: '>=18'} xlsx@https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz: - resolution: {integrity: sha512-+nKZ39+nvK7Qq6i0PvWWRA4j/EkfWOtkP/YhMtupm+lJIiHxUrgTr1CcKv1nBk1rHtkRRQ3O2+Ih/q/sA+FXZA==, tarball: https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz} + resolution: {tarball: https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz} version: 0.20.2 engines: {node: '>=0.8'} hasBin: true 
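Review bot: The `xlsx@https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz` entry in the `@@ -21173,7 +21173,7 @@` hunk loses its `integrity: sha512-…` field, so the new line is only `resolution: {tarball: https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz}`. That change is unrelated to the hono and @grpc/grpc-js bumps named in the subject, and it leaves the lockfile with no content hash for a tarball fetched from a third-party CDN, so a changed file at that URL would no longer be caught by the lock. It looks like a side effect of regenerating the lockfile, possibly with a different pnpm version than the one that wrote the original entry (not confirmable from the patch). I would keep the removed `resolution: {integrity: sha512-…, tarball: …}` line as it was and regenerate with the repository's pinned pnpm, then confirm that a frozen-lockfile install in CI still checks the hash.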
@@ -24523,7 +24523,7 @@ snapshots: dependencies: graphql: 16.11.0 - '@grpc/grpc-js@1.14.3': + '@grpc/grpc-js@1.14.4': dependencies: '@grpc/proto-loader': 0.8.0 '@js-sdsl/ordered-map': 4.4.2 @@ -24542,9 +24542,9 @@ snapshots: protobufjs: 7.5.8 yargs: 17.7.2 - '@hono/node-server@1.19.13(hono@4.12.21)': + '@hono/node-server@1.19.13(hono@4.12.25)': dependencies: - hono: 4.12.21 + hono: 4.12.25 '@huggingface/inference@4.0.5': dependencies: @@ -25655,7 +25655,7 @@ snapshots: '@microsoft/agents-a365-runtime': 0.1.0-preview.113 '@microsoft/agents-a365-tooling': 0.1.0-preview.113(zod@3.25.67) '@microsoft/agents-hosting': 1.2.3 - hono: 4.12.21 + hono: 4.12.25 langchain: 1.2.30(@langchain/core@1.1.41(@opentelemetry/api@1.9.0)(@opentelemetry/exporter-trace-otlp-proto@0.217.0(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@2.7.1(@opentelemetry/api@1.9.0))(openai@6.34.0(ws@8.21.0(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67))(ws@8.21.0(bufferutil@4.0.9)(utf-8-validate@5.0.10)))(@opentelemetry/api@1.9.0)(@opentelemetry/exporter-trace-otlp-proto@0.217.0(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@2.7.1(@opentelemetry/api@1.9.0))(openai@6.34.0(ws@8.21.0(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67))(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(vue@3.5.26(typescript@6.0.2))(ws@8.21.0(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod-to-json-schema@3.23.3(zod@3.25.67)) uuid: 13.0.1 optionalDependencies: @@ -25683,7 +25683,7 @@ snapshots: '@microsoft/agents-hosting': 1.2.3 '@modelcontextprotocol/sdk': 1.26.0(zod@3.25.67) express: 5.2.1 - hono: 4.12.21 + hono: 4.12.25 transitivePeerDependencies: - '@cfworker/json-schema' - debug @@ -25770,7 +25770,7 @@ snapshots: '@modelcontextprotocol/sdk@1.26.0(zod@3.25.67)': dependencies: - '@hono/node-server': 1.19.13(hono@4.12.21) + '@hono/node-server': 1.19.13(hono@4.12.25) ajv: 8.18.0 ajv-formats: 3.0.1(ajv@8.18.0) content-type: 1.0.5 
@@ -25780,7 +25780,7 @@ snapshots: eventsource-parser: 3.0.8 express: 5.2.1 express-rate-limit: 8.2.2(express@5.2.1) - hono: 4.12.21 + hono: 4.12.25 jose: 6.2.2 json-schema-typed: 8.0.2 pkce-challenge: 5.0.0(patch_hash=651e785d0b7bbf5be9210e1e895c39a16dc3ce8a5a3843b4819565fb6e175b90) @@ -26211,7 +26211,7 @@ snapshots: '@opentelemetry/exporter-logs-otlp-grpc@0.217.0(@opentelemetry/api@1.9.0)': dependencies: - '@grpc/grpc-js': 1.14.3 + '@grpc/grpc-js': 1.14.4 '@opentelemetry/api': 1.9.0 '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.0) '@opentelemetry/otlp-exporter-base': 0.217.0(@opentelemetry/api@1.9.0) @@ -26241,7 +26241,7 @@ snapshots: '@opentelemetry/exporter-metrics-otlp-grpc@0.217.0(@opentelemetry/api@1.9.0)': dependencies: - '@grpc/grpc-js': 1.14.3 + '@grpc/grpc-js': 1.14.4 '@opentelemetry/api': 1.9.0 '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.0) '@opentelemetry/exporter-metrics-otlp-http': 0.217.0(@opentelemetry/api@1.9.0) @@ -26280,7 +26280,7 @@ snapshots: '@opentelemetry/exporter-trace-otlp-grpc@0.217.0(@opentelemetry/api@1.9.0)': dependencies: - '@grpc/grpc-js': 1.14.3 + '@grpc/grpc-js': 1.14.4 '@opentelemetry/api': 1.9.0 '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.0) '@opentelemetry/otlp-exporter-base': 0.217.0(@opentelemetry/api@1.9.0) @@ -26375,7 +26375,7 @@ snapshots: '@opentelemetry/otlp-grpc-exporter-base@0.217.0(@opentelemetry/api@1.9.0)': dependencies: - '@grpc/grpc-js': 1.14.3 + '@grpc/grpc-js': 1.14.4 '@opentelemetry/api': 1.9.0 '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.0) '@opentelemetry/otlp-exporter-base': 0.217.0(@opentelemetry/api@1.9.0) @@ -29583,7 +29583,7 @@ snapshots: '@zilliz/milvus2-sdk-node@2.5.7': dependencies: - '@grpc/grpc-js': 1.14.3 + '@grpc/grpc-js': 1.14.4 '@grpc/proto-loader': 0.7.13 '@opentelemetry/api': 1.9.0 '@petamoriken/float16': 3.9.2 
@@ -31696,7 +31696,7 @@ snapshots: dockerode@4.0.9: dependencies: '@balena/dockerignore': 1.0.2 - '@grpc/grpc-js': 1.14.3 + '@grpc/grpc-js': 1.14.4 '@grpc/proto-loader': 0.7.13 docker-modem: 5.0.6 protobufjs: 7.5.8 @@ -33324,7 +33324,7 @@ snapshots: google-gax@4.6.1(encoding@0.1.13): dependencies: - '@grpc/grpc-js': 1.14.3 + '@grpc/grpc-js': 1.14.4 '@grpc/proto-loader': 0.7.13 '@types/long': 4.0.2 abort-controller: 3.0.0 @@ -33487,7 +33487,7 @@ snapshots: dependencies: parse-passwd: 1.0.0 - hono@4.12.21: {} + hono@4.12.25: {} hookable@5.5.3: {} @@ -36349,7 +36349,7 @@ snapshots: nice-grpc@2.1.12: dependencies: - '@grpc/grpc-js': 1.14.3 + '@grpc/grpc-js': 1.14.4 abort-controller-x: 0.4.3 nice-grpc-common: 2.0.2