
Bump hono direct dep + override @hono/node-server (six advisories) #1484

@Wirasm

Description


Context

Spun out of #1353 follow-up. `bun audit` against `bun.lock` (the actual runtime tree) flagged `hono` and `@hono/node-server` with several advisories. These are not on the Dependabot dashboard because Dependabot's `bun.lock` coverage is incomplete — they only surface via `bun audit` locally.

Affected packages

`hono <4.12.12` — direct dep in `@archon/server`

Currently pinned to `^4.11.4` in `packages/server/package.json`. Six advisories:

  • GHSA-26pp-8wgv-hjvm — missing validation of cookie name on write path in `setCookie()` (moderate)
  • GHSA-r5rp-j6wh-rvv4 — non-breaking-space prefix bypass in cookie name handling in `getCookie()` (moderate)
  • GHSA-xf4j-xp2r-rqqx — path traversal in `toSSG()` allows writing files outside the output directory (moderate)
  • GHSA-wmmm-f939-6g9c — middleware bypass via repeated slashes in `serveStatic` (moderate)
  • GHSA-458j-xx4x-4375 — improperly handles JSX attribute names allows HTML injection in `hono/jsx` SSR (moderate)
  • GHSA-xpcf-pg52-r92g — incorrect IP matching in `ipRestriction()` for IPv4-mapped IPv6 addresses (moderate)

Several of these affect code paths Archon actually uses (`setCookie` / `getCookie` for the auth sidecar; `serveStatic` for the bundled web UI).

`@hono/node-server <1.19.13` — transitive

Pulled in via `@anthropic-ai/claude-agent-sdk`, `@mariozechner/pi-ai`, and `shadcn`. Not directly imported by Archon.

Proposed fix

In `packages/server/package.json`:
```diff
-  "hono": "^4.11.4"
+  "hono": "^4.12.12"
```
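Review bot: raising the range in `packages/server/package.json` is necessary but not sufficient; `^4.11.4` already admits 4.12.12, so the advisories only go away if `bun.lock` (the tree `bun audit` reads) actually re-resolves `hono` to 4.12.12 or later. After `bun install`, confirm the resolved `hono` entry in `bun.lock` moved, and note that the verification item "should not change other resolved versions" should explicitly expect this one entry to change.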

In root `package.json` overrides:
```diff
 "overrides": {
 ...
+  "@hono/node-server": "^1.19.13"
 }
```
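Review bot: the override forces a version onto a package Archon never imports, so `bun run validate` cannot exercise it; each of the consumers named above (`@anthropic-ai/claude-agent-sdk`, `@mariozechner/pi-ai`, `shadcn`) declares its own range for `@hono/node-server`, and a forced `^1.19.13` should be checked against those declared ranges before merging. A one-line comment next to the override recording why it exists (the `<1.19.13` advisory threshold) would keep it from being dropped silently later.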

Verification

  • `bun install` should not change other resolved versions
  • `bun run validate` must pass
  • Spot-check the auth sidecar's cookie flows (Caddy forward_auth) since two advisories are in `setCookie`/`getCookie`
  • `bun audit` should drop these 7 findings

Effort: ~30 min including manual cookie verification.
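As an added illustration of what the manual cookie spot-check could be turned into, here is a small TypeScript regression test of the kind the auth sidecar could carry. It is example code, not code from Archon or from hono, and it does not reproduce either advisory's exact mechanics: it shows the two properties the advisories are about, a write path that refuses a cookie name that is not an RFC 6265 token, and a read path that strips only ASCII whitespace so an NBSP-prefixed name never collides with the real one. That a naive parser would fail via Unicode-aware `String.prototype.trim()` is an assumption made for illustration; the header in `SAMPLE_COOKIE_HEADER` is constructed.

```typescript
// Added example, not Archon's or hono's code. Two checks matching the two
// cookie advisories: (1) refuse to write a cookie whose name is not an
// RFC 6265 token; (2) when reading, strip only ASCII SP/HTAB, so a name
// prefixed with U+00A0 (NBSP) is never treated as the genuine name.
// Whether hono's bug came from Unicode-aware trimming is an assumption.

// cookie-name = token: 1*<any CHAR except CTLs or separators> (RFC 2616 2.2)
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// cookie-value = *cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function isValidCookieName(name: string): boolean {
  return COOKIE_NAME.test(name);
}

interface CookieAttrs {
  path?: string;
  httpOnly?: boolean;
  secure?: boolean;
  sameSite?: "Strict" | "Lax" | "None";
}

// Write path: build a Set-Cookie header value, rejecting names and values
// that would be ambiguous on the wire (e.g. "\u00a0session", "a;b", "a=b").
function buildSetCookie(name: string, value: string, attrs: CookieAttrs = {}): string {
  if (!isValidCookieName(name)) {
    throw new Error(`invalid cookie name: ${JSON.stringify(name)}`);
  }
  if (!COOKIE_VALUE.test(value)) {
    throw new Error(`invalid cookie value for ${name}`);
  }
  const parts: string[] = [`${name}=${value}`];
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.httpOnly) parts.push("HttpOnly");
  if (attrs.secure) parts.push("Secure");
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join("; ");
}

// Read path, naive variant: String.prototype.trim() removes Unicode
// whitespace including U+00A0, so "\u00a0session" collapses to "session".
function parseCookieHeaderNaive(header: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (!out.has(name)) out.set(name, value); // first occurrence wins (assumed policy)
  }
  return out;
}

// Read path, hardened variant: only SP and HTAB are insignificant (RFC 6265
// 5.2), and a name that is not a token is discarded rather than normalised.
function parseCookieHeader(header: string): Map<string, string> {
  const out = new Map<string, string>();
  const asciiTrim = (s: string): string => s.replace(/^[ \t]+|[ \t]+$/g, "");
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = asciiTrim(part.slice(0, eq));
    const value = asciiTrim(part.slice(eq + 1));
    if (!isValidCookieName(name)) continue;
    if (!out.has(name)) out.set(name, value);
  }
  return out;
}

// Constructed Cookie request header: an NBSP-prefixed "session" precedes
// the genuine one. The naive parser returns the first (attacker) value.
const SAMPLE_COOKIE_HEADER = "\u00a0session=attacker; session=genuine";

function demo(): { naive: string | undefined; hardened: string | undefined; setCookie: string } {
  return {
    naive: parseCookieHeaderNaive(SAMPLE_COOKIE_HEADER).get("session"), // "attacker"
    hardened: parseCookieHeader(SAMPLE_COOKIE_HEADER).get("session"),   // "genuine"
    setCookie: buildSetCookie("session", "abc123", { path: "/", httpOnly: true, secure: true }),
  };
}
```

The useful assertion for the sidecar is the pair in `demo()`: the same header yields `"attacker"` from the naive parser and `"genuine"` from the hardened one, and `buildSetCookie` throws on the NBSP-prefixed name before anything reaches the wire.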

Metadata

Assignees

No one assigned

Labels

  • P2 — Medium priority: Backlog, when time permits
  • area: server — HTTP server (packages/server): API routes, SSE, adapters
  • dependencies — Pull requests that update a dependency file
  • effort/low — Single file or function, one responsibility, isolated change
  • security — Security vulnerabilities and hardening

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
