fix: upgrade @hono/node-server to 1.19.10 (CVE-2026-29087)#16748
fix: upgrade @hono/node-server to 1.19.10 (CVE-2026-29087)#16748orbisai0security wants to merge 2 commits into
Conversation
Automated dependency upgrade by OrbisAI Security Signed-off-by: orbisai0security <mediratta01.pally@gmail.com>
We are not using this dependency. Original Content我们并没有使用这个依赖 |
… dep CVE-2026-29087 affects @hono/node-server <1.19.10. The package is not used directly — it enters the graph transitively through @modelcontextprotocol/sdk (via @anthropic-ai/claude-agent-sdk) and @ai-sdk/devtools. Pinning via pnpm-workspace.yaml overrides forces the patched version across all transitive consumers without adding a spurious direct dependency. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: OrbisAI Security <mediratta01.pally@gmail.com>
|
You're right that it's not a direct dependency — this repo never imports `@hono/node-server` in source. I've updated the PR to address that. However, the vulnerable version is present in the resolved dependency graph via two transitive chains: ``` The What changed in the PR:
Happy to close this if you'd prefer to address it by upgrading the parent packages instead — but the override approach is the lightest-touch fix and matches what's already in |
Automated daily snapshot via GitHub MCP API: - Open issues: 946 (+4 vs yesterday), 96 unlabeled, 3 P1 open - Open PRs: 100 first page (88→main, 5→v1), 15 draft, 4 new today - Security: CVE-2026-29087 PR #16748 awaiting merge - v1.9.12 released 2026-07-05 (18 PRs) - v2 branch: 0 open PRs (merged into main) - New today: GPT-image2 issues, Fireworks AI config, white screen regression Signed-off-by: Claude <noreply@anthropic.com>
Summary
Upgrade @hono/node-server from 1.19.9 to 1.19.10 to fix CVE-2026-29087.
Vulnerability
CVE-2026-29087pnpm-lock.yamlDescription: @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Evidence
Scanner confirmation: trivy rule
CVE-2026-29087flagged this pattern.Production code: This file is in the production codebase, not test-only code.
Threat Model Context
This is a Node.js library - vulnerabilities affect downstream consumers who use this package.
Changes
package.jsonpnpm-lock.yamlVerification
This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.
Automated security fix by OrbisAI Security