chore: resolve open dependabot security alerts #570

Open
jonathannorris wants to merge 1 commit into main from chore/dependabot-alerts-3

Conversation

@jonathannorris (Member)

Summary

  • Resolved 8 open Dependabot security alerts by bumping vulnerable dependencies

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #232 | hono | medium | Bumped to 4.12.18 in mcp-worker (CSS Declaration Injection via JSX SSR) |
| #230 | hono | low | Bumped to 4.12.18 in mcp-worker (improper NumericDate validation in JWT) |
| #228 | hono | medium | Bumped to 4.12.18 in mcp-worker (Cache Middleware Vary header leak) |
| #227 | fast-uri | high | Added >=3.1.2 resolution; resolved to 3.1.2 (host confusion via percent-encoded delimiters) |
| #226 | fast-uri | high | Covered by above resolution (path traversal via percent-encoded dot segments) |
| #224 | hono | medium | Covered by hono bump (unvalidated JSX tag names) |
| #222 | hono | medium | Covered by hono bump (bodyLimit bypass for chunked requests) |
| #213 | ip-address | medium | Existing "ip-address@npm:10.1.0": "^10.1.1" resolution now resolves to 10.2.0 via yarn lockfile regen |

- hono 4.12.14 -> 4.12.18 (medium/low, alerts #222 #224 #228 #230 #232)
- fast-uri 3.1.0 -> 3.1.2 (high, alerts #226 #227)
- ip-address 10.1.0 -> 10.2.0 via resolution (medium, alert #213)
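A check a reviewer could run before approving, as an added example that is not part of this PR or the repository: it parses a Yarn lockfile and reports every resolved copy of the affected packages that is still below the fixed version from the table above, since Dependabot flags one instance but a bump or resolution has to cover all of them. The lockfile text and the helper names (`parseLock`, `cmpVersion`, `findVulnerable`) are constructed for the example.

```javascript
// Added example, not code from this PR or the DevCycle repo: audit a Yarn (berry)
// lockfile so that EVERY resolved copy of a package is checked against the version
// that fixes its advisory. The lockfile text below is constructed for illustration.
const SAMPLE_LOCK = `
"fast-uri@npm:>=3.1.2, fast-uri@npm:^3.0.1":
  version: 3.1.2
  resolution: "fast-uri@npm:3.1.2"

"hono@npm:^4.12.18":
  version: 4.12.18
  resolution: "hono@npm:4.12.18"

"hono@npm:^4.9.0":
  version: 4.12.14
  resolution: "hono@npm:4.12.14"
`;
// Minimum fixed versions, taken from the PR's alert table.
const MINIMUMS = { hono: "4.12.18", "fast-uri": "3.1.2", "ip-address": "10.2.0" };

// A lockfile block opens with a quoted, comma-separated descriptor list
// ("name@npm:range") and carries a `version: x.y.z` line (Yarn v1's `version "x.y.z"`
// also matches). Returns one {name, version} record per descriptor in the block.
function parseLock(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const header = block.trim().split("\n")[0] || "";
    const version = block.match(/^\s+version:?\s*"?([\w.+-]+)"?/m);
    if (!header.endsWith(":") || header.startsWith("__metadata") || !version) continue;
    for (const desc of header.slice(0, -1).replace(/"/g, "").split(",")) {
      const d = desc.trim();
      const at = d.indexOf("@", 1); // index 1 skips a scoped package's leading "@"
      entries.push({ name: at === -1 ? d : d.slice(0, at), version: version[1] });
    }
  }
  return entries;
}
// Numeric major.minor.patch comparison; pre-release suffixes are ignored.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Lockfile instances still below their minimum. An empty result means the alert is
// closed for every resolution, not only the instance Dependabot flagged.
function findVulnerable(lockText, minimums = MINIMUMS) {
  return parseLock(lockText)
    .filter((e) => Object.hasOwn(minimums, e.name) && cmpVersion(e.version, minimums[e.name]) < 0)
    .map((e) => `${e.name}@${e.version} < ${minimums[e.name]}`);
}
console.log(findVulnerable(SAMPLE_LOCK)); // [ 'hono@4.12.14 < 4.12.18' ]
```

Run it against the real `yarn.lock` with `findVulnerable(fs.readFileSync("yarn.lock", "utf8"))`; the second hono entry in the sample shows the case a single bump can miss.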
Copilot AI review requested due to automatic review settings May 13, 2026 13:34
@jonathannorris jonathannorris requested a review from a team as a code owner May 13, 2026 13:34
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! (View logs) | devcycle-mcp-server | ddbf0ad | May 13 2026, 01:36 PM |

Copilot AI left a comment


Pull request overview

This PR addresses open Dependabot security alerts by updating dependency versions and enforcing safer transitive resolutions via Yarn.

Changes:

  • Bumped hono to 4.12.18 (including mcp-worker) to pick up upstream security fixes.
  • Added a Yarn resolutions override for fast-uri to ensure a non-vulnerable version is selected.
  • Regenerated yarn.lock to reflect the updated dependency graph.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| yarn.lock | Updates lockfile entries to reflect hono@4.12.18 and the fast-uri resolution outcome. |
| package.json | Updates Yarn resolutions for hono and adds a fast-uri resolution override. |
| mcp-worker/package.json | Bumps hono dependency to 4.12.18. |


Comment thread: package.json
"picomatch@npm:^4.0.3": "^4.0.4",
"hono": "^4.12.16",
"hono": "^4.12.18",
"fast-uri": ">=3.1.2",
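Review bot: `"fast-uri": ">=3.1.2"` is an unbounded range, so any future install that regenerates the lockfile will float fast-uri to the newest version satisfying it, including a later major, rather than the 3.1.2 the description says it resolved to; prefer `"fast-uri": "^3.1.2"`, matching the caret style of the neighbouring `picomatch` and `hono` entries, so the override closes the advisory without admitting an unreviewed breaking upgrade. Because a `resolutions` entry bypasses the ranges declared by the packages that actually depend on fast-uri, it is also worth noting in the PR which dependents pull it in and whether their declared ranges accept 3.1.2, so the override can be dropped once they bump on their own.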