diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index f57e121e..ccc690a2 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -18,6 +18,9 @@ overrides: vite@>=8.0.0 <8.0.16: ^8.0.16 js-yaml@>=4.0.0 <4.2.0: ^4.2.0 '@babel/core@>=7.0.0 <7.29.6': ^7.29.6 + hono@<4.12.25: 4.12.25 + got@<11.8.5: 11.8.6 + electron@>=23.0.0 <39.8.5: 41.7.0 importers: @@ -962,7 +965,7 @@ packages: resolution: {integrity: sha512-GwtvgtXxnWsucXvbQXkRgqksiH2Qed37H9xHZocE5sA3N8O8O8/8FA3uclQXxXVzc9XBZuEOMK7+r02FmSpHtw==} engines: {node: '>=18.14.1'} peerDependencies: - hono: ^4 + hono: 4.12.25 '@huggingface/jinja@0.5.9': resolution: {integrity: sha512-uWTG+l3VJRsl7EXxYizuL3P+cCPoc3cRqbWWRcQN0FhejRfbdq0RNhCmbY/YDtnTcz9icdLYuLDjsnz4d8JMuw==} @@ -2832,9 +2835,6 @@ packages: '@types/mysql@2.15.27': resolution: {integrity: sha512-YfWiV16IY0OeBfBCk8+hXKmdTKrKlwKN1MNKAPBu5JYxLwBEZl7QzeEpGnlZb3VMGJrrGmB84gXiH+ofs/TezA==} - '@types/node@16.18.126': - resolution: {integrity: sha512-OTcgaiwfGFBKacvfwuHzzn1KLxH/er8mluiy8/uM3sGXHaRe73RrSIj01jow9t4kJEW633Ov+cOexXeiApTyAw==} - '@types/node@24.12.2': resolution: {integrity: sha512-A1sre26ke7HDIuY/M23nd9gfB+nrmhtYyMINbjI1zHJxYteKR6qSMX56FsmjMcDb3SMcjJg5BiRRgOCC/yBD0g==} @@ -3296,10 +3296,6 @@ packages: caniuse-lite@1.0.30001787: resolution: {integrity: sha512-mNcrMN9KeI68u7muanUpEejSLghOKlVhRqS/Za2IeyGllJ9I9otGpR9g3nsw7n4W378TE/LyIteA0+/FOZm4Kg==} - capture-stack-trace@1.0.2: - resolution: {integrity: sha512-X/WM2UQs6VMHUtjUDnZTRI+i1crWteJySFzr9UpGoQa4WQffXVTTXuekjl7TjZRlcF2XfjgITT0HxZ9RnxeT0w==} - engines: {node: '>=0.10.0'} - ccount@2.0.1: resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==} 
@@ -3488,10 +3484,6 @@ packages: crc@3.8.0: resolution: {integrity: sha512-iX3mfgcTMIq3ZKLIsVFAbv7+Mc10kxabAGQb8HvjA1o3T1PIYprbakQ65d3I+2HGHt6nSKkM9PYjgoJO2KcFBQ==} - create-error-class@3.0.2: - resolution: {integrity: sha512-gYTKKexFO3kh200H1Nit76sRwRtOY32vQd3jpAQKpLtZqyNsSQNfI4N7o3eP2wUjV35pTWKRYqFUDBvUha/Pkw==} - engines: {node: '>=0.10.0'} - cross-dirname@0.1.0: resolution: {integrity: sha512-+R08/oI0nl3vfPcqftZRpytksBXDzOUveBq/NBVx0sUp1axwzPQrKinNx5yd5sxPu8j1wIy8AfnVQ+5eFdha6Q==} @@ -3924,9 +3916,6 @@ packages: resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==} engines: {node: '>= 0.4'} - duplexer3@0.1.5: - resolution: {integrity: sha512-1A8za6ws41LQgv9HrE/66jyC5yuSjQ3L/KOpFtoBilsAK2iA2wuS5rTt1OCzIvtS2V7nVmedsUU+DGRcjBmOYA==} - ee-first@1.1.1: resolution: {integrity: sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==} @@ -3956,11 +3945,6 @@ packages: resolution: {integrity: sha512-bO3y10YikuUwUuDUQRM4KfwNkKhnpVO7IPdbsrejwN9/AABJzzTQ4GeHwyzNSrVO+tEH3/Np255a3sVZpZDjvg==} engines: {node: '>=8.0.0'} - electron@23.3.13: - resolution: {integrity: sha512-BaXtHEb+KYKLouUXlUVDa/lj9pj4F5kiE0kwFdJV84Y2EU7euIDgPthfKtchhr5MVHmjtavRMIV/zAwEiSQ9rQ==} - engines: {node: '>= 12.20.55'} - hasBin: true - electron@41.7.0: resolution: {integrity: sha512-U6KAKivjk6YQ0Z5+eloJBjwhbHRE206gvy1UBMw2bSluWtMh5waeXMvX6AT/Ujm5ymYXVJOp7g9N7vOFw16wBQ==} engines: {node: '>= 12.20.55'} @@ -4313,10 +4297,6 @@ packages: resolution: {integrity: sha512-6tfZ91bOr7bOXnK7PRDCGBLa1H4U080YHNaAQ2KsMGlLEzRbk44nsZF2E1IeRc3vtJHPVbKCYgdFbaGO2ljd8g==} engines: {node: '>=10.19.0'} - got@6.7.1: - resolution: {integrity: sha512-Y/K3EDuiQN9rTZhBvPRWMLXIKdeD1Rj0nzunfoi0Yyn5WBEbzxXKU9Ub2X41oZBagVWOBU3MuDonFMgPWQFnwg==} - engines: {node: '>=4'} - graceful-fs@4.2.11: resolution: {integrity: sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==} 
@@ -4384,8 +4364,8 @@ packages: resolution: {integrity: sha512-Xwwo44whKBVCYoliBQwaPvtd/2tYFkRQtXDWj1nackaV2JPXx3L0+Jvd8/qCJ2p+ML0/XVkJ2q+Mr+UVdpJK5w==} engines: {node: '>=12.0.0'} - hono@4.12.23: - resolution: {integrity: sha512-eIaZ9qDgu7XV0pxOCrg7/WhnQ6Ivm22UcxhXx/A3dcbqbbYgBEkc6e/J/s7j2tS96zoB0S9VBdLwQNCWwUo4LA==} + hono@4.12.25: + resolution: {integrity: sha512-2NFaIyNVgJmBs/ecmtGzlmluTFs5cHEWGTdu0t1HBwYzoGXOL5nUQBRMXsXWla5i4KkG//QMzVP88m1+I3fdAQ==} engines: {node: '>=16.9.0'} hookable@6.1.1: @@ -4593,14 +4573,6 @@ packages: is-promise@4.0.0: resolution: {integrity: sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==} - is-redirect@1.0.0: - resolution: {integrity: sha512-cr/SlUEe5zOGmzvj9bUyC4LVvkNVAXu4GytXLNMr1pny+a65MpQ9IJzFHD5vi7FyJgb4qt27+eS3TuQnqB+RQw==} - engines: {node: '>=0.10.0'} - - is-retry-allowed@1.2.0: - resolution: {integrity: sha512-RUbUeKwvm3XG2VYamhJL1xFktgjvPzL0Hq8C+6yrWIswDy3BIXGqCxhxkc30N9jqK311gVU137K8Ei55/zVJRg==} - engines: {node: '>=0.10.0'} - is-stream@1.1.0: resolution: {integrity: sha512-uQPm8kcs47jx38atAcWTVxyltQYoPT68y9aWYdV6yWXSyW8mzSat0TL6CiWdZeCdF3KrAvpVtnHbTv4RN+rqdQ==} engines: {node: '>=0.10.0'} @@ -4848,10 +4820,6 @@ packages: resolution: {integrity: sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==} hasBin: true - lowercase-keys@1.0.1: - resolution: {integrity: sha512-G2Lj61tXDnVFFOi8VZds+SoQjtQC3dgokKdDG2mTm1tx4m50NUHBOZSBwQQHyy0V12A0JTG4icfZQH+xPyh8VA==} - engines: {node: '>=0.10.0'} - lowercase-keys@2.0.0: resolution: {integrity: sha512-tqNXrS78oMOE73NMxK4EMLQsQowWf8jKooH9g7xPavRT706R6bkQJ6DY2Te7QukaZsulxa30wQ7bk0pm4XiHmA==} engines: {node: '>=8'} 
@@ -5478,10 +5446,6 @@ packages: deprecated: No longer maintained. Please contact the author of the relevant native addon; alternatives are available. hasBin: true - prepend-http@1.0.4: - resolution: {integrity: sha512-PhmXi5XmoyKw1Un4E+opM2KcsJInDvKyuOumcjjw3waw86ZNjHwVUOOWLc4bCzLdcKNaWBH9e99sbWzDQsVaYg==} - engines: {node: '>=0.10.0'} - pretty-format@27.5.1: resolution: {integrity: sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} @@ -6141,10 +6105,6 @@ packages: resolution: {integrity: sha512-7dPUZQGy/+m3/wjVz3ZW5dobSoD/02NxJpoXUX0WIyjfVS3l0c+b/+9phIDFA7FHzkYtwtMFgeGZ/Y8jVTeqQQ==} engines: {node: '>=4'} - timed-out@4.0.1: - resolution: {integrity: sha512-G7r3AhovYtr5YKOWQkta8RKAPb+J9IsO4uVmzjl8AZwfhs8UcUwTiD6gcJYSgOtzyjvQKrKYn41syHbUWMkafA==} - engines: {node: '>=0.10.0'} - tiny-async-pool@1.3.0: resolution: {integrity: sha512-01EAw5EDrcVrdgyCLgoSPvqznC0sVxDSVeiOz09FUpjh71G79VCqneOr+xvt7T1r76CF6ZZfPjHorN2+d+3mqA==} @@ -6346,10 +6306,6 @@ packages: synckit: optional: true - unzip-response@2.0.1: - resolution: {integrity: sha512-N0XH6lqDtFH84JxptQoZYmloF4nzrQqqrAymNj+/gW60AO2AZgOcf4O/nUXJcYfyQkqvMo9lSupBZmmgvuVXlw==} - engines: {node: '>=4'} - update-browserslist-db@1.2.3: resolution: {integrity: sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==} hasBin: true @@ -6363,10 +6319,6 @@ packages: uri-js@4.4.1: resolution: {integrity: sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==} - url-parse-lax@1.0.0: - resolution: {integrity: sha512-BVA4lR5PIviy2PMseNd2jbFQ+jwSwQGdJejf5ctd1rEXt0Ypd7yanUK9+lYechVlN5VaTJGsu2U/3MDDu6KgBA==} - engines: {node: '>=0.10.0'} - use-sync-external-store@1.6.0: resolution: {integrity: sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w==} peerDependencies: 
@@ -7404,9 +7356,9 @@ snapshots: transitivePeerDependencies: - tailwind-merge - '@hono/node-server@1.19.14(hono@4.12.23)': + '@hono/node-server@1.19.14(hono@4.12.25)': dependencies: - hono: 4.12.23 + hono: 4.12.25 '@huggingface/jinja@0.5.9': {} @@ -7587,7 +7539,7 @@ snapshots: '@modelcontextprotocol/sdk@1.29.0(zod@4.4.2)': dependencies: - '@hono/node-server': 1.19.14(hono@4.12.23) + '@hono/node-server': 1.19.14(hono@4.12.25) ajv: 8.20.0 ajv-formats: 3.0.1(ajv@8.20.0) content-type: 1.0.5 @@ -7597,7 +7549,7 @@ snapshots: eventsource-parser: 3.1.0 express: 5.2.1 express-rate-limit: 8.5.2(express@5.2.1) - hono: 4.12.23 + hono: 4.12.25 jose: 6.2.3 json-schema-typed: 8.0.2 pkce-challenge: 5.0.1 @@ -9212,8 +9164,6 @@ snapshots: dependencies: '@types/node': 25.9.1 - '@types/node@16.18.126': {} - '@types/node@24.12.2': dependencies: undici-types: 7.16.0 @@ -9727,8 +9677,6 @@ snapshots: caniuse-lite@1.0.30001787: {} - capture-stack-trace@1.0.2: {} - ccount@2.0.1: {} chai@6.2.2: {} @@ -9899,10 +9847,6 @@ snapshots: buffer: 5.7.1 optional: true - create-error-class@3.0.2: - dependencies: - capture-stack-trace: 1.0.2 - cross-dirname@0.1.0: optional: true @@ -10263,8 +10207,6 @@ snapshots: es-errors: 1.3.0 gopd: 1.2.0 - duplexer3@0.1.5: {} - ee-first@1.1.1: {} ejs@3.1.10: @@ -10336,14 +10278,6 @@ snapshots: transitivePeerDependencies: - supports-color - electron@23.3.13: - dependencies: - '@electron/get': 2.0.3 - '@types/node': 16.18.126 - extract-zip: 2.0.1 - transitivePeerDependencies: - - supports-color - electron@41.7.0: dependencies: '@electron/get': 2.0.3 
@@ -10744,22 +10678,6 @@ snapshots: p-cancelable: 2.1.1 responselike: 2.0.1 - got@6.7.1: - dependencies: - '@types/keyv': 3.1.4 - '@types/responselike': 1.0.3 - create-error-class: 3.0.2 - duplexer3: 0.1.5 - get-stream: 3.0.0 - is-redirect: 1.0.0 - is-retry-allowed: 1.2.0 - is-stream: 1.1.0 - lowercase-keys: 1.0.1 - safe-buffer: 5.2.1 - timed-out: 4.0.1 - unzip-response: 2.0.1 - url-parse-lax: 1.0.0 - graceful-fs@4.2.11: {} guid-typescript@1.0.9: {} @@ -10883,7 +10801,7 @@ snapshots: highlight.js@11.11.1: {} - hono@4.12.23: {} + hono@4.12.25: {} hookable@6.1.1: {} @@ -11080,10 +10998,6 @@ snapshots: is-promise@4.0.0: {} - is-redirect@1.0.0: {} - - is-retry-allowed@1.2.0: {} - is-stream@1.1.0: {} is-stream@2.0.1: {} @@ -11315,8 +11229,6 @@ snapshots: dependencies: js-tokens: 4.0.0 - lowercase-keys@1.0.1: {} - lowercase-keys@2.0.0: {} lowlight@3.3.0: @@ -12044,7 +11956,7 @@ snapshots: package-json@4.0.1: dependencies: - got: 6.7.1 + got: 11.8.6 registry-auth-token: 3.4.0 registry-url: 3.1.0 semver: 5.7.2 @@ -12176,8 +12088,6 @@ snapshots: tar-fs: 2.1.4 tunnel-agent: 0.6.0 - prepend-http@1.0.4: {} - pretty-format@27.5.1: dependencies: ansi-regex: 5.0.1 @@ -12398,7 +12308,7 @@ snapshots: react-devtools@7.0.1: dependencies: cross-spawn: 5.1.0 - electron: 23.3.13 + electron: 41.7.0 internal-ip: 6.2.0 minimist: 1.2.8 react-devtools-core: 7.0.1 @@ -13100,8 +13010,6 @@ snapshots: dependencies: execa: 0.7.0 - timed-out@4.0.1: {} - tiny-async-pool@1.3.0: dependencies: semver: 5.7.2 @@ -13279,8 +13187,6 @@ snapshots: dependencies: rolldown: 1.0.0-rc.17 - unzip-response@2.0.1: {} - update-browserslist-db@1.2.3(browserslist@4.28.2): dependencies: browserslist: 4.28.2 @@ -13304,10 +13210,6 @@ snapshots: dependencies: punycode: 2.3.1 - url-parse-lax@1.0.0: - dependencies: - prepend-http: 1.0.4 - use-sync-external-store@1.6.0(react@19.2.5): dependencies: react: 19.2.5 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 05d8c7d8..c9d05a8a 100644 --- a/pnpm-workspace.yaml 
+++ b/pnpm-workspace.yaml
@@ -100,6 +100,9 @@ minimumReleaseAgeExclude:
   - "dompurify@3.4.10"
   - "protobufjs@7.6.4"
   - "form-data@4.0.6"
+  # 2026-06-16 Dependabot advisory batch: hono security patch published within
+  # the 7-day guard window, adopted immediately (alerts #124-#128).
+  - "hono@4.12.25"
 
 # Supply-chain guard: refuse to install any package version published less
 # than this many minutes ago. 7 days catches the typical window in which
@@ -126,3 +129,14 @@ overrides:
   "vite@>=8.0.0 <8.0.16": "^8.0.16"
   "js-yaml@>=4.0.0 <4.2.0": "^4.2.0"
   "@babel/core@>=7.0.0 <7.29.6": "^7.29.6"
+  # 2026-06-16 advisory batch.
+  # hono CORS wildcard-with-credentials + path traversal etc. (#124-#128).
+  "hono@<4.12.25": "4.12.25"
+  # got UNIX-socket redirect (#103); only the dev react-devtools update-notifier
+  # chain pulls the vulnerable 6.x. Pin to the last CJS line (11.x), since
+  # package-json@4 `require()`s got and got@12+ is ESM-only.
+  "got@<11.8.5": "11.8.6"
+  # electron use-after-free / injection batch (#106-#123). The vulnerable 23.x
+  # comes only from react-devtools (dev-only standalone inspector); 23.x has no
+  # in-line patch (#104), so dedupe it onto the app's own electron major.
+  "electron@>=23.0.0 <39.8.5": "41.7.0"
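Review bot: The new `minimumReleaseAgeExclude` entry carves hono@4.12.25 out of the supply-chain guard permanently, but the comment gives no removal condition; once the 7-day window has elapsed the entry is dead configuration, and a list of never-pruned exceptions makes the next emergency bypass harder to review. Suggest a dated marker on the entry, e.g. `# TODO(2026-06-23): remove — 4.12.25 is older than minimumReleaseAge by then` (date derived from the 2026-06-16 adoption and the 7-day window the comment cites; adjust if the configured minutes differ). It would also help to record in the comment what stood in for the waiting period before the guard was bypassed (for example, that the release's npm provenance attestation was checked against the upstream repository), since that check is the only protection the exclusion leaves in place.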
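Review bot: The `"got@<11.8.5": "11.8.6"` override moves package-json@4.0.1 from got 6.x to got 11.x (visible in the lockfile hunk for package-json@4.0.1), and the comment justifies only the CJS/ESM constraint, not the options and response-handling changes across those majors, so the react-devtools update-notifier path could fail at runtime rather than at install time, which a lockfile update alone does not surface. If that path was exercised, say so, e.g. `# package-json@4 exercised against got 11 (react-devtools update check); dev-only, so a failure is non-fatal.`; if not, the dev-only scope should be stated explicitly as the accepted risk. The three new overrides also pin exact versions where the existing entries above use caret ranges (`"^8.0.16"`), which is reasonable for advisory pins but worth one sentence in the `2026-06-16 advisory batch` comment so the difference reads as deliberate rather than an oversight.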