
build(deps): bump @hono/node-server from 1.19.11 to 1.19.13#1890

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/hono/node-server-1.19.13

Conversation


@dependabot dependabot bot commented on behalf of github Apr 8, 2026

Bumps @hono/node-server from 1.19.11 to 1.19.13.

Release notes

Sourced from @hono/node-server's releases.

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

Full Changelog: honojs/node-server@v1.19.11...v1.19.12


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [@hono/node-server](https://github.com/honojs/node-server) from 1.19.11 to 1.19.13.
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v1.19.11...v1.19.13)

---
updated-dependencies:
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.13
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 8, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 8, 2026 03:19

changeset-bot bot commented Apr 8, 2026

⚠️ No Changeset found

Latest commit: a4e379a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


vercel bot commented Apr 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments
Project Deployment Actions Updated (UTC)
admin.ensnode.io Skipped Skipped Apr 8, 2026 3:19am
ensnode.io Skipped Skipped Apr 8, 2026 3:19am
ensrainbow.io Skipped Skipped Apr 8, 2026 3:19am

@vercel vercel bot temporarily deployed to Preview – admin.ensnode.io April 8, 2026 03:19 Inactive
@vercel vercel bot temporarily deployed to Preview – ensnode.io April 8, 2026 03:19 Inactive
@vercel vercel bot temporarily deployed to Preview – ensrainbow.io April 8, 2026 03:19 Inactive

greptile-apps bot commented Apr 8, 2026

Greptile Summary

This is a Dependabot-generated dependency bump that upgrades @hono/node-server from 1.19.11 to 1.19.13 across three apps (ensapi, ensrainbow, fallback-ensapi).

Key changes included in this bump:

  • v1.19.13 – Security fix (GHSA-92pp-h63x-v22m): Fixes a path-traversal/bypass issue in the Serve Static Middleware where repeated slashes (//) could be used to bypass middleware routing. All users of serveStatic are encouraged to upgrade.
  • v1.19.12 – Bug fix: Fixes incorrect request draining behaviour when the server issues an early 413 Payload Too Large response, which could previously leave connections in a bad state.
  • The pnpm-lock.yaml change is clean and expected: the resolved version is updated to 1.19.13 for all three apps and their transitive consumers. An incidental addition of a @vitest/mocker@4.0.5 snapshot variant (tsx@4.20.6) and a corresponding adjustment to a vitest@4.0.5 snapshot are also present; these appear to be pnpm de-duplication side-effects and do not affect production behaviour.

Confidence Score: 5/5

Safe to merge — this is a targeted security and bug-fix patch with no breaking API changes.

This is a patch-level dependency bump that addresses a published security advisory (GHSA-92pp-h63x-v22m) and a request-draining bug. All four changed files are as expected: three package.json version specifier updates and a consistent lockfile update. No logic, API surface, or configuration changes are introduced. The incidental @vitest/mocker lockfile snapshot change is a harmless pnpm de-duplication artefact. No P0 or P1 findings.

No files require special attention.

Vulnerabilities

This PR resolves a known security advisory (GHSA-92pp-h63x-v22m) in @hono/node-server's Serve Static Middleware, where inconsistent handling of repeated slashes (//) could allow the middleware to be bypassed. Upgrading to 1.19.13 directly addresses this vulnerability. No new security concerns are introduced by this change.

Important Files Changed

Filename Overview
apps/ensapi/package.json Bumps @hono/node-server minimum version specifier from ^1.19.10 to ^1.19.13 to pick up the security and bug-fix releases.
apps/ensrainbow/package.json Same @hono/node-server minimum version bump as the other apps — straightforward security patch adoption.
apps/fallback-ensapi/package.json Same @hono/node-server minimum version bump in devDependencies — consistent with the other apps.
pnpm-lock.yaml Lockfile updated to resolve @hono/node-server to 1.19.13 across all three apps and their transitive consumers; also adds a new @vitest/mocker@4.0.5 snapshot entry (tsx@4.20.6 variant) and adjusts the vitest@4.0.5 snapshot to reference it — a minor incidental change unrelated to the main bump.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["@hono/node-server v1.19.11\n(previous)"] -->|bump| B["@hono/node-server v1.19.13\n(new)"]
    B --> C["v1.19.12: Fix request draining\nfor early 413 responses"]
    B --> D["v1.19.13: Security fix\nGHSA-92pp-h63x-v22m\n// slash bypass in serveStatic"]
    E["apps/ensapi"] --> B
    F["apps/ensrainbow"] --> B
    G["apps/fallback-ensapi"] --> B

Reviews (1): Last reviewed commit: "build(deps): bump @hono/node-server from..."
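The advisory summarized in the bot comments above describes a router and a static-file resolver that treat repeated slashes differently. The following is an added example, not code from @hono/node-server, hono, or this repository, written in plain Node.js to show the general pattern from the defender's side: a guard that inspects the raw request path can disagree with a resolver that normalizes that path, and canonicalizing once before any matching removes the disagreement. All function names and the sample paths are hypothetical and constructed for the example.

```javascript
// Added example, not code from @hono/node-server or this repository.
// All names here (canonicalizeUrlPath, matchesPrefix, toFilePath,
// resolveInconsistent, resolveConsistent) are hypothetical; inputs are constructed.

// Collapse repeated slashes and resolve "." / ".." segments of a URL path.
// Returns null when ".." would climb above the root.
function canonicalizeUrlPath(rawPath) {
  // Splitting on one-or-more slashes makes "//a///b" and "/a/b" equivalent.
  const segments = rawPath.split(/\/+/).filter((s) => s.length > 0);
  const out = [];
  for (const seg of segments) {
    if (seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // would escape the root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// True when urlPath is the prefix itself or lies beneath it.
function matchesPrefix(urlPath, prefix) {
  return urlPath === prefix || urlPath.startsWith(prefix + "/");
}

// Joins a filesystem root (no trailing slash) with a canonical URL path.
function toFilePath(root, canonical) {
  return root + canonical;
}

// Pattern the advisory describes: the guard looks at the raw path while the
// file resolver looks at a normalized one, so the two can answer for
// different paths and a protected file may be served without the guard firing.
function resolveInconsistent(rawPath, protectedPrefix, root) {
  const guarded = matchesPrefix(rawPath, protectedPrefix);
  const canonical = canonicalizeUrlPath(rawPath);
  return { guarded, file: canonical === null ? null : toFilePath(root, canonical) };
}

// Hardened pattern: canonicalize once, then both decisions see the same path.
// Non-canonical input is also reported so a caller can refuse or redirect it.
function resolveConsistent(rawPath, protectedPrefix, root) {
  const canonical = canonicalizeUrlPath(rawPath);
  if (canonical === null) return { guarded: false, file: null, nonCanonical: true };
  return {
    guarded: matchesPrefix(canonical, protectedPrefix),
    file: toFilePath(root, canonical),
    nonCanonical: canonical !== rawPath,
  };
}

// Constructed request paths for demonstration only.
const SAMPLE_PATHS = ["/admin/report.txt", "//admin/report.txt", "/static//css/../app.js"];
for (const p of SAMPLE_PATHS) {
  console.log(p, resolveInconsistent(p, "/admin", "/srv/www"), resolveConsistent(p, "/admin", "/srv/www"));
}
```

The practical takeaway is the one the fix encodes: whatever normalization the file resolver applies must be applied before the router and any guarding middleware run, so every layer reasons about the same canonical path. Treating a request whose path differs from its canonical form as suspicious (reject, or redirect to the canonical form) also gives a cheap detection signal for this class of bug.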
