chore(deps): bump the dependencies group with 4 updates

[dependabot]

Bumps the dependencies group with 4 updates: memfs, @hono/node-server, hono and lint-staged.

Updates memfs from 4.57.7 to 4.57.8

Release notes

Sourced from memfs's releases.

Release v4.57.8

What's Changed

• fix: clamp negative truncate length to zero (uninitialized-memory leak) by @​chatman-media in streamich/memfs#1261

New Contributors

• @​chatman-media made their first contribution in streamich/memfs#1261

Full Changelog: streamich/memfs@v4.57.7...v4.57.8

Commits

• 29b912b chore: release v4.57.8
• b5c6c62 Merge pull request #1261 from chatman-media/fix/truncate-negative-length-memo...
• f2be1ce fix: 🐛 clamp negative truncate length to zero
• See full diff in compare view

Updates @hono/node-server from 2.0.5 to 2.0.6

Release notes

Sourced from @​hono/node-server's releases.

v2.0.6

What's Changed

• ci: publish to npm from CI with OIDC trusted publishing and bump np by @​yusukebe in honojs/node-server#361
• ci: use npm Staged publishing by @​yusukebe in honojs/node-server#364
• fix: preserve status and statusText when cloning a Response with liveheaders by @​usualoma in honojs/node-server#363

Full Changelog: honojs/node-server@v2.0.5...v2.0.6

Commits

• ff75c61 2.0.6
• 814720f fix: preserve status and statusText when cloning a Response with live headers...
• a76209a ci: use npm Staged publishing (#364)
• 44c365a ci: publish to npm from CI with OIDC trusted publishing and bump np (#361)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​hono/node-server since your current version.

Updates hono from 4.12.25 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc

---

Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

What's Changed

• fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @​yusukebe in honojs/hono#5013
• ci: publish to npm from CI with OIDC trusted publishing by @​yusukebe in honojs/hono#5028
• chore: remove unused devcontainer and gitpod configs by @​yusukebe in honojs/hono#5029
• chore: replace arg and glob with Bun native APIs in build script by @​yusukebe in honojs/hono#5030

Full Changelog: honojs/hono@v4.12.25...v4.12.26

Commits

• 97c6fe1 4.12.27
• aa92177 Merge commit from fork
• cd3f6f7 Merge commit from fork
• d4853a8 fix(jsx): make merged context-isolation tests pass tsc type check (#5037)
• 6735fea fix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)
• fab3b13 Merge commit from fork
• 9f0dadf ci: use npm Staged publishing (#5035)
• 27b7992 4.12.26
• d29982c chore: replace arg and glob with Bun native APIs in build script
• 16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.

Updates lint-staged from 17.0.7 to 17.0.8

Release notes

Sourced from lint-staged's releases.

v17.0.8

Patch Changes

• #1809 179b437 - Fix lint-staged discarding the ongoing merge conflict status (.git/MERGE_HEAD) when using the --hide-unstaged or --hide-all options.

• #1811 3d0b2c0 - Fix issues with Git commands that are successful but also emit warnings to stderr, by ignoring the stderr output completely when the process exits with code 0. This was the behavior when using nano-spawn and execa, but when switching to tinyexec in 16.3.0 both stdout and stderr were used as interleaved output.

Changelog

Sourced from lint-staged's changelog.

17.0.8

Patch Changes

• #1809 179b437 - Fix lint-staged discarding the ongoing merge conflict status (.git/MERGE_HEAD) when using the --hide-unstaged or --hide-all options.

• #1811 3d0b2c0 - Fix issues with Git commands that are successful but also emit warnings to stderr, by ignoring the stderr output completely when the process exits with code 0. This was the behavior when using nano-spawn and execa, but when switching to tinyexec in 16.3.0 both stdout and stderr were used as interleaved output.

Commits

• 5f3b8f2 Merge pull request #1812 from lint-staged/changeset-release/main
• 43a9b8d chore(changeset): release
• 630e2f6 Merge pull request #1809 from lint-staged/restore-merge-status
• 179b437 fix: restore Git merge status after creating backup stash
• 6bae2e2 Merge pull request #1811 from lint-staged/exec-git-ignore-stderr
• b82a830 ci: run npm audit omitting dev, including prod dependencies
• 0b19b80 build(deps): update dependencies
• 3d0b2c0 fix: ignore stderr when doing Git operations
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: c98adf3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR