chore(deps-dev): bump hono from 4.12.4 to 4.12.16 in /packages/hono

[dependabot]

Bumps hono from 4.12.4 to 4.12.16.

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

New Contributors

• @​hiendv made their first contribution in honojs/hono#4889

Full Changelog: honojs/hono@v4.12.14...v4.12.15

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in honojs/hono#4865
• feat(trailing-slash): add skip option by @​yusukebe in honojs/hono#4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in honojs/hono#4876

New Contributors

• @​T4ko0522 made their first contribution in honojs/hono#4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

... (truncated)

Commits

• 90d4182 4.12.16
• db05b96 Merge commit from fork
• 614b834 Merge commit from fork
• 027e3df fix(method-override): handle Content-Type with charset parameter (#4894)
• f774f8d 4.12.15
• 18fe604 fix(jwt): support single-line PEM keys (#4889)
• cf2d2b7 4.12.14
• 66daa2e Merge commit from fork
• fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
• 3779927 4.12.13
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This is a Dependabot-generated bump of the hono devDependency from 4.12.4 to 4.12.16 in the @better-webhook/hono adapter package, picking up three security advisories (GHSA-69xw-7hcm-h432, GHSA-9vqf-7f2p-gf9v, GHSA-458j-xx4x-4375) along with several bug fixes.

• The devDependency version used in CI and tests is now patched, but the peerDependencies range remains \"^4.0.0\", meaning downstream consumers can still resolve to any vulnerable 4.x version.
• No runtime code is changed; only packages/hono/package.json is modified.

Confidence Score: 3/5

Safe to merge for the CI environment, but downstream consumers of the published package can still resolve vulnerable hono versions via the unchanged peer dependency range.

The devDependency update patches the test environment, but the peerDependency constraint ^4.0.0 leaves consumers free to install any 4.x hono version, including those with three security advisories around JSX injection and body-limit bypass.

packages/hono/package.json — the peerDependency range needs to be tightened alongside the devDependency bump.

Security Review

• Peer dependency allows vulnerable hono versions (packages/hono/package.json): The peerDependencies range ^4.0.0 permits consumers to install hono versions containing three patched CVEs — JSX tag-name HTML injection (GHSA-69xw-7hcm-h432), bodyLimit() bypass for chunked requests (GHSA-9vqf-7f2p-gf9v), and JSX attribute injection in SSR (GHSA-458j-xx4x-4375). The devDependency update does not protect library consumers from these vulnerabilities.

Important Files Changed

Filename	Overview
packages/hono/package.json	Bumps hono devDependency from 4.12.4 to 4.12.16 to pick up multiple security patches, but the peerDependency range remains ^4.0.0, allowing consumers to resolve vulnerable versions.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["@better-webhook/hono\npublished package"] -->|peerDependency ^4.0.0| B{Consumer resolves hono}
    B -->|resolves < 4.12.14| C["❌ Vulnerable\nGHSA-69xw-7hcm-h432\nGHSA-9vqf-7f2p-gf9v\nGHSA-458j-xx4x-4375"]
    B -->|resolves >= 4.12.16| D["✅ Patched"]
    A -->|devDependency 4.12.16| E["CI / Tests\n✅ Patched"]

Loading

Comments Outside Diff (1)

1. packages/hono/package.json, line 59 (link)

   Broad peer dependency range allows vulnerable hono versions

   The peerDependencies constraint "hono": "^4.0.0" permits any 4.x release, including versions below 4.12.14 that contain the security vulnerabilities patched in this series (GHSA-69xw-7hcm-h432 — JSX tag-name HTML injection; GHSA-9vqf-7f2p-gf9v — bodyLimit() bypass for chunked requests; GHSA-458j-xx4x-4375 — JSX attribute injection). This bump updates the devDependency used in CI, but consumers of @better-webhook/hono who resolve the peer to an older 4.x version remain exposed. Tightening the constraint to ">=4.12.16" (or "^4.12.16") would signal to package managers that the vulnerable range is unsafe.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: packages/hono/package.json
   Line: 59
   
   Comment:
   **Broad peer dependency range allows vulnerable hono versions**
   
   The `peerDependencies` constraint `"hono": "^4.0.0"` permits any 4.x release, including versions below 4.12.14 that contain the security vulnerabilities patched in this series (GHSA-69xw-7hcm-h432 — JSX tag-name HTML injection; GHSA-9vqf-7f2p-gf9v — `bodyLimit()` bypass for chunked requests; GHSA-458j-xx4x-4375 — JSX attribute injection). This bump updates the devDependency used in CI, but consumers of `@better-webhook/hono` who resolve the peer to an older 4.x version remain exposed. Tightening the constraint to `">=4.12.16"` (or `"^4.12.16"`) would signal to package managers that the vulnerable range is unsafe.
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
packages/hono/package.json:59
**Broad peer dependency range allows vulnerable hono versions**

The `peerDependencies` constraint `"hono": "^4.0.0"` permits any 4.x release, including versions below 4.12.14 that contain the security vulnerabilities patched in this series (GHSA-69xw-7hcm-h432 — JSX tag-name HTML injection; GHSA-9vqf-7f2p-gf9v — `bodyLimit()` bypass for chunked requests; GHSA-458j-xx4x-4375 — JSX attribute injection). This bump updates the devDependency used in CI, but consumers of `@better-webhook/hono` who resolve the peer to an older 4.x version remain exposed. Tightening the constraint to `">=4.12.16"` (or `"^4.12.16"`) would signal to package managers that the vulnerable range is unsafe.

_{Reviews (1): Last reviewed commit: "chore(deps-dev): bump hono from 4.12.4 t..." | Re-trigger Greptile}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
better-webhook-docs	Ready	Preview, Comment	May 8, 2026 5:02pm

[dependabot]

Superseded by #97.