Bump hono from 4.12.14 to 4.12.18 in /modules/web

[dependabot]

Bumps hono from 4.12.14 to 4.12.18.

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

---

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

• fix(jsx): normalize SVG attributes on the root element by @​kfly8 in honojs/hono#4893
• fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @​yuintei in honojs/hono#4899
• fix(cors): make origin optional in CORSOptions by @​truffle-dev in honojs/hono#4905
• fix(types): propagate middleware response types to app.on overloads by @​T4ko0522 in honojs/hono#4906

New Contributors

• @​kfly8 made their first contribution in honojs/hono#4893
• @​truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

... (truncated)

Commits

• f10dee8 4.12.18
• a5bd9eb Merge commit from fork
• 58d3d3a Merge commit from fork
• 568c2ec Merge commit from fork
• ff2b3d3 4.12.17
• 52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
• 76d5589 fix(cors): make origin optional in CORSOptions (#4905)
• 8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
• bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
• 90d4182 4.12.16
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[kubermatic-bot]

Adding the "do-not-merge/docs-needed" label because no documentation block was detected, please follow our documentation process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kubermatic-bot]

Adding the "do-not-merge/test-issue-needed" label because no test-issue block was detected, please add a proper test-issue block to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kubermatic-bot]

Adding the "do-not-merge/docs-needed" label because no documentation block was detected, please follow our documentation process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kubermatic-bot]

Adding the "do-not-merge/test-issue-needed" label because no test-issue block was detected, please add a proper test-issue block to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kubermatic-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ahmadhamzh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• modules/web/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubermatic-bot]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a kubermatic member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 45.17%. Comparing base (a12f29c) to head (5eddc30).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8061   +/-   ##
=======================================
  Coverage   45.17%   45.17%           
=======================================
  Files         448      448           
  Lines       20912    20912           
  Branches     3009     3009           
=======================================
  Hits         9446     9446           
  Misses      11460    11460           
  Partials        6        6           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.