
Fix dependency audit issues #2261

Merged: lightwalker-eth merged 1 commit into main from deps/fix-sec-audit-issues on Jun 5, 2026

Conversation

tk-o (Member) commented Jun 5, 2026

This PR addresses the issues reported by the OSV scanner.

Copilot AI review requested due to automatic review settings June 5, 2026 11:40
@tk-o tk-o requested a review from a team as a code owner June 5, 2026 11:40
vercel (Bot) commented Jun 5, 2026

The latest updates on your projects.

Deployments (updated Jun 5, 2026 11:42am UTC):

  • admin.ensnode.io: Ready (Preview, Comment)
  • enskit-react-example.ensnode.io: Building (Preview)
  • ensnode.io: Ready (Preview, Comment)
  • ensrainbow.io: Ready (Preview, Comment)

changeset-bot (Bot) commented Jun 5, 2026

⚠️ No Changeset found

Latest commit: 116ddba

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


coderabbitai (Bot) commented Jun 5, 2026

Walkthrough

The hono web framework dependency version is bumped from ^4.12.18 to ^4.12.23 in the pnpm workspace catalog configuration.

Changes

Dependency Version Update:

  • Hono version bump (pnpm-workspace.yaml): The hono catalog entry is updated to ^4.12.23, allowing projects in the workspace to use a newer patch release of the framework.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • namehash/ensnode#1570: Both PRs update the hono dependency version in the pnpm workspace catalog.
  • namehash/ensnode#1755: Both PRs modify the hono version constraint in pnpm-workspace.yaml's catalog.
  • namehash/ensnode#1632: Both PRs update dependency versions in the pnpm configuration for workspace dependency management.

Poem

🐰 A tiny bump, version fine,
From 4.12.18 to 4.12.23,
Hono soars to newer heights,
One line changed, all tests alight! ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Description check (⚠️ Warning): The PR description is minimal and lacks required sections from the template, including explicit summary bullets, rationale with issue links, testing details, and pre-review checklist. Resolution: Expand the description to follow the Lite PR template: add 1-3 bullet points summarizing changes, explain why the OSV issues required fixing, document testing performed, and complete the pre-review checklist.
  • Title check (❓ Inconclusive): The title 'Fix dependency audit issues' is related to the changeset which updates a dependency version, but it is overly broad and generic, not clearly describing the specific dependency update. Resolution: Consider using a more specific title like 'Update hono dependency to v4.12.23' or 'Fix hono security vulnerability' to better communicate the precise change.

✅ Passed checks (3 passed)

  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the workspace “catalog” dependency version for hono to address vulnerabilities reported by the OSV service.

Changes:

  • Bumped hono catalog version from ^4.12.18 to ^4.12.23 in the workspace config.
  • Regenerated pnpm-lock.yaml to consistently resolve hono@4.12.23 across importers/snapshots.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

  • pnpm-workspace.yaml: Updates the catalog-pinned hono version to ^4.12.23.
  • pnpm-lock.yaml: Updates lockfile resolutions and dependency graph references to use hono@4.12.23 (removing 4.12.18).

Files not reviewed (1)

  • pnpm-lock.yaml: Language not supported


greptile-apps (Bot) commented Jun 5, 2026

Greptile Summary

This PR bumps the workspace-catalog hono dependency from 4.12.18 to 4.12.23 to address multiple medium-severity CVEs reported by OSV. The lockfile is updated consistently across all packages that carry hono as a direct or peer dependency.

  • CVEs resolved: HTTP Response Splitting via serialize (Set-Cookie header injection), Improper Authorization in the jwt middleware (non-Bearer scheme bypass), and HTTP Request Smuggling — all fixed in 4.12.21+; the bump to 4.12.23 also picks up subsequent patch fixes.
  • Lockfile consistency: every snapshot entry referencing hono@4.12.18 — including @hono/node-server, @hono/otel, @hono/zod-openapi, @hono/zod-validator, ponder-enrich-gql-docs-middleware, and ponder — is correctly updated to hono@4.12.23.

Confidence Score: 5/5

This PR is safe to merge — it is a targeted patch-level dependency bump with no logic changes.

The change is limited to bumping hono from 4.12.18 to 4.12.23 in the workspace catalog and regenerating the lockfile. No application code is touched. The lockfile update is consistent: every snapshot that previously referenced hono@4.12.18 as a direct dependency or peer has been updated to hono@4.12.23, including all @hono/* packages and ponder.

No files require special attention — both changed files contain only the expected version-string substitutions.

Important Files Changed

  • pnpm-workspace.yaml: Bumps the workspace catalog hono version from ^4.12.18 to ^4.12.23 to remediate multiple medium-severity CVEs.
  • pnpm-lock.yaml: Lockfile updated consistently; all direct and transitive snapshots referencing hono@4.12.18 are replaced with hono@4.12.23, including peer-dep variants for @hono/node-server, @hono/otel, @hono/zod-openapi, @hono/zod-validator, ponder-enrich-gql-docs-middleware, and ponder.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[OSV Audit Report] --> B{hono older than 4.12.21}
    B -->|HTTP Response Splitting| C[Set-Cookie header injection via serialize]
    B -->|Improper Authorization| D[JWT middleware accepts non-Bearer schemes]
    B -->|HTTP Request Smuggling| E[Request smuggling vector]
    C --> F[Bump hono catalog to 4.12.23]
    D --> F
    E --> F
    F --> G[pnpm-workspace.yaml updated]
    F --> H[pnpm-lock.yaml updated]
    H --> I[hono resolved to 4.12.23]
    H --> J[hono-node-server peer updated]
    H --> K[hono-otel peer updated]
    H --> L[hono-zod-openapi peer updated]
    H --> M[ponder peer updated]
    I & J & K & L & M --> N[All CVEs remediated]

Reviews (1): Last reviewed commit: "Fix dependency audit issues"
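The lockfile-consistency check Greptile describes above, written out as an added example (not code from the ensnode repository): it reads the hono floor from the pnpm-workspace.yaml catalog, collects every hono@x.y.z reference in pnpm-lock.yaml, and flags any that is below the first fixed release (4.12.21, per the summary) or that disagrees with the catalog. The YAML and lockfile excerpts are constructed samples, and the regex parsing assumes pnpm's lockfile key format rather than using a YAML library.

```typescript
// Added example, not code from the ensnode repository: checks that the pnpm
// catalog and lockfile agree on one hono version at or above the first
// release carrying the fixes named in this PR (4.12.21).
const MIN_FIXED_HONO = "4.12.21";
// Constructed samples standing in for pnpm-workspace.yaml and pnpm-lock.yaml.
const workspaceYaml = `
catalog:
  hono: ^4.12.23
  zod: ^3.23.8
`;
const lockfileText = `
snapshots:
  '@hono/node-server@1.13.7(hono@4.12.23)': {}
  '@hono/zod-openapi@0.16.4(hono@4.12.23)(zod@3.23.8)': {}
  hono@4.12.23: {}
`;
// Same lockfile with one @hono/* snapshot still on the old peer version.
const staleLockfile = lockfileText.replace("(hono@4.12.23)(zod", "(hono@4.12.18)(zod");

function compareSemver(a: string, b: string): number {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Catalog floor for hono: "^4.12.23" -> "4.12.23".
function catalogHonoVersion(yaml: string): string {
  const m = /^\s*hono:\s*['"]?[\^~]?(\d+\.\d+\.\d+)/m.exec(yaml);
  if (!m) throw new Error("hono not found in catalog");
  return m[1];
}

// Every distinct "hono@x.y.z" in the lockfile, including the peer suffix in
// @hono/* snapshot keys ("@hono/" itself has no "@" after "hono", so no match).
function lockfileHonoVersions(lock: string): string[] {
  const re = /\bhono@(\d+\.\d+\.\d+)/g, found: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(lock)) !== null) if (found.indexOf(m[1]) < 0) found.push(m[1]);
  return found.sort();
}

function auditHono(yaml: string, lock: string): { ok: boolean; problems: string[] } {
  const catalog = catalogHonoVersion(yaml), problems: string[] = [];
  if (compareSemver(catalog, MIN_FIXED_HONO) < 0) problems.push(`catalog ${catalog} below ${MIN_FIXED_HONO}`);
  for (const v of lockfileHonoVersions(lock)) {
    if (compareSemver(v, MIN_FIXED_HONO) < 0) problems.push(`lockfile still resolves hono@${v}`);
    else if (v !== catalog) problems.push(`lockfile hono@${v} differs from catalog ${catalog}`);
  }
  return { ok: problems.length === 0, problems };
}
```

Run against the real files by replacing the two sample strings with the contents of pnpm-workspace.yaml and pnpm-lock.yaml; a stale peer pin such as the one in staleLockfile is reported even when the catalog itself is already at the fixed version.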

@lightwalker-eth lightwalker-eth merged commit 79a135e into main Jun 5, 2026
23 checks passed
@lightwalker-eth lightwalker-eth deleted the deps/fix-sec-audit-issues branch June 5, 2026 11:52

3 participants