chore(deps): bump hono from 4.12.7 to 4.12.12

[dependabot]

Bumps hono from 4.12.7 to 4.12.12.

Release notes

Sourced from hono's releases.

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11

What's Changed

• feat(css): add classNameSlug option to createCssContext by @​flow-pie in honojs/hono#4834

New Contributors

• @​flow-pie made their first contribution in honojs/hono#4834

Full Changelog: honojs/hono@v4.12.10...v4.12.11

v4.12.10

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in honojs/hono#4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in honojs/hono#4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in honojs/hono#4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in honojs/hono#4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in honojs/hono#4851

New Contributors

• @​Abhi3975 made their first contribution in honojs/hono#4843
• @​VISHNU7KASIREDDY made their first contribution in honojs/hono#4851

... (truncated)

Commits

• c37ba26 4.12.12
• cc067c8 Merge commit from fork
• a586cd7 Merge commit from fork
• 48fa223 Merge commit from fork
• b470278 Merge commit from fork
• 9aff14b Merge commit from fork
• 2c403c6 4.12.11
• f82aba8 feat(css): add classNameSlug option to createCssContext (#4834)
• 9f374a5 4.12.10
• a8c56a6 docs(ip-restriction): add clear JSDoc examples and param types (#4851)
• Additional commits viewable in compare view

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agents-api	Ready	Preview, Comment	Apr 14, 2026 6:19pm
agents-docs	Ready	Preview, Comment	Apr 14, 2026 6:19pm
agents-manage-ui	Ready	Preview, Comment	Apr 14, 2026 6:19pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	husky@​9.1.7
	next@​16.2.2
	class-variance-authority@​0.7.1
	@​opentelemetry/​sdk-trace-node@​2.5.1 ⏵ 2.1.0
	picocolors@​1.1.1
	@​opentelemetry/​context-async-hooks@​2.0.1 ⏵ 2.1.0	+1
	@​types/​json-schema@​7.0.15
	@​langfuse/​tracing@​4.0.1
	clsx@​2.1.1
	date-fns@​4.1.0
	@​types/​node@​22.18.4
	js-yaml@​4.1.1
	tsx@​4.20.5
	hast-util-to-jsx-runtime@​2.3.6
	mdast-util-to-markdown@​2.1.2
	unist-util-visit@​5.1.0
	remark-gfm@​4.0.1
	remark-rehype@​11.1.2
	remark@​15.0.1
	langfuse@​3.38.5
	tailwindcss@​4.1.18
	globals@​16.5.0
	ajv@​8.18.0
	zod@​4.3.6
	yaml@​2.8.2
	sharp@​0.34.5
	tw-animate-css@​1.4.0
	typescript@​5.9.2
	prettier@​3.8.1
	zustand@​5.0.9
	@​opentelemetry/​core@​2.3.0 ⏵ 2.1.0			+1	+1
	dotenv@​16.6.1
	@​tailwindcss/​postcss@​4.1.18

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[changeset-bot]

⚠️ No Changeset found

Latest commit: b471d7c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

A matching internal PR is ready in inkeep/agents-private#95 for canonical review and merge.

• Original author attribution is preserved as @dependabot[bot]
• The internal PR is the authoritative merge surface
• The public repo will pick up the merged change through the normal mirror sync

This comment will be updated as the bridge state changes.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.