Skip to content

fix: upgrade hono to >=4.12.7 to resolve prototype pollution CVE#5

Draft
Copilot wants to merge 2 commits intocursor/critical-bug-inspection-4ffafrom
copilot/sub-pr-4
Draft

fix: upgrade hono to >=4.12.7 to resolve prototype pollution CVE#5
Copilot wants to merge 2 commits intocursor/critical-bug-inspection-4ffafrom
copilot/sub-pr-4

Conversation

Copy link

Copilot AI commented Mar 12, 2026
edited
Loading

hono@4.12.5 (transitive via @modelcontextprotocol/sdk) has a prototype pollution vulnerability (GHSA-v8w9-8mx6-g223, moderate), patched in >=4.12.7. This was causing the pnpm audit --prod security CI job to fail.

Changes

  • package.json — Added hono: ">=4.12.7" to pnpm.overrides alongside the existing phin override: 
    "overrides": {
  "phin@<3.7.1": ">=3.7.1",
  "hono": ">=4.12.7"
}
  • pnpm-lock.yaml — Regenerated; hono now resolves to 4.12.7.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Mar 12, 2026
Draft
@starmorph
fix: upgrade hono to >=4.12.7 to resolve prototype pollution CVE
df31c9c 
Co-authored-by: starmorph <121908331+starmorph@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix restrict MCP config permissions to protect API keys fix: upgrade hono to >=4.12.7 to resolve prototype pollution CVE Mar 12, 2026
Copilot AI requested a review from starmorph March 12, 2026 19:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@starmorph starmorph Awaiting requested review from starmorph

Assignees

@starmorph starmorph

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@starmorph