Skip to content

chore(deps): bump hono and prisma in /services/heady-onboarding#153

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/services/heady-onboarding/multi-df499fd632
Open

chore(deps): bump hono and prisma in /services/heady-onboarding#153
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/services/heady-onboarding/multi-df499fd632

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 7, 2026

Bumps hono to 4.12.18 and updates ancestor dependency prisma. These dependencies need to be updated together.

Updates hono from 4.12.8 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

... (truncated)

Commits

Updates prisma from 7.5.0 to 7.8.0

Release notes

Sourced from prisma's releases.

7.8.0

Today, we are excited to share the 7.8.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

Features

Prisma Client

  • Added a queryPlanCacheMaxSize option to the PrismaClient constructor for fine-grained control over the query plan cache. Pass 0 to disable the cache entirely, or omit it to use the default cache size. A larger value can improve performance in applications that execute many unique queries, while a smaller one can reduce memory usage. (#29503)

Bug Fixes

Prisma Client

  • Fixed an equality filter panic and incorrect ::jsonb cast when filtering on PostgreSQL JSON list columns. Queries using where: { jsonListField: { equals: [...] } }prisma/prisma-engines#5804
  • Fixed case-insensitive JSON field filtering (mode: insensitive), allowing where: { jsonField: { equals: "...", mode: "insensitive" } }prisma/prisma-engines#5806
  • Fixed incorrect parameterization of enum values that have a custom database name set via @map. (#29422)
  • Fixed a database parameter limit check (P2029), which could incorrectly reject or miss over-limit queries. (#29422)
  • Fixed a regression that caused missing SQL Server VARCHARprisma/prisma-engines#5801

Schema Engine

  • Fixed a misleading error message in prisma migrate diff that referenced the --shadow-database-url CLI flag, which was removed in Prisma 7. (#29455)
  • Fixed prisma migrate dev (and shadow database migration replay in general) failing with CREATE INDEX CONCURRENTLY cannot run inside a transaction blockprisma/prisma-engines#5799
  • Fixed PostgreSQL introspection silently dropping sequence defaults when the database returns the schema-qualified form pg_catalog.nextval('sequence_name'::regclass) instead of the bare nextval(...). Columns backed by sequences now correctly appear as @default(autoincrement())prisma/prisma-engines#5802

Driver Adapters

  • @​prisma/adapter-d1: Savepoint operations (createSavepoint, rollbackToSavepoint, releaseSavepoint) now silently no-op with debug logging instead of executing SQL statements, consistent with how the D1 adapter already treats top-level transactions. (#29499)

Open roles at Prisma

Interested in joining Prisma? We're growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that's right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

7.7.0

Today, we are excited to share the 7.7.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

... (truncated)

Commits
  • 5723406 fix(cli): route bootstrap telemetry to Prisma Web Properties project (#29473)
  • 8e71aa7 fix(cli): install missing @prisma/client in prisma bootstrap (#29444)
  • ada077b fix(cli): bootstrap UX — auto-install deps, resumable flow, timeout handling ...
  • 9b0b7f5 feat(cli): add prisma bootstrap command (#29374)
  • 5fece0a chore: bump @​prisma/dev to 0.24.3 (#29396)
  • 45d7e0f feat(cli): add prisma postgres link command (#29352)
  • adbdf15 Pre-bundle Studio frontend assets and replace Hono (#29389)
  • f8258ad chore: bump effect to fix vulnerability (#29384)
  • 74839a9 feat(cli): update bundled @​prisma/studio-core to 0.27.3 (#29376)
  • 309b4bc refactor: extract 'prisma-client-js' into PRISMA_CLIENT_JS_PROVIDER constant ...
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump hono and prisma in /services/heady-onboarding
c1b2c8a 
Bumps [hono](https://github.com/honojs/hono) to 4.12.18 and updates ancestor dependency [prisma](https://github.com/prisma/prisma/tree/HEAD/packages/cli). These dependencies need to be updated together.


Updates `hono` from 4.12.8 to 4.12.18
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.8...v4.12.18)

Updates `prisma` from 7.5.0 to 7.8.0
- [Release notes](https://github.com/prisma/prisma/releases)
- [Commits](https://github.com/prisma/prisma/commits/7.8.0/packages/cli)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.18
  dependency-type: indirect
- dependency-name: prisma
  dependency-version: 7.8.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 7, 2026
@dependabot dependabot Bot mentioned this pull request May 7, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants