fix(deps): update patch updates (patch)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@anolilab/eslint-config (source)	27.0.2 → 27.0.10
@anolilab/multi-semantic-release (source)	4.4.4 → 4.4.5
@anolilab/semantic-release-pnpm (source)	8.1.15 → 8.1.16
@anolilab/semantic-release-preset (source)	13.4.16 → 13.4.17
@arethetypeswrong/cli (source)	^0.18.3 → ^0.18.4
@vitest/eslint-plugin	1.6.19 → 1.6.20
browserslist	4.28.2 → 4.28.4
caniuse-lite	1.0.30001797 → 1.0.30001799
commitizen	^4.3.1 → ^4.3.2
hono@<4.12.14 (source)	>=4.12.24 → >=4.12.27
hono@<4.12.21 (source)	>=4.12.24 → >=4.12.27
lint-staged	17.0.7 → 17.0.8
tailwind-csstree	0.3.2 → 0.3.3

---

Release Notes

anolilab/javascript-style-guide (@​anolilab/eslint-config)

v27.0.10

Compare Source

v27.0.9

Compare Source

v27.0.8

Compare Source

v27.0.7

Compare Source

v27.0.6

Compare Source

v27.0.5

Compare Source

v27.0.4

Compare Source

v27.0.3

Compare Source

Miscellaneous Chores

• security: apply audit overrides (c0fe05e)

anolilab/semantic-release (@​anolilab/multi-semantic-release)

v4.4.5

Compare Source

Bug Fixes

• build: add @​visulima/pail devDependency to satisfy cerebro peer (a440c7d)
• deps: bump vitest, lodash override, ckeditor typedoc-plugins, semantic-release peer, workflow pins (3119947), closes #​328 #​329 #​330 #​331 #​324
• lint: satisfy eslint-config v27 rules and make codecov upload non-blocking (da69704)

Dependencies

• @​anolilab/semantic-release-clean-package-json: upgraded to 5.5.14
• @​anolilab/semantic-release-pnpm: upgraded to 8.1.16

anolilab/semantic-release (@​anolilab/semantic-release-pnpm)

v8.1.16

Compare Source

Bug Fixes

• build: add @​visulima/pail devDependency to satisfy cerebro peer (a440c7d)
• lint: satisfy eslint-config v27 rules and make codecov upload non-blocking (da69704)

Dependencies

• @​anolilab/rc: upgraded to 4.0.4

anolilab/semantic-release (@​anolilab/semantic-release-preset)

v13.4.17

Compare Source

Dependencies

• @​anolilab/semantic-release-clean-package-json: upgraded to 5.5.14
• @​anolilab/semantic-release-pnpm: upgraded to 8.1.16

arethetypeswrong/arethetypeswrong.github.io (@​arethetypeswrong/cli)

v0.18.4

Patch Changes

• Updated dependencies [644fab1]
  • @​arethetypeswrong/core@​0.18.4

vitest-dev/eslint-plugin-vitest (@​vitest/eslint-plugin)

v1.6.20

Compare Source

   🐞 Bug Fixes

• hoisted-apis-on-top: Detect vitest.mock and aliased vi/vitest mock calls  -  by @​spokodev in #​909 (8fff9)
• require-test-timeout: Treat imported bindings as explicit timeouts  -  by @​spokodev in #​906 (bd82c)
• valid-expect: Treat .finally() as part of async assertion promise chains  -  by @​spokodev in #​908 (7c697)

    View changes on GitHub

browserslist/browserslist (browserslist)

v4.28.4

Compare Source

• Fixed SyntaxError regression of 4.28.3.

v4.28.3

Compare Source

• Fixed baseline query case-insensitivity (by @​swwind).

browserslist/caniuse-lite (caniuse-lite)

v1.0.30001799

Compare Source

honojs/hono (hono@<4.12.14)

v4.12.27

Compare Source

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc

---

Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

Compare Source

What's Changed

• fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @​yusukebe in #​5013
• ci: publish to npm from CI with OIDC trusted publishing by @​yusukebe in #​5028
• chore: remove unused devcontainer and gitpod configs by @​yusukebe in #​5029
• chore: replace arg and glob with Bun native APIs in build script by @​yusukebe in #​5030

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Compare Source

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@​Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

lint-staged/lint-staged (lint-staged)

v17.0.8

Compare Source

Patch Changes

• #​1809 179b437 - Fix lint-staged discarding the ongoing merge conflict status (.git/MERGE_HEAD) when using the --hide-unstaged or --hide-all options.

• #​1811 3d0b2c0 - Fix issues with Git commands that are successful but also emit warnings to stderr, by ignoring the stderr output completely when the process exits with code 0. This was the behavior when using nano-spawn and execa, but when switching to tinyexec in 16.3.0 both stdout and stderr were used as interleaved output.

humanwhocodes/tailwind-csstree (tailwind-csstree)

v0.3.3

Compare Source

Bug Fixes

• add descriptors to utility at-rule (#​59) (c517380)

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • "after 10:00 before 19:00 every weekday except after 13:00 before 14:00"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Thank you for following the naming conventions! 🙏

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

<--- Last few GCs --->

[935:0x17909000]   117796 ms: Scavenge 1493.5 (1518.2) -> 1492.2 (1522.2) MB, pooled: 0 MB, 8.08 / 0.00 ms  (average mu = 0.284, current mu = 0.232) allocation failure; 
[935:0x17909000]   119451 ms: Mark-Compact (reduce) 1495.0 (1522.2) -> 1491.2 (1516.2) MB, pooled: 0 MB, 812.07 / 0.01 ms  (+ 774.7 ms in 0 steps since start of marking, biggest step 0.0 ms, walltime since start of marking 1655 ms) (average mu = 0.270, cu

<--- JS stacktrace --->

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
----- Native stack trace -----

 1: 0xe46bbe node::OOMErrorHandler(char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/22.22.3/bin/node]
 2: 0x1243640 v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/22.22.3/bin/node]
 3: 0x1243917 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/22.22.3/bin/node]
 4: 0x1472825  [/opt/containerbase/tools/node/22.22.3/bin/node]
 5: 0x1472853  [/opt/containerbase/tools/node/22.22.3/bin/node]
 6: 0x148b92a  [/opt/containerbase/tools/node/22.22.3/bin/node]
 7: 0x148eaf8  [/opt/containerbase/tools/node/22.22.3/bin/node]
 8: 0x1cf7681  [/opt/containerbase/tools/node/22.22.3/bin/node]
/usr/local/bin/node: line 18:   935 Aborted                 /opt/containerbase/tools/node/22.22.3/bin/node "$@"