chore(hono): Update [DEV] minor & patch dependencies to ^4.12.26

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
hono (source)	^4.12.15 → ^4.12.26

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

honojs/hono (hono)

v4.12.26

Compare Source

What's Changed

• fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @​yusukebe in #​5013
• ci: publish to npm from CI with OIDC trusted publishing by @​yusukebe in #​5028
• chore: remove unused devcontainer and gitpod configs by @​yusukebe in #​5029
• chore: replace arg and glob with Bun native APIs in build script by @​yusukebe in #​5030

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Compare Source

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@​Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

Compare Source

What's Changed

• docs(contribution): simplifyAI Usage Policy by @​yusukebe in #​4972
• chore: remove @​types/glob by @​rtritto in #​4978
• fix(bearer-auth): mention verifyToken in missing-options error message by @​tan7vir in #​4987
• refactor(language): Test/improve tests on languages middleware by @​iNeoO in #​4980
• fix(utils/ipaddr): expand "::" to eight zero groups by @​youcefzemmar in #​4973
• fix: clean up config files trailing comma, stale excludes, typesVersions gaps, jsr paths by @​Mohammad-Faiz-Cloud-Engineer in #​4982
• refactor(timing): Test/add test for middleware timing by @​iNeoO in #​4991
• fix(utils/ipaddr): render the unspecified address binary as "::" by @​sarathfrancis90 in #​4998

Full Changelog: honojs/hono@v4.12.23...v4.12.24

---

Configuration

📅 Schedule: (in timezone GMT)

• Branch creation
  • "before 7am on the first day of the week"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 26, 2026 2:59pm
swingset	Ready	Preview, Comment	Jun 26, 2026 2:59pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: b4ae02f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8574

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8574

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8574

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8574

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@8574

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@8574

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@8574

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8574

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8574

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8574

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8574

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8574

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8574

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8574

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8574

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8574

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8574

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8574

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8574

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8574

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8574

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8574

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8574

commit: b4ae02f

[github-actions]

Break Check: no API changes detected across the tracked packages.

_{Last ran on 2876377. Pushes that change no tracked declarations (no API surface change vs. base) are skipped and don't update this comment.}

[github-actions]

API Changes Report

Generated by Break Check on 2026-06-26T15:01:03.185Z

Summary

Metric	Count
Packages analyzed	19
Packages with changes	0
🔴 Breaking changes	0
🟡 Non-breaking changes	0
🟢 Additions	0

No API Changes Detected

All packages have stable APIs with no detected changes.

---

Report generated by Break Check

_{Last ran on b4ae02f.}

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

<--- Last few GCs --->

[920:0x27e4e000]    90082 ms: Scavenge (interleaved) 1476.3 (1494.7) -> 1470.4 (1494.0) MB, pooled: 0 MB, 34.69 / 0.01 ms  (average mu = 0.378, current mu = 0.387) task; 
[920:0x27e4e000]    92099 ms: Mark-Compact (reduce) 1479.8 (1497.0) -> 1469.6 (1480.3) MB, pooled: 0 MB, 124.31 / 0.10 ms  (+ 1619.1 ms in 81 steps since start of marking, biggest step 51.5 ms, walltime since start of marking 1921 ms) (average mu = 0.355,
FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
----- Native stack trace -----

 1: 0x73f8c4 node::OOMErrorHandler(char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/24.15.0/bin/node]
 2: 0xc06f90  [/opt/containerbase/tools/node/24.15.0/bin/node]
 3: 0xc0707f  [/opt/containerbase/tools/node/24.15.0/bin/node]
 4: 0xeaa885  [/opt/containerbase/tools/node/24.15.0/bin/node]
 5: 0xeaa8b2  [/opt/containerbase/tools/node/24.15.0/bin/node]
 6: 0xeaabaa  [/opt/containerbase/tools/node/24.15.0/bin/node]
 7: 0xebb8aa  [/opt/containerbase/tools/node/24.15.0/bin/node]
 8: 0xebfc50  [/opt/containerbase/tools/node/24.15.0/bin/node]
 9: 0x1953f71  [/opt/containerbase/tools/node/24.15.0/bin/node]
/usr/local/bin/node: line 18:   920 Aborted                 /opt/containerbase/tools/node/24.15.0/bin/node "$@"

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.