chore(deps): bump the production group across 1 directory with 6 updates

[dependabot]

Bumps the production group with 6 updates in the / directory:

Package	From	To
@hono/node-server	1.19.9	1.19.12
dotenv	17.2.3	17.4.0
hono	4.11.6	4.12.10
hono-openapi	1.2.0	1.3.0
lodash	4.17.23	4.18.1
ws	8.19.0	8.20.0

Updates @hono/node-server from 1.19.9 to 1.19.12

Release notes

Sourced from @​hono/node-server's releases.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• 58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
• b1daa4c docs(readme): add @​usualoma as an author (#300)
• See full diff in compare view

Updates dotenv from 17.2.3 to 17.4.0

Changelog

Sourced from dotenv's changelog.

17.4.0 (2026-04-01)

Added

• Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

• Tighten up logs: ◇ injecting env (14) from .env (#1003)

17.3.1 (2026-02-12)

Changed

• Fix as2 example command in README and update spanish README

17.3.0 (2026-02-12)

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

17.2.4 (2026-02-05)

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

Commits

• a2e31d6 17.4.0
• 4f041ee changelog 🪵
• bab8b98 README
• 516d47e update
• ce9b98f adjust quickstart
• d3a9065 update links
• 9a3f955 add banner
• d35b6a9 clean up
• a115e3a remove version
• 185e641 hide as2 for now - very early beta
• Additional commits viewable in compare view

Updates hono from 4.11.6 to 4.12.10

Release notes

Sourced from hono's releases.

v4.12.10

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in honojs/hono#4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in honojs/hono#4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in honojs/hono#4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in honojs/hono#4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in honojs/hono#4851

New Contributors

• @​Abhi3975 made their first contribution in honojs/hono#4843
• @​VISHNU7KASIREDDY made their first contribution in honojs/hono#4851

Full Changelog: honojs/hono@v4.12.9...v4.12.10

v4.12.9

What's Changed

• fix(request): remove parseBody from bodyCache to prevent TypeError by @​yusukebe in honojs/hono#4807
• feat(client): add PickResponseByStatusCode type by @​yusukebe in honojs/hono#4791
• fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest by @​yuintei in honojs/hono#4810
• fix(service-worker): make fire() fallback behavior consistent with handle() by @​yusukebe in honojs/hono#4821
• fix(cors): reflect request origin when credentials is true with wildcard by @​ctonneslan in honojs/hono#4813

New Contributors

• @​yuintei made their first contribution in honojs/hono#4810
• @​ctonneslan made their first contribution in honojs/hono#4813

Full Changelog: honojs/hono@v4.12.8...v4.12.9

v4.12.8

What's Changed

• fix(utils/mime): Normalize input extension to lowercase before MIME check by @​TheEssem in honojs/hono#4800
• fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @​otoneko1102 in honojs/hono#4750

New Contributors

• @​TheEssem made their first contribution in honojs/hono#4800

Full Changelog: honojs/hono@v4.12.7...v4.12.8

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

---

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

• fix(accept): replace regex split to mitigate ReDoS by @​EdamAme-x in honojs/hono#4758

... (truncated)

Commits

• 9f374a5 4.12.10
• a8c56a6 docs(ip-restriction): add clear JSDoc examples and param types (#4851)
• 0bce36b fix(compress): convert strong ETag to weak ETag when compressing (#4848)
• 75b4308 fix(jsx/dom): apply select value after children are rendered (#4847)
• f47b559 docs: fix impaired -> inspired typo in benchmark READMEs (#4843)
• 018277e test(router): fix Simple capturing group test (#4838)
• e1ae0eb 4.12.9
• 66fe9fe fix(cors): reflect request origin when credentials is true with wildcard (#4813)
• 50e2611 fix(service-worker): make fire() fallback behavior consistent with `handle(...
• be85106 fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest (#4810)
• Additional commits viewable in compare view

Updates hono-openapi from 1.2.0 to 1.3.0

Release notes

Sourced from hono-openapi's releases.

v1.3.0

What's Changed

• fix: allow resolver() in documentation.components.responses by @​MathurAditya724 in rhinobase/hono-openapi#220
• fix: apply JSONParsed to describeResponse handler typing by @​MathurAditya724 in rhinobase/hono-openapi#221
• fix: handle ArkType morph schemas in OpenAPI spec generation by @​MathurAditya724 in rhinobase/hono-openapi#222
• fix: set requestBody.required to true for validator() by @​MathurAditya724 in rhinobase/hono-openapi#223
• fix: auto-convert z.date() to string/date-time in Zod v4 schemas by @​MathurAditya724 in rhinobase/hono-openapi#224

Full Changelog: rhinobase/hono-openapi@v1.2.0...v1.3.0

Commits

• 10f45a6 released v1.3.0
• ba0b545 chore: update .gitignore
• ab3bf78 fix: auto-convert z.date() to string/date-time in Zod v4 schemas (#196) (#224)
• 0a098bc fix: set requestBody.required to true for validator() (#201) (#223)
• 493a209 fix: handle ArkType morph schemas in OpenAPI spec generation (#222)
• bd49da4 fix: apply JSONParsed to describeResponse handler typing (#221)
• cd580be fix: allow resolver() in documentation.components.responses (#220)
• See full diff in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates ws from 8.19.0 to 8.20.0

Release notes

Sourced from ws's releases.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

Commits

• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• ca533a5 [pkg] Update globals to version 17.0.0
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions