
fix: upgrade hono to ^4.12.18 to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458#1186

Merged
brendan-kellam merged 6 commits into main from cursor/fix-cve-2026-44457-hono-sou-1070-6a4b
May 9, 2026

Conversation


@brendan-kellam brendan-kellam commented May 9, 2026

Fixes SOU-1068
Fixes SOU-1069
Fixes SOU-1070
Fixes SOU-1071

Summary

Upgrades hono from 4.12.14 to 4.12.18 to address four related CVEs:

Changes

  • Bumped the yarn resolution for @modelcontextprotocol/sdk/hono from ^4.12.14 to ^4.12.18.
  • Added one CHANGELOG entry per CVE under [Unreleased] → Fixed.

Consolidated from #1187, #1188, #1190 — all four PRs were the same package bump for sibling CVEs.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Upgraded hono to address multiple security vulnerabilities.


Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>
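A yarn "resolutions" entry such as the one bumped here only closes the advisory if the lockfile actually resolves every copy of hono to the patched release. The script below is an added example (it is not Sourcebot's code and was not part of this PR) that reads a package.json and a yarn.lock, reports every version of a package the lockfile resolves to, and fails when any of them is below a minimum. It handles both lockfile flavours, Yarn classic (version "x.y.z") and Yarn berry (version: x.y.z). The package.json fragment and the two lockfile excerpts are constructed for the demo; the @modelcontextprotocol/sdk version numbers in them are made up and are not the project's real values.

```javascript
// Added example, not part of the Sourcebot PR: confirm that a yarn
// "resolutions" override actually took effect by reading package.json and
// yarn.lock, and flag any resolved copy of a package below a minimum
// version. Handles both lockfile flavours: Yarn classic ('version "x"')
// and Yarn berry ('version: x'). Pure string parsing, no dependencies.

// Constructed package.json fragment mirroring the resolution named in the PR.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo",
  resolutions: { "@modelcontextprotocol/sdk/hono": "^4.12.18" },
});

// Constructed Yarn berry lockfile excerpt: the post-upgrade state
// (sdk version number is invented for the demo).
const SAMPLE_LOCK_BERRY = `
__metadata:
  version: 8

"@modelcontextprotocol/sdk@npm:^1.0.0":
  version: 1.12.0
  resolution: "@modelcontextprotocol/sdk@npm:1.12.0"
  dependencies:
    hono: "npm:^4.12.14"

"hono@npm:^4.12.14, hono@npm:^4.12.18":
  version: 4.12.18
  resolution: "hono@npm:4.12.18"
`;

// Constructed Yarn classic lockfile excerpt: the pre-upgrade state.
const SAMPLE_LOCK_CLASSIC = `
# yarn lockfile v1

"@modelcontextprotocol/sdk@^1.0.0":
  version "1.12.0"
  resolved "https://registry.yarnpkg.com/@modelcontextprotocol/sdk/-/sdk-1.12.0.tgz"
  dependencies:
    hono "^4.12.14"

hono@^4.12.14:
  version "4.12.14"
  resolved "https://registry.yarnpkg.com/hono/-/hono-4.12.14.tgz"
`;

// "@scope/name@range" -> "@scope/name"; "name@range" -> "name".
function descriptorName(descriptor) {
  const at = descriptor.indexOf("@", 1); // index 0 may be the scope marker
  return at === -1 ? descriptor : descriptor.slice(0, at);
}

// Every distinct version of pkgName that the lockfile resolves to.
function resolvedVersions(lockText, pkgName) {
  const versions = new Set();
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (line === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line)) {
      // Entry header: one or more descriptors, optionally quoted, trailing ':'
      const descriptors = line.replace(/:\s*$/, "").split(",")
        .map((d) => d.trim().replace(/^"|"$/g, ""));
      inEntry = descriptors.some((d) => descriptorName(d) === pkgName);
      continue;
    }
    // Only the entry's own 2-space-indented "version" key, never a nested
    // dependency that happens to be called "version".
    const m = inEntry && line.match(/^ {2}version:?\s+"?([0-9A-Za-z.+-]+)"?\s*$/);
    if (m) versions.add(m[1]);
  }
  return [...versions].sort();
}

function parseSemver(v) {
  const m = v.match(/^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// v >= min, with a pre-release of min (e.g. 4.12.18-rc.1) ranked below min.
function atLeast(v, min) {
  const a = parseSemver(v), b = parseSemver(min);
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] > b.nums[i];
  return !a.pre || b.pre;
}

// ok is false both when a copy is too old and when the package is absent
// (an absent package means the resolution key does not match anything).
function checkMinimum(lockText, pkgName, minVersion) {
  const versions = resolvedVersions(lockText, pkgName);
  const below = versions.filter((v) => !atLeast(v, minVersion));
  return { versions, below, ok: versions.length > 0 && below.length === 0 };
}

// True when package.json pins the given resolutions key to the expected range.
function resolutionPinned(packageJsonText, key, expectedRange) {
  const pkg = JSON.parse(packageJsonText);
  return Boolean(pkg.resolutions) && pkg.resolutions[key] === expectedRange;
}

function auditReport() {
  return {
    resolutionPinned: resolutionPinned(SAMPLE_PACKAGE_JSON, "@modelcontextprotocol/sdk/hono", "^4.12.18"),
    after: checkMinimum(SAMPLE_LOCK_BERRY, "hono", "4.12.18"),
    before: checkMinimum(SAMPLE_LOCK_CLASSIC, "hono", "4.12.18"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditReport(), null, 2));
}
```

For a real repository, replace the constructed samples with fs.readFileSync("package.json", "utf8") and fs.readFileSync("yarn.lock", "utf8") and gate CI on checkMinimum(...).ok; the "before" sample shows the failure shape (below contains "4.12.14") that a stale lockfile produces even when package.json already carries the new resolution.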

coderabbitai Bot commented May 9, 2026

Walkthrough

The pull request updates the @modelcontextprotocol/sdk/hono dependency resolution in package.json from ^4.12.14 to ^4.12.18 to address CVEs. The changelog is updated in the [Unreleased] Fixed section to document this upgrade.

Changes

hono Dependency Security Update

Layer                    File(s)        Summary
Dependency Resolution    package.json   @modelcontextprotocol/sdk/hono resolution version updated from ^4.12.14 to ^4.12.18.
Changelog Documentation  CHANGELOG.md   [Unreleased] Fixed section documents hono upgrade to ^4.12.18 with CVE references.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • sourcebot-dev/sourcebot#1121: Both PRs modify the same package.json "resolutions" entry for @modelcontextprotocol/sdk/hono (related PR added the resolution entry; this PR updates its version).
Pre-merge checks: 5 passed

Check name                  Status     Explanation
Description Check           ✅ Passed  Check skipped - CodeRabbit's high-level summary is enabled.
Title check                 ✅ Passed  The title directly describes the main change: upgrading hono to address specific CVEs, which matches the file changes in package.json and CHANGELOG.md.
Docstring Coverage          ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check         ✅ Passed  Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check  ✅ Passed  Check skipped because no linked issues were found for this pull request.


Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>

github-actions Bot commented May 9, 2026

License Audit

⚠️ Status: PASS

Metric                    Count
Total packages            2070
Resolved (non-standard)   20
Unresolved                0
Strong copyleft           0
Weak copyleft             38

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0

Resolved Packages (20)

Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo aidenybai/react-grab LICENSE
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo aidenybai/react-grab LICENSE
@react-grab/mcp 0.1.29 UNKNOWN MIT GitHub repo aidenybai/react-grab LICENSE
@sentry/cli 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed)
@sentry/cli-darwin 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed)
@sentry/cli-linux-arm 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed)
@sentry/cli-linux-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed)
@sentry/cli-linux-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed)
@sentry/cli-linux-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed)
@sentry/cli-win32-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed)
@sentry/cli-win32-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed)
@sentry/cli-win32-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 npm registry
element-source 0.0.3 UNKNOWN MIT GitHub repo aidenybai/element-source LICENSE
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 npm registry
map-stream 0.1.0 UNKNOWN MIT npm registry
memorystream 0.3.1 UNKNOWN MIT extracted from licenses[].type object
pause-stream 0.0.11 MIT,Apache2 MIT GitHub repo dominictarr/pause-stream LICENSE (dual-licensed MIT and Apache 2)
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo PostHog/posthog-js LICENSE
valid-url 1.0.9 UNKNOWN MIT GitHub repo ogt/valid-url LICENSE


Consolidates SOU-1068, SOU-1069, SOU-1071 into this PR (already addressing
SOU-1070 / CVE-2026-44457). Same hono 4.12.14 -> 4.12.18 bump fixes all four.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
brendan-kellam changed the title from "fix: upgrade hono to ^4.12.18 to address CVE-2026-44457" to "fix: upgrade hono to ^4.12.18 to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458" on May 9, 2026
Per the updated convention in CLAUDE.md (one CHANGELOG line per PR, not
per CVE), the four sibling hono CVEs share one comma-separated entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@brendan-kellam brendan-kellam marked this pull request as ready for review May 9, 2026 22:00
coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In `@CHANGELOG.md`:
- Line 15: Update the CHANGELOG entry for the hono bump (^4.12.18) to only claim
CVEs actually fixed by that release: remove CVE-2026-44455 and CVE-2026-44458
from the list, and either omit CVE-2026-44456 or note it was fixed in 4.12.16
(not newly resolved by 4.12.18); keep CVE-2026-44457 as the sole CVE attributed
to 4.12.18 and preserve the PR reference and version string ("hono" and
"^4.12.18") in the entry.

📥 Commits

Reviewing files that changed from the base of the PR and between b7ea547 and 3448b52.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • CHANGELOG.md
  • package.json

@brendan-kellam brendan-kellam merged commit 82660ef into main May 9, 2026
8 checks passed
@brendan-kellam brendan-kellam deleted the cursor/fix-cve-2026-44457-hono-sou-1070-6a4b branch May 9, 2026 22:29