fix: upgrade hono to ^4.12.18 to address CVE-2026-44455 #1188

Closed
brendan-kellam wants to merge 2 commits into main from
cursor/fix-cve-2026-44455-sou-1068-e23d

Conversation

@brendan-kellam
Contributor

Fixes SOU-1068

Summary

Upgrades hono to ^4.12.18 to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458, and CVE-2026-44459.

Details

CVE-2026-44455: hono/jsx Unvalidated JSX Tag Names Allow HTML Injection

The hono package (v4.12.14) had a vulnerability where untrusted input used as JSX element tag names via the programmatic jsx() or createElement() APIs during server-side rendering could inject unintended HTML, attributes, or event handlers.

Dependency chain: hono is a transitive dependency via @modelcontextprotocol/sdk:

  • @react-grab/mcp@0.1.29 → @modelcontextprotocol/sdk@1.27.1 → hono@4.12.14
  • @modelcontextprotocol/sdk@1.29.0 → hono@4.12.14

Fix: Added Yarn resolutions in the root package.json to force all instances of hono to resolve to ^4.12.18, which includes fixes for multiple CVEs.

References

Linear Issue: SOU-1068


Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>
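Two defender-side checks that follow from the description above, written as an added example for this page (not code from the sourcebot repository, from hono, or from the CVE advisories): an application-level guard that rejects untrusted strings before they reach a JSX runtime's `createElement`, and a walk over an `npm ls --json`-style dependency tree that confirms every copy of a package meets the minimum patched version once a resolutions pin is in place. The function names, the guard's tag-name pattern, and the sample dependency tree are all constructed for the example; the tree mirrors the two chains listed in the PR.

```javascript
// Added example. Nothing here is hono's own fix or sourcebot's code; the names
// and the sample data are constructed to illustrate the two checks.

// Tag names we are willing to render from a dynamic string: lowercase ASCII
// letter first, then letters, digits or hyphens. Anything carrying '>', '<',
// spaces, quotes or '=' cannot match, so attribute or element injection via
// the tag name is not possible. (SVG camelCase tags such as foreignObject are
// deliberately excluded; add an explicit allowlist if you need them.)
const TAG_NAME = /^[a-z][a-z0-9-]*$/;

function isSafeTagName(name) {
  return typeof name === 'string' && TAG_NAME.test(name);
}

// Wrap a JSX runtime's (hypothetical) createElement(tag, props, ...children)
// so that an untrusted tag string never reaches it. Throwing is preferable to
// silently substituting 'div', which would hide the bug from logs and tests.
function guardedCreateElement(createElement, tag, props, ...children) {
  if (!isSafeTagName(tag)) {
    throw new TypeError(`refusing to render unsafe tag name: ${JSON.stringify(tag)}`);
  }
  return createElement(tag, props, ...children);
}

// Minimal semver comparison on major.minor.patch; pre-release tags are ignored,
// which is fine for "is this at least the patched release" questions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function atLeast(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Walk a tree shaped like `npm ls --json` output
// ({ dependencies: { name: { version, dependencies } } }) and return the path
// to every copy of `pkg` whose version is below `minimum`. An empty result is
// the evidence that the resolutions pin actually took effect everywhere.
function findBelowMinimum(tree, pkg, minimum, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && !atLeast(node.version, minimum)) hits.push(here.join(' > '));
    hits.push(...findBelowMinimum(node, pkg, minimum, here));
  }
  return hits;
}

// Constructed tree reproducing the two chains from the PR description,
// before any resolutions entry is applied.
const beforePin = {
  dependencies: {
    '@react-grab/mcp': {
      version: '0.1.29',
      dependencies: {
        '@modelcontextprotocol/sdk': {
          version: '1.27.1',
          dependencies: { hono: { version: '4.12.14' } },
        },
      },
    },
    '@modelcontextprotocol/sdk': {
      version: '1.29.0',
      dependencies: { hono: { version: '4.12.14' } },
    },
  },
};

// The same tree once `"resolutions": { "hono": "^4.12.18" }` has forced every
// copy to the patched line (constructed by rewriting the versions).
const afterPin = JSON.parse(JSON.stringify(beforePin).replace(/4\.12\.14/g, '4.12.18'));

console.log('below 4.12.18 before pin:', findBelowMinimum(beforePin, 'hono', '4.12.18'));
console.log('below 4.12.18 after pin: ', findBelowMinimum(afterPin, 'hono', '4.12.18'));
console.log('isSafeTagName("div><script>") =', isSafeTagName('div><script>'));
```

In a real repository you would feed `findBelowMinimum` the parsed output of `npm ls --json --all` (or the equivalent from your package manager) rather than the constructed tree, and fail CI when the returned list is non-empty; the tag-name guard belongs wherever application code builds elements from data it did not author.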

coderabbitai Bot commented May 9, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2a33d3a5-7af6-4225-9613-fd67eace1870

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.


github-actions Bot commented May 9, 2026

License Audit

⚠️ Status: PASS

| Metric                  | Count |
|-------------------------|-------|
| Total packages          | 2070  |
| Resolved (non-standard) | 11    |
| Unresolved              | 0     |
| Strong copyleft         | 0     |
| Weak copyleft           | 39    |

Weak Copyleft Packages (informational)

| Package | Version | License |
|---------|---------|---------|
| @img/sharp-libvips-darwin-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.0.5 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-ppc64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-riscv64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-wasm32 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later AND MIT |
| @img/sharp-wasm32 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later AND MIT |
| @img/sharp-win32-arm64 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-ia32 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-ia32 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-x64 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-x64 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| axe-core | 4.10.3 | MPL-2.0 |
| dompurify | 3.4.0 | (MPL-2.0 OR Apache-2.0) |
| lightningcss | 1.32.0 | MPL-2.0 |
| lightningcss-android-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-freebsd-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm-gnueabihf | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-win32-arm64-msvc | 1.32.0 | MPL-2.0 |
| lightningcss-win32-x64-msvc | 1.32.0 | MPL-2.0 |

Resolved Packages (11)

| Package | Version | Original | Resolved | Source |
|---------|---------|----------|----------|--------|
| @react-grab/cli | 0.1.23 | UNKNOWN | MIT | LICENSE file in npm package tarball |
| @react-grab/cli | 0.1.29 | UNKNOWN | MIT | LICENSE file in npm package tarball |
| @react-grab/mcp | 0.1.29 | UNKNOWN | MIT | LICENSE file in npm package tarball |
| codemirror-lang-elixir | 4.0.0 | UNKNOWN | Apache-2.0 | LICENSE file in npm package tarball (github.com/livebook-dev/codemirror-lang-elixir); npm registry metadata for latest version also reports Apache-2.0 |
| element-source | 0.0.3 | UNKNOWN | MIT | LICENSE file in npm package tarball |
| lezer-elixir | 1.1.2 | UNKNOWN | Apache-2.0 | LICENSE file in npm package tarball (github.com/livebook-dev/lezer-elixir); npm registry metadata for latest version also reports Apache-2.0 |
| map-stream | 0.1.0 | UNKNOWN | MIT | npm registry metadata (license: MIT) and GitHub repo package.json at github.com/dominictarr/map-stream |
| memorystream | 0.3.1 | UNKNOWN | MIT | extracted from licenses[].type field on npm registry metadata for v0.3.1 |
| pause-stream | 0.0.11 | MIT,Apache2 | MIT OR Apache-2.0 | extracted from license array on npm registry metadata (Apache2 normalized to Apache-2.0) |
| posthog-js | 1.369.0 | SEE LICENSE IN LICENSE | Apache-2.0 | LICENSE file at github.com/PostHog/posthog-js (Apache License 2.0) |
| valid-url | 1.0.9 | UNKNOWN | MIT | LICENSE file at github.com/ogt/valid-url |

@brendan-kellam
Contributor Author

Closing as duplicate — consolidated into #1186, which addresses all four sibling hono CVEs (44455–44458) with the same 4.12.14 → 4.12.18 bump.
