chore(deps)(deps): bump the minor-and-patch group across 1 directory with 37 updates #72

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/minor-and-patch-574094c95f

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Bumps the minor-and-patch group with 37 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| js-yaml | 4.1.1 | 4.2.0 |
| @vitest/coverage-v8 | 4.1.7 | 4.1.8 |
| esbuild | 0.28.0 | 0.28.1 |
| turbo | 2.9.14 | 2.9.18 |
| vitest | 4.1.7 | 4.1.8 |
| @langchain/core | 1.1.48 | 1.1.49 |
| better-auth | 1.6.11 | 1.6.18 |
| hono | 4.12.23 | 4.12.25 |
| mongodb | 7.2.0 | 7.3.0 |
| mongoose | 9.6.2 | 9.7.0 |
| @types/node | 25.9.1 | 25.9.3 |
| tsx | 4.22.3 | 4.22.4 |
| @astrojs/starlight | 0.39.2 | 0.40.0 |
| astro | 6.3.7 | 6.4.6 |
| sharp | 0.34.5 | 0.35.1 |
| @tanstack/react-query | 5.100.14 | 5.101.0 |
| @tanstack/react-router | 1.170.8 | 1.170.15 |
| @xyflow/react | 12.10.2 | 12.11.0 |
| lucide-react | 1.16.0 | 1.18.0 |
| react | 19.2.6 | 19.2.7 |
| @types/react | 19.2.15 | 19.2.17 |
| react-dom | 19.2.6 | 19.2.7 |
| @tailwindcss/postcss | 4.3.0 | 4.3.1 |
| @tanstack/router-plugin | 1.168.11 | 1.168.18 |
| tailwindcss | 4.3.0 | 4.3.1 |
| vite | 8.0.14 | 8.0.16 |
| bullmq | 5.77.2 | 5.78.1 |
| ioredis | 5.10.1 | 5.11.1 |
| @langchain/anthropic | 1.4.0 | 1.4.1 |
| isomorphic-git | 1.38.1 | 1.38.4 |
| langchain | 1.4.0 | 1.4.5 |
| @radix-ui/react-label | 2.1.8 | 2.1.9 |
| @radix-ui/react-separator | 1.1.8 | 1.1.9 |
| @radix-ui/react-slot | 1.2.4 | 1.2.5 |
| @radix-ui/react-tooltip | 1.2.8 | 1.2.9 |
| date-fns | 4.3.0 | 4.4.0 |
| radix-ui | 1.4.3 | 1.5.0 |

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3
Commits

Updates @vitest/coverage-v8 from 4.1.7 to 4.1.8

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • See full diff in compare view

Updates esbuild from 0.28.0 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Commits

Updates turbo from 2.9.14 to 2.9.18

Release notes

Sourced from turbo's releases.

Turborepo v2.9.18

What's Changed

Changelog

New Contributors

Full Changelog: vercel/turborepo@v2.9.17...v2.9.18

Turborepo v2.9.17

What's Changed

Changelog

... (truncated)

Commits

Updates vitest from 4.1.7 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • See full diff in compare view

Updates @langchain/core from 1.1.48 to 1.1.49

Commits

Updates better-auth from 1.6.11 to 1.6.18

Release notes

Sourced from better-auth's releases.

v1.6.18

better-auth

Bug Fixes

  • Fixed getCookieCache to return null for expired sessions instead of treating stale signed cookies as live sessions.
  • Fixed the delete-account confirmation link to prevent duplicate account deletions from concurrent callback requests.
  • Fixed one-time tokens from being redeemable multiple times under concurrent requests.
  • Fixed password reset tokens from changing a password more than once under concurrent requests.
  • Fixed Reddit sign-in to assign a non-routable placeholder address (<id>@reddit.invalid) to users with no email, preventing accidental matches with real mailboxes.
  • Fixed Sign-In with Ethereum nonces from being accepted multiple times under concurrent sign-in requests.
  • Added internalAdapter.reserveVerificationValue to atomically record single-use markers, ensuring only one concurrent caller succeeds for replay-protected operations.
  • Added the incrementOne adapter method and SecondaryStorage.increment for atomic counter updates, enabling strict rate-limit and usage-counter enforcement under concurrent load.
  • Fixed expired two-factor challenges from completing login and prevented duplicate session creation from concurrent verifications.
  • Fixed captcha verification to time out after 10 seconds, preventing slow or unreachable captcha providers from hanging requests indefinitely.
  • Fixed /delete-user/callback to reject account deletion when the session has been revoked server-side (cookie-only session deployments are unaffected).
  • Fixed rate limiting to prevent concurrent requests from slipping past configured limits, with a new optional consume method for custom storage backends to opt into strict enforcement.
  • Fixed team deletion to preserve pending invitations by removing only the deleted team's reference rather than invalidating the invitations entirely.
  • Fixed expected authentication validation failures to log as warnings instead of errors.
  • Fixed MCP bearer token validation to reject expired access tokens and require the offline_access scope for refresh token usage.
  • Fixed plugin API inference in composite monorepo setups where the core package resolved through multiple paths (#9583)
  • Fixed OpenAPI generation to accurately serialize Zod request schemas, including optional, nullable, intersected, and record-shaped types (#9315)
  • Fixed a memory leak where the JWKS cache could grow on every access token verification.
  • Fixed Google One Tap to require a configured client ID (set via the oneTap plugin or socialProviders.google) and reject tokens issued for other applications.
  • Fixed device-authorization token polling to prevent the same approved device code from being redeemed multiple times under concurrent polls.
  • Fixed account cookie preservation when switching users in the same browser session.
  • Fixed email OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
  • Fixed phone-number OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
  • Fixed two-factor OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
  • Fixed the Have I Been Pwned plugin to check breached passwords on additional endpoints, including email-OTP and phone-number reset-password routes and admin password-setting routes.
  • Fixed the multi-session set-active and revoke endpoints to only act on sessions the caller holds a signed cookie for, preventing unauthorized session manipulation.
  • Fixed the OIDC /oauth2/endsession endpoint to reject cross-site logout requests that carry only a session cookie without a valid id_token_hint.
  • Fixed WeChat sign-in to work without an email address by assigning a stable placeholder email, with mapProfileToUser available to supply a real one.

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAML assertion replay protection to hold under concurrent requests, preventing a duplicate submission from being accepted more than once.
  • Fixed organization admins and owners to verify domain ownership for SSO providers their organization owns, not just the member who originally registered the provider.
  • Fixed trustEmailVerified to treat only a boolean true or the string "true" as a verified email, rejecting the string "false" as unverified.

For detailed changes, see CHANGELOG

@better-auth/memory-adapter

Bug Fixes

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.18

Patch Changes

  • #9315 9ef7240 Thanks @​GautamBytes! - fix OpenAPI requestBody generation for intersected and default-wrapped body schemas

  • #9583 b21a5f7 Thanks @​GautamBytes! - Fix plugin-provided client methods and additional session fields not being inferred in composite monorepos.

  • Updated dependencies [b21a5f7]:

    • @​better-auth/core@​1.6.18
    • @​better-auth/drizzle-adapter@​1.6.18
    • @​better-auth/kysely-adapter@​1.6.18
    • @​better-auth/memory-adapter@​1.6.18
    • @​better-auth/mongo-adapter@​1.6.18
    • @​better-auth/prisma-adapter@​1.6.18
    • @​better-auth/telemetry@​1.6.18

1.6.17

Patch Changes

  • #9993 baeaa00 Thanks @​gustavovalverde! - When a team had a single open slot, accepting an invitation into it was wrongly rejected as over the member limit and left a dangling membership record. Two invitations accepted into a nearly-full team at the same time could also push it past its limit. Both are fixed.

  • #9482 3e99e6c Thanks @​bytaesu! - admin.setUserPassword now creates a credential account when the target user does not have one, matching the behavior of resetPassword. Previously the call returned status: true without doing anything for users without an existing credential account (e.g., social-only or magic-link signups), so admins migrating users from another auth system or assigning an initial password to a social-only user can now do so directly without poking the account table.

  • 96c78c3 Thanks @​GautamBytes! - Downgrade expected auth validation failures from error logs to warnings.

  • #9993 baeaa00 Thanks @​gustavovalverde! - Captcha provider verification requests now time out after 10 seconds and fail closed, so a slow or unreachable captcha provider can no longer tie up a request indefinitely.

  • #9993 baeaa00 Thanks @​gustavovalverde! - A delete-account confirmation link can no longer delete the account more than once when its callback is opened concurrently.

  • #9991 0c3856f Thanks @​gustavovalverde! - Completing account deletion through /delete-user/callback now fails when the session has been revoked server-side, instead of proceeding within the cookie-cache window. Deployments that keep sessions only in the cookie are unaffected.

  • #9993 baeaa00 Thanks @​gustavovalverde! - Polling for a device-authorization token can no longer redeem the same approved device code more than once when several polls arrive together.

  • #9993 baeaa00 Thanks @​gustavovalverde! - Submitting the same email OTP from several requests at once can no longer sign in more than once or gain extra tries beyond the attempt limit.

  • #10002 ed7b6c9 Thanks @​gustavovalverde! - Adding a member to a team that is already at its maximumMembersPerTeam limit is now rejected on every path. addMember with a teamId and add-team-member previously skipped the limit that invitation acceptance enforced, so they could push a team over its cap. A rejected addMember no longer creates the organization member.

  • #9677 e0a768c Thanks @​GautamBytes! - Refactor role.authorize control flow while preserving existing authorization behavior.

  • #9987 7343284 Thanks @​bytaesu! - Generic OAuth sign-in works again for providers whose userinfo response has no sub or id field when mapProfileToUser derives the account id. An empty id field now falls back to sub.

  • #9991 0c3856f Thanks @​gustavovalverde! - getCookieCache now returns null for an expired session instead of the stale session data. Middleware that calls it to gate access no longer treats an expired signed cookie as a live session.

  • #9993 baeaa00 Thanks @​gustavovalverde! - The Have I Been Pwned plugin now checks submitted passwords against the breach database on more password-setting endpoints by default, including the email-OTP and phone-number reset-password routes and the admin create-user and set-user-password routes. A breached password can no longer be set through those routes when the plugin is enabled with its default paths.

  • #9987 7343284 Thanks @​bytaesu! - Preserve the fresh account cookie issued while switching users in the same browser instead of expiring it from stale request cookie state.

  • #9991 0c3856f Thanks @​gustavovalverde! - Expired MCP access tokens are no longer accepted. A protected MCP resource now rejects a bearer token once it has expired, both on the server and through the remote client. A refresh token is accepted only when the original authorization included the offline_access scope.

... (truncated)

Commits
  • 04debbf chore: release v1.6.18 (#10026)
  • 9ef7240 fix(open-api): serialize zod request schemas accurately (#9315)
  • b21a5f7 fix(client): preserve plugin inference in composite monorepos (#9583)
  • 0d8b238 chore: release v1.6.17 (#9984)
  • eff3c99 test(next-js): verify nextCookies forwards all set-cookie headers (#10013)
  • e0a768c refactor(access): flatten access plugin role authorization logic (#9677)
  • 3310ebc fix(open-api): mark model ids as required (#9704)
  • 59e0ccb fix(client): updateSession should infer session additional fields (#9777)
  • 96c78c3 fix(logger): downgrade validation logs level to warn
  • 5c289b5 fix(account): resolve stateless account cookies across instances (#9979)
  • Additional commits viewable in compare view

Updates hono from 4.12.23 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

Full Changelog: honojs/hono@v4.12.23...v4.12.24

Commits

Updates mongodb from 7.2.0 to 7.3.0

Release notes

Sourced from mongodb's releases.

v7.3.0

[!IMPORTANT] A future minor release will raise the minimum supported MongoDB Server version from 4.2 to 4.4. This is in accordance with MongoDB Software Lifecycle Schedules. Support for MongoDB Server 4.2 will be dropped in a future release!

7.3.0 (2026-06-04)

The MongoDB Node.js team is pleased to announce version 7.3.0 of the mongodb package!

Release Notes

maxWireVersion is bumped to 29

Max wire version & max server version bumped in preparation for MongoDB LTS (v9.0).

Fixed SCRAM authentication for non-Node.js runtimes (e.g., Deno)

SCRAM-based authentication (the default mechanism for username/password connections) was broken when using the driver in non-Node.js environments such as Deno. The root cause was an implicit toString() call on byte arrays that produced incorrect output outside of Node.js. This fix ensures explicit UTF-8 string conversion is used throughout the SCRAM implementation, restoring authentication in Deno and other web-compatible runtimes.

Features

Bug Fixes

  • NODE-7548: SCRAM authentication fails on non-Node runtimes (#4932) (a10d2c9)

Documentation

We invite you to try the mongodb library immediately, and report any issues to the NODE project.

Changelog

Sourced from mongodb's changelog.

7.3.0 (2026-06-04)

Features

Bug Fixes

  • NODE-7548: SCRAM authentication fails on non-Node runtimes (#4932) (a10d2c9)
Commits
  • 99106de chore(main): release 7.3.0 (#4944)
  • fd940fe ci: use toolchain python in windows (#4954)
  • b7f54b5 test(NODE-5517): display installed deps in CI (#4948)
  • de29d72 chore: disable bson compat tests in prs (#4952)
  • 4447050 feat(NODE-7518): bump maxWireVersion (#4950)
  • d2b828b chore(NODE-7599): tighten build workflow permissions and update release docs ...
  • 24e5705 chore(NODE-7512): add Windows Node Latest to smoke test configuration (#4940)
  • 90f6967 chore(NODE-7563): migrate main release workflows to npm trusted publishers (#...
  • a10d2c9 fix(NODE-7548): SCRAM authentication fails on non-Node runtimes (#4932)
  • 5c986b1 test(NODE-6820): test on Graviton processor (#4936)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mongodb since your current version.


Updates mongoose from 9.6.2 to 9.7.0

Release notes

Sourced from mongoose's releases.

9.7.0 / 2026-06-09

  • feat: add Node.js TracingChannel support for APM instrumentation #16275 #16105 logaretm
  • feat(model): add standard schema adapter for models #16308 #16280
  • fix(cursor): avoid waiting on buffering to run aggregation middleware ...

    Description has been truncated


    [!NOTE]
    Medium Risk
    Version-only changes, but they touch auth (better-auth, hono) and data layers (mongoose, mongodb); regressions would show up at runtime rather than in this diff.

    Overview
    Bumps 37 minor/patch dependency versions across the root, apps/*, and packages/* package.json files only—no application source changes.

    Notable upgrades on the API and frontend stacks include better-auth 1.6.11 → 1.6.18, hono 4.12.23 → 4.12.25, mongoose / mongodb, and js-yaml 4.2.0 (root, api, core). Worker/core pick up bullmq, @langchain/*, and langchain. Docs moves Astro/Starlight/sharp; UI bumps Radix, date-fns, and lucide-react. Root dev tooling updates turbo, vitest, and esbuild.

    Reviewed by Cursor Bugbot for commit 7093032. Bugbot is set up for automated code reviews on this repo. Configure here.
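
The esbuild (GHSA-g7r4-m6w7-qqqr) and hono serve-static (GHSA-wwfh-h76j-fc44) notes quoted above describe the same bug class: a path guard that only understands `/` while the Windows resolver also splits on `\`. The following is an added example, not code from either project or from this PR; `SERVE_ROOT`, `weakResolve`, `safeResolve` and `isInsideRoot` are hypothetical names, and Node's `path.posix` / `path.win32` are used so the Windows behaviour reproduces on any host.

```javascript
const path = require('node:path');

// Constructed serve directory; path.win32 applies Windows rules on any OS.
const SERVE_ROOT = 'C:\\srv\\public';

// Containment check done with the same path rules the file system will use.
function isInsideRoot(resolved) {
  const rel = path.win32.relative(SERVE_ROOT, resolved);
  const escapes =
    rel === '..' || rel.startsWith('..\\') || path.win32.isAbsolute(rel);
  return !escapes;
}

// Weak guard (the bug class): the request path is cleaned with POSIX rules,
// which treat "\" as an ordinary filename character, and is then handed to a
// Windows resolver, which treats "\" as a separator.
function weakResolve(urlPath) {
  const decoded = decodeURIComponent(urlPath);         // "%5C" becomes "\"
  const cleaned = path.posix.normalize('/' + decoded); // only "/../" collapses
  return path.win32.join(SERVE_ROOT, cleaned);
}

// Hardened guard: refuse backslashes outright (the approach the esbuild
// release note describes), then confirm containment after resolution.
function safeResolve(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\\') || decoded.includes('\0')) return null;

  const cleaned = path.posix.normalize('/' + decoded);
  const candidate = path.win32.resolve(SERVE_ROOT, '.' + cleaned);
  return isInsideRoot(candidate) ? candidate : null;
}

// Constructed request paths for a regression test of the guard.
const samples = ['/css/site.css', '/../../secret.txt', '/..%5C..%5Csecret.txt'];
for (const p of samples) {
  const weak = weakResolve(p);
  console.log(p, {
    weak,
    weakInsideRoot: isInsideRoot(weak),
    safe: safeResolve(p),
  });
}
```

Forward-slash traversal is neutralised by both guards; only the encoded backslash separates them, which is why the dependency bump matters mainly for Windows hosts.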

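Many of the better-auth 1.6.17 and 1.6.18 entries quoted above (one-time tokens, password reset tokens, Sign-In with Ethereum nonces, device codes, OTP sign-in) fix one pattern: a check-then-act sequence that lets several concurrent requests redeem the same single-use value. The following is an added example, not better-auth code; `TokenStore` is a hypothetical in-memory stand-in for a database, and its `reserve` method only models the kind of atomic single-use marker the release notes describe.

```javascript
// Simulated I/O latency so that concurrent requests interleave.
const ioDelay = () => new Promise((resolve) => setTimeout(resolve, 1));

// Hypothetical store; a real deployment would back this with a database.
class TokenStore {
  constructor() {
    this.used = new Set();
  }

  async isUsed(token) {
    await ioDelay();
    return this.used.has(token);
  }

  async markUsed(token) {
    await ioDelay();
    this.used.add(token);
  }

  // Atomic test-and-set. Assumption: in a real database this would be a
  // unique-key insert or a conditional update, so only one caller wins.
  async reserve(token) {
    await ioDelay();
    if (this.used.has(token)) return false;
    this.used.add(token);
    return true;
  }
}

// Check-then-act: every concurrent caller reads "not used" before any
// caller has written the marker, so all of them succeed.
async function redeemNaive(store, token) {
  if (await store.isUsed(token)) return false;
  await store.markUsed(token);
  return true;
}

// Reserve-first: the check and the write are a single step.
async function redeemAtomic(store, token) {
  return store.reserve(token);
}

// Fire `concurrency` simultaneous redemptions of one constructed token and
// count how many are accepted; then try one late replay.
async function countWinners(redeem, concurrency = 5) {
  const store = new TokenStore();
  const token = 'constructed-reset-token';
  const attempts = Array.from({ length: concurrency }, () => redeem(store, token));
  const results = await Promise.all(attempts);
  const lateReplayAccepted = await redeem(store, token);
  return { winners: results.filter(Boolean).length, lateReplayAccepted };
}

Promise.all([countWinners(redeemNaive), countWinners(redeemAtomic)]).then(
  ([naive, atomic]) => console.log({ naive, atomic })
);
```

A sequential replay is rejected by both versions, so a test suite that never issues overlapping requests will not catch the difference.
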
…with 37 updates

Bumps the minor-and-patch group with 37 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.1` | `4.2.0` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.7` | `4.1.8` |
| [esbuild](https://github.com/evanw/esbuild) | `0.28.0` | `0.28.1` |
| [turbo](https://github.com/vercel/turborepo) | `2.9.14` | `2.9.18` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.7` | `4.1.8` |
| [@langchain/core](https://github.com/langchain-ai/langchainjs) | `1.1.48` | `1.1.49` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.11` | `1.6.18` |
| [hono](https://github.com/honojs/hono) | `4.12.23` | `4.12.25` |
| [mongodb](https://github.com/mongodb/node-mongodb-native) | `7.2.0` | `7.3.0` |
| [mongoose](https://github.com/Automattic/mongoose) | `9.6.2` | `9.7.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.9.1` | `25.9.3` |
| [tsx](https://github.com/privatenumber/tsx) | `4.22.3` | `4.22.4` |
| [@astrojs/starlight](https://github.com/withastro/starlight/tree/HEAD/packages/starlight) | `0.39.2` | `0.40.0` |
| [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) | `6.3.7` | `6.4.6` |
| [sharp](https://github.com/lovell/sharp) | `0.34.5` | `0.35.1` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.100.14` | `5.101.0` |
| [@tanstack/react-router](https://github.com/TanStack/router/tree/HEAD/packages/react-router) | `1.170.8` | `1.170.15` |
| [@xyflow/react](https://github.com/xyflow/xyflow/tree/HEAD/packages/react) | `12.10.2` | `12.11.0` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.16.0` | `1.18.0` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.6` | `19.2.7` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.15` | `19.2.17` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.6` | `19.2.7` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.3.0` | `4.3.1` |
| [@tanstack/router-plugin](https://github.com/TanStack/router/tree/HEAD/packages/router-plugin) | `1.168.11` | `1.168.18` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.0` | `4.3.1` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.14` | `8.0.16` |
| [bullmq](https://github.com/taskforcesh/bullmq) | `5.77.2` | `5.78.1` |
| [ioredis](https://github.com/luin/ioredis) | `5.10.1` | `5.11.1` |
| [@langchain/anthropic](https://github.com/langchain-ai/langchainjs) | `1.4.0` | `1.4.1` |
| [isomorphic-git](https://github.com/isomorphic-git/isomorphic-git) | `1.38.1` | `1.38.4` |
| [langchain](https://github.com/langchain-ai/langchainjs) | `1.4.0` | `1.4.5` |
| [@radix-ui/react-label](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/label) | `2.1.8` | `2.1.9` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/separator) | `1.1.8` | `1.1.9` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slot) | `1.2.4` | `1.2.5` |
| [@radix-ui/react-tooltip](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tooltip) | `1.2.8` | `1.2.9` |
| [date-fns](https://github.com/date-fns/date-fns) | `4.3.0` | `4.4.0` |
| [radix-ui](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/radix-ui) | `1.4.3` | `1.5.0` |



Updates `js-yaml` from 4.1.1 to 4.2.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/commits)

Updates `@vitest/coverage-v8` from 4.1.7 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/coverage-v8)

Updates `esbuild` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.28.0...v0.28.1)

Updates `turbo` from 2.9.14 to 2.9.18
- [Release notes](https://github.com/vercel/turborepo/releases)
- [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md)
- [Commits](vercel/turborepo@v2.9.14...v2.9.18)

Updates `vitest` from 4.1.7 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest)

Updates `@langchain/core` from 1.1.48 to 1.1.49
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/commits)

Updates `better-auth` from 1.6.11 to 1.6.18
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.18/packages/better-auth)

Updates `hono` from 4.12.23 to 4.12.25
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.23...v4.12.25)

Updates `mongodb` from 7.2.0 to 7.3.0
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/main/HISTORY.md)
- [Commits](mongodb/node-mongodb-native@v7.2.0...v7.3.0)

Updates `mongoose` from 9.6.2 to 9.7.0
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md)
- [Commits](Automattic/mongoose@9.6.2...9.7.0)

Updates `@types/node` from 25.9.1 to 25.9.3
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `tsx` from 4.22.3 to 4.22.4
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.22.3...v4.22.4)

Updates `@astrojs/starlight` from 0.39.2 to 0.40.0
- [Release notes](https://github.com/withastro/starlight/releases)
- [Changelog](https://github.com/withastro/starlight/blob/main/packages/starlight/CHANGELOG.md)
- [Commits](https://github.com/withastro/starlight/commits/@astrojs/starlight@0.40.0/packages/starlight)

Updates `astro` from 6.3.7 to 6.4.6
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.4.6/packages/astro)

Updates `sharp` from 0.34.5 to 0.35.1
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.34.5...v0.35.1)

Updates `@tanstack/react-query` from 5.100.14 to 5.101.0
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.0/packages/react-query)

Updates `@tanstack/react-router` from 1.170.8 to 1.170.15
- [Release notes](https://github.com/TanStack/router/releases)
- [Changelog](https://github.com/TanStack/router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/TanStack/router/commits/@tanstack/react-router@1.170.15/packages/react-router)

Updates `@xyflow/react` from 12.10.2 to 12.11.0
- [Release notes](https://github.com/xyflow/xyflow/releases)
- [Changelog](https://github.com/xyflow/xyflow/blob/main/packages/react/CHANGELOG.md)
- [Commits](https://github.com/xyflow/xyflow/commits/@xyflow/react@12.11.0/packages/react)

Updates `lucide-react` from 1.16.0 to 1.18.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.18.0/packages/lucide-react)

Updates `react` from 19.2.6 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `@types/react` from 19.2.15 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.2.6 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `@tailwindcss/postcss` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-postcss)

Updates `@tanstack/router-plugin` from 1.168.11 to 1.168.18
- [Release notes](https://github.com/TanStack/router/releases)
- [Changelog](https://github.com/TanStack/router/blob/main/packages/router-plugin/CHANGELOG.md)
- [Commits](https://github.com/TanStack/router/commits/@tanstack/router-plugin@1.168.18/packages/router-plugin)

Updates `@types/react` from 19.2.15 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `tailwindcss` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss)

Updates `vite` from 8.0.14 to 8.0.16
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

Updates `bullmq` from 5.77.2 to 5.78.1
- [Release notes](https://github.com/taskforcesh/bullmq/releases)
- [Commits](taskforcesh/bullmq@v5.77.2...v5.78.1)

Updates `ioredis` from 5.10.1 to 5.11.1
- [Release notes](https://github.com/luin/ioredis/releases)
- [Changelog](https://github.com/redis/ioredis/blob/main/CHANGELOG.md)
- [Commits](redis/ioredis@v5.10.1...v5.11.1)

Updates `@langchain/anthropic` from 1.4.0 to 1.4.1
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/anthropic@1.4.0...langchain@1.4.1)

Updates `isomorphic-git` from 1.38.1 to 1.38.4
- [Release notes](https://github.com/isomorphic-git/isomorphic-git/releases)
- [Commits](isomorphic-git/isomorphic-git@v1.38.1...v1.38.4)

Updates `langchain` from 1.4.0 to 1.4.5
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/commits)

Updates `@radix-ui/react-label` from 2.1.8 to 2.1.9
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/label/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/label)

Updates `@radix-ui/react-separator` from 1.1.8 to 1.1.9
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/separator/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/separator)

Updates `@radix-ui/react-slot` from 1.2.4 to 1.2.5
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slot/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slot)

Updates `@radix-ui/react-tooltip` from 1.2.8 to 1.2.9
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tooltip/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tooltip)

Updates `date-fns` from 4.3.0 to 4.4.0
- [Release notes](https://github.com/date-fns/date-fns/releases)
- [Commits](date-fns/date-fns@v4.3.0...v4.4.0)

Updates `radix-ui` from 1.4.3 to 1.5.0
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/radix-ui/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/radix-ui)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: turbo
  dependency-version: 2.9.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@langchain/core"
  dependency-version: 1.1.49
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: better-auth
  dependency-version: 1.6.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: hono
  dependency-version: 4.12.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: mongodb
  dependency-version: 7.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: mongoose
  dependency-version: 9.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/node"
  dependency-version: 25.9.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tsx
  dependency-version: 4.22.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@astrojs/starlight"
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: astro
  dependency-version: 6.4.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: sharp
  dependency-version: 0.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-router"
  dependency-version: 1.170.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@xyflow/react"
  dependency-version: 12.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: lucide-react
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/router-plugin"
  dependency-version: 1.168.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: bullmq
  dependency-version: 5.78.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: ioredis
  dependency-version: 5.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@langchain/anthropic"
  dependency-version: 1.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: isomorphic-git
  dependency-version: 1.38.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: langchain
  dependency-version: 1.4.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-label"
  dependency-version: 2.1.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-separator"
  dependency-version: 1.1.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-tooltip"
  dependency-version: 1.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: date-fns
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: radix-ui
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Jun 15, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@cursor cursor Bot left a comment

Security review complete: I found no PR-introduced issues in the changed files.

Changed files are limited to package manifests and pnpm-lock.yaml; no MCP route, query execution, Better Auth, Hono route-validation, or env/secret-handling source files changed. I spot-checked the current implementations for the requested threat surfaces: MCP bearer-token/project scoping, execute_query read-only DuckDB view sandboxing with timeout/result limits, Better Auth secret/cookie/CSRF setup, Hono/Zod validation patterns, env secret exposure, and dependency exposure.

Validation run:

- `pnpm install --frozen-lockfile` passed.
- `pnpm audit --prod` reports 14 advisories, but the same 14 advisories are present on the base commit, so they do not appear to be introduced by this dependency bump.

Sent by Cursor Automation: archmax Security Review
