From de2982ea413b66c86fca324ca1b9a0db35e332b0 Mon Sep 17 00:00:00 2001
From: Jeffrey von Rotz
Date: Mon, 2 Mar 2026 21:04:26 +0100
Subject: [PATCH] =?UTF-8?q?fix(security):=20update=20lock=20file=20?= =?UTF-8?q?=E2=80=94=20hono=204.12.3=20+=20SDK=201.27.1=20(#4)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated transitive deps to patched versions:
- @modelcontextprotocol/sdk: 1.26.0 -> 1.27.1 (cross-client data leak via shared transport, affects 1.10.0-1.25.3, patched in 1.26.0)
- hono: 4.12.0 -> 4.12.3 (authentication bypass via IP spoofing, patched in 4.12.3)
No package.json change needed — existing semver ranges already allow the patched versions.
---
 package-lock.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index c610f5d..7bb7e67 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -621,9 +621,9 @@
 }
 },
 "node_modules/@modelcontextprotocol/sdk": {
- "version": "1.26.0",
- "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.26.0.tgz",
- "integrity": "sha512-Y5RmPncpiDtTXDbLKswIJzTqu2hyBKxTNsgKqKclDbhIgg1wgtf1fRuvxgTnRfcnxtvvgbIEcqUOzZrJ6iSReg==",
+ "version": "1.27.1",
+ "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.27.1.tgz",
+ "integrity": "sha512-sr6GbP+4edBwFndLbM60gf07z0FQ79gaExpnsjMGePXqFcSSb7t6iscpjk9DhFhwd+mTEQrzNafGP8/iGGFYaA==",
 "license": "MIT",
 "dependencies": {
 "@hono/node-server": "^1.19.9",
@@ -2615,9 +2615,9 @@
 }
 },
 "node_modules/hono": {
- "version": "4.12.0",
- "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.0.tgz",
- "integrity": "sha512-NekXntS5M94pUfiVZ8oXXK/kkri+5WpX2/Ik+LVsl+uvw+soj4roXIsPqO+XsWrAw20mOzaXOZf3Q7PfB9A/IA==",
+ "version": "4.12.3",
+ "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.3.tgz",
+ "integrity": "sha512-SFsVSjp8sj5UumXOOFlkZOG6XS9SJDKw0TbwFeV+AJ8xlST8kxK5Z/5EYa111UY8732lK2S/xB653ceuaoGwpg==",
 "license": "MIT",
 "engines": {
 "node": ">=16.9.0"