
[auto] Bump hono to 4.12.12 and vite to 8.0.5 in aegis-oss (8 dependabot alerts)#22

Merged: stackbilt-admin merged 1 commit into main from auto/7f40f7c8 on Apr 23, 2026

Conversation

@stackbilt-admin
Member

Autonomous Task

Task ID: 7f40f7c8-5421-4309-9488-6ce1ad03e6d4
Authority: auto_safe
Exit code: 0

Task Prompt

Bump hono to 4.12.12 and vite to 8.0.5 across the aegis-oss monorepo to clear 8 open dependabot alerts.

Context

Dependabot alerts on Stackbilt-dev/aegis-oss:

  • 5x hono medium severity — fixed in 4.12.12
    • Cookie name bypass in getCookie() via non-breaking space prefix
    • setCookie() missing cookie name validation
    • ipRestriction() incorrect IPv4-mapped IPv6 matching
    • serveStatic middleware bypass via repeated slashes
    • toSSG() path traversal writing outside output directory
  • 3x vite (2x high, 1x medium) — fixed in 8.0.5
    • server.fs.deny bypassed with queries (high)
    • Arbitrary file read via dev server WebSocket (high)
    • Path traversal in optimized deps .map handling (medium)

Vite is dev-only (dev server), so the "high" severity is dev-tool risk, not production. Hono is on the production request path — that's the real priority.

Scope

  1. Find every package.json in the monorepo (workspace root + all packages) that pins hono or vite.
  2. Bump hono pins to ^4.12.12 (or 4.12.12 exact if the existing style is exact).
  3. Bump vite pins to ^8.0.5 (or 8.0.5 exact if the existing style is exact).
  4. Run npm install (or pnpm install — use whichever lockfile exists) to update the lockfile.
  5. Run npm run typecheck (or workspace equivalent) — Hono 4.12.x shouldn't have type breaks from current 4.x, but verify.
  6. Run the test suite if one exists (npm test or pnpm test). If tests pass, you're done. If they fail, diagnose — Hono 4.12 may have minor API tweaks; check the release notes at https://github.com/honojs/hono/releases.
  7. Commit with a conventional-commits message: fix(deps): bump hono to 4.12.12 and vite to 8.0.5 for CVE fixes. List the alert numbers in the commit body (hono: #12-16, vite: #9-11).

Safety

  • DO NOT bump any other dependencies. If npm update or pnpm update would touch anything beyond hono and vite, use explicit npm install hono@4.12.12 vite@8.0.5 instead.
  • If the typecheck or test fails

Result Summary

Commit landed. Bumped hono from 4.12.8 to 4.12.12 and added vite ^8.0.5 (resolved 8.0.8) in web/package.json. Typecheck clean, all 1473 tests pass.

TASK_COMPLETE


Generated by AEGIS task runner. Review before merging.

@stackbilt-admin
Member Author

Charter check is failing at Install dependencies — same root cause blocking PR #27. Filed as #31 for investigation. This PR is 13 days stale with 8 dependabot security advisories (hono + vite high-severity), so the CI hole is a supply-chain exposure window, not just a triage item. Unblock order per #31: fix root cause on main → rebase this PR → merge.

stackbilt-admin added a commit that referenced this pull request Apr 23, 2026

Charter CI has been failing on every PR since the workflow was added in
65780bd (7/7 runs red). This fixes the three compounding root causes so
the check actually gates what it claims to gate.

## Problems

1. **Install step failed with ENOENT.** Workflow ran `npm ci` at repo root,
   but the repo only had a 5-line stub `package-lock.json` and no
   `package.json`. The application lives in `web/`; the root install was
   never wired for Charter's governance CLI.

2. **`@stackbilt/cli@0.10.0` is unpublishable.** Its npm tarball carries
   `workspace:^` protocol deps that can't be resolved outside the Charter
   monorepo. Pin to `^0.9.2` until upstream publishes a clean 0.10.x.

3. **Policy gates failed on clean checkouts.**
   - `validate` (exit 1): `requireTrailers: true` + `trailerThreshold:
     HIGH` + no trailer convention in this repo's history = every PR red.
     Dependabot PRs (#22) cannot possibly author trailers. Softened to
     `requireTrailers: false` — charter still surfaces suggestions, but
     doesn't block. Re-enable once the repo adopts a trailer convention.
   - `doctor --adf-only` (exit 1): `.ai/manifest.adf` referenced
     `advisory-board.adf` (Atlas/Mercer/Sloan advisor modules), which
     belongs in the daemon, not the OSS core. Removed the reference.

## Fixes

- Add root `package.json` scoped to governance tooling (private, name
  `aegis-oss-governance`, sole devDep `@stackbilt/cli@^0.9.2`)
- Generate proper `package-lock.json` so `npm ci` works in CI
- Relax `.charter/config.json` trailer gate to non-blocking
- Remove `advisory-board.adf` (Stackbilt-specific) from ADF manifest

## Verified locally

All 5 Charter steps exit 0 against this branch:

  validate=0 drift=0 doctor=0 adf-evidence=0 audit=0

## Follow-ups

- Unblock PR #22 (8 dependabot advisories) via rebase once this lands
- Unblock PR #27 (cost_health regression, #26) via rebase once this lands
- File charter-repo bug for `@stackbilt/cli@0.10.0` workspace protocol
  publish failure
- Consider re-authoring a trailer convention and re-enabling strict mode
  once this repo + daemon both adopt it

Refs: #31, #22, #27

Co-authored-by: Aegis <Aegis@stackbilt.dev>
@stackbilt-admin
Member Author

@dependabot rebase

Charter CI unblocked by #36 (merged). Rebasing this PR should now pass both Charter + Test & Typecheck, unblocking 8 high-severity advisories that have been pending 13 days.

Addresses 8 dependabot security alerts on aegis-oss:

hono (medium severity, #12-#16):
- Cookie name bypass in getCookie() via non-breaking space prefix
- setCookie() missing cookie name validation
- ipRestriction() incorrect IPv4-mapped IPv6 matching
- serveStatic middleware bypass via repeated slashes
- toSSG() path traversal writing outside output directory

vite (2x high, 1x medium, #9-#11):
- server.fs.deny bypassed with queries (high)
- Arbitrary file read via dev server WebSocket (high)
- Path traversal in optimized deps .map handling (medium)

Resolved versions: hono 4.12.12, vite 8.0.8 (satisfies ^8.0.5).
Typecheck and all 1473 tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@stackbilt-admin stackbilt-admin merged commit 143afd9 into main Apr 23, 2026
2 checks passed
@stackbilt-admin stackbilt-admin deleted the auto/7f40f7c8 branch April 23, 2026 22:48

Labels

auto-generated Created by AEGIS task runner
