Skip to content

Updating Hono & @modelcontextprotocol/sdk dependency versions #49

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
matthew-heath wants to merge 7 commits into
base: dev
Choose a base branch
from
Open

Updating Hono & @modelcontextprotocol/sdk dependency versions #49

matthew-heath wants to merge 7 commits into from

Conversation

@matthew-heath
Copy link

@matthew-heath matthew-heath commented Oct 28, 2025
edited
Loading

As per #48 / anomalyco/sst#6190, this PR intends to update the version of Hono to use patched version.

This also addresses #51.

Vulnerabilities:
high: Hono Improper Authorization vulnerability - GHSA-m732-5p4w-x69g
high: @modelcontextprotocol/sdk - GHSA-w48q-cv73-mx4w
moderate: Hono has Body Limit Middleware Bypass - GHSA-92vj-g62v-jqhh
moderate: Hono vulnerable to Vary Header Injection leading to potential CORS Bypass - GHSA-q7jf-gf43-6x6p

matthew-heath
matthew-heath commented Oct 28, 2025
View reviewed changes
app/function/package.json
"drizzle-orm": "0.41.0",
"hono": "4.7.5",
"hono": "4.10.3",
"opencontrol": "npm:opencontrol@0.1.0"
Copy link
Author

@matthew-heath matthew-heath Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would this need updated to

"opencontrol": "workspace:*" / latest version?

@matthew-heath
Copy link
Author

matthew-heath commented Oct 28, 2025

would core sst package need version bumped from opencontrol@0.0.6 to latest change, subsequent to patching in this package?

@the-sides
Copy link

the-sides commented Nov 19, 2025

Can we get this merged? What are the incompatibilities with hono 4.10 that are slowing this down?

@smith558
Copy link

smith558 commented Nov 19, 2025

Can we get this merged? What are the incompatibilities with hono 4.10 that are slowing this down?

anomalyco/sst#6215

@matthew-heath matthew-heath mentioned this pull request Dec 3, 2025
Open
@matthew-heath matthew-heath changed the title Updating Hono dependency versions Updating Hono & @modelcontextprotocol/sdk dependency versions Dec 5, 2025
@vimtor
Copy link

vimtor commented Dec 19, 2025
edited
Loading

i'm commited to fixing the security vulnerability in SST

for this we need to release a new version of Opencode and then update it on SST

i'm trying your branch @matthew-heath and i get the following error when trying to run the examples/bun

error: Cannot find module 'zod/v4' from '/Developer/opencontrol/node_modules/.bun/@modelcontextprotocol+sdk@1.24.2/node_modules/@modelcontextprotocol/sdk/dist/esm/types.js'

how have you tested the change? i'm not as familiar with this codebase as with the SST one so if anyone can help me test this i will forward it to the core team

@matthew-heath
Copy link
Author

matthew-heath commented Dec 19, 2025

i'm commited to fixing the security vulnerability in SST

for this we need to release a new version of Opencode and then update it on SST

i'm trying your branch @matthew-heath and i get the following error when trying to run the examples/bun

error: Cannot find module 'zod/v4' from '/Developer/opencontrol/node_modules/.bun/@modelcontextprotocol+sdk@1.24.2/node_modules/@modelcontextprotocol/sdk/dist/esm/types.js'

how have you tested the change? i'm not as familiar with this codebase as with the SST one so if anyone can help me test this i will forward it to the core team

Hey @vimtor, thanks for your reply. I have just re-visited this, updating @modelcontextprotocol/sdk subsequently to Hono added additional needs. There was an override in root directory pinning the zod version to 3.24.2 but @modelcontextprotocol/sdk required either zod versions >3.25.0 or >4. I have updated in multiple places and it looks like running examples/bun starts up correctly now and can connect to google models (gemini-3-flash-preview in my case)

Screenshot 2025-12-19 at 12 54 19

vimtor
vimtor approved these changes Dec 19, 2025
View reviewed changes
Copy link

@vimtor vimtor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

working!

i'll push to get this merged and released by next week

Image

@niclaszllaudi
Copy link

niclaszllaudi commented Jan 14, 2026

@vimtor Any updates on this? Would be great to get this merged to fix the various vulnerabilities in SST

@vimtor
Copy link

vimtor commented Jan 14, 2026

@niclaszllaudi waiting on the core team, probably getting merged this week

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

3 more reviewers

@vimtor vimtor vimtor approved these changes

@smith558 smith558 smith558 approved these changes

@djodrell djodrell djodrell approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@matthew-heath @the-sides @smith558 @vimtor @niclaszllaudi @djodrell