chore(deps-dev): bump the dependencies group with 5 updates

[dependabot]

Bumps the dependencies group with 5 updates:

Package	From	To
@hono/node-server	2.0.2	2.0.3
eslint-config-webpack	4.9.5	4.9.6
hono	4.12.18	4.12.21
lint-staged	17.0.4	17.0.5
webpack	5.106.2	5.107.0

Updates @hono/node-server from 2.0.2 to 2.0.3

Release notes

Sourced from @​hono/node-server's releases.

v2.0.3

What's Changed

• chore(ci): update GitHub Actions versions by @​BlankParticle in honojs/node-server#352
• docs: Align the ServeStaticOptions comment with the current spec by @​kakkokari-gtyih in honojs/node-server#356
• fix: preserve headers mutated after raw Response construction by @​abdulmunimjemal in honojs/node-server#357

New Contributors

• @​kakkokari-gtyih made their first contribution in honojs/node-server#356
• @​abdulmunimjemal made their first contribution in honojs/node-server#357

Full Changelog: honojs/node-server@v2.0.2...v2.0.3

Commits

• 9d87987 2.0.3
• 9463250 fix: preserve headers mutated after raw Response construction (#357)
• cee5e81 docs: Align the ServeStaticOption command with the current specification (#...
• 4aa0650 chore(ci): update GitHub Actions versions (#352)
• See full diff in compare view

Updates eslint-config-webpack from 4.9.5 to 4.9.6

Release notes

Sourced from eslint-config-webpack's releases.

v4.9.6

Patch Changes

• Set reportUnusedDisableDirectives to "error". (by @​alexander-akait in #146)

• Ignore test module in n/no-unsupported-features/node-builtins rule. (by @​alexander-akait in #157)

• Respect minor engines.node versions when picking the ES feature set. The node-to-ES mapping now lives in configs/utils/get-es-version-from-node.js and uses semver ranges, so >=7.6 lands on ES2017 (async/await) instead of ES2016, and >=16.11 lands on ES2022 (Object.hasOwn) instead of older 16.x ranges that lack it. (by @​alexander-akait in #156)

Changelog

Sourced from eslint-config-webpack's changelog.

4.9.6

Patch Changes

• Set reportUnusedDisableDirectives to "error". (by @​alexander-akait in #146)

• Ignore test module in n/no-unsupported-features/node-builtins rule. (by @​alexander-akait in #157)

• Respect minor engines.node versions when picking the ES feature set. The node-to-ES mapping now lives in configs/utils/get-es-version-from-node.js and uses semver ranges, so >=7.6 lands on ES2017 (async/await) instead of ES2016, and >=16.11 lands on ES2022 (Object.hasOwn) instead of older 16.x ranges that lack it. (by @​alexander-akait in #156)

Commits

• 4be45cc chore(release): new release (#147)
• 0d7c539 chore(deps): update (#158)
• a052d99 fix: ignore test module in n/no-unsupported-features/node-builtins rule (#157)
• d8359ff chore(deps): bump the dependencies group across 1 directory with 6 updates (#...
• aa0e27b chore(deps): bump changesets/action in the dependencies group (#153)
• 0987fa1 fix: respect minor Node versions when picking the ES feature set (#156)
• 837b2e0 chore(deps): bump typescript-eslint in the dependencies group (#148)
• 11232bd chore: update deps and set reportUnusedDisableDirectives to "error". (#146)
• 32eaa6f chore(deps): bump actions/setup-node in the dependencies group (#145)
• 2b53bb3 chore(deps): bump the dependencies group with 3 updates (#141)
• See full diff in compare view

Updates hono from 4.12.18 to 4.12.21

Release notes

Sourced from hono's releases.

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

v4.12.20

What's Changed

• fix(route): preserve the base path of the mounted route() app by @​usualoma in honojs/hono#4942
• fix(jsx): widen jsx and jsxFn children to Child[] by @​ashunar0 in honojs/hono#4947

New Contributors

• @​ashunar0 made their first contribution in honojs/hono#4947

Full Changelog: honojs/hono@v4.12.19...v4.12.20

v4.12.19

What's Changed

• ci: pin GitHub Actions to SHAs by @​yusukebe in honojs/hono#4932
• fix(serveStatic): make options parameter optional in all adapters by @​mixelburg in honojs/hono#4934
• fix(cookie): return the first cookie when there are multiple cookies with the same name by @​usualoma in honojs/hono#4922
• feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @​justinnais in honojs/hono#4913
• feat(cache): key cache entries by configured vary headers by @​usualoma in honojs/hono#4915
• feat(request): add bytes() by @​yusukebe in honojs/hono#4921
• fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @​yusukebe in honojs/hono#4940

New Contributors

• @​justinnais made their first contribution in honojs/hono#4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

Commits

• a83ddb8 4.12.21
• 6cbb025 Merge commit from fork
• c831020 Merge commit from fork
• 905aedb Merge commit from fork
• 5463db2 Merge commit from fork
• c657a39 4.12.20
• eb2d0c2 fix(jsx): widen jsx and jsxFn children to Child[] (#4947)
• dcabbec fix(route): preserve the base path of the mounted route() app (#4942)
• 7e62bcd 4.12.19
• e2f252a fix(stream): upgrade @hono/node-server to v2 and fix abort handling (#4940)
• Additional commits viewable in compare view

Updates lint-staged from 17.0.4 to 17.0.5

Release notes

Sourced from lint-staged's releases.

v17.0.5

Patch Changes

• #1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

Changelog

Sourced from lint-staged's changelog.

17.0.5

Patch Changes

• #1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

Commits

• cbd822e Merge pull request #1793 from lint-staged/changeset-release/main
• 1911244 chore(changeset): release
• 7339d7d Merge pull request #1792 from lint-staged/fix-max-arg-length-default
• 1f67271 fix: default maxArgLength to undefined instead of NaN when parsing cli ...
• See full diff in compare view

Updates webpack from 5.106.2 to 5.107.0

Release notes

Sourced from webpack's releases.

v5.107.0

Minor Changes

• Add module.generator.javascript.anonymousDefaultExportName option to control whether webpack sets .name to "default" for anonymous default export functions and classes per ES spec. Defaults to true for applications and false for libraries (when output.library is set) to avoid unnecessary bundle size overhead. Also extract anonymous default export .name fix-up into a shared runtime helper (__webpack_require__.dn), replacing repeated inline Object.defineProperty / Object.getOwnPropertyDescriptor calls with a single short call per module to reduce output size. (by @​xiaoxiaojx in #20894)

• Support module concatenation (scope hoisting) for CSS modules with text, css-style-sheet, style, and link export types (by @​xiaoxiaojx in #20851)

• The generator.exportsConvention function form for CSS modules now accepts string[] in addition to string. (by @​alexander-akait in #20914)

• Add linkInsert hook to CssLoadingRuntimeModule.getCompilationHooks(compilation) so plugin developers can control where stylesheet <link> elements are inserted into the document. (by @​alexander-akait in #20947)

• Add CssModulesPlugin.getCompilationHooks(compilation).orderModules hook. (by @​alexander-akait in #20978)

• Add a pure parser option for css/module and css/auto types matching postcss-modules-local-by-default's pure mode: every selector must contain at least one local class or id, otherwise webpack emits a build error. (by @​alexander-akait in #20946)

• Support CSS Modules @value identifiers as @import URLs and inside url() functions, e.g. @value path: "./other.css"; @import path; and @value bg: "./image.png"; .a { background: url(bg); } (by @​alexander-akait in #20925)

• Add experimental TypeScript support via experiments.typescript: true (auto-enabled by experiments.futureDefaults). Uses Node.js's built-in module.stripTypeScriptTypes (Node.js >= 22.6 with the stable mode: "strip" API, including Node.js 26) to transform .ts, .cts, .mts, data:text/typescript, and data:application/typescript modules — no type checking, only erasable TypeScript (types, generics, import type, casts). .tsx/JSX and non-erasable syntax (enum, namespace, parameter-property constructors, decorator metadata) are NOT supported; use a TSX-capable loader (e.g. ts-loader, swc-loader) for those. (by @​alexander-akait in #20964)

• Added an experiments.html flag that reserves the html module type for the first-class HTML entry-point support. (by @​aryanraj45 in #20902)

• Preserve defer / source import phase keywords on external dependencies in ESM output, the same way import attributes are preserved. (by @​alexander-akait in #20934)

• Support the #__NO_SIDE_EFFECTS__ annotation to mark functions as pure for better tree-shaking. (by @​hai-x in #20775)

• Add module.generator.html.extract for HTML modules and the matching output.htmlFilename / output.htmlChunkFilename filename templates (defaults derived from output.filename / output.chunkFilename with .js swapped for .html, mirroring the CSS pipeline). When extraction is on, the parsed and URL-rewritten HTML is emitted as a standalone .html output file alongside the module's JavaScript export. (by @​alexander-akait in #20979)

• Add "module-sync" to default conditionNames for resolver defaults to align with Node.js, which exposes the module-sync community condition for synchronously-loadable ESM. (by @​alexander-akait in #20933)

Patch Changes

• Fix CSS modules composes so composes: foo from "./self.module.css" from inside self.module.css no longer creates a duplicate module instance. Fix CSS modules composes parsing so local() and global() function wrappers are tracked per class name. Fix CSS modules composes: ... from "<file>" so the composed files load in an order consistent with every rule's local composes order, instead of source first-appearance order. (by @​alexander-akait in #20929)

• Avoid emitting the __webpack_require__ runtime in CSS bundles when all imported CSS modules were concatenated into the same scope. (by @​alexander-akait in #20936)

• Recompute the CSS chunk's [contenthash] and the rendered CSS bytes when an asset referenced by url()/src()/string in CSS changes its hashed filename. (by @​alexander-akait in #20938)

• Embed an inline sourceMappingURL data URI inside the CSS when the parser.exportType option are text, style, or css-style-sheet. Also merge @imported CSS at build time for text and css-style-sheet exportTypes so the bundle ships a single accurate inline source map covering every contributing file. Map each generated CSS-module class export line in the JS bundle back to its selector position in the original CSS file (e.g. btn: "..." → .btn { ... }). (by @​alexander-akait in #20886)

• Fix CSS modules deduplication so a .module.<ext> file imported both directly (JS) and via icss (composes from / :import) becomes a single module instance. (by @​alexander-akait in #20929)

• Preserve @charset at-rule when CSS modules use exportType: "text". (by @​alexander-akait in #20912)

• Resolve [hash]/[fullhash] placeholders in output.publicPath when generating url() references for experiments.css. (by @​alexander-akait in #20879)

• Fix HMR for concatenated CSS modules with style exportType by using stable per-module identifiers for injected style elements and tracking inner module IDs of concatenated modules in HMR records (by @​xiaoxiaojx in #20911)

• Fix CSS Modules @value resolution when the same local name is imported from multiple modules. (by @​alexander-akait in #20940)

• Fix typeof ns.default / ns.default instanceof X on a static import defer * as ns from "./mod" for default-only and default-with-named external modules under optimization.concatenateModules. The concatenated-module rewrite was collapsing ns.default to the deferred-namespace proxy itself instead of routing through the optimized .a getter (which lazily evaluates the module and returns its default value), so typeof ns.default observed "object" (the proxy) rather than the type of the default. The dynamic exportsType already used .a correctly; default-only and default-with-named now match. (by @​alexander-akait in #20910)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.107.0

Minor Changes

• Add module.generator.javascript.anonymousDefaultExportName option to control whether webpack sets .name to "default" for anonymous default export functions and classes per ES spec. Defaults to true for applications and false for libraries (when output.library is set) to avoid unnecessary bundle size overhead. Also extract anonymous default export .name fix-up into a shared runtime helper (__webpack_require__.dn), replacing repeated inline Object.defineProperty / Object.getOwnPropertyDescriptor calls with a single short call per module to reduce output size. (by @​xiaoxiaojx in #20894)

• Support module concatenation (scope hoisting) for CSS modules with text, css-style-sheet, style, and link export types (by @​xiaoxiaojx in #20851)

• The generator.exportsConvention function form for CSS modules now accepts string[] in addition to string. (by @​alexander-akait in #20914)

• Add linkInsert hook to CssLoadingRuntimeModule.getCompilationHooks(compilation) so plugin developers can control where stylesheet <link> elements are inserted into the document. (by @​alexander-akait in #20947)

• Add CssModulesPlugin.getCompilationHooks(compilation).orderModules hook. (by @​alexander-akait in #20978)

• Add a pure parser option for css/module and css/auto types matching postcss-modules-local-by-default's pure mode: every selector must contain at least one local class or id, otherwise webpack emits a build error. (by @​alexander-akait in #20946)

• Support CSS Modules @value identifiers as @import URLs and inside url() functions, e.g. @value path: "./other.css"; @import path; and @value bg: "./image.png"; .a { background: url(bg); } (by @​alexander-akait in #20925)

• Add experimental TypeScript support via experiments.typescript: true (auto-enabled by experiments.futureDefaults). Uses Node.js's built-in module.stripTypeScriptTypes (Node.js >= 22.6 with the stable mode: "strip" API, including Node.js 26) to transform .ts, .cts, .mts, data:text/typescript, and data:application/typescript modules — no type checking, only erasable TypeScript (types, generics, import type, casts). .tsx/JSX and non-erasable syntax (enum, namespace, parameter-property constructors, decorator metadata) are NOT supported; use a TSX-capable loader (e.g. ts-loader, swc-loader) for those. (by @​alexander-akait in #20964)

• Added an experiments.html flag that reserves the html module type for the first-class HTML entry-point support. (by @​aryanraj45 in #20902)

• Preserve defer / source import phase keywords on external dependencies in ESM output, the same way import attributes are preserved. (by @​alexander-akait in #20934)

• Support the #__NO_SIDE_EFFECTS__ annotation to mark functions as pure for better tree-shaking. (by @​hai-x in #20775)

• Add module.generator.html.extract for HTML modules and the matching output.htmlFilename / output.htmlChunkFilename filename templates (defaults derived from output.filename / output.chunkFilename with .js swapped for .html, mirroring the CSS pipeline). When extraction is on, the parsed and URL-rewritten HTML is emitted as a standalone .html output file alongside the module's JavaScript export. (by @​alexander-akait in #20979)

• Add "module-sync" to default conditionNames for resolver defaults to align with Node.js, which exposes the module-sync community condition for synchronously-loadable ESM. (by @​alexander-akait in #20933)

Patch Changes

• Fix CSS modules composes so composes: foo from "./self.module.css" from inside self.module.css no longer creates a duplicate module instance. Fix CSS modules composes parsing so local() and global() function wrappers are tracked per class name. Fix CSS modules composes: ... from "<file>" so the composed files load in an order consistent with every rule's local composes order, instead of source first-appearance order. (by @​alexander-akait in #20929)

• Avoid emitting the __webpack_require__ runtime in CSS bundles when all imported CSS modules were concatenated into the same scope. (by @​alexander-akait in #20936)

• Recompute the CSS chunk's [contenthash] and the rendered CSS bytes when an asset referenced by url()/src()/string in CSS changes its hashed filename. (by @​alexander-akait in #20938)

• Embed an inline sourceMappingURL data URI inside the CSS when the parser.exportType option are text, style, or css-style-sheet. Also merge @imported CSS at build time for text and css-style-sheet exportTypes so the bundle ships a single accurate inline source map covering every contributing file. Map each generated CSS-module class export line in the JS bundle back to its selector position in the original CSS file (e.g. btn: "..." → .btn { ... }). (by @​alexander-akait in #20886)

• Fix CSS modules deduplication so a .module.<ext> file imported both directly (JS) and via icss (composes from / :import) becomes a single module instance. (by @​alexander-akait in #20929)

• Preserve @charset at-rule when CSS modules use exportType: "text". (by @​alexander-akait in #20912)

• Resolve [hash]/[fullhash] placeholders in output.publicPath when generating url() references for experiments.css. (by @​alexander-akait in #20879)

• Fix HMR for concatenated CSS modules with style exportType by using stable per-module identifiers for injected style elements and tracking inner module IDs of concatenated modules in HMR records (by @​xiaoxiaojx in #20911)

• Fix CSS Modules @value resolution when the same local name is imported from multiple modules. (by @​alexander-akait in #20940)

... (truncated)

Commits

• 4657874 chore(release): new release (#20848)
• 7ba46b9 docs: simplify changelog
• 0b7de2f feat: support require(esm) "module.exports" named-export interop (#20981)
• f8076be build: upgrade typescript to v6 (#20982)
• 45a1bab feat(html): add module.generator.html.extract option (#20979)
• 490684a test: add full WHATWG lexer integration tests (#20974)
• 41d236c chore(deps): bump the dependencies group across 1 directory with 19 updates (...
• 865c051 fix: parse # in relative and absolute path directory names as part of the p...
• 561ee9b feat: added CssModulesPlugin.getCompilationHooks(compilation).orderModules ...
• dba0399 refactor(test): migrate errors.js/warnings.js to Jest snapshots (#20966)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: c738ff9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR