YTMD/youtube-music
1
0
Fork 0
Code Issues 445 Pull requests 34 Projects Releases 87 Packages Wiki Activity Actions

[Snyk] Security upgrade hono from 4.9.6 to 4.9.7 #3900

Open
th-ch wants to merge 1 commit from snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd into master
pull from: snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd
merge into: YTMD:master
Conversation 0 Commits 1 Files changed 1 +1 -1
th-ch commented 2025-09-15 14:02:28 +00:00 (Migrated from github.com)
Copy link

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning 
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue
medium severity HTTP Request Smuggling
SNYK-JS-HONO-12668833

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

![snyk-top-banner](https://res.cloudinary.com/snyk/image/upload/r-d/scm-platform/snyk-pull-requests/pr-banner-default.svg) ### Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project. #### Snyk changed the following file(s): - `package.json` #### Note for [zero-installs](https://yarnpkg.com/features/zero-installs) users If you are using the Yarn feature [zero-installs](https://yarnpkg.com/features/zero-installs) that was introduced in Yarn V2, note that this PR does not update the `.yarn/cache/` directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run `yarn` to update the contents of the `./yarn/cache` directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged. <details> <summary>⚠️ <b>Warning</b></summary> ``` Failed to update the yarn.lock, please update manually before merging. ``` </details> #### Vulnerabilities that will be fixed with an upgrade: | | Issue | :-------------------------:|:------------------------- ![medium severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/m.png 'medium severity') | HTTP Request Smuggling <br/>[SNYK-JS-HONO-12668833](https://snyk.io/vuln/SNYK-JS-HONO-12668833) --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - Max score is 1000. Note that the real score may have changed since the PR was raised. > - This PR was automatically created by Snyk using the credentials of a real user. --- **Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs._ For more information: <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiIxOGQ4N2Y2NC03ZjQ5LTQyMGYtYWYzMi1iNWY0ZTUxYzg3MjAiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6IjE4ZDg3ZjY0LTdmNDktNDIwZi1hZjMyLWI1ZjRlNTFjODcyMCJ9fQ==" width="0" height="0"/> 🧐 [View latest project report](https://app.snyk.io/org/th-ch/project/81809c53-bb7b-46b9-a0d7-806d45d74ac6?utm_source&#x3D;github&amp;utm_medium&#x3D;referral&amp;page&#x3D;fix-pr) 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates?utm_source=github&utm_content=fix-pr-template) 🛠 [Adjust project settings](https://app.snyk.io/org/th-ch/project/81809c53-bb7b-46b9-a0d7-806d45d74ac6?utm_source&#x3D;github&amp;utm_medium&#x3D;referral&amp;page&#x3D;fix-pr/settings) 📚 [Read about Snyk's upgrade logic](https://docs.snyk.io/scan-with-snyk/snyk-open-source/manage-vulnerabilities/upgrade-package-versions-to-fix-vulnerabilities?utm_source=github&utm_content=fix-pr-template) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Learn about vulnerability in an interactive lesson of Snyk Learn.](https://learn.snyk.io/?loc&#x3D;fix-pr) [//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"hono","from":"4.9.6","to":"4.9.7"}],"env":"prod","issuesToFix":["SNYK-JS-HONO-12668833"],"prId":"18d87f64-7f49-420f-af32-b5f4e51c8720","prPublicId":"18d87f64-7f49-420f-af32-b5f4e51c8720","packageManager":"yarn","priorityScoreList":[null],"projectPublicId":"81809c53-bb7b-46b9-a0d7-806d45d74ac6","projectUrl":"https://app.snyk.io/org/th-ch/project/81809c53-bb7b-46b9-a0d7-806d45d74ac6?utm_source=github&utm_medium=referral&page=fix-pr","prType":"fix","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["updated-fix-title","pr-warning-shown"],"type":"auto","upgrade":["SNYK-JS-HONO-12668833"],"vulns":["SNYK-JS-HONO-12668833"],"patch":[],"isBreakingChange":false,"remediationStrategy":"vuln"}'
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd:snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd
git switch snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master
git merge --no-ff snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd
git switch snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd
git rebase master
git switch master
git merge --ff-only snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd
git switch snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd
git rebase master
git switch master
git merge --no-ff snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd
git switch master
git merge --squash snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd
git switch master
git merge --ff-only snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd
git switch master
git merge snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd
git push origin master
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
awaiting-reply

Awaiting reply

  
breaking changes

   
bug

Something isn't working

  
cannot-reproduce

Bug cannot be reproduced

  
dependencies

Pull requests that update a dependency file

  
documentation

   
duplicate

This issue or pull request already exists

  
electron-issue

It's an Electron or Electron related dependencies issue (not YTM-Desktop issue)

  
enhancement

New feature or request

  
fix-available

A fix to the issue is available in a new version

  
good first issue

Good for newcomers

  
help wanted

Extra attention is needed

  
invalid

This doesn't seem right

  
javascript

Pull requests that update javascript code

  
need more information

Need more information about the issue

  
need rebase

This plugin need rebase

  
official-youtube-music-issue

It's an YouTube's issue (not YTM-Desktop issue)

  
plugin request

An issue/discussion requesting for a new plugin or new functionality to an existing plugin.

  
question

Further information is requested

  
release

Release

  
security

   
stale

   
Status: blocked

There are something to do before this

  
typo

   
wontfix

This will not be worked on

  
ytmd-issue

An issue/discussion about ytm desktop, unrelated to th-ch/youtube-music

No labels
awaiting-reply
breaking changes
bug
cannot-reproduce
dependencies
documentation
duplicate
electron-issue
enhancement
fix-available
good first issue
help wanted
invalid
javascript
need more information
need rebase
official-youtube-music-issue
plugin request
question
release
security
stale
Status: blocked
typo
wontfix
ytmd-issue
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: YTMD/youtube-music#3900
No description provided.
Delete branch "snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?