## npm Lockfile Regression: Hono@4.12.12 Vulnerability Persists Despite pnpm Fix (GHSA-458j-xx4x-4375)
A security regression has been identified in a project's dependency management, leaving anyone who installs with `npm install` exposed to a known HTML injection vulnerability. A previous fix correctly updated the pnpm override to require `hono@>=4.12.14`, but `package-lock.json` was never regenerated. That npm lockfile still pins the dependency to the vulnerable version `hono@4.12.12`, creating a silent security gap for every developer or CI/CD pipeline that installs with npm rather than pnpm.

The vulnerability, tracked as **GHSA-458j-xx4x-4375**, is a medium-severity HTML injection flaw (CWE-79, CVSS 4.3) within the `hono/jsx` server-side rendering component. It stems from improper handling of JSX attribute names. The issue represents a regression of a previously closed security ticket (#117). While the `pnpm-lock.yaml` correctly resolves to the patched version `4.12.14`, the `package-lock.json` remains stale, meaning the fix is only effective for one package manager ecosystem.

This discrepancy creates a real operational risk. Development and deployment environments now differ depending on which package manager installs the dependencies: a pnpm install gets the patched release, while `npm install` unknowingly deploys the vulnerable one and opens a vector for cross-site scripting. An override in `package.json` only constrains what a resolver is allowed to choose; the installed version is whatever the lockfile records, so a patch is not complete until every lockfile the project ships has been regenerated and committed. This is a common pitfall in multi-package-manager projects, where a fix in one lockfile does not propagate to the other.
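The kind of CI gate that would have caught this, as an added example that is not part of the original report or of the Hono project: it reads the minimum version from the `overrides` / `pnpm.overrides` entry in `package.json`, then checks that both `package-lock.json` and `pnpm-lock.yaml` resolve the package to a version at or above that floor. The package manifest and both lockfiles below are constructed samples that mirror the situation on the page (stale npm lockfile, regenerated pnpm lockfile); a real check would read the files from the repository, and only the `>=x.y.z` override form is handled because that is the form the page describes.

```javascript
// Constructed sample inputs (not real project files).
const PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  overrides: { hono: ">=4.12.14" },           // npm override
  pnpm: { overrides: { hono: ">=4.12.14" } }  // pnpm override
});

// Stale npm lockfile (lockfileVersion 3 layout): still pins hono@4.12.12.
const PACKAGE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { hono: "^4.12.0" } },
    "node_modules/hono": {
      version: "4.12.12",
      resolved: "https://registry.npmjs.org/hono/-/hono-4.12.12.tgz"
    }
  }
});

// Regenerated pnpm lockfile (v9 layout): resolves hono to the patched release.
// The integrity value is a placeholder, not a real hash.
const PNPM_LOCK = `lockfileVersion: '9.0'
overrides:
  hono: '>=4.12.14'
importers:
  .:
    dependencies:
      hono:
        specifier: '>=4.12.14'
        version: 4.12.14
packages:
  hono@4.12.14:
    resolution: {integrity: sha512-constructedplaceholder}
`;

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing major.minor.patch numerically (prerelease tags ignored).
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Only the ">=x.y.z" override form is supported; anything else fails closed.
function minimumFromOverride(range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported override range: ${range}`);
  return m[1];
}

// Every copy of the package in the npm lockfile, including nested duplicates
// such as node_modules/foo/node_modules/hono.
function npmLockVersions(lockText, pkg) {
  const lock = JSON.parse(lockText);
  const versions = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`)) {
      versions.add(entry.version);
    }
  }
  return [...versions];
}

// Package keys in a v9 pnpm lockfile look like "  hono@4.12.14:" (peer
// suffixes, if any, follow in parentheses). A regex over those keys is enough
// here and avoids a YAML dependency.
function pnpmLockVersions(lockText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`^  ${escaped}@(\\d+\\.\\d+\\.\\d+[^:(\\s]*)`, "gm");
  return [...new Set([...lockText.matchAll(re)].map((m) => m[1]))];
}

// Fails closed: a lockfile that does not mention the package at all is
// reported as not ok, since an overridden package is expected to be present.
function checkLockfiles({ packageJson, packageLock, pnpmLock, pkg }) {
  const manifest = JSON.parse(packageJson);
  const range = (manifest.overrides || {})[pkg] || ((manifest.pnpm || {}).overrides || {})[pkg];
  if (!range) throw new Error(`no override for ${pkg} in package.json`);
  const minimum = minimumFromOverride(range);
  const resolved = {
    "package-lock.json": npmLockVersions(packageLock, pkg),
    "pnpm-lock.yaml": pnpmLockVersions(pnpmLock, pkg)
  };
  const files = {};
  for (const [file, versions] of Object.entries(resolved)) {
    const stale = versions.filter((v) => compareSemver(v, minimum) < 0);
    files[file] = { versions, stale, ok: versions.length > 0 && stale.length === 0 };
  }
  return { minimum, files, ok: Object.values(files).every((f) => f.ok) };
}

const report = checkLockfiles({
  packageJson: PACKAGE_JSON, packageLock: PACKAGE_LOCK, pnpmLock: PNPM_LOCK, pkg: "hono"
});
console.log(JSON.stringify(report, null, 2));
```

On the constructed inputs the report flags `package-lock.json` as stale at `4.12.12` while `pnpm-lock.yaml` passes at `4.12.14`, which is exactly the split the page describes. The remediation is to regenerate the npm lockfile from the manifest (`npm install --package-lock-only` updates `package-lock.json` without touching `node_modules`), confirm with `npm ls hono` that the resolved version is at or above the override floor, and commit the lockfile together with the override change so neither ecosystem is left behind.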
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: npm, pnpm, lockfile, security-vulnerability, dependency-management
- **Credibility**: unverified
- **Published**: 2026-04-20 17:23:12
- **ID**: 72817
- **URL**: https://whisperx.ai/en/intel/72817