fix(ci,deps): unblock v1.6.0 publish — restore npm upgrade, bump hono (CVE-2026-54290)

ihor-sokoliuk · claude · ihor-sokoliuk · commit 0d9c5ade5b89 · 2026-06-16T15:55:47.000-05:00
The v1.6.0 tag publish failed on both pipelines: - npm-publish: tokenless OIDC trusted publishing needs npm >= 11.5.1, but the `npm install -g npm` upgrade was removed (SEC-015). Restore it pinned to npm@11.17.0 and tighten the provenance check to require >= 11.5.1. - docker-publish: Trivy gated on HIGH CVE-2026-54290 in transitive hono@4.12.22. Add an npm override pinning hono to >= 4.12.25 (verified: image scan now clean). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -23,6 +23,11 @@ jobs:
           node-version: '20'
           registry-url: 'https://registry.npmjs.org/'
 
+      - name: Pin npm for OIDC trusted publishing
+        # Tokenless OIDC trusted publishing needs npm >= 11.5.1; Node 20 ships npm ~10.
+        # Pinned to a specific version (not @latest) to avoid a mutable supply-chain step.
+        run: npm install -g npm@11.17.0
+
       - name: Verify npm provenance support
         run: |
           NPM_VERSION="$(npm --version)"
@@ -33,8 +38,8 @@ jobs:
               throw new Error('Unable to determine npm version');
             }
             const [major, minor] = version;
-            if (major < 9 || (major === 9 && minor < 5)) {
-              throw new Error('npm >= 9.5.0 is required for npm publish --provenance');
+            if (major < 11 || (major === 11 && minor < 5)) {
+              throw new Error('npm >= 11.5.1 is required for OIDC trusted publishing');
             }
           "
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,10 +23,11 @@ Versions follow [Semantic Versioning](https://semver.org/).
 
 - **Least-privilege Docker workflow permissions:** `security-events: write` is now isolated to a dedicated image-scan job in both the publish and rebuild workflows, with `id-token: write` confined to the publish/sign job and workflow-level permissions kept read-only.
 
+- **Patched bundled `hono`:** Pinned the transitive `hono` dependency to ≥ 4.12.25 (via npm `overrides`) to resolve CVE-2026-54290 — a CORS middleware flaw that reflected any origin with credentials — in the published Docker image.
+
 ### Build / CI
 
 - Added a CI workflow that runs lint plus unit and integration tests on every pull request and push to `main`.
-- Removed the mutable global `npm install -g npm@latest` step from the publish workflow.
 
 ## [1.5.0] - 2026-06-12
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -71,5 +71,8 @@
         "supertest": "^7.2.2",
         "tsx": "4.22.4",
         "typescript": "^5.8.3"
+    },
+    "overrides": {
+        "hono": ">=4.12.25"
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -71,5 +71,8 @@`
`71`	`71`	`"supertest": "^7.2.2",`
`72`	`72`	`"tsx": "4.22.4",`
`73`	`73`	`"typescript": "^5.8.3"`
	`74`	`+ },`
	`75`	`+ "overrides": {`
	`76`	`+ "hono": ">=4.12.25"`
`74`	`77`	`}`
`75`	`78`	`}`