chore(deps): bump the bun-dependencies group across 1 directory with 2 updates #7

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/bun/bun-dependencies-0d537a0cd8

dependabot bot commented on behalf of github on Apr 7, 2026

Bumps the bun-dependencies group with 2 updates in the / directory: hono and wrangler.

Updates hono from 4.12.9 to 4.12.12

Release notes

Sourced from hono's releases.

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4


Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.10...v4.12.11

v4.12.10

What's Changed

New Contributors

... (truncated)

Commits

Updates wrangler from 4.77.0 to 4.80.0

Release notes

Sourced from wrangler's releases.

wrangler@4.80.0

Minor Changes

  • #13151 9c4035b Thanks @​G4brym! - Add type generation for AI Search bindings

    Running wrangler types now generates AiSearchNamespace and AiSearchInstance types for ai_search_namespaces and ai_search config bindings respectively. Both simple and per-environment modes are supported.

    // wrangler.json
    {
      "ai_search_namespaces": [
        { "binding": "AI_SEARCH", "namespace": "production" }
      ],
      "ai_search": [
        { "binding": "BLOG_SEARCH", "instance_name": "cloudflare-blog" }
      ]
    }

    // Generated by `wrangler types`
    interface Env {
      AI_SEARCH: AiSearchNamespace;
      BLOG_SEARCH: AiSearchInstance;
    }
  • #13011 b9b7e9d Thanks @​ruifigueira! - Add experimental headful browser rendering support for local development

    Experimental: This feature may be removed or changed without notice.

    When developing locally with the Browser Rendering API, you can enable headful (visible) mode via the X_BROWSER_HEADFUL environment variable to see the browser while debugging:

    X_BROWSER_HEADFUL=true wrangler dev
    X_BROWSER_HEADFUL=true vite dev

    Note: when using @cloudflare/playwright, two Chrome windows may appear — the initial blank page and the one created by browser.newPage(). This is expected behavior due to how Playwright handles browser contexts via CDP.

  • #12992 48d83ca Thanks @​RiscadoA! - Add vpc_networks binding support for routing Worker traffic through a Cloudflare Tunnel or network.

    {
      "vpc_networks": [
        // Route through a specific Cloudflare Tunnel
        { "binding": "MY_FIRST_VPC", "tunnel_id": "<tunnel-id>" },
        // Route through the Cloudflare One mesh network
        { "binding": "MY_SECOND_VPC", "network_id": "cf1:network" }
      ]

... (truncated)

Commits
  • 0de6989 Version Packages (#13141)
  • d5bffde Use today as the compat date instead of relying on the actual workerd compat ...
  • 48d83ca [wrangler] Add vpc_networks binding support (#12992)
  • fb67a18 Bump the workerd-and-workers-types group with 2 updates (#13162)
  • 9c4035b [wrangler] Add type generation for AI Search bindings (#13151)
  • 4dc94fd Polish Cloudflare Vite plugin installation during autoconfig (#13150)
  • 14e72eb [wrangler] Fix D1 migration file ordering (#10126)
  • db60b94 Add gitignore-like helpers to cli package and remove old duplicated logic fro...
  • 5d29055 Bump the workerd-and-workers-types group with 2 updates (#13155)
  • 260d0ad Remove all removable eslint disabling comments for no-restricted-imports in...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
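
The ipRestriction() advisory in the hono v4.12.12 release notes above concerns IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. The following added example (not hono's code and not part of this pull request; every function name is hypothetical) shows the general defensive pattern of unwrapping the mapped form before matching IPv4 CIDR rules, next to a matcher that skips that step. It handles only the `::ffff:` and fully expanded `0:0:0:0:0:ffff:` spellings.

```javascript
// Added example, not hono's implementation; all function names are hypothetical.

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Unwrap ::ffff:a.b.c.d and ::ffff:hhhh:hhhh to dotted IPv4.
// Any other address is returned lower-cased and otherwise unchanged.
function canonicalizeClientIp(addr) {
  const a = addr.trim().toLowerCase();
  const m = /^(?:::|(?:0{1,4}:){5})ffff:(.+)$/.exec(a);
  if (!m) return a;
  if (ipv4ToInt(m[1]) !== null) return m[1];
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(m[1]);
  if (!hex) return a;
  const hi = parseInt(hex[1], 16);
  const lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 255, lo >> 8, lo & 255].join(".");
}

// True when the IPv4 address ip falls inside cidr ("a.b.c.d/n").
function inCidr(ip, cidr) {
  const [base, bitsStr = "32"] = cidr.split("/");
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  const bits = Number(bitsStr);
  if (ipN === null || baseN === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipN & mask) >>> 0) === ((baseN & mask) >>> 0);
}

// Matcher that compares the raw socket address: mapped forms never match.
const isDeniedRaw = (addr, rules) => rules.some((c) => inCidr(addr, c));

// Matcher that canonicalizes first, so both spellings hit the same rule.
const isDenied = (addr, rules) =>
  rules.some((c) => inCidr(canonicalizeClientIp(addr), c));
```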

…2 updates

Bumps the bun-dependencies group with 2 updates in the / directory: [hono](https://github.com/honojs/hono) and [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler).


Updates `hono` from 4.12.9 to 4.12.12
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.9...v4.12.12)

Updates `wrangler` from 4.77.0 to 4.80.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.80.0/packages/wrangler)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: bun-dependencies
- dependency-name: wrangler
  dependency-version: 4.80.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: bun-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and javascript labels on Apr 7, 2026
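
The serveStatic and toSSG() advisories in the hono v4.12.12 release notes quoted in this pull request are both path-normalization problems. The following added example (not hono's code and not part of this pull request; function names, the `/admin` prefix and the `./static` directory are hypothetical) normalizes a path once, uses that single result for both the access decision and the file lookup, and refuses output paths that climb above the root. It assumes the input has already been percent-decoded exactly once.

```javascript
// Added example, not hono's implementation; all names are hypothetical.

// Collapse repeated slashes and resolve "." / ".." segments.
// Returns null for backslashes, NUL bytes, or ".." climbing above the root.
function normalizePath(p) {
  if (p.includes("\\") || p.includes("\0")) return null;
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null;
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return "/" + out.join("/");
}

// Static file lookup: the route guard and the file path are derived from
// the same normalized string, so "//admin/x" and "/admin/x" are one route.
function resolveStatic(requestPath, protectedPrefixes, isAuthorized) {
  const path = normalizePath(requestPath);
  if (path === null) return { status: 400 };
  const guarded = protectedPrefixes.some(
    (pre) => path === pre || path.startsWith(pre + "/")
  );
  if (guarded && !isAuthorized) return { status: 403 };
  return { status: 200, file: "." + path };
}

// Static-site output: map a generated route under outDir, or return null
// when the route would resolve outside it.
function ssgOutputPath(outDir, routePath) {
  let rel = normalizePath(routePath);
  if (rel === null) return null;
  if (rel === "/") rel = "/index.html";
  return outDir.replace(/\/+$/, "") + rel;
}
```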