Security Vulnerability

After upgrading to v7, we started getting these Dependabot alerts for security vulnerabilities in the hono package. Is there a plan to address these vulnerabilities?
Prisma AI Help
You chose to compile with the bot. One moment while I piece together your answer…

I’m sorry, but the provided knowledge sources don’t mention Prisma 7 including hono as a dependency, nor do they discuss any hono-related security advisories or plans to address them. The docs and issues do show that the Prisma team takes dependency CVEs seriously and regularly bumps vulnerable packages like undici, cross-spawn, and others in scheduled releases. [undici CVE; cross-spawn CVE] They also sometimes provide guidance on using interim or dev builds when a specific security fix is pending a stable release. [instrumentation CVE]

However, there is no explicit information here about:
- hono being bundled with Prisma v7, or
- any open/closed issues or roadmap items about hono CVEs.

Given that, I can’t reliably confirm whether the alerts stem from Prisma’s own dependencies or from another package in your project, nor whether there’s already a fix in progress. Based on the available information, the best concrete steps are:
1. Open a GitHub issue on prisma/prisma including:
   - The exact Dependabot advisory links for hono.
   - Your package-lock.json / pnpm-lock.yaml snippet showing how hono is pulled in.
2. If you believe this is a security issue in Prisma itself, you can also report it via Prisma’s security contact: security@prisma.io. [Security contact]

I’m limited to the sources above, so I can’t say more with confidence about hono specifically.

🤔 Alright, thanks for letting us know that there's still some help needed. A team member will reply to you shortly. In the meantime, please let us know any additional info, questions, or which parts of the answer may need clarification.
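The bot asks for a lockfile snippet showing how hono is pulled in. As an added example (not code from the thread or from Prisma), the Node script below walks a lockfileVersion 3 package-lock.json and lists every dependency chain from the project root to a given package, including nested duplicate copies; the lock content, the package name "some-orm" and all version numbers are constructed placeholders.

```javascript
// Added example, not from the thread or from Prisma: trace how a package such
// as "hono" is pulled in by walking a lockfileVersion 3 package-lock.json.
// SAMPLE_LOCK is constructed; "some-orm", "express" and versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "some-orm": "^7.0.0", express: "^4.0.0" } },
    "node_modules/some-orm": { version: "7.0.0", dependencies: { hono: "^4.0.0" } },
    "node_modules/hono": { version: "4.0.0" },
    "node_modules/express": { version: "4.18.0", dependencies: { hono: "^3.0.0" } },
    // nested copy: express resolves its own hono rather than the hoisted one
    "node_modules/express/node_modules/hono": { version: "3.0.0" },
  },
};
// Package name of a lock entry path ("node_modules/a/node_modules/@s/b" -> "@s/b").
function nameOf(entryPath) {
  return entryPath === "" ? "(root)" : entryPath.split("node_modules/").pop();
}
// npm's lookup rule: the nearest enclosing node_modules that holds `dep` wins.
function resolveEntry(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Every dependency chain from the root project to `target`, each as a list of
// "name@version" strings, e.g. ["(root)", "some-orm@7.0.0", "hono@4.0.0"].
function findChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const walk = (entryPath, trail) => {
    if (trail.includes(entryPath)) return; // cycle guard
    const next = [...trail, entryPath];
    if (nameOf(entryPath) === target) { chains.push(next); return; }
    const entry = packages[entryPath] || {};
    const deps = { ...entry.dependencies, ...entry.optionalDependencies, ...entry.devDependencies };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveEntry(packages, entryPath, dep);
      if (resolved) walk(resolved, next);
    }
  };
  walk("", []);
  return chains.map((c) => c.map((p) => (p === "" ? "(root)" : `${nameOf(p)}@${packages[p].version}`)));
}
console.log(findChains(SAMPLE_LOCK, "hono").map((c) => c.join(" > ")).join("\n"));
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls hono` reports the same chains from the CLI.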
Nurul (2w ago)
Hi @WTLccochran! Could you please elaborate on what exactly is the security vulnerability about? Does it refer to code generated by Prisma? Or is Hono package using Prisma as a dependency?
WTLccochran (OP, 2w ago)
@Nurul I believe Prisma 7 is using Hono based on the new security vulnerability alerts from Dependabot. We are a SOC II Type 2 company and this alert requires us to take action. Here are the known security vulnerabilities.
Nurul (2w ago)
Ah, thanks for sharing the screenshot. It seems that it's the other way around: Prisma introduced a dependency on Hono, and Hono has some security vulnerability. Let me check with our ORM team internally regarding this.

Just got a confirmation. This will be fixed in Prisma 7.0.1, releasing next week.
