
CRITICAL CORS VULNERABILITY PATCHED ACROSS AI AND WORKFLOW, DEPENDABOT NOW RESTORES AUTOMATION

By RepoJournal

Hono's CORS middleware was reflecting credentials to arbitrary origins—both vercel/ai and vercel/workflow patched it overnight, and you need to upgrade before your next deploy.

CVE-2026-54290 (CVSS 7.1) affects hono versions before 4.12.25 [1] [2]: with credentials enabled, the CORS middleware would echo back any request Origin header and send Access-Control-Allow-Credentials: true, exposing authenticated endpoints to credentialed cross-origin requests from any site. Both repos deployed fixes immediately [1] [2].

Meanwhile, vercel/ai switched from Renovate to Dependabot [3], restoring automated dependency updates across main and two release branches now that Renovate is gone. On the security hardening front, vercel/ai also locked down GitHub Actions token permissions [4] and attached SLSA provenance to releases [5], pushing the OSSF Scorecard from 0/10 on token scoping to passing.

Astro users in vercel/workflow got hit separately: CVE-2026-54299 requires bumping to 6.4.6, with no 5.x backport available [6]. Also in vercel/workflow, the payload compression RFC landed [7], cutting stored bytes by 73-89% using zstd with gzip fallback, and a critical SWC plugin fix [8] prevents dead-code elimination from stripping identifier references buried in destructuring defaults. The workflow CLI now prints deep links to observability dashboards [9], letting agents hand users clickable URLs instead of dashboard guesses.
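The header combination behind CVE-2026-54290, as an added example that is not code from Hono, vercel/ai or vercel/workflow: a reflecting CORS decision next to an allowlist-based one, plus a check a team can run over its own endpoint's response headers. Origins and the allowlist are constructed values.

```javascript
// Added example, not code from Hono or the Vercel repos. Models the CORS
// decision the digest describes and provides a header check a defender can
// run against their own endpoint's responses.

// Vulnerable shape: echo whatever Origin arrived and still allow credentials.
// This is the behaviour the digest attributes to hono < 4.12.25.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened shape: credentials are granted only to an explicit allowlist; any
// other origin gets no CORS headers, so the browser blocks the cross-origin read.
function allowlistCorsHeaders(requestOrigin, allowedOrigins) {
  if (!requestOrigin || !allowedOrigins.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin', // keep caches from serving one origin's grant to another
  };
}

// Defender check: true when a response grants credentialed access to an origin
// that is not in your own allowlist. Header names are matched case-insensitively.
// Browsers reject '*' with credentials, so an exact echo is the dangerous case.
function isUnexpectedCredentialGrant(requestOrigin, responseHeaders, knownOrigins) {
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  const acao = h['access-control-allow-origin'];
  const acac = (h['access-control-allow-credentials'] || '').toLowerCase();
  return acao === requestOrigin && acac === 'true' && !knownOrigins.includes(requestOrigin);
}

// Constructed sample values for a stand-alone run.
const KNOWN = ['https://app.example'];           // constructed allowlist
const OTHER = 'https://not-registered.example';  // constructed, unregistered origin

console.log(isUnexpectedCredentialGrant(OTHER, reflectingCorsHeaders(OTHER), KNOWN));      // true
console.log(isUnexpectedCredentialGrant(OTHER, allowlistCorsHeaders(OTHER, KNOWN), KNOWN)); // false
```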

References

  [1] fix(devtools): bump hono to ^4.12.25 (CVE-2026-54290) (#16166), vercel/ai
  [2] fix(deps): upgrade hono to 4.12.25 to resolve CVE-2026-54290 (#2462), vercel/workflow
  [3] ci: add Dependabot config, migrating from Renovate (#16174), vercel/ai
  [4] ci: restrict GitHub Actions workflow token permissions (#16172), vercel/ai
  [5] ci: attach SLSA provenance to GitHub Releases for OSSF Scorecard, vercel/ai
  [6] fix(deps): upgrade astro to 6.4.6 to resolve CVE-2026-54299 (#2457), vercel/workflow
  [7] RFC: compress serialized payload refs — zstd (gzip fallback), specVersion 5, vercel/workflow
  [8] fix(swc-plugin): count destructuring-default references in DCE usage analysis, vercel/workflow
  [9] feat(cli): print run deep links with `--url`, fix dashboard route, vercel/workflow

FAQ

What changed in Vercel on June 17, 2026?
Hono's CORS middleware was reflecting credentials to arbitrary origins—both vercel/ai and vercel/workflow patched it overnight, and you need to upgrade before your next deploy.
What should Vercel teams do about it?
  • Upgrade hono to 4.12.25 before the next production deploy; the CORS vulnerability is live and exploitable
  • Audit any Astro 5.x deployments in vercel/workflow and upgrade to 6.4.6 (no backport)
  • Verify Dependabot is synced across your release branches after the vercel/ai migration
Which Vercel repositories shipped on June 17, 2026?
vercel/ai, vercel/workflow
