CRITICAL CORS VULNERABILITY PATCHED ACROSS AI AND WORKFLOW, DEPENDABOT NOW RESTORES AUTOMATION
By RepoJournal · About Vercel
Hono's CORS middleware was reflecting credentials to arbitrary origins—both vercel/ai and vercel/workflow patched it overnight, and you need to upgrade before your next deploy.
CVE-2026-54290 (CVSS 7.1) hit hono versions before 4.12.25 [1] [2], where the CORS middleware with credentials enabled would echo back any request Origin header and send Access-Control-Allow-Credentials: true, exposing authenticated endpoints to cross-origin requests. Both repos deployed fixes immediately [1] [2]. Meanwhile, vercel/ai switched from Renovate to Dependabot [3], restoring automated dependency updates across main and two release branches now that Renovate is gone. On the security hardening front, vercel/ai also locked down GitHub Actions token permissions [4] and attached SLSA provenance to releases [5], pushing the OSSF Scorecard from 0/10 on token scoping to passing. Astro users in vercel/workflow got hit separately—CVE-2026-54299 requires bumping to 6.4.6 with no 5.x backport available [6]. Over in vercel/workflow, the payload compression RFC landed [7], cutting stored bytes by 73-89% using zstd with gzip fallback, and a critical SWC plugin fix [8] prevents dead-code elimination from stripping identifier references buried in destructuring defaults. The workflow CLI now prints deep links to observability dashboards [9], letting agents hand users clickable URLs instead of dashboard guesses.
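The misconfiguration behind CVE-2026-54290, as an added illustration that is not Hono's code or either repo's patch: a reflect-any-origin policy beside an allow-list policy, with a header check that flags the vulnerable combination. The origins and the allow-list are constructed values.

```javascript
// Added example, not Hono's middleware: models the CORS decision the article
// describes. Origins and the allow-list below are constructed for the demo.

// Weak policy: echoes whatever Origin the request carries and still sets
// Access-Control-Allow-Credentials: true. A browser will then let any site
// read responses from authenticated endpoints with the victim's cookies.
function reflectingCors(requestOrigin) {
  const headers = {};
  if (requestOrigin) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Hardened policy: credentials are paired only with an origin from a fixed
// allow-list; unknown origins get no CORS grant at all. Vary: Origin keeps
// shared caches from replaying one origin's headers to another.
function allowListCors(requestOrigin, allowedOrigins) {
  const headers = { Vary: 'Origin' };
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Detection: a response leaks credentials when it grants them to an origin
// outside the allow-list, or pairs them with the wildcard (browsers reject
// that pairing, but it signals the same misconfiguration).
function isCredentialLeak(headers, allowedOrigins) {
  const origin = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  return creds && (origin === '*' || !allowedOrigins.includes(origin));
}

const ALLOWED = ['https://app.example.com']; // constructed allow-list

// Run both policies against one request origin and report which one leaks.
function audit(requestOrigin) {
  return {
    reflecting: isCredentialLeak(reflectingCors(requestOrigin), ALLOWED),
    allowList: isCredentialLeak(allowListCors(requestOrigin, ALLOWED), ALLOWED),
  };
}

console.log(audit('https://unrelated.example')); // constructed foreign origin
```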
Action items
- Upgrade hono to 4.12.25 before the next production deploy; the CORS vulnerability is live and exploitable (vercel/ai) [immediate]
- Audit any Astro 5.x deployments in vercel/workflow and upgrade to 6.4.6; there is no 5.x backport (vercel/workflow) [immediate]
- Verify Dependabot is synced across your release branches after the vercel/ai migration (vercel/ai) [plan]
- Monitor the vercel/workflow payload compression rollout: 73-89% storage savings, verify no serialization regressions (vercel/workflow) [monitor]
References
- [1] fix(devtools): bump hono to ^4.12.25 (CVE-2026-54290) (#16166), vercel/ai
- [2] fix(deps): upgrade hono to 4.12.25 to resolve CVE-2026-54290 (#2462), vercel/workflow
- [3] ci: add Dependabot config, migrating from Renovate (#16174), vercel/ai
- [4] ci: restrict GitHub Actions workflow token permissions (#16172), vercel/ai
- [5] ci: attach SLSA provenance to GitHub Releases for OSSF Scorecard, vercel/ai
- [6] fix(deps): upgrade astro to 6.4.6 to resolve CVE-2026-54299 (#2457), vercel/workflow
- [7] RFC: compress serialized payload refs — zstd (gzip fallback), specVersion 5, vercel/workflow
- [8] fix(swc-plugin): count destructuring-default references in DCE usage analysis, vercel/workflow
- [9] feat(cli): print run deep links with `--url`, fix dashboard route, vercel/workflow
FAQ
- What changed in Vercel on June 17, 2026?
- Hono's CORS middleware was reflecting credentials to arbitrary origins—both vercel/ai and vercel/workflow patched it overnight, and you need to upgrade before your next deploy.
- What should Vercel teams do about it?
- Upgrade hono to 4.12.25 before next production deploy—CORS vulnerability is live and exploitable • Audit any Astro 5.x deployments in vercel/workflow and upgrade to 6.4.6 (no backport) • Verify Dependabot is synced across your release branches after vercel/ai migration
- Which Vercel repositories shipped on June 17, 2026?
- vercel/ai, vercel/workflow