npm Lockfile Regression: [email protected] Vulnerability Persists Despite pnpm Fix (GHSA-458j-xx4x-4375)
A security regression has been identified in the project's dependency management, leaving anyone who installs with `npm install` (or `npm ci`) exposed to a known HTML injection vulnerability. A previous fix correctly updated the pnpm override to require `hono@>=4.12.14`, but `package-lock.json` was never regenerated. The npm lockfile therefore still pins the dependency to the vulnerable version `[email protected]`, creating a silent gap for every developer machine and CI/CD pipeline that resolves dependencies with npm instead of pnpm: the fix is recorded in `package.json` and `pnpm-lock.yaml`, yet npm never reads either of those and installs exactly what its own lockfile says.
The vulnerability, tracked as **GHSA-458j-xx4x-4375**, is a medium-severity HTML injection flaw (CWE-79, cross-site scripting; CVSS 4.3) in the `hono/jsx` server-side renderer. It stems from improper handling of JSX attribute names: attribute names are not adequately sanitized during rendering, so untrusted input that reaches an attribute name can inject markup into the response. The issue is a regression of a previously closed security ticket (#117). While `pnpm-lock.yaml` correctly resolves to the patched version `4.12.14`, `package-lock.json` remains stale, so the fix is effective for only one of the two package managers the repository supports.
This discrepancy creates a concrete operational risk. Development and deployment environments are now split by package-manager toolchain: teams running `npm install` will unknowingly deploy a vulnerable build, reopening a cross-site scripting vector that the project believes it has closed. Two details make this easy to miss. First, a `pnpm.overrides` entry in `package.json` is honoured only by pnpm; npm has its own top-level `overrides` field and ignores pnpm's. Second, `npm ci` installs precisely what `package-lock.json` records and does not re-resolve ranges, so the stale pin survives clean CI builds. Remediation is to add the equivalent npm `overrides` entry, regenerate the npm lockfile (`npm install --package-lock-only`), commit the result, and confirm with `npm audit` that the advisory no longer fires. More generally, any security patch in a multi-package-manager project must be followed by regenerating and reviewing every lockfile the repository ships, and CI should verify that the lockfiles agree on the resolved version of the patched dependency rather than trusting that a fix in one tool has propagated to the other.
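The kind of CI guard described above, as an added example that is not part of the original advisory or of the hono project: a Node script that extracts every resolved version of one dependency from both `package-lock.json` (npm lockfileVersion 2/3, which keys its `packages` map by install path) and `pnpm-lock.yaml` (whose `packages:` keys look like `/hono@4.12.14:` in lockfile v6 or `hono@4.12.14:` in v9, read here with a regex rather than a YAML library), then reports whether the two lockfiles disagree or either still resolves below the patched minimum. Both lockfile snippets are constructed for the example; the stale npm version `4.0.0` is a placeholder standing in for whatever the real stale pin is, and the simple version comparison assumes plain `x.y.z` versions with no prerelease tags.

```javascript
// Added example, not code from the advisory or the hono project.
// Detect lockfile drift for one dependency across npm and pnpm lockfiles.

const MIN_HONO = "4.12.14"; // the patched minimum from the pnpm override

// Constructed package-lock.json (lockfileVersion 3). "4.0.0" is a placeholder
// for a stale, pre-fix pin; it is not the version named in the advisory.
const NPM_LOCK = JSON.stringify({
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { hono: "^4.0.0" } },
    "node_modules/hono": {
      version: "4.0.0",
      resolved: "https://registry.npmjs.org/hono/-/hono-4.0.0.tgz",
    },
  },
});

// Constructed pnpm-lock.yaml (lockfile v9) reflecting the applied override.
const PNPM_LOCK = `
lockfileVersion: '9.0'
overrides:
  hono: '>=4.12.14'
importers:
  .:
    dependencies:
      hono:
        specifier: '>=4.12.14'
        version: 4.12.14
packages:
  hono@4.12.14:
    resolution: {integrity: sha512-constructedplaceholder==}
snapshots:
  hono@4.12.14: {}
`;

// Plain x.y.z comparison; prerelease tags are out of scope for this example.
function versionLt(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Every version of `name` an npm lockfile would install, including nested
// copies under some other package's node_modules directory.
function npmLockVersions(lockJson, name) {
  const packages = JSON.parse(lockJson).packages || {};
  const found = new Set();
  for (const [installPath, entry] of Object.entries(packages)) {
    if (installPath.endsWith(`node_modules/${name}`) && entry.version) {
      found.add(entry.version);
    }
  }
  return [...found].sort();
}

// Every version of `name` under `packages:` in a pnpm lockfile. Keys are
// "  /name@x.y.z:" (v6) or "  name@x.y.z:" (v9), optionally followed by a
// peer-dependency suffix in parentheses before the colon.
function pnpmLockVersions(lockYaml, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const keyRe = new RegExp(`^  /?${escaped}@(\\d+\\.\\d+\\.\\d+)[^\\n]*:\\s*$`, "gm");
  const found = new Set();
  for (const match of lockYaml.matchAll(keyRe)) found.add(match[1]);
  return [...found].sort();
}

// Compare both lockfiles for `name`. `stale` lists lockfiles that still
// resolve a version below `min`; `consistent` is true only when both
// lockfiles resolve exactly the same set of versions.
function checkLockfileDrift({ npmLock, pnpmLock, name, min }) {
  const npm = npmLockVersions(npmLock, name);
  const pnpm = pnpmLockVersions(pnpmLock, name);
  const stale = [];
  if (npm.some((v) => versionLt(v, min))) stale.push("package-lock.json");
  if (pnpm.some((v) => versionLt(v, min))) stale.push("pnpm-lock.yaml");
  const consistent =
    npm.length === pnpm.length && npm.every((v, i) => v === pnpm[i]);
  return { name, min, npm, pnpm, stale, consistent, ok: consistent && stale.length === 0 };
}

const report = checkLockfileDrift({
  npmLock: NPM_LOCK,
  pnpmLock: PNPM_LOCK,
  name: "hono",
  min: MIN_HONO,
});
console.log(JSON.stringify(report, null, 2));
```

In a real pipeline the script would read the two lockfiles from disk with `fs.readFileSync` and exit non-zero when `report.ok` is false, so that a patch merged for one package manager cannot pass CI while the other lockfile still pins the vulnerable release. For the constructed input it reports `npm: ["4.0.0"]`, `pnpm: ["4.12.14"]`, `stale: ["package-lock.json"]`, which is exactly the regression the advisory describes.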