fix(deps): update dependency koa to v2.16.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
koa	2.15.4 -> 2.16.1

GitHub Vulnerability Alerts

CVE-2025-32379

Summary

In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app.

Patches

This issue is patched in 2.16.1 and 3.0.0-alpha.5.

PoC

Coming soon...

Impact

1. Redirect user to another phishing site
2. Make request to another endpoint of the application based on user's cookie
3. Steal user's cookie

---

Release Notes

koajs/koa (koa)

v2.16.1

Compare Source

fix: don't render redirect values in anchor ref

v2.16.0

Compare Source

This is a backported release to fix core underlying issue with HEAD requests when using http2.createSecureServer. See discussion at https://github.com/koajs/koa/pull/1593 and https://github.com/koajs/koa/issues/1547.

• fix missing cleanup, if response socket is no longer writeable (issue 1547) (https://github.com/koajs/koa/pull/1593) 399cb6b

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

COMPARE TO master

Total Size Diff 📉 -1.36 KB

Diff by File

Name	Diff
pnpm-lock.yaml	📉 -1.36 KB