[Snyk] Upgrade koa from 2.13.1 to 2.16.4

[snyk-io]

Snyk has created this PR to upgrade koa from 2.13.1 to 2.16.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 16 versions ahead of your current version.

• The recommended version was released 22 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	HTTP Header Injection SNYK-JS-KOA-15353398	87	Proof of Concept
	Open Redirect SNYK-JS-KOA-10944994	87	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-KOA-8720152	87	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-KOA-9679272	87	Proof of Concept

Breaking Change Risk

Notice: This assessment is enhanced by AI.

Release notes

Package name: koa

• 2.16.4 - 2026-02-25
  

  What's Changed

  • fix(security): Host Header Injection via ctx.hostname by @ killagu GHSA-7gcc-r8m5-44qm
• 2.16.3 - 2025-10-18
  

  What's Changed

  • fix: normalize referer before redirect by @ fengmk2 in #1909

  Full Changelog: v2.16.2...v2.16.3

• 2.16.2 - 2025-07-30
  

  What's Changed

  • fix: only allow back redirect to the same origin referer by @ fengmk2 in #1898

  Full Changelog: v2.16.1...v2.16.2

• 2.16.1 - 2025-04-06
• 2.16.0 - 2025-02-27
• 2.15.4 - 2025-02-11
• 2.15.3 - 2024-04-11
• 2.15.2 - 2024-03-21
• 2.15.1 - 2024-03-15
• 2.15.0 - 2023-12-29
• 2.14.2 - 2023-04-12
• 2.14.1 - 2022-12-07
• 2.14.0 - 2022-12-06
• 2.13.4 - 2021-10-19
• 2.13.3 - 2021-09-24
• 2.13.2 - 2021-09-24
• 2.13.1 - 2021-01-04

from koa GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[snyk-io]

This is a minor version upgrade for Koa that includes several security fixes. No major API changes are documented, but a behavioral change was introduced to enhance security.

Key Changes:

• Medium Risk - Redirect Behavior: Version 2.16.2 fixes an Open Redirect vulnerability (CVE-2022-23634). The ctx.redirect('back') functionality is now restricted to only allow redirects to the same origin referer. Applications relying on the previous behavior of redirecting to any referer will be impacted.
• Security Fix: Version 2.16.1 addresses a Cross-site Scripting (XSS) vulnerability in ctx.redirect().

Recommendation:
Verify any usage of ctx.redirect('back') to ensure it is compatible with the new same-origin restriction. While this is a security improvement, it could be a breaking change for applications that were unintentionally (or intentionally) relying on the open redirect behavior.

Source: Koa GitHub Releases

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.