
chore(deps): npm audit fix — hono / fast-uri / ip-address advisories #1092

Merged
carlos-alm merged 1 commit into main from chore/audit-fix-2026-05-09 on May 10, 2026

Conversation

@carlos-alm
Contributor

Summary

  • Runs npm audit fix (non-breaking) against advisories published 2026-05-08 → 2026-05-09 that broke the Security audit job on main.
  • Bumps the following production-tree packages: @hono/node-server, fast-uri, hono, ip-address (via express-rate-limit).
  • No code changes. Lockfile-only patch.

Why

Production npm audit --omit=dev --audit-level=high is failing on main, blocking every open PR. The advisories landed after the 2026-05-08 successful main run.

Advisories addressed:

Test plan

  • npm audit --omit=dev --audit-level=high exits 0 locally
  • npm run lint passes
  • npx tsc --noEmit passes
  • npm test shows no new failures (pre-existing snapshot.test.ts flakes unchanged)
  • CI Security audit job passes on this branch
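The first item of the test plan is the production audit gate. The script below is an added example, not code from the PR or the project: it models how `npm audit --audit-level=high` decides to exit non-zero by reading the report that `npm audit --json` emits, and sorts the blocking findings by whether plain `npm audit fix` (no `--force`) can resolve them, which is the "non-breaking" distinction the summary relies on. The sample report is constructed; apart from GHSA-92pp-h63x-v22m, which the review comment on this PR quotes, every advisory id, version range and package name in it is a placeholder.

```javascript
// Added example, not code from the PR or the project: models the CI gate
//   npm audit --omit=dev --audit-level=high
// by reading the report that `npm audit --json` emits (auditReportVersion 2).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisory URLs for a finding. `via` holds advisory objects when the package
// itself is vulnerable and bare package names when it is only vulnerable
// through something it depends on.
function advisoryUrls(vuln) {
  return vuln.via.filter((v) => typeof v === 'object' && v.url).map((v) => v.url);
}

// How `npm audit fix` without --force can treat a finding: it only applies
// semver-compatible bumps, so a fix flagged isSemVerMajor is left alone.
function fixKind(vuln) {
  if (vuln.fixAvailable === true) return 'non-breaking';
  if (vuln.fixAvailable && vuln.fixAvailable.isSemVerMajor) return 'needs --force (semver major)';
  if (vuln.fixAvailable) return 'non-breaking';
  return 'no fix available';
}

// The --audit-level rule: any finding at or above `level` makes npm audit
// exit non-zero, which is what turns the CI job red.
function auditGate(report, level) {
  const threshold = SEVERITY_RANK[level];
  if (threshold === undefined) throw new Error(`unknown audit level: ${level}`);
  const blocking = Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= threshold)
    .map((v) => ({ name: v.name, severity: v.severity, advisories: advisoryUrls(v), fix: fixKind(v) }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
  return { pass: blocking.length === 0, blocking };
}

// Constructed sample in the shape of `npm audit --json`. Only
// GHSA-92pp-h63x-v22m comes from the PR; every other id, range and version
// here is a placeholder.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    '@hono/node-server': {
      name: '@hono/node-server', severity: 'high', isDirect: false,
      via: [{ name: '@hono/node-server', title: 'middleware bypass', severity: 'high',
              url: 'https://github.com/advisories/GHSA-92pp-h63x-v22m', range: '<PLACEHOLDER' }],
      effects: ['placeholder-pkg'], range: '<PLACEHOLDER',
      nodes: ['node_modules/@hono/node-server'], fixAvailable: true,
    },
    'fast-uri': {
      name: 'fast-uri', severity: 'moderate', isDirect: false,
      via: [{ name: 'fast-uri', title: 'placeholder advisory', severity: 'moderate',
              url: 'https://github.com/advisories/GHSA-PLACEHOLDER-0001', range: '<PLACEHOLDER' }],
      effects: [], range: '<PLACEHOLDER', nodes: ['node_modules/fast-uri'], fixAvailable: true,
    },
    // Constructed: has its own critical advisory and also inherits the
    // @hono/node-server one; the only available fix is a major bump.
    'placeholder-pkg': {
      name: 'placeholder-pkg', severity: 'critical', isDirect: true,
      via: [{ name: 'placeholder-pkg', title: 'placeholder advisory', severity: 'critical',
              url: 'https://github.com/advisories/GHSA-PLACEHOLDER-0002', range: '<2.0.0' },
            '@hono/node-server'],
      effects: [], range: '*', nodes: ['node_modules/placeholder-pkg'],
      fixAvailable: { name: 'placeholder-pkg', version: '2.0.0', isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 } },
};

const demo = auditGate(SAMPLE_REPORT, 'high');
console.log(demo.pass ? 'audit gate: pass' : 'audit gate: FAIL');
for (const b of demo.blocking) {
  console.log(`${b.severity}\t${b.name}\t${b.fix}\t${b.advisories.join(' ')}`);
}
```

To run it against a real tree, write `npm audit --omit=dev --json > report.json` (the `--omit=dev` restricts the report to the production dependencies, as the PR's command does; `npm audit` exits non-zero when it finds anything, but the file is still written) and pass the parsed file to `auditGate` in place of `SAMPLE_REPORT`. Findings listed as `needs --force (semver major)` are exactly the ones a non-breaking `npm audit fix` leaves behind, so they are what a gate like this one would still fail on after the fix.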

@claude

claude Bot commented May 9, 2026

Claude finished @carlos-alm's task


PR Review: Dependency Security Update ✅

Reviewing this security audit fix PR following the 5-phase review process:

Todo List:

  • Analyze the problem and root cause
  • Check for configuration changes (high scrutiny)
  • Verify test integrity
  • Review package-lock.json changes
  • Assess backlog compliance
  • Provide final recommendation

Phase 1: Root Cause Analysis ✅

Problem Being Solved: npm audit is failing on main due to security advisories published 2026-05-08 → 2026-05-09, blocking CI for all open PRs.

Why This Approach: Running npm audit fix is the standard approach for resolving security vulnerabilities in transitive dependencies.

Dependency Chain Verification:

  • @hono/node-server + hono: via @modelcontextprotocol/sdk (optional dependency for MCP server functionality)
  • fast-uri: via ajv (required by @modelcontextprotocol/sdk)
  • ip-address: via express-rate-limit (required by @modelcontextprotocol/sdk)

✅ All affected packages are legitimate transitive dependencies, not spurious additions.

Phase 2: Configuration Changes (High Scrutiny) ✅

No configuration changes detected. Only package-lock.json was modified - exactly what's expected for npm audit fix.

Phase 3: Test Integrity ✅

No test changes. The lockfile-only approach preserves all test behavior.

Phase 4: Code Quality ✅

Lockfile Analysis: Version bumps appear reasonable:

  • @hono/node-server: Updated to address middleware bypass (GHSA-92pp-h63x-v22m)
  • hono: Updated to 4.12.18 to address multiple advisories
  • fast-uri: Updated to 3.1.2 for path traversal/host confusion fixes
  • ip-address: Updated to 10.2.0 for XSS fix

All packages are marked as optional or devOptional in lockfile, maintaining the optional nature of MCP dependencies.

Phase 5: Backlog Compliance ✅

Root Cause Analysis

Problem Being Solved: Production security audit failing on main, blocking CI pipeline for all open PRs
Why This Approach: Standard npm audit fix for transitive dependency vulnerabilities is the correct approach
Risk Assessment: Low risk - lockfile-only changes to optional dependencies with legitimate security fixes

Backlog Compliance

  • Zero-dep: ✓ — No new runtime dependencies added, only version bumps to existing transitive deps
  • Foundation-aligned: ✓ — Maintains principle P1 (always-current) by unblocking CI; doesn't violate any core principles
  • Problem-fit: 3 — Security maintenance doesn't directly address core "AI navigation" problem but is essential infrastructure
  • Breaking: No — Lockfile-only changes with no API/CLI changes
  • Tier: 1 (zero-dep ✓ + foundation-aligned ✓)

Critical Concerns

None. This is a routine security maintenance PR addressing real vulnerabilities in the production dependency tree.

Final Recommendation

  • Rating: ⭐⭐⭐⭐☆ (4/5)
  • Action: APPROVE
  • Reasoning: Standard security maintenance that unblocks CI with no code changes and legitimate vulnerability fixes. The only missing element is verification that the audit actually passes with these changes, but the approach is sound and the dependency chain is properly verified.

Excellent practices demonstrated: lockfile-only approach, clear security advisory documentation, no configuration relaxation, no test weakening.
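The checks the review above walks through (Phase 2: only package-lock.json modified; Phase 4: version bumps only, optional flags preserved; backlog: no new runtime dependencies) can be done mechanically. The script below is an added example, neither the project's code nor the bot's: it diffs two lockfileVersion 3 documents and flags anything beyond a plain version bump, and adds two checks a reviewer of a supply-chain change usually wants that the comment does not mention, namely that every bumped entry still carries an integrity hash and that its tarball is still resolved from the same registry host. The `BEFORE` / `AFTER` lockfiles are constructed: the target versions are the ones the review names, while the starting versions, URLs and hashes are placeholders.

```javascript
// Added example, not the project's code: the lockfile review the comment
// above does by hand, as a script. It diffs two package-lock.json
// (lockfileVersion 3) documents and reports version bumps, packages added or
// removed, dev/optional flag changes, and entries whose integrity hash or
// registry host changed, so a "lockfile-only" PR can be checked mechanically.

const FLAG_KEYS = ['dev', 'optional', 'devOptional', 'peer'];

// Dependency class of a lockfile entry; an entry with none of the flags is
// a plain production dependency.
function flagsOf(entry) {
  return FLAG_KEYS.filter((k) => entry[k] === true).join(',') || 'prod';
}

function registryHost(entry) {
  try { return entry.resolved ? new URL(entry.resolved).host : null; } catch { return null; }
}

// A chore(deps) PR should touch nothing but the lockfile.
function isLockfileOnly(changedFiles) {
  return changedFiles.length > 0 && changedFiles.every((f) => f === 'package-lock.json');
}

function reviewLockfileChange(before, after) {
  const a = before.packages || {};
  const b = after.packages || {};
  const report = { bumped: [], added: [], removed: [], flagChanges: [], warnings: [] };
  for (const path of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (path === '') continue; // the root project entry, not a dependency
    const x = a[path];
    const y = b[path];
    if (!x) { report.added.push(path); continue; }
    if (!y) { report.removed.push(path); continue; }
    if (x.version !== y.version) {
      report.bumped.push({ path, from: x.version, to: y.version, flags: flagsOf(y) });
      if (!y.integrity) report.warnings.push(`${path}: bumped entry has no integrity hash`);
      const h1 = registryHost(x);
      const h2 = registryHost(y);
      if (h1 && h2 && h1 !== h2) report.warnings.push(`${path}: resolved host changed ${h1} -> ${h2}`);
    } else if (x.integrity !== y.integrity) {
      // Same version, different tarball: not something an audit fix produces.
      report.warnings.push(`${path}: integrity changed without a version change`);
    }
    if (flagsOf(x) !== flagsOf(y)) {
      report.flagChanges.push({ path, from: flagsOf(x), to: flagsOf(y) });
    }
  }
  // "Clean" means pure version bumps: nothing added or removed, every package
  // keeps its dev/optional class, and no supply-chain warnings.
  report.clean = report.added.length === 0 && report.removed.length === 0
    && report.flagChanges.length === 0 && report.warnings.length === 0;
  return report;
}

// Constructed lockfile entries. The "to" versions below are the ones the
// review names; the "from" versions, URLs and hashes are placeholders.
function lockEntry(name, version, flag, host = 'registry.npmjs.org') {
  return {
    version,
    resolved: `https://${host}/${name}/-/${name}-${version}.tgz`,
    integrity: `sha512-CONSTRUCTED-${name}-${version}`,
    license: 'MIT',
    ...(flag ? { [flag]: true } : {}),
  };
}
const BEFORE = {
  name: 'example-app', version: '0.0.0', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'example-app', version: '0.0.0' },
    'node_modules/hono': lockEntry('hono', '4.12.0-PLACEHOLDER', 'optional'),
    'node_modules/fast-uri': lockEntry('fast-uri', '3.1.0-PLACEHOLDER', 'devOptional'),
    'node_modules/ip-address': lockEntry('ip-address', '10.0.0-PLACEHOLDER', 'optional'),
  },
};
const AFTER = {
  ...BEFORE,
  packages: {
    '': BEFORE.packages[''],
    'node_modules/hono': lockEntry('hono', '4.12.18', 'optional'),
    'node_modules/fast-uri': lockEntry('fast-uri', '3.1.2', 'devOptional'),
    'node_modules/ip-address': lockEntry('ip-address', '10.2.0', 'optional'),
  },
};

console.log(JSON.stringify(reviewLockfileChange(BEFORE, AFTER), null, 2));
```

Against a real PR, load the output of `git show main:package-lock.json` and the branch's copy into `BEFORE` and `AFTER` with `JSON.parse`, and feed the lines from `git diff --name-only main...HEAD` to `isLockfileOnly`. A `clean: false` report, or any entry in `warnings`, is the case that deserves a human look before merge; a clean report with three bumps and unchanged `optional` / `devOptional` flags is the mechanical form of what Phase 4 above concludes.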


@carlos-alm carlos-alm merged commit 569faf7 into main May 10, 2026
22 checks passed
@carlos-alm carlos-alm deleted the chore/audit-fix-2026-05-09 branch May 10, 2026 02:50
@github-actions github-actions Bot locked and limited conversation to collaborators May 10, 2026