chore: resolve open dependabot security alerts #570

Merged: jonathannorris merged 4 commits into main from chore/dependabot-alerts-3 on May 28, 2026

Conversation

jonathannorris (Member) commented May 13, 2026

Summary

  • Resolved 10 open Dependabot security alerts by bumping vulnerable dependencies

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #235 | qs | medium | Added qs@npm:^6.14.0/^6.14.1 resolutions to ^6.15.2; resolved to 6.15.2 (DoS via comma-format null arrays) |
| #234 | ws | medium | Added ws@npm:8.18.0/^8.17.1 resolutions to ^8.20.1; resolved to 8.21.0 (uninitialized memory disclosure) |
| #232 | hono | medium | Bumped to 4.12.18 in mcp-worker (CSS Declaration Injection via JSX SSR) |
| #230 | hono | low | Bumped to 4.12.18 in mcp-worker (improper NumericDate validation in JWT) |
| #228 | hono | medium | Bumped to 4.12.18 in mcp-worker (Cache Middleware Vary header leak) |
| #227 | fast-uri | high | Lockfile bump to 3.1.2 via ^3.1.2 resolution; resolution later removed as upstream express-rate-limit already satisfies it (host confusion via percent-encoded delimiters) |
| #226 | fast-uri | high | Covered by above (path traversal via percent-encoded dot segments) |
| #224 | hono | medium | Covered by hono bump (unvalidated JSX tag names) |
| #222 | hono | medium | Covered by hono bump (bodyLimit bypass for chunked requests) |
| #213 | ip-address | medium | Lockfile-only bump: upgraded express-rate-limit from 8.3.1 to 8.5.2, which depends on ip-address@^10.2.0; lockfile now resolves to 10.2.0 |

Unresolvable Alerts

| Alert | Package | Severity | Reason |
|---|---|---|---|
| #237 | yeoman-environment | high | Requires oclif v4 (major upgrade); oclif@3 pins yeoman-environment@^3.15.1 and 6.x needs new peer deps (@yeoman/adapter, @yeoman/types, mem-fs) not provided by oclif@3 |
| #236 | uuid | medium | aws-sdk@2 pins uuid exactly at 8.0.0; patched version 11.1.1 is a major version with breaking API changes |
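The alert table above records, for each package, the version the lockfile now resolves to rather than just the resolutions entry in package.json; the fast-uri row shows why that distinction matters, since its resolution was later removed once express-rate-limit pulled in a patched version on its own. The script below is an added example, not code from this PR or the DevCycle project: it parses a Yarn Berry-style yarn.lock, collects every version each package resolves to, and checks each alerted package against the minimum patched version from the table. The lockfile excerpt and the alert list are constructed for the example (fast-uri is deliberately left on an older line so the failure path is exercised); the minimum versions are the ones stated in the table.

```javascript
// Verify that a Yarn Berry-style yarn.lock resolves each alerted package to
// at least its patched version. Added example for this PR page: the lockfile
// text and alert list are constructed here and are not the project's files;
// the minimum versions follow the PR's alert table.

// Constructed lockfile excerpt (Yarn Berry layout). fast-uri is intentionally
// left on an older version so the check reports a failure for it.
const SAMPLE_LOCKFILE = `
__metadata:
  version: 8

"fast-uri@npm:^3.0.1":
  version: 3.0.1
  resolution: "fast-uri@npm:3.0.1"
  languageName: node

"hono@npm:^4.12.18":
  version: 4.12.18
  resolution: "hono@npm:4.12.18"

"qs@npm:^6.14.0, qs@npm:^6.14.1, qs@npm:^6.15.2":
  version: 6.15.2
  resolution: "qs@npm:6.15.2"

"ws@npm:8.18.0, ws@npm:^8.17.1, ws@npm:^8.20.1":
  version: 8.21.0
  resolution: "ws@npm:8.21.0"

"ip-address@npm:^10.2.0":
  version: 10.2.0
  resolution: "ip-address@npm:10.2.0"
`;

// Minimum safe versions, taken from the PR description's alert table.
const ALERT_MINIMUMS = {
  qs: "6.15.2",
  ws: "8.20.1",
  hono: "4.12.18",
  "fast-uri": "3.1.2",
  "ip-address": "10.2.0",
};

// "name@npm:range" or "@scope/name@npm:range" -> package name.
function descriptorName(descriptor) {
  const at = descriptor.lastIndexOf("@");
  return at > 0 ? descriptor.slice(0, at) : descriptor;
}

// Map each package name to the set of versions the lockfile resolves it to.
// Handles the Berry layout only: an unindented, colon-terminated key listing
// comma-separated descriptors, followed by an indented "version:" line.
function resolvedVersions(lockText) {
  const result = new Map();
  let currentNames = [];
  for (const rawLine of lockText.split("\n")) {
    if (!rawLine.trim()) continue;
    if (!/^\s/.test(rawLine) && rawLine.endsWith(":")) {
      const key = rawLine.slice(0, -1).replace(/^"|"$/g, "");
      // The __metadata block carries the lockfile format version, not a package.
      currentNames = key === "__metadata"
        ? []
        : [...new Set(key.split(",").map((d) => descriptorName(d.trim())))];
      continue;
    }
    const m = rawLine.match(/^\s+version:\s*"?([^"\s]+)"?\s*$/);
    if (m) {
      for (const name of currentNames) {
        if (!result.has(name)) result.set(name, new Set());
        result.get(name).add(m[1]);
      }
    }
  }
  return result;
}

// Numeric major.minor.patch comparison; prerelease suffixes are ignored,
// which is adequate for the release versions a lockfile pins.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// One row per alerted package: every resolved version, and whether all of
// them meet the minimum. A package missing from the lockfile fails rather
// than silently passing, so a typo in the alert list cannot hide a gap.
function checkAlerts(lockText, minimums) {
  const resolved = resolvedVersions(lockText);
  return Object.entries(minimums).map(([name, minimum]) => {
    const versions = [...(resolved.get(name) || [])].sort(compareSemver);
    const ok = versions.length > 0 && versions.every((v) => compareSemver(v, minimum) >= 0);
    return { package: name, minimum, resolved: versions, ok };
  });
}

for (const row of checkAlerts(SAMPLE_LOCKFILE, ALERT_MINIMUMS)) {
  console.log(`${row.ok ? "ok  " : "FAIL"} ${row.package} needs >=${row.minimum}, lockfile has ${row.resolved.join(", ") || "(none)"}`);
}
```

Because the check reads the resolved versions rather than the resolutions field, it passes for ip-address (fixed by a lockfile-only bump with no resolution at all) and would still catch a regression if a later upgrade of express-rate-limit reintroduced an older fast-uri. Against a real repository, replace SAMPLE_LOCKFILE with the contents of yarn.lock and run it as a CI step that fails on any FAIL row.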

Copilot AI review requested due to automatic review settings May 13, 2026 13:34
@jonathannorris jonathannorris requested a review from a team as a code owner May 13, 2026 13:34
cloudflare-workers-and-pages (bot) commented May 13, 2026

Deploying with Cloudflare Workers


| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed | devcycle-mcp-server | a6396bc | May 28 2026, 01:36 PM |

Copilot AI left a comment

Pull request overview

This PR addresses open Dependabot security alerts by updating dependency versions and enforcing safer transitive resolutions via Yarn.

Changes:

  • Bumped hono to 4.12.18 (including mcp-worker) to pick up upstream security fixes.
  • Added a Yarn resolutions override for fast-uri to ensure a non-vulnerable version is selected.
  • Regenerated yarn.lock to reflect the updated dependency graph.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| yarn.lock | Updates lockfile entries to reflect hono@4.12.18 and the fast-uri resolution outcome. |
| package.json | Updates Yarn resolutions for hono and adds a fast-uri resolution override. |
| mcp-worker/package.json | Bumps hono dependency to 4.12.18. |


Comment thread on package.json (outdated)
@jonathannorris jonathannorris enabled auto-merge (squash) May 25, 2026 13:34
Copilot AI review requested due to automatic review settings May 26, 2026 15:11
Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

Comment thread on package.json
Copilot AI review requested due to automatic review settings May 28, 2026 13:36
@jonathannorris jonathannorris force-pushed the chore/dependabot-alerts-3 branch from aa0892f to a6396bc Compare May 28, 2026 13:36
Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

@jonathannorris jonathannorris merged commit 79ad346 into main May 28, 2026
6 checks passed
@jonathannorris jonathannorris deleted the chore/dependabot-alerts-3 branch May 28, 2026 13:40