
chore(deps): bump hono from 4.12.5 to 4.12.14 (combines #40260, #40258) #40263

Merged: ggazzo merged 3 commits into develop from chore/combined-hono-bump on Apr 22, 2026

Member

@ggazzo ggazzo commented Apr 22, 2026

Summary

Combines the two Dependabot PRs that bump hono from 4.12.5 (pinned in #40172) to 4.12.14:

Both are needed together because hono is consumed by both packages. Merging individually would leave one package on the older pinned version.

Context

In #40172 hono was pinned to exactly 4.12.5 after we observed CI failures (ABAC, iframe auth) while rolling up several patch-level bumps simultaneously. Subsequent investigation pointed at cron (moment-timezone → luxon) and @noble/ed25519 as primary culprits — those were reverted. It's possible hono 4.12.14 now works fine in isolation; this PR tests that hypothesis.

Hono changelog highlights (v4.12.6 → v4.12.14)

  • v4.12.6: ReDoS fix in accept parser
  • v4.12.9: parseBody removed from bodyCache; CORS reflects origin on credentials+wildcard
  • v4.12.12: Security fixes for setCookie/getCookie name validation, static middleware path normalization, SSG path traversal, IPv4-mapped IPv6 IP restriction
  • v4.12.14: JSX attribute validation; AWS Lambda header handling

Test plan

  • CI passes all suites (unit, API CE/EE, API Livechat CE/EE, UI CE/EE, Federation Matrix)
  • If CI fails, the failing tests confirm hono as the root cause — not cron / noble-ed25519

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the hono HTTP routing framework from version 4.12.5 to 4.12.14 across multiple packages in the application stack.

Task: ARCH-2111
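The description's point that merging only one of the two bumps would leave one package on the older pin can be checked mechanically. The following is an added example, not code from this PR or its repository: the manifest contents are constructed stand-ins for the two files the PR touches, `auditDependency` is a hypothetical helper, and the 4.12.12 floor is an assumption taken from the changelog highlight that lists security fixes in that release.

```javascript
// Constructed sample manifests; the paths are the two files named in this PR,
// the contents are trimmed stand-ins, not the real package.json files.
const before = {
  'apps/meteor/package.json': { dependencies: { hono: '4.12.5' } },
  'packages/http-router/package.json': { dependencies: { hono: '4.12.5' } },
};
// What merging only one of the two Dependabot PRs would have produced.
const partial = {
  ...before,
  'packages/http-router/package.json': { dependencies: { hono: '4.12.14' } },
};
const after = {
  'apps/meteor/package.json': { dependencies: { hono: '4.12.14' } },
  'packages/http-router/package.json': { dependencies: { hono: '4.12.14' } },
};

// Accept only exact pins ("4.12.14"); ranges such as "^4.12.5" return null.
function parseExact(spec) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(spec);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Report skew between workspaces, non-exact specs, and pins below `floor`.
function auditDependency(manifests, name, floor) {
  const min = parseExact(floor); // assumed security floor, see lead-in
  const report = { versions: {}, unpinned: [], belowFloor: [], skew: false };
  for (const [file, pkg] of Object.entries(manifests)) {
    const spec = (pkg.dependencies || {})[name] ?? (pkg.devDependencies || {})[name];
    if (spec === undefined) continue; // workspace does not consume the package
    report.versions[file] = spec;
    const v = parseExact(spec);
    if (!v) report.unpinned.push(file);
    else if (compare(v, min) < 0) report.belowFloor.push(file);
  }
  report.skew = new Set(Object.values(report.versions)).size > 1;
  report.ok = !report.skew && !report.unpinned.length && !report.belowFloor.length;
  return report;
}

for (const [label, set] of Object.entries({ before, partial, after })) {
  console.log(label, JSON.stringify(auditDependency(set, 'hono', '4.12.12')));
}
```

Run as a CI step against the real manifests, a check like this fails the partial-merge state on both counts: the two workspaces disagree, and one is still below the floor.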

dependabot Bot and others added 3 commits April 22, 2026 16:30
Bumps [hono](https://github.com/honojs/hono) from 4.12.5 to 4.12.14.
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.5...v4.12.14)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.14
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [hono](https://github.com/honojs/hono) from 4.12.5 to 4.12.14.
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.5...v4.12.14)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.14
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor

dionisio-bot Bot commented Apr 22, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines


changeset-bot Bot commented Apr 22, 2026

⚠️ No Changeset found

Latest commit: dc367a9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


Contributor

coderabbitai Bot commented Apr 22, 2026

Walkthrough

The hono dependency version was updated from 4.12.5 to 4.12.14 across two package.json files in the Meteor app and HTTP router packages. No functional code changes or other dependencies were affected.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Hono Dependency Update: apps/meteor/package.json, packages/http-router/package.json | Updated hono dependency version from 4.12.5 to 4.12.14 in both files. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

type: chore

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: bumping the hono dependency from 4.12.5 to 4.12.14 across multiple packages, and references the combined PRs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@ggazzo ggazzo added this to the 8.5.0 milestone Apr 22, 2026

codecov Bot commented Apr 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.84%. Comparing base (0d68957) to head (dc367a9).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files


@@             Coverage Diff             @@
##           develop   #40263      +/-   ##
===========================================
+ Coverage    69.83%   69.84%   +0.01%     
===========================================
  Files         3296     3296              
  Lines       119173   119173              
  Branches     21480    21461      -19     
===========================================
+ Hits         83219    83236      +17     
+ Misses       32645    32642       -3     
+ Partials      3309     3295      -14     
| Flag | Coverage Δ |
|---|---|
| e2e | 59.77% <ø> (+0.04%) ⬆️ |
| e2e-api | 46.23% <ø> (+0.01%) ⬆️ |
| unit | 70.58% <ø> (ø) |


Member Author

ggazzo commented Apr 22, 2026

/jira ARCH-2083

@tassoevan tassoevan added this pull request to the merge queue Apr 22, 2026
@ggazzo ggazzo removed this pull request from the merge queue due to a manual request Apr 22, 2026
@ggazzo ggazzo merged commit afb1b83 into develop Apr 22, 2026
48 checks passed
@ggazzo ggazzo deleted the chore/combined-hono-bump branch April 22, 2026 20:30