
fix(deps): bump hono for audit compliance#67

Merged
ndycode merged 1 commit into main from fix/hono-audit
Mar 10, 2026

Conversation

@ndycode
Owner

@ndycode ndycode commented Mar 10, 2026

Summary

  • Separate dependency/security PR to resolve the Hono high-severity audit finding so the new PR workflow can run audit:ci without mixing dependency churn into ci(actions): add dedicated pull request workflow #66.
  • Keeps this bump isolated so PR CI continues to focus on infrastructure plumbing while the new job completes.

Testing

  • npm run audit:ci
  • npm run typecheck
  • npm run build

Summary by cubic

Bump hono from 4.12.3 to 4.12.6 to resolve the high-severity audit finding and keep npm run audit:ci passing. Updates both dependencies and overrides; no app code changes.

Written for commit e259ead. Summary will update on new commits.

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

this PR bumps hono from 4.12.3 to 4.12.6 in both dependencies and overrides to satisfy npm audit --omit=dev --audit-level=high. the lockfile update is mechanically correct with the right resolved URL and new sha512 hash.

the audit compliance goal is sound, but the exact override pin (4.12.6) will block future security patches from automatically flowing through the tree. using >=4.12.6 in the override would be safer — it enforces the minimum security version while allowing patches to be picked up in future installs.

Confidence Score: 4/5

  • safe to merge for audit unblocking; version bump is correct and consistent with lockfile. one trade-off worth considering: exact override pin blocks future patches.
  • the mechanical change is sound — version bump, updated lockfile hash, overrides kept in sync. audit compliance is verified by the stated test (npm run audit:ci). score is 4/5 (not higher) because the exact override pin creates a latent hazard: if another CVE lands in hono before the next dep PR, this override will silently prevent the patch from applying to transitive consumers. consider the >=4.12.6 alternative.
  • package.json override pin warrants review

Important Files Changed

package.json: bumps hono from 4.12.3 → 4.12.6 in both dependencies and overrides to satisfy npm audit --omit=dev --audit-level=high. the version change is correct and aligns with the lockfile. however, the exact override pin (4.12.6) blocks future patch releases; using >=4.12.6 would allow patches to flow through automatically while still enforcing the minimum version.

package-lock.json: lockfile correctly reflects hono 4.12.6 with the new resolved URL and sha512 integrity hash. the mechanical change is consistent with package.json and verified.


Last reviewed commit: e259ead

Greptile also left 1 inline comment on this PR.

@coderabbitai
Contributor

coderabbitai Bot commented Mar 10, 2026

📝 Walkthrough

version bump for hono from 4.12.3 to 4.12.6 applied consistently across dependencies and overrides in package.json. no functional code changes introduced.

Changes

Dependency Version Bump (package.json): bumped hono from 4.12.3 to 4.12.6 in both dependencies and overrides sections.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

bug

notes:

  • version bump is clean and consistent across both sections. no misalignment between dependencies and overrides.
  • hono 4.12.4, 4.12.5, and 4.12.6 should have been validated against existing middleware and handler patterns before merge. did you verify this in a local environment?
  • no regression tests added or modified here, which is expected for a dependency bump. however, ensure the consuming codebase has adequate test coverage around http request/response handling that would catch any incompatibilities.
  • windows path handling in hono shouldn't be affected by a patch bump, but flag it if any platform-specific routing behavior was modified in those releases.
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Description check: ⚠️ Warning. The PR description provides context about the audit fix and testing steps, but deviates significantly from the required template structure and validation checklist. Resolution: Align description with the template: add explicit sections for 'Summary', 'What Changed', complete the Validation checklist (npm run lint, typecheck, test, documentation test, build), and fill Docs/Governance and Risk/Rollback sections.
✅ Passed checks (2 passed)
Title check: ✅ Passed. title follows conventional commits format with fix type, (deps) scope, and summary under 72 chars in lowercase imperative.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files

Comment thread package.json
},
"overrides": {
"hono": "4.12.3",
"hono": "4.12.6",
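Review bot: the override in this hunk is an exact pin ("hono": "4.12.6"), so every transitive copy of hono is forced to exactly 4.12.6 and a later patch release will not be picked up until package.json is edited again. If the pin is relaxed, prefer a range bounded below the next major, such as "^4.12.6", rather than an open-ended ">=4.12.6", which would also admit a future hono 5.x into transitive consumers. Note as well that with package-lock.json committed, the resolved version only moves when the lockfile is regenerated, so npm run audit:ci in CI remains the control that catches a newly published advisory regardless of which range form is chosen.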

exact override pin blocks future security patches. "hono": "4.12.6" forces any transitive consumer back to 4.12.6, even if a patch like 4.12.7 is released. if another CVE lands in hono before the next dep PR, this override actively blocks the fix.

consider ">=4.12.6" instead — allows future patches while enforcing the minimum security version:

Suggested change
"hono": "4.12.6",
"hono": ">=4.12.6",
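The override trade-off raised in the Greptile summary and in the inline comment above, as an added example (not code from this PR or from the hono project): a small Node.js check that reads a package.json object, flags exact override pins, open-ended ranges, and ranges that dip below a minimum safe version, and shows which versions each range form would admit. The sample package.json and the minimum-version map are constructed for the example; the range parser handles only exact, ">=" and "^" forms with a major of 1 or higher, and is not the semver library npm itself uses.

```javascript
// Added example (not code from this PR or from hono): a small check over the
// "overrides" block of a package.json, showing what each pin form would admit.
// Supports only the range forms discussed in the thread: an exact version,
// ">=x.y.z" and "^x.y.z" (caret assumed on a major >= 1; npm's narrower rule
// for 0.x versions is not implemented here).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// -1, 0 or 1, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version an override range still admits (used for the minimum check).
function lowestAllowed(range) {
  const r = range.trim();
  if (r.startsWith(">=")) return r.slice(2).trim();
  if (r.startsWith("^")) return r.slice(1).trim();
  return r; // exact pin
}

// Would an installed `version` satisfy the override `range`?
function overrideAllows(range, version) {
  const r = range.trim();
  if (r.startsWith(">=")) return compareVersions(version, r.slice(2).trim()) >= 0;
  if (r.startsWith("^")) {
    const base = r.slice(1).trim();
    return parseVersion(version)[0] === parseVersion(base)[0] &&
      compareVersions(version, base) >= 0;
  }
  return compareVersions(version, r) === 0; // exact pin: only that one version
}

// Review each override against the direct dependency entry and a map of
// minimum safe versions (e.g. the version that closes an advisory).
function auditOverrides(pkg, minimumSafe = {}) {
  const deps = pkg.dependencies || {};
  const findings = [];
  for (const [name, range] of Object.entries(pkg.overrides || {})) {
    const issues = [];
    if (name in deps && deps[name] !== range) {
      issues.push("dependencies and overrides disagree");
    }
    if (/^\d/.test(range.trim())) {
      issues.push("exact pin: a future patch release would not flow through");
    }
    if (range.trim().startsWith(">=")) {
      issues.push("unbounded range: a future major release would satisfy it");
    }
    if (minimumSafe[name] && compareVersions(lowestAllowed(range), minimumSafe[name]) < 0) {
      issues.push(`range admits versions below ${minimumSafe[name]}`);
    }
    findings.push({ name, range, issues });
  }
  return findings;
}

// Constructed sample mirroring the shape of the PR's package.json after the bump.
const samplePackageJson = {
  dependencies: { hono: "4.12.6" },
  overrides: { hono: "4.12.6" },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditOverrides(samplePackageJson, { hono: "4.12.6" })) {
    console.log(`${f.name} ${f.range}: ${f.issues.join("; ") || "ok"}`);
  }
  for (const range of ["4.12.6", ">=4.12.6", "^4.12.6"]) {
    for (const v of ["4.12.7", "5.0.0"]) {
      console.log(`${range} admits ${v}? ${overrideAllows(range, v)}`);
    }
  }
}
```

Run with `node overrides-check.js`; the first block of output flags the exact pin in the sample, and the second shows that "4.12.6" admits neither a later patch nor a later major, ">=4.12.6" admits both, and "^4.12.6" admits the patch but not the major. The minimum-version map is where a maintainer would record the version that closes the advisory, so that a later relaxation of the range cannot accidentally re-admit the vulnerable releases.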

@ndycode
Owner Author

ndycode commented Mar 10, 2026

This PR is the audit/dependency companion to #66 and should merge before (or alongside) #66 so the new audit gate passes.

@ndycode ndycode merged commit d4d884c into main Mar 10, 2026
4 checks passed
@ndycode ndycode deleted the fix/hono-audit branch March 11, 2026 10:35
ndycode added a commit that referenced this pull request Apr 6, 2026
fix(deps): bump hono for audit compliance