chore: bump hono + @hono/node-server in lockfile (security noise cleanup)

Resolves our dev-environment lockfile to hono@4.12.4 / @hono/node-server@1.19.10
to clear 9 Dependabot alerts for hono middleware vulns we don't exercise (we
never import serveStatic, ErrorBoundary, setCookie, writeSSE, or the various
auth/cache middlewares).

Published semver ranges are unchanged — catalogs still declare ^4.11.4 and
^1.19.9 which already accept the patched versions. This change does not affect
what consumers see.

Mechanics:
- root package.json resolutions: hono ^4.12.4, @hono/node-server ^1.19.10
  (root is private; resolutions affect our lockfile only, not published deps)
- minimumReleaseAgeExclude: updated entries for the new versions (both
  published 2026-03-03, under the 7-day gate)

Verified via pnpm pack: published @modelcontextprotocol/hono and
@modelcontextprotocol/node still ship ^4.11.4 / ^1.19.9.

Author: felixweinberger

package.json

@@ -77,6 +77,8 @@
         "zod": "catalog:runtimeShared"
     },
     "resolutions": {
-        "strip-ansi": "6.0.1"
+        "strip-ansi": "6.0.1",
+        "hono": "^4.12.4",
+        "@hono/node-server": "^1.19.10"
     }
 }

pnpm-lock.yaml

@@ -57,8 +57,8 @@ linkWorkspacePackages: deep
 minimumReleaseAge: 10080 # 7 days
 minimumReleaseAgeExclude:
     - '@modelcontextprotocol/conformance'
-    - hono@4.11.4 # fixes https://github.com/advisories/GHSA-3vhc-576x-3qv4  https://github.com/advisories/GHSA-f67f-6cw9-8mq4
-    - '@hono/node-server@1.19.9' # https://github.com/honojs/node-server/pull/295
+    - hono@4.12.4 # https://github.com/advisories/GHSA-q5qw-h33p-qvwr
+    - '@hono/node-server@1.19.10' # https://github.com/advisories/GHSA-wc8c-qw6v-h7f6
 
 onlyBuiltDependencies:
     - better-sqlite3