
chore: upgrade hono to ^4.12.25 to address CVE-2026-54287 #1322

Merged
brendan-kellam merged 3 commits into main from linear/sou-1346-sourcebot-devsourcebot-cve-2026-54287-hono-aws-lambda-d7de on Jun 17, 2026

Conversation

@brendan-kellam brendan-kellam commented Jun 17, 2026

Fixes SOU-1346

Refreshes the hono lockfile entry to 4.12.25 to address CVE-2026-54287 (GHSA-j6c9-x7qj-28xf), where the AWS Lambda adapter merges multiple Set-Cookie headers into one comma-joined value.

hono is a transitive dependency (@modelcontextprotocol/sdk → hono@^4.11.4). The existing range already admitted the patched version, so only yarn.lock needed refreshing (yarn up -R hono) — no package.json or resolutions change. Verified with yarn why hono that all instances now resolve to 4.12.25.

Summary by CodeRabbit

  • Chores
    • Updated release documentation with dependency maintenance notes.
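The header-folding behaviour the CVE describes, as an added example (not hono's adapter code and not part of this PR): a lossy header-map conversion beside a safe one, and a check for folded values. It assumes the API Gateway HTTP API v2 / Lambda function URL response shape with its `cookies` array; the sample headers are constructed.

```javascript
// Added example, not code from hono or Sourcebot: the failure class behind the
// fix (several Set-Cookie headers collapsed into one comma-joined value) next
// to a safe conversion, plus a check a test suite can run on adapter output.
// Assumes the API Gateway HTTP API v2 / Lambda function URL response shape,
// whose `cookies` array exists because `headers` holds one string per name.

// Constructed sample: two cookies the app wants to set. The second carries an
// Expires date, which itself contains a comma; RFC 6265 notes Set-Cookie can't
// be folded into one field the way other repeated headers can.
const SAMPLE_HEADERS = [
  ["content-type", "text/html; charset=utf-8"],
  ["set-cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
  ["set-cookie", "csrf=xyz789; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure"],
];

// Lossy conversion: a generic header-map builder joins repeated names with ", ",
// which HTTP permits for most headers but which destroys Set-Cookie boundaries.
function toLambdaResponseFolded(statusCode, headerPairs) {
  const headers = {};
  for (const [name, value] of headerPairs) {
    const key = name.toLowerCase();
    headers[key] = key in headers ? `${headers[key]}, ${value}` : value;
  }
  return { statusCode, headers };
}

// Safe conversion: every Set-Cookie value goes into `cookies` untouched.
function toLambdaResponseSafe(statusCode, headerPairs) {
  const headers = {};
  const cookies = [];
  for (const [name, value] of headerPairs) {
    const key = name.toLowerCase();
    if (key === "set-cookie") {
      cookies.push(value);
      continue;
    }
    headers[key] = key in headers ? `${headers[key]}, ${value}` : value;
  }
  return { statusCode, headers, cookies };
}

// Detection: a Set-Cookie string (in `headers` or `cookies`) containing ", name="
// after its first cookie-pair has been folded. The Expires comma is followed by
// a day number and a space rather than "token=", so it does not trigger.
function hasFoldedSetCookie(lambdaResponse) {
  const folded = lambdaResponse.headers?.["set-cookie"];
  const values = [...(lambdaResponse.cookies ?? []), ...(folded ? [folded] : [])];
  return values.some((v) => /,\s*[^=;,\s]+=/.test(v));
}
```

Splitting the folded string on ", " does not recover the cookies either, since the Expires date is cut in half; keeping the values separate at the adapter boundary is the only correct option.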

coderabbitai Bot commented Jun 17, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between c0780a1 and c06286b.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • CHANGELOG.md

Walkthrough

A single line is added to CHANGELOG.md under the ## [Unreleased] section, recording a "Fixed" entry that the hono dependency was upgraded to ^4.12.25, referencing PR #1322.

Changes

Changelog Entry

Layer / File(s): Unreleased changelog entry for hono bump (CHANGELOG.md)
Summary: Adds a Fixed bullet under [Unreleased] noting hono was upgraded to ^4.12.25.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Possibly related PRs

  • sourcebot-dev/sourcebot#1186: Same pattern — a hono dependency bump recorded in CHANGELOG.md under [Unreleased] → Fixed, bumping hono to ^4.12.18.
  • sourcebot-dev/sourcebot#1289: Directly related — another hono version bump changelog entry (^4.12.24) in the same [Unreleased] → Fixed section.


@brendan-kellam brendan-kellam marked this pull request as ready for review June 17, 2026 22:26
github-actions Bot commented Jun 17, 2026

License Audit

⚠️ Status: PASS

Metric                   Count
Total packages           2136
Resolved (non-standard)  20
Unresolved               0
Strong copyleft          0
Weak copyleft            38

Weak Copyleft Packages (informational)

Package                              Version  License
@img/sharp-libvips-darwin-arm64      1.0.4    LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64      1.2.4    LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64        1.0.4    LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64        1.2.4    LGPL-3.0-or-later
@img/sharp-libvips-linux-arm         1.0.5    LGPL-3.0-or-later
@img/sharp-libvips-linux-arm         1.2.4    LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64       1.0.4    LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64       1.2.4    LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64       1.2.4    LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64     1.2.4    LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x       1.0.4    LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x       1.2.4    LGPL-3.0-or-later
@img/sharp-libvips-linux-x64         1.0.4    LGPL-3.0-or-later
@img/sharp-libvips-linux-x64         1.2.4    LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64   1.0.4    LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64   1.2.4    LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64     1.0.4    LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64     1.2.4    LGPL-3.0-or-later
@img/sharp-wasm32                    0.33.5   Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32                    0.34.5   Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64               0.34.5   Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32                0.33.5   Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32                0.34.5   Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64                 0.33.5   Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64                 0.34.5   Apache-2.0 AND LGPL-3.0-or-later
axe-core                             4.10.3   MPL-2.0
lightningcss                         1.32.0   MPL-2.0
lightningcss-android-arm64           1.32.0   MPL-2.0
lightningcss-darwin-arm64            1.32.0   MPL-2.0
lightningcss-darwin-x64              1.32.0   MPL-2.0
lightningcss-freebsd-x64             1.32.0   MPL-2.0
lightningcss-linux-arm-gnueabihf     1.32.0   MPL-2.0
lightningcss-linux-arm64-gnu         1.32.0   MPL-2.0
lightningcss-linux-arm64-musl        1.32.0   MPL-2.0
lightningcss-linux-x64-gnu           1.32.0   MPL-2.0
lightningcss-linux-x64-musl          1.32.0   MPL-2.0
lightningcss-win32-arm64-msvc        1.32.0   MPL-2.0
lightningcss-win32-x64-msvc          1.32.0   MPL-2.0

Resolved Packages (20)
Package                  Version  Original                Resolved             Source
@react-grab/cli          0.1.23   UNKNOWN                 MIT                  GitHub repo (aidenybai/react-grab LICENSE)
@react-grab/cli          0.1.29   UNKNOWN                 MIT                  GitHub repo (aidenybai/react-grab LICENSE)
@react-grab/mcp          0.1.29   UNKNOWN                 MIT                  GitHub repo (aidenybai/react-grab LICENSE)
codemirror-lang-elixir   4.0.0    UNKNOWN                 Apache-2.0           GitHub repo (livebook-dev/codemirror-lang-elixir LICENSE)
element-source           0.0.3    UNKNOWN                 MIT                  LICENSE file in npm package tarball
lezer-elixir             1.1.2    UNKNOWN                 Apache-2.0           GitHub repo (livebook-dev/lezer-elixir LICENSE)
map-stream               0.1.0    UNKNOWN                 MIT                  GitHub repo (dominictarr/map-stream LICENCE)
memorystream             0.3.1    UNKNOWN                 MIT                  npm registry licenses field (object {type:MIT})
valid-url                1.0.9    UNKNOWN                 MIT                  GitHub repo (ogt/valid-url LICENSE file)
posthog-js               1.369.0  SEE LICENSE IN LICENSE  Apache-2.0           GitHub repo (PostHog/posthog-js LICENSE file)
pause-stream             0.0.11   MIT,Apache2             (MIT OR Apache-2.0)  extracted from object + LICENSE file (dual MIT/Apache-2)
@sentry/cli              2.58.5   FSL-1.1-MIT             FSL-1.1-MIT          self-identifying license string (Functional Source License 1.1, MIT Future License)
@sentry/cli-darwin       2.58.5   FSL-1.1-MIT             FSL-1.1-MIT          self-identifying license string (Functional Source License 1.1, MIT Future License)
@sentry/cli-linux-arm    2.58.5   FSL-1.1-MIT             FSL-1.1-MIT          self-identifying license string (Functional Source License 1.1, MIT Future License)
@sentry/cli-linux-arm64  2.58.5   FSL-1.1-MIT             FSL-1.1-MIT          self-identifying license string (Functional Source License 1.1, MIT Future License)
@sentry/cli-linux-i686   2.58.5   FSL-1.1-MIT             FSL-1.1-MIT          self-identifying license string (Functional Source License 1.1, MIT Future License)
@sentry/cli-linux-x64    2.58.5   FSL-1.1-MIT             FSL-1.1-MIT          self-identifying license string (Functional Source License 1.1, MIT Future License)
@sentry/cli-win32-arm64  2.58.5   FSL-1.1-MIT             FSL-1.1-MIT          self-identifying license string (Functional Source License 1.1, MIT Future License)
@sentry/cli-win32-i686   2.58.5   FSL-1.1-MIT             FSL-1.1-MIT          self-identifying license string (Functional Source License 1.1, MIT Future License)
@sentry/cli-win32-x64    2.58.5   FSL-1.1-MIT             FSL-1.1-MIT          self-identifying license string (Functional Source License 1.1, MIT Future License)

@brendan-kellam brendan-kellam merged commit 7daaf5b into main Jun 17, 2026
8 of 9 checks passed
@brendan-kellam brendan-kellam deleted the linear/sou-1346-sourcebot-devsourcebot-cve-2026-54287-hono-aws-lambda-d7de branch June 17, 2026 22:26