Commit a68cfad
fix(security): bump hono and transitive deps (ENG-12770) (#40)
* fix(security): bump hono and transitive deps (ENG-12770)
- hono 4.11.9 → 4.12.8 (GHSA-q5qw-h33p-qvwr HIGH, GHSA-5pq2-9x2x-5p6w, GHSA-p6xx-57qc-3wxr, GHSA-v8w9-8mx6-g223, GHSA-gq3j-xvxp-8hrf)
- @hono/node-server 1.19.9 → 1.19.11 (GHSA-wc8c-qw6v-h7f6 HIGH)
- express-rate-limit 8.2.1 → 8.3.1 (GHSA-46wh-pxpv-q5gq HIGH)
- ajv 8.17.1 → 8.18.0 (GHSA-2g4f-4pwh-qvx6)
- qs 6.14.1 → 6.15.0 (GHSA-w7fw-mjwx-w883)
- flatted 3.3.3 → 3.4.1 (GHSA-25h7-pfq9-p65f HIGH)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(security): use nested override for ajv to avoid breaking eslint
The flat ajv override forced @eslint/eslintrc's v6 instance to v8,
which is incompatible. Switch to a per-consumer nested override so
only @modelcontextprotocol/sdk gets ajv ^8.18.0.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(security): drop unnecessary overrides, rely on npm update instead
Transitive deps (hono, @hono/node-server, express-rate-limit, qs,
flatted, ajv) already resolve to patched versions within their
existing semver ranges. Overrides are only needed when the fix
requires a version outside the allowed range (e.g. minimatch).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 97b6aa6, commit a68cfad
1 file changed
Lines changed: 28 additions & 28 deletions
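As an added illustration (not code from this commit or repository), the per-consumer override form the second message describes, written in npm's `overrides` syntax. A flat top-level entry `"ajv": "^8.18.0"` would pin every ajv in the tree, including the v6 instance under @eslint/eslintrc; nesting it under @modelcontextprotocol/sdk pins only that consumer's copy. The package name is a placeholder, and the final commit removed this block entirely because the patched versions already resolve within the existing semver ranges via `npm update`.

```json
{
  "name": "placeholder-app",
  "overrides": {
    "@modelcontextprotocol/sdk": {
      "ajv": "^8.18.0"
    }
  }
}
```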