9 changes: 7 additions & 2 deletions FORJAMIE.md
Expand Up @@ -16,7 +16,7 @@
## Status

<!-- STATUS_START -->
**Last updated:** 2026-05-05
**Last updated:** 2026-05-07
**Production status:** IN_PROGRESS overall; Agent Design Prepare north-star plan is REVIEW_GREEN
**Overall health:** Yellow overall; Green for the Agent Design Prepare plan lane

Expand Down Expand Up @@ -99,7 +99,7 @@ flowchart LR
| Quality debt radar | Warn-first baseline active | `pnpm quality-debt:check` validates the category/source contract, `pnpm quality-debt:report` generates weekly burn-down snapshots, and CI/release workflows run the radar as warn-first evidence |
| Protected settings migration | In progress | The initial settings wave is migrated onto shared shell/composition patterns, with explicit state stories and jsdom exemplar tests for the protected settings slice; broader app/storybook warn backlog remains intentionally non-blocking |
| Visual regression workflow | In progress | Root visual scripts now route through `scripts/run-playwright-suite.mjs` and `packages/ui build:visual`, and the exemplar gate now covers both the template browser shell and an isolated template-widget shell route |
| Current dependency hygiene | In progress | This change-set pins `vitest-axe` back to `1.0.0-pre.3` for deterministic installs |
| Current dependency hygiene | In progress | Security dependency PRs must update direct dependencies and transitive override/lockfile paths; the Hono remediation now forces SDK consumers to `>=4.12.16` |
| Long-term debt cleanup | In progress | Lint, icon a11y, and docs maintenance remain ongoing work |

## How to run locally
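Review bot: The `Current dependency hygiene` row replaces the `vitest-axe` pin to `1.0.0-pre.3` rather than adding to it, so the status table no longer records that pin. If the pin is still in effect, keep that sentence and append the Hono requirement after it; if it was lifted, record that under Recent changes. The row also gives the floor `>=4.12.16` without naming the advisory behind it, which makes the number hard to audit later.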
Expand Down Expand Up @@ -176,6 +176,7 @@ See also: `~/.codex/instructions/Learnings.md`
- `DESIGN.md` section line numbers must stay anchored to the original file, including YAML frontmatter. Lint findings use those lines as agent remediation evidence.
- `astudio design init` validates the starter contract before writing, but it must still enforce the write gate first so a missing `--write` remains a policy error instead of a provenance error.
- Package-level Biome scripts need to use the same pinned Biome 2.x command as the root scripts. The workspace still contains older Biome 1.x dependencies for other packages, and those cannot parse the current `biome.json` schema.
- Security upgrades that touch `platforms/mcp` need lockfile verification for both direct dependencies and SDK transitive runtime paths. A direct Hono bump is incomplete if `@modelcontextprotocol/sdk` still resolves its embedded Hono copy to the vulnerable version.
- Browser-backed Playwright gates need a provisioned Chromium cache and a macOS launch path that is not blocked by the Codex sandbox. If every browser test fails at launch with `bootstrap_check_in ... Permission denied (1100)`, treat it as an environment permission issue and rerun the browser gate through the approved unsandboxed path before debugging UI code.
- Package manifests can point at `dist` in `main`, `types`, `exports`, `bin`, or `files`, but those generated outputs are no longer committed source. Build before pack, publish, or direct `node packages/*/dist/...` execution.
- `pnpm generated-source:check` is the canonical freshness gate for tracked generated runtime inputs. It regenerates the web template registry, widget JavaScript manifest, and Cloudflare worker manifest, formats the tracked generated source with Biome 2.3.11, and fails if the committed snapshot is stale.
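Review bot: The new `platforms/mcp` learning requires lockfile verification but gives no concrete check, so the next security bump can repeat the direct-only mistake it describes. Name the command and the expected result, for example running `pnpm why hono` from the workspace root and confirming that no resolved entry sits below the patched version, and replace "the vulnerable version" with the affected version range or the advisory ID.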
Expand Down Expand Up @@ -215,6 +216,10 @@ See also: `~/.codex/instructions/Learnings.md`

## Recent changes

### 2026-05-07

- **Hono security override completion**: tightened the root pnpm override from `hono@<4.12.7` to `hono@<4.12.16` and regenerated `pnpm-lock.yaml` so `@modelcontextprotocol/sdk@1.26.0` and `@hono/node-server@1.19.11` resolve Hono through `4.12.16`, closing the MCP runtime path left open by the direct Dependabot bump.

### 2026-05-05

- **Framer Motion widget manifest refresh**: refreshed the tracked widget runtime manifests on the Dependabot `framer-motion` update branch after installing from the branch lockfile. The dependency update changes the built `pizzaz-shop` and `solar-system` widget bundle hashes, so `packages/widgets/src/sdk/generated/widget-manifest.js` and `packages/cloudflare-template/src/worker/widget-manifest.generated.ts` now match the generated-source freshness gate used by CI.
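Review bot: The 2026-05-07 entry cites no advisory for the Hono floor, and "resolve Hono through `4.12.16`" reads as a pin while the override it describes is the open range `>=4.12.16`. Link the advisory that motivated the change and word the result as "at or above `4.12.16`, as recorded in `pnpm-lock.yaml`" so the entry matches what the override actually guarantees.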
4 changes: 2 additions & 2 deletions package.json
Expand Up @@ -147,7 +147,7 @@
"ajv": "^8.18.0",
"concurrently": "^9.2.1",
"fast-check": "^4.7.0",
"hono": "^4.12.14",
"hono": "^4.12.16",
"playwright": "^1.58.2",
"sharp": "^0.34.5",
"tsx": "^4.21.0",
Expand All @@ -174,7 +174,7 @@
"react-router@>=7.0.0 <7.12.0": ">=7.12.0",
"react-router@>=7.0.0 <7.9.6": ">=7.9.6",
"react-router@>=7.0.0 <=7.8.2": ">=7.9.0",
"hono@<4.12.7": ">=4.12.7",
"hono@<4.12.16": ">=4.12.16",
"@hono/node-server@<1.19.10": ">=1.19.10",
"basic-ftp@<5.2.0": ">=5.2.0",
"diff@<8.0.3": ">=8.0.3",
2 changes: 1 addition & 1 deletion platforms/mcp/package.json
Expand Up @@ -17,7 +17,7 @@
},
"dependencies": {
"@modelcontextprotocol/sdk": "^1.26.0",
"hono": "^4.12.14",
"hono": "^4.12.16",
"zod": "^4.3.5",
"zod-to-json-schema": "^3.25.1"
},
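Review bot: `@modelcontextprotocol/sdk` stays at `^1.26.0` in this manifest, so the bump to `"hono": "^4.12.16"` fixes only the direct edge; the SDK's own Hono resolution depends entirely on the root `hono@<4.12.16` override. Root pnpm overrides do not travel with a package, so if `platforms/mcp` is ever installed outside this workspace the SDK path falls back to whatever its own range allows. Please note that dependency in the PR description, and check whether a newer SDK release already requires a patched Hono so the override can eventually be dropped.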
47 changes: 21 additions & 26 deletions pnpm-lock.yaml

Some generated files are not rendered by default.