fix(security): update dependencies to resolve 3 high-severity CVEs#140

Merged
vscarpenter merged 1 commit into main from claude/fix-github-actions-failure-bgPUD
Feb 10, 2026

Conversation

@vscarpenter
Owner

  • next: 16.1.1 → 16.1.6 (fixes GHSA-h25m-26qc-wcjf, HTTP request deserialization DoS)
  • @modelcontextprotocol/sdk: ^1.25.3 → ^1.26.0 (fixes GHSA-345p-7cg4-v4c7, cross-client data leak)
  • @isaacs/brace-expansion: add override >=5.0.1 (fixes GHSA-7h2j-956f-4vf2, ReDoS)
  • hono: bump override to >=4.11.7 (fixes 4 moderate CVEs)
  • eslint-config-next: 16.1.1 → 16.1.6 (align with next version)

Resolves daily security-audit.yml workflow failure.

https://claude.ai/code/session_015FyUk4CqDg4wCPg4QW8Mps

@claude

claude bot commented Feb 10, 2026

Security Dependency Update Review

Summary

This PR addresses 3 high-severity CVEs through targeted dependency updates. The changes are focused, appropriate, and follow security best practices.


Strengths

1. Security Focus

  • Addresses critical vulnerabilities:
    • Next.js 16.1.1 → 16.1.6: Fixes GHSA-h25m-26qc-wcjf (HTTP request deserialization DoS)
    • @modelcontextprotocol/sdk 1.25.3 → 1.26.0: Fixes GHSA-345p-7cg4-v4c7 (cross-client data leak)
    • @isaacs/brace-expansion: Adds override >=5.0.1 (fixes GHSA-7h2j-956f-4vf2, ReDoS)
    • hono: Bumps override to >=4.11.7 (fixes 4 moderate CVEs)

2. Minimal Scope

  • Only touches dependency declarations (package.json, bun.lock)
  • No code changes required, reducing risk of introducing bugs
  • Maintains version alignment (Next.js + eslint-config-next)

3. Override Strategy

  • Uses package overrides appropriately for transitive dependencies
  • Follows existing pattern in the project (js-yaml, vite, esbuild already use overrides)

4. Documentation

  • Clear PR description with CVE links and resolution context
  • Links to Claude.ai session for audit trail

🔍 Considerations & Recommendations

1. Test Coverage

  • Recommendation: Run full test suite (bun test) before merge to verify no behavioral regressions
  • Rationale: While patch/minor updates are typically safe, Next.js 16.1.1→16.1.6 spans 5 patch versions and could include subtle changes
    bun test
    bun typecheck
    bun lint

2. MCP Server Impact

  • @modelcontextprotocol/sdk 1.25.3 → 1.26.0 is a minor version bump
  • Recommendation: Test MCP server functionality manually:
    • Verify Claude Desktop integration still works
    • Test create/update/delete operations
    • Confirm encryption/decryption operations unchanged
  • Location: packages/mcp-server/

3. Hono Override Scope

  • Hono is used in Cloudflare Workers (worker/src/)
  • Recommendation: Test worker endpoints if possible, especially sync operations
  • Hono >=4.11.7 resolves 4 moderate CVEs - consider documenting which CVEs in commit message

4. Lockfile Verification

  • bun.lock shows clean updates with no unexpected transitive dependency changes
  • express-rate-limit upgraded from 7.5.1 → 8.2.1 (transitive from MCP SDK)
    • This is a major version bump - check if MCP SDK tested this
    • Added new dependency: ip-address@10.0.1

5. Missing Context

  • No test execution results shown in PR description
  • Recommendation: Add CI check status or manual test confirmation

🔒 Security Analysis

Positive Security Practices:

  • Proactive vulnerability remediation
  • Uses overrides to enforce minimum versions across transitive deps
  • Aligns with CLAUDE.md security principle: "Keep dependencies patched and scanned"

⚠️ Minor Concerns:

  • express-rate-limit major version bump (7→8) via transitive dependency could have breaking changes
  • No explicit test of rate-limiting functionality mentioned

📋 Pre-Merge Checklist

  • Run bun test - verify all tests pass
  • Run bun typecheck - verify no type errors
  • Run bun lint - verify no linting issues
  • Manual test: MCP server create/update/delete operations
  • Manual test: Next.js app loads and renders correctly
  • Manual test: Worker sync endpoints (if feasible)
  • Verify no console errors in browser dev tools

🎯 Verdict

APPROVE with recommendations

This is a well-executed security update. The changes are:

  • Necessary: Addresses high-severity CVEs
  • Minimal: Only dependency updates, no code changes
  • Low-risk: Patch/minor version bumps
  • Well-documented: Clear description and CVE references

Priority: Merge after running test suite to ensure no regressions.


📚 Additional Notes

Per coding-standards.md:

  • ✅ Follows "Keep dependencies patched and scanned" principle
  • ✅ Uses standard package manager override mechanism
  • ✅ Minimal change scope reduces complexity

Per CLAUDE.md:

  • ✅ Resolves security-audit.yml workflow failure
  • ✅ Maintains workspace structure (packages/mcp-server)

Suggested merge message:

    fix(security): update dependencies to resolve 3 high-severity CVEs

    - next: 16.1.1 → 16.1.6 (fixes GHSA-h25m-26qc-wcjf)
    - @modelcontextprotocol/sdk: ^1.25.3 → ^1.26.0 (fixes GHSA-345p-7cg4-v4c7)
    - @isaacs/brace-expansion: add override >=5.0.1 (fixes GHSA-7h2j-956f-4vf2)
    - hono: bump override to >=4.11.7 (fixes 4 moderate CVEs)

    Resolves security-audit.yml workflow failure.

Review completed by Claude Sonnet 4.5 🤖
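
The override strategy in the PR description and the lockfile-verification point in the review above reduce to one mechanical check: after the bump, does every copy of a package in the resolved tree, transitive copies included, satisfy the `>=` floor its override declares, and did any transitive package jump a major version (the way express-rate-limit went 7.x to 8.x via the MCP SDK)? The script below is an added example, not code from this PR or the project. It assumes a dependency tree in the shape `npm ls --all --json` emits (a `dependencies` map of package name to `{version, dependencies}`); the BEFORE/AFTER trees and the FLOORS table are constructed from the versions named in the PR, not read from the real bun.lock.

```javascript
// Added example, not part of the PR: check resolved dependency trees against
// override floors and flag major-version jumps between two resolutions.
// Tree shape assumed to match `npm ls --all --json`: { dependencies: { name: { version, dependencies } } }.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of major.minor.patch (so 4.11.7 < 4.11.10, unlike a string compare).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk the tree depth-first and record every installed copy with the path that pulled it in.
function collectInstalled(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies ?? {})) {
    const here = [...path, `${name}@${node.version}`];
    out.push({ name, version: node.version, path: here.join(' > ') });
    collectInstalled(node, here, out);
  }
  return out;
}

// floors uses the ">=x.y.z" form the PR's overrides use; any copy below its floor is a violation.
function findBelowFloor(tree, floors) {
  const violations = [];
  for (const pkg of collectInstalled(tree)) {
    const floor = floors[pkg.name];
    if (!floor) continue;
    const min = floor.replace(/^>=/, '');
    if (compareVersions(pkg.version, min) < 0) {
      violations.push({ ...pkg, floor });
    }
  }
  return violations;
}

// Packages whose major version changed between the old and new resolution need a manual look,
// because a transitive major bump (not chosen by anyone on the project) can carry breaking changes.
function findMajorBumps(oldTree, newTree) {
  const oldVersions = new Map(collectInstalled(oldTree).map(p => [p.name, p.version]));
  const bumps = [];
  for (const p of collectInstalled(newTree)) {
    const was = oldVersions.get(p.name);
    if (was && parseVersion(was)[0] !== parseVersion(p.version)[0]) {
      bumps.push({ name: p.name, from: was, to: p.version });
    }
  }
  return bumps;
}

// Constructed sample trees built from the versions the PR names (not the project's real lockfile).
const BEFORE = { dependencies: {
  '@modelcontextprotocol/sdk': { version: '1.25.3', dependencies: {
    'express-rate-limit': { version: '7.5.1' } } },
  hono: { version: '4.11.6' },
  '@isaacs/brace-expansion': { version: '5.0.0' },
} };
const AFTER = { dependencies: {
  '@modelcontextprotocol/sdk': { version: '1.26.0', dependencies: {
    'express-rate-limit': { version: '8.2.1' },
    'ip-address': { version: '10.0.1' } } },
  hono: { version: '4.11.7' },
  '@isaacs/brace-expansion': { version: '5.0.1' },
} };
// Floors mirror the two overrides the PR adds/bumps.
const FLOORS = { hono: '>=4.11.7', '@isaacs/brace-expansion': '>=5.0.1' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('below floor (before):', findBelowFloor(BEFORE, FLOORS));
  console.log('below floor (after):', findBelowFloor(AFTER, FLOORS));
  console.log('major bumps:', findMajorBumps(BEFORE, AFTER));
}
```

Run with node: on the BEFORE tree findBelowFloor reports hono and @isaacs/brace-expansion under their floors, on the AFTER tree it reports none, and findMajorBumps flags express-rate-limit 7.5.1 to 8.2.1. Replacing the constructed trees with `JSON.parse` of real `npm ls --all --json` output from the base and head commits turns this into the pre-merge check the review's lockfile-verification item asks for.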

@vscarpenter vscarpenter merged commit d098dfa into main Feb 10, 2026
3 checks passed
@vscarpenter vscarpenter deleted the claude/fix-github-actions-failure-bgPUD branch February 10, 2026 12:48