
chore(deps): patch low-risk security advisories #1109

Merged
kunickiaj merged 1 commit into main from 05-20-chore_deps_patch_low-risk_security_advisories
May 21, 2026

@kunickiaj kunickiaj commented May 21, 2026

Description

Patch the low-risk/easy npm dependency security alerts without touching the protobufjs/model stack.

Changes:

  • Bump the Hono catalog from ^4.12.16 to ^4.12.21.
  • Add scoped pnpm overrides for patched transitive versions of @hono/node-server, fast-uri, ip-address, path-to-regexp, ws, and picomatch.
  • Refresh pnpm-lock.yaml with lifecycle scripts disabled.

Left intentionally separate:

  • protobufjs via @xenova/transformers -> onnxruntime-web -> onnx-proto remains for a dedicated compatibility/remediation PR.
  • Dev-only esbuild@0.18.20 via deprecated @esbuild-kit remains separate because it involves install-script/native-package risk and is not an easy safe bump.

Type of Change

  • 🚀 Feature (new functionality)
  • 🐛 Bug fix (fixes an issue)
  • 📚 Documentation (docs-only change)
  • 🔧 Maintenance (refactor, chore, CI, etc.)
  • 🧪 Testing (test-only changes)

Testing

  • Relevant checks pass locally (pnpm run tsc, pnpm run lint, pnpm run test)
  • Added/updated tests for changes
  • Manually verified changes work as expected

Additional validation:

  • pnpm install --ignore-scripts
  • pnpm audit --prod --json now leaves only the protobufjs cluster.
  • pnpm audit --json leaves protobufjs cluster plus dev-only esbuild.
  • CodeReviewer pass found no blocking issues in the dependency patch.

Checklist

  • Code follows project style (pnpm run lint passes for touched files)
  • Self-review completed
  • Documentation updated (if needed)
  • No new warnings introduced
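
The "Additional validation" result above (only the protobufjs cluster may remain in production, plus dev-only esbuild in the full audit) can be turned into a repeatable gate. This is an added example, not code from this PR or repository; it assumes `pnpm audit --json` emits the legacy npm-audit shape (`advisories` keyed by id, each with `module_name` and `findings[].paths` joined by `>`), and all sample data is constructed.

```javascript
// Residual findings the PR accepts, each scoped to the dependency chain its description names.
const ACCEPTED = [
  { module: "protobufjs", via: "@xenova/transformers", devOnly: false },
  { module: "esbuild", via: "@esbuild-kit", devOnly: true },
];

// Assumed report shape (legacy npm-audit JSON):
//   { advisories: { <id>: { module_name, severity, findings: [{ version, paths }] } } }
// Returns every finding that is NOT covered by an accepted exception.
function unexpectedFindings(report, { prodOnly = false } = {}) {
  const unexpected = [];
  for (const adv of Object.values(report.advisories || {})) {
    // Dev-only exceptions do not apply when checking the --prod report.
    const rule = ACCEPTED.find(
      (r) => r.module === adv.module_name && !(prodOnly && r.devOnly)
    );
    const paths = (adv.findings || []).flatMap((f) => f.paths || []);
    if (paths.length === 0) paths.push("(no path reported)");
    for (const path of paths) {
      // A new route to an accepted package is a new finding, so the path
      // must pass through the parent the exception was granted for.
      const viaExpected =
        rule && path.split(">").some((seg) => seg.trim().startsWith(rule.via));
      if (!viaExpected) {
        unexpected.push({ module: adv.module_name, severity: adv.severity, path });
      }
    }
  }
  return unexpected;
}

// Constructed sample: the state the PR describes after the overrides are applied.
const SAMPLE = { advisories: {
  1: { module_name: "protobufjs", severity: "high", findings: [{ version: "0.0.0-constructed",
       paths: [".>@xenova/transformers>onnxruntime-web>onnx-proto>protobufjs"] }] },
  2: { module_name: "esbuild", severity: "moderate", findings: [{ version: "0.18.20",
       paths: [".>@esbuild-kit/core-utils>esbuild"] }] },
} };

// Constructed regression: an override is lost and protobufjs arrives by a new route.
const REGRESSED = { advisories: { ...SAMPLE.advisories,
  3: { module_name: "ws", severity: "high", findings: [{ version: "0.0.0-constructed",
       paths: [".>ws"] }] },
  4: { module_name: "protobufjs", severity: "high", findings: [{ version: "0.0.0-constructed",
       paths: [".>hypothetical-new-dep>protobufjs"] }] },
} };

console.log(unexpectedFindings(SAMPLE), unexpectedFindings(REGRESSED));
```

In CI, pass it the parsed audit output and fail the job when the returned array is non-empty, using `prodOnly: true` for the `--prod` report.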

kunickiaj commented May 21, 2026

This stack of pull requests is managed by Graphite. Learn more about stacking.

@kunickiaj kunickiaj marked this pull request as ready for review May 21, 2026 00:09
kunickiaj commented May 21, 2026

Merge activity

  • May 21, 5:42 AM UTC: A user started a stack merge that includes this pull request via Graphite.
  • May 21, 5:42 AM UTC: @kunickiaj merged this pull request with Graphite.

@kunickiaj kunickiaj merged commit 09f7b6d into main May 21, 2026
11 checks passed
@kunickiaj kunickiaj deleted the 05-20-chore_deps_patch_low-risk_security_advisories branch May 21, 2026 05:42