fix(deps): drop @hono/node-server override to patch GHSA-wc8c-qw6v-h7f6

[ochafik]

Summary

Removes the overrides entry pinning @hono/node-server to 1.19.7, which is vulnerable to GHSA-wc8c-qw6v-h7f6 (HIGH — authorization bypass for protected static paths via encoded slashes in Serve Static middleware, fixed in 1.19.10).

Why the override existed

Added in 7197610 as a workaround: @modelcontextprotocol/sdk@1.25.3 required @hono/node-server@^1.19.9, which did not yet exist on the public npm registry at the time (latest was 1.19.7). The SDK was subsequently pinned to 1.25.2 (b9a459a), but the override was kept as belt-and-braces.

Why it's safe to remove now

• @hono/node-server 1.19.8–1.19.11 have since been published.
• The pinned SDK (1.25.2) requires ^1.19.7, so natural resolution picks 1.19.11 (latest patch, includes the GHSA fix).
• No source code in this repo imports @hono/node-server directly — it's purely a transitive dep of the MCP SDK.
• All versions involved are in the 1.19.x patch range (no breaking changes per semver).

Verification

$ jq -r '.packages["node_modules/@hono/node-server"].version' package-lock.json
1.19.11

$ rg -c artifactory package-lock.json
(no matches)

$ npm audit | rg GHSA-wc8c
(no matches — resolved)

Lockfile regenerated with --registry=https://registry.npmjs.org/ to avoid leaking internal registry URLs.

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/ext-apps

npm i https://pkg.pr.new/@modelcontextprotocol/ext-apps@535

@modelcontextprotocol/server-basic-preact

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-preact@535

@modelcontextprotocol/server-basic-react

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-react@535

@modelcontextprotocol/server-basic-solid

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-solid@535

@modelcontextprotocol/server-basic-svelte

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-svelte@535

@modelcontextprotocol/server-basic-vanillajs

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-vanillajs@535

@modelcontextprotocol/server-basic-vue

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-vue@535

@modelcontextprotocol/server-budget-allocator

npm i https://pkg.pr.new/@modelcontextprotocol/server-budget-allocator@535

@modelcontextprotocol/server-cohort-heatmap

npm i https://pkg.pr.new/@modelcontextprotocol/server-cohort-heatmap@535

@modelcontextprotocol/server-customer-segmentation

npm i https://pkg.pr.new/@modelcontextprotocol/server-customer-segmentation@535

@modelcontextprotocol/server-debug

npm i https://pkg.pr.new/@modelcontextprotocol/server-debug@535

@modelcontextprotocol/server-map

npm i https://pkg.pr.new/@modelcontextprotocol/server-map@535

@modelcontextprotocol/server-pdf

npm i https://pkg.pr.new/@modelcontextprotocol/server-pdf@535

@modelcontextprotocol/server-scenario-modeler

npm i https://pkg.pr.new/@modelcontextprotocol/server-scenario-modeler@535

@modelcontextprotocol/server-shadertoy

npm i https://pkg.pr.new/@modelcontextprotocol/server-shadertoy@535

@modelcontextprotocol/server-sheet-music

npm i https://pkg.pr.new/@modelcontextprotocol/server-sheet-music@535

@modelcontextprotocol/server-system-monitor

npm i https://pkg.pr.new/@modelcontextprotocol/server-system-monitor@535

@modelcontextprotocol/server-threejs

npm i https://pkg.pr.new/@modelcontextprotocol/server-threejs@535

@modelcontextprotocol/server-transcript

npm i https://pkg.pr.new/@modelcontextprotocol/server-transcript@535

@modelcontextprotocol/server-video-resource

npm i https://pkg.pr.new/@modelcontextprotocol/server-video-resource@535

@modelcontextprotocol/server-wiki-explorer

npm i https://pkg.pr.new/@modelcontextprotocol/server-wiki-explorer@535

commit: 345df10