
fix: resolve all bun audit vulnerabilities with package overrides #338

Merged
Dani Akash (DaniAkash) merged 6 commits into main from claude/slack-fix-bun-vulnerabilities-5FddC
Mar 2, 2026

Conversation

@DaniAkash (Contributor)

Add overrides for 8 vulnerable transitive dependencies: qs, markdown-it, lodash-es, @modelcontextprotocol/sdk, axios, diff, @isaacs/brace-expansion, and hono. This resolves 11 security vulnerabilities including DoS, ReDoS, prototype pollution, XSS, and data leak issues.

https://claude.ai/code/session_01D3vmc2S4564FJSFqsRaTfM

github-actions Bot commented Feb 16, 2026

Thank you for your contribution! Before we can merge this PR, we need you to sign our Contributor License Agreement.

To sign the CLA, please add a comment to this PR with the following text:

I have read the CLA Document and I hereby sign the CLA

You only need to sign once. After signing, this check will pass automatically.


Troubleshooting
  • Already signed but still failing? Comment recheck to trigger a re-verification.
  • Signed with a different email? Make sure your commit email matches your GitHub account email, or add your commit email to your GitHub account.
**1** out of **2** committers have signed the CLA.
✅ DaniAkash (https://github.com/DaniAkash)
Claude (@claude)

You can retrigger this bot by commenting **recheck** in this Pull Request. Posted by the **CLA Assistant Lite bot**.

github-actions Bot added the fix label Feb 16, 2026

greptile-apps Bot commented Feb 16, 2026

Greptile Summary

This PR addresses security vulnerabilities by adding package overrides for serialize-javascript (7.0.3) and lodash-es (4.17.23), and directly updating hono from ^4.6.0 to ^4.12.3 in both agent and server packages.

Key Changes:

  • Added serialize-javascript@7.0.3 override to fix vulnerabilities in transitive dependencies (used by webpack plugins)
  • Added lodash-es@4.17.23 override to fix prototype pollution vulnerabilities in transitive dependencies
  • Updated hono to 4.12.3 in both apps/agent and apps/server (minor version bump, compatible with existing semver ranges)

Note: The PR description mentions fixing 8 vulnerable packages, but only 3 packages are actually addressed in the final implementation. The initial approach attempted to override more packages, but these were removed (see commit 0b4a977) in favor of a more conservative approach. The diff override was specifically removed because it crossed a major version boundary and could break @google/gemini-cli-core compatibility.

Confidence Score: 4/5

  • This PR is safe to merge with low risk - only updates vulnerable dependencies without code changes
  • The overrides for serialize-javascript and lodash-es are patch/minor version upgrades that fix known security vulnerabilities. The hono update is a minor version bump (4.6.0 → 4.12.3) within the declared semver range, ensuring compatibility. The approach is conservative - the initial commit attempted to override 8 packages but was reduced to just 2 overrides + 1 direct update after removing problematic overrides (like diff which crossed major version boundary). Score is 4/5 rather than 5/5 due to the misleading PR description that doesn't match the final implementation.
  • No files require special attention - all changes are straightforward dependency version updates

Important Files Changed

  • package.json: Added overrides for serialize-javascript (7.0.3) and lodash-es (4.17.23) to fix security vulnerabilities in transitive dependencies
  • apps/agent/package.json: Updated hono from ^4.6.0 to ^4.12.3 (minor version bump within semver range)
  • apps/server/package.json: Updated hono from ^4.6.0 to ^4.12.3 (minor version bump within semver range)

Last reviewed commit: cf6ca77

@greptile-apps greptile-apps Bot left a comment
2 files reviewed, 1 comment

Comment thread on package.json (outdated)
Dani Akash (DaniAkash) merged commit 80fe249 into main Mar 2, 2026
5 of 7 checks passed
Dani Akash (DaniAkash) deleted the claude/slack-fix-bun-vulnerabilities-5FddC branch March 2, 2026 08:00