
fix: Patch 9 frontend security vulnerabilities (hono, vite)#2169

Merged: bjcoombs merged 1 commit into develop from fix-frontend-security-deps on Apr 8, 2026

Conversation

@bjcoombs
Collaborator

@bjcoombs bjcoombs commented Apr 8, 2026

Summary

  • Bump hono override from 4.12.4 to 4.12.12 (5 medium CVEs - cookie bypass, IP matching, path traversal, middleware bypass)
  • Bump @hono/node-server override from 1.19.10 to 1.19.13 (1 medium CVE - middleware bypass via repeated slashes)
  • Bump vite from 7.3.1 to 7.3.2 (2 high + 1 medium CVE - path traversal, fs.deny bypass, WebSocket arbitrary file read)

Resolves Dependabot alerts #40-#48.

Test plan

  • CI passes (frontend build, lint, tests)
  • Dependabot alerts auto-close after merge

…bilities

- hono 4.12.7 -> 4.12.12 (5 medium CVEs: cookie bypass, IP matching, path traversal, middleware bypass)
- @hono/node-server 1.19.11 -> 1.19.13 (1 medium CVE: middleware bypass)
- vite 7.3.1 -> 7.3.2 (2 high + 1 medium CVE: path traversal, fs.deny bypass, WebSocket file read)
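As an added example (not code from the PR or the project), a small Node script that checks every copy of hono, @hono/node-server and vite recorded in a lockfile v3 "packages" map against the minimum patched versions named in the description, so that an override that did not reach a nested copy is caught rather than assumed; the sample lockfile and the "some-plugin" dependency are constructed for illustration.

```javascript
// Added example: verify that every installed copy of a package in an npm
// lockfile v3 "packages" map is at or above the patched version. The
// minimums are the versions named in the PR description.
const MIN_VERSIONS = {
  "hono": "4.12.12",
  "@hono/node-server": "1.19.13",
  "vite": "7.3.2",
};

// Compare dotted numeric versions; returns -1, 0 or 1. Pre-release tags are
// dropped (assumption: the lockfile pins plain releases).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name for a lockfile path such as "node_modules/@hono/node-server"
// or a nested "node_modules/x/node_modules/hono".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Return every lockfile entry whose version is still below the minimum.
function findUnpatched(lock, minVersions = MIN_VERSIONS) {
  const bad = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in minVersions) || !entry.version) continue;
    if (compareVersions(entry.version, minVersions[name]) < 0) {
      bad.push({ path: lockPath, name, version: entry.version, required: minVersions[name] });
    }
  }
  return bad;
}

// Constructed sample: top-level copies are patched, but a nested copy under a
// hypothetical plugin was not reached by the override.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "frontend" },
    "node_modules/hono": { version: "4.12.12" },
    "node_modules/@hono/node-server": { version: "1.19.13" },
    "node_modules/vite": { version: "7.3.2" },
    "node_modules/some-plugin/node_modules/hono": { version: "4.12.4" },
  },
};

for (const b of findUnpatched(SAMPLE_LOCK)) {
  console.log(`${b.path}: ${b.version} is below ${b.required}`);
}
```

To run it against the real file, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("frontend/package-lock.json", "utf8")) and fail the CI step when findUnpatched returns a non-empty list.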
@coderabbitai
Contributor

coderabbitai Bot commented Apr 8, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 6bff0f2 and 53feeeb.

⛔ Files ignored due to path filters (1)
  • frontend/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • frontend/package.json

Walkthrough

Updated dependency version constraints in frontend/package.json. Bumped Hono-related packages (hono and @hono/node-server overrides) to patch versions, and incremented the Vite dev dependency to a newer patch release.

Changes

Cohort / File(s): Dependency Version Updates (frontend/package.json)
Summary: Updated overrides.hono from ^4.12.4 to ^4.12.12, overrides.@hono/node-server from ^1.19.10 to ^1.19.13, and devDependencies.vite from ^7.3.1 to ^7.3.2.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks: 3 passed
  • Title check: Passed. The title accurately summarizes the main change: patching frontend security vulnerabilities in hono and vite packages, which matches the changeset.
  • Description check: Passed. The description is directly related to the changeset, providing specific details about the security vulnerabilities being patched and which dependency versions are being updated.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@claude

claude Bot commented Apr 8, 2026

Claude Code Review

Commit: 53feeebe | CI: running (most checks pending, Service Conventions passed)

Summary

Clean security dependency bump patching 9 frontend CVEs across three packages. All changes are confined to frontend/package.json and frontend/package-lock.json. Version bumps are minimal patch/minor increments with correct lockfile resolution. No domain logic, Go code, migrations, or architecture changes.

Verified:

  • hono override: ^4.12.4 → ^4.12.12 (resolves to 4.12.12) — 5 medium CVEs
  • @hono/node-server override: ^1.19.10 → ^1.19.13 (resolves to 1.19.13) — 1 medium CVE
  • vite devDependency: ^7.3.1 → ^7.3.2 (resolves to 7.3.2) — 2 high + 1 medium CVE

Risk Assessment

  • Blast radius: Low (frontend build tooling only)
  • Rollback: Safe (simple version revert)
  • Scale: N/A (build-time dependencies)
  • Cross-system: Low (no API or service changes)
  • Migration: N/A (no migrations)

Findings

No issues found. The version bumps are correct, lockfile is consistent, and the changes are appropriately scoped to the stated CVE patches.

Bot Review Notes

No unresolved bot review threads at time of review. CodeRabbit review still in progress.

@claude claude Bot left a comment

Security dependency bumps verified. All version ranges and lockfile resolutions are correct. No domain-level concerns.

@bjcoombs bjcoombs merged commit 0f2ddf9 into develop Apr 8, 2026
28 of 30 checks passed
@bjcoombs bjcoombs deleted the fix-frontend-security-deps branch April 8, 2026 08:13
