[Aikido] Fix security issue in hono via minor version upgrade from 4.11.8 to 4.12.7

[aikido-autofix]

Upgrade Hono to fix critical authorization bypass via URL decoding mismatch in static file serving, plus medium-severity SSE/cookie injection and prototype pollution vulnerabilities.

✅ 5 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-29045	🚨 CRITICAL	[hono] URL decoding inconsistency between router and serveStatic allows bypassing route-based middleware protections via encoded slashes (%2F), enabling unauthorized access to protected static resources. This vulnerability permits attackers to circumvent authorization checks through path manipulation.
CVE-2026-29085	MEDIUM	[hono] Improper input validation in streamSSE() allows injection of arbitrary SSE fields through unvalidated carriage return and newline characters in event, id, and retry fields, enabling protocol manipulation and potential information disclosure or DoS attacks.
CVE-2026-29086	MEDIUM	[hono] The setCookie() utility fails to validate semicolons, carriage returns, and newlines in domain and path options, allowing attackers to inject additional cookie attributes through untrusted input. This could lead to cookie manipulation and potential security bypasses.
GHSA-v8w9-8mx6-g223	MEDIUM	[hono] Prototype pollution vulnerability in parseBody({ dot: true }) where specially crafted form field names like __proto__.x create objects with __proto__ properties, potentially enabling prototype pollution if merged unsafely into other objects.
GHSA-gq3j-xvxp-8hrf	LOW	[hono] The basicAuth and bearerAuth middlewares used non-timing-safe string comparison for hash validation, potentially allowing timing-based analysis attacks. The vulnerability has been fixed by implementing constant-time comparison to prevent early termination.

🔗 Related Tasks

• https://linear.app/cube-labs/issue/CUB-2961/small-upgrade-for-hono

---

PR-Codex overview

This PR focuses on updating dependencies in the package.json and pnpm-lock.yaml files, ensuring compatibility and incorporating new versions for better performance and security.

Detailed summary

• Updated tmp dependency version constraint in package.json.
• Added hono version 4.12.7 to package.json and pnpm-lock.yaml.
• Updated dependency versions for @privy-io/cross-app-connect and @wagmi/core to include babel-plugin-macros in pnpm-lock.yaml.
• Updated various dependencies' version constraints and resolved them across multiple packages.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

[cursor]

PR Summary

Medium Risk
Upgrades the hono framework version, which can subtly change routing/static file behavior and impact request handling paths. Risk is limited to dependency resolution changes but affects a security-sensitive HTTP layer.

Overview
Security dependency update: pins hono to 4.12.7 via pnpm overrides and updates pnpm-lock.yaml accordingly.

This is a minor-version bump intended to pull in upstream fixes (e.g., authorization bypass and injection/prototype-pollution issues) without changing application code.

^{Written by Cursor Bugbot for commit efe461b. This will update automatically on new commits. Configure here.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: efe461b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Override pins exact version instead of minimum range

Low Severity

The hono override uses an exact version pin ("4.12.7") while all other overrides in this file use a minimum range (">=X.Y.Z"). For example, tmp uses ">=0.2.4". Pinning to "4.12.7" means future hono patch releases (e.g., 4.12.8) with additional security or bug fixes won't be picked up by the override — the override would need to be manually updated. Using ">=4.12.7" would match the existing convention and allow automatic adoption of future patches.