Closed
Labels: automation, dependencies (Pull requests that update a dependency file), priority-high, security
Description
Context
This issue tracks one Dependabot PR bundle discovered by the Security Alert Burndown campaign.
Bundle
- Runtime: Node.js
- Manifest: .github/workflows/package.json
Bundling Rules
- Group work by runtime. Never mix runtimes.
- Group changes by target dependency file (one manifest + its lockfile).
- Patch/minor updates may be bundled; major updates should be isolated unless tightly coupled.
- Bundled releases must include a research report (packages, versions, breaking changes, migration, risk, tests).
PRs in Bundle
- #12099 - Bump hono from 4.11.4 to 4.11.7 in /.github/workflows (patch - SECURITY RELEASE)
- #12009 - Bump @sentry/mcp-server from 0.27.0 to 0.29.0 in /.github/workflows (minor)
Agent Task
- Research each update for breaking changes and summarize risks.
- Create a single bundled PR (one runtime + one manifest).
- Ensure CI passes; run relevant runtime tests.
- Add the research report to the bundled PR.
- Update this issue checklist as PRs are merged.
Notes
- HIGH PRIORITY: hono 4.11.4 → 4.11.7 includes security fixes - prioritize this bundle
- @sentry/mcp-server 0.27.0 → 0.29.0 is a minor update and should be safe to bundle
AI generated by Security Alert Burndown
Copilot