
Copilot AI commented Jan 29, 2026

Bundles two Dependabot PRs for .github/workflows/package.json: hono security patch and @sentry/mcp-server minor update.

Security Fixes (hono 4.11.4 → 4.11.7)

Transitive dependency via @sentry/mcp-server → @modelcontextprotocol/sdk → @hono/node-server.

Fixed CVEs:

  • CVE-2026-24398: IPv4 validation bypass in IP Restriction Middleware
  • CVE-2026-24472: Cache poisoning with Cache-Control: private (Web Cache Deception)
  • CVE-2026-24473: Arbitrary key read in Serve Static Middleware (Cloudflare)
  • CVE-2026-24771: Reflected XSS in ErrorBoundary component

Minor Update (@sentry/mcp-server 0.27.0 → 0.29.0)

Standard semver minor bump. No breaking changes identified.

Changes

  • .github/workflows/package.json + lockfile: Updated versions
  • .github/workflows/shared/mcp/sentry.md: Updated npx reference from @sentry/mcp-server@0.27.0 to @0.29.0
  • .github/workflows/mcp-inspector.lock.yml: Recompiled workflow
  • DEPENDENCY_UPDATE_RESEARCH.md: Research report with CVE analysis and risk assessment

Verification

```
npm audit
# found 0 vulnerabilities (was 1 moderate with 4 CVEs)
```

No breaking changes. MCP inspector workflow uses Sentry MCP server; hono used only as peer dependency in SDK.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/getsentry/sentry-mcp/releases
    • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve.

<issue_title>[campaign] Security Alert Burndown: Dependabot bundle — Node.js — .github/workflows/package.json (2026-01-29)</issue_title>
<issue_description>## Context
This issue tracks one Dependabot PR bundle discovered by the Security Alert Burndown campaign.

Bundle

  • Runtime: Node.js
  • Manifest: .github/workflows/package.json

Bundling Rules

  • Group work by runtime. Never mix runtimes.
  • Group changes by target dependency file (one manifest + its lockfile).
  • Patch/minor updates may be bundled; major updates should be isolated unless tightly coupled.
  • Bundled releases must include a research report (packages, versions, breaking changes, migration, risk, tests).

PRs in Bundle

Agent Task

  1. Research each update for breaking changes and summarize risks.
  2. Create a single bundled PR (one runtime + one manifest).
  3. Ensure CI passes; run relevant runtime tests.
  4. Add the research report to the bundled PR.
  5. Update this issue checklist as PRs are merged.

Notes

  • HIGH PRIORITY: hono 4.11.4 → 4.11.7 includes security fixes - prioritize this bundle
  • @sentry/mcp-server is a minor update and should be safe to bundle

AI generated by Security Alert Burndown

Comments on the Issue (you are @copilot in this section)


…7 (security)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@github-actions

Smoke test results
[WIP] Update dependencies in .github/workflows for security release | Add dynamic library dependency detection for AWF container mounts
GitHub MCP ✅; safeinputs-gh ✅; Serena ✅
Playwright ✅; Tavily ✅; File write ✅
Bash cat ✅; Discussion + comment ✅; Build ✅
Overall: PASS

AI generated by Smoke Codex

Copilot AI changed the title [WIP] Update dependencies in .github/workflows for security release Bundle Node.js security updates: hono 4.11.7, @sentry/mcp-server 0.29.0 Jan 29, 2026
Copilot AI requested a review from pelikhan January 29, 2026 12:37
@mnkiefer mnkiefer closed this Jan 29, 2026

Development

Successfully merging this pull request may close these issues.

[campaign] Security Alert Burndown: Dependabot bundle — Node.js — .github/workflows/package.json (2026-01-29)