fix(deps): remediate medium vulnerabilities (CIP-2739)

[tobyhede]

Summary

Remediate medium severity vulnerabilities flagged by Vanta:

• lodash: update to >= 4.17.23 (via pnpm.overrides)
• hono: update to >= 4.11.7

Changes

• Added lodash override in package.json pnpm.overrides
• Updated hono dependency in examples/hono-supabase
• Regenerated pnpm-lock.yaml

Test plan

• CI passes

Summary by CodeRabbit

• Chores
  • Updated hono in an example project to the latest patch release to keep the example current and compatible.
  • Added a dependency override for lodash to pin a safer minimum version, improving dependency resolution and reducing potential vulnerabilities.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4801cdc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

---

📝 Walkthrough

Walkthrough

This pull request updates dependency metadata: it bumps hono from ^4.11.4 to ^4.11.9 in the hono-supabase example and adds a lodash override (>=4.17.23) to the root package.json pnpm overrides.

Changes

Cohort / File(s)	Summary
Hono Framework Update examples/hono-supabase/package.json	Bumped hono dependency from ^4.11.4 to ^4.11.9.
pnpm Dependency Overrides package.json	Added lodash override pinned to >=4.17.23 in the pnpm.overrides section (alongside existing qs override).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• fix(hono-supabase): bump hono to >=4.11.4 for CVE-2026-22817/22818 #288: Previously modified the hono dependency in examples/hono-supabase/package.json, related to the same dependency bump.

Suggested reviewers

• freshtonic

Poem

🐰 A quick hop through package trees, I groom each tiny thread,
Bumped hono one small notch, and pinned lodash safe ahead.
Nibbles of JSON tidy, tidy paws keep versions bright,
A rabbit sings of semver, and sleeps soundly through the night.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main change: remediating medium-severity vulnerabilities in dependencies, which aligns with both files modified (package.json and examples/hono-supabase/package.json).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/cip-2739-medium-vulns

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}