security(deps): update hono to 4.11.7 to fix 4 CVEs #247

@polaz

Description

Problem

Dependabot cannot auto-update hono from 4.11.5 to 4.11.7 because package.json uses an exact version pin ("4.11.5"). The Dependabot security update fails with security_update_not_possible.

4 open security advisories (all medium severity) are fixed in 4.11.7:

  • CVE-2026-24771 — XSS through ErrorBoundary component
  • CVE-2026-24473 — Arbitrary key read in serve-static middleware (CF Workers)
  • CVE-2026-24472 — Cache middleware ignores Cache-Control: private (Web Cache Deception)
  • CVE-2026-24398 — IPv4 validation bypass in IP Restriction Middleware (IP spoofing)

Fix

Update hono from 4.11.5 to 4.11.7 in package.json and regenerate yarn.lock.

Time estimate: 15m
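Added example (not part of the issue or the hono project): a small Node script that finds exact-pinned dependencies in a package.json and flags any pin that sits below the version fixing the advisories listed above. The package.json contents are constructed to mirror the pin described in this issue; the minimum fixed version for hono (4.11.7) comes from the issue. The check looks only at package.json, not at what yarn.lock actually resolved, so it is a pre-flight for the manual bump rather than a substitute for regenerating the lockfile.

```javascript
// Added example: audit exact version pins in package.json against known fixed versions.
// Constructed sample input; mirrors the hono pin described in the issue.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: { hono: "4.11.5", "@hono/node-server": "^1.13.0" },
  devDependencies: { typescript: "~5.6.0" },
});

// Minimum versions that contain the fixes; hono's value is from the issue text.
const MIN_FIXED = { hono: "4.11.7" };

// Parse a MAJOR.MINOR.PATCH version into numbers (pre-release tags are ignored here).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// An exact pin is a bare version with no range operator (^, ~, >=, ...).
// Exact pins are what stop Dependabot from applying a security update in place.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec.trim());
}

// Walk dependencies and devDependencies; report every exact pin and whether it
// is below the minimum fixed version for that package (when one is known).
function auditPins(packageJsonText, minFixed = MIN_FIXED) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isExactPin(spec)) continue;
      const floor = minFixed[name];
      findings.push({
        name,
        section,
        spec,
        minFixed: floor || null,
        belowFloor: floor !== undefined && compareSemver(spec, floor) < 0,
      });
    }
  }
  return findings;
}

// Return a new package.json text with the named dependency set to `version`,
// the same edit the issue proposes for hono (lockfile regeneration is separate).
function bumpDependency(packageJsonText, name, version) {
  const pkg = JSON.parse(packageJsonText);
  for (const section of ["dependencies", "devDependencies"]) {
    if (pkg[section] && name in pkg[section]) pkg[section][name] = version;
  }
  return JSON.stringify(pkg, null, 2);
}

// Stand-alone usage: print findings before and after the proposed bump.
console.log(auditPins(SAMPLE_PACKAGE_JSON));
console.log(auditPins(bumpDependency(SAMPLE_PACKAGE_JSON, "hono", "4.11.7")));
```

Running it against the constructed input reports hono as an exact pin below 4.11.7; after `bumpDependency` the same pin is reported but no longer below the floor. Caret and tilde ranges are deliberately not reported, since those are the specs Dependabot can update on its own.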
