Conversation

@julio-rocketchat (Member) commented Dec 8, 2025

Proposed changes (including videos or screenshots)

The current version of Hono has some CVEs related to it. This PR bumps Hono to fix said CVEs.

Issue(s)

VLN-168
VLN-169
VLN-170

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • Chores
    • Updated HTTP routing dependency to maintain compatibility and stability.
    • No user-facing behavior or error-handling changes are expected from this update.


@dionisio-bot (Contributor) bot commented Dec 8, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot bot commented Dec 8, 2025

⚠️ No Changeset found

Latest commit: 78099a9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai (Contributor) bot commented Dec 8, 2025

Walkthrough

A single-line dependency change: hono was bumped from ^4.6.19 to ^4.10.7 in the http-router package, pulling in several upstream security fixes (JWT aud validation, Vary header handling, and body limit behavior).

Changes

Cohort / File(s) | Summary
Dependency Update (packages/http-router/package.json) | Bumped hono from ^4.6.19 to ^4.10.7 (patch/minor-range update only). This incorporates upstream fixes including JWT audience validation, CORS Vary header handling, and body limit middleware correctness.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Check that the caret range ^4.10.7 is intentional and compatible with the project’s dependency policy.
  • Confirm lockfile (e.g., package-lock.json / pnpm-lock.yaml / yarn.lock) is updated accordingly.
  • Run unit/integration tests for http-router to ensure no unexpected runtime issues.

Possibly related PRs

  • chore(deps): Bump Hono #37317 — Bumps hono in a different package to a similar ^4.10.x range; likely part of a coordinated security upgrade across packages.

Poem

🐇 I hopped through package.json with glee,
I nudged hono forward — safe as can be.
JWT, CORS, limits now tidy and bright,
A tiny bump, a cozy night.
Hop on, ship safe, and sleep tight! ✨

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The PR title accurately reflects the main change: bumping the Hono dependency version in the http-router package.
Linked Issues check | ✅ Passed | The Hono version bump from ^4.6.19 to ^4.10.7 includes all fixes for VLN-168 (JWT aud validation - patched in 4.10.2), VLN-169 (Vary header injection - patched in 4.10.3), and VLN-170 (body limit bypass - patched in 4.9.7).
Out of Scope Changes check | ✅ Passed | The only change is a Hono dependency version bump in package.json, which directly addresses the three linked security vulnerabilities with no extraneous modifications.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between cb158a1 and 78099a9.

⛔ Files ignored due to path filters (1)

  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

  • packages/http-router/package.json (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

  • packages/http-router/package.json

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.
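The review above lists the Hono version in which each of the three linked issues was patched (4.10.2, 4.10.3 and 4.9.7). An added check, not part of this PR or of Rocket.Chat's code, that confirms the floor of a package.json caret range is at or above every one of those fix versions, which is what makes a range bump a guarantee rather than a hope:

```javascript
// Added example (not from the PR or from Rocket.Chat): does a package.json
// range guarantee the fix versions cited in the review? Fix versions below
// are the ones the CodeRabbit "Linked Issues check" names for VLN-168/169/170.
const FIXED_IN = {
  'VLN-168 (JWT aud validation)': '4.10.2',
  'VLN-169 (Vary header injection)': '4.10.3',
  'VLN-170 (body limit bypass)': '4.9.7',
};

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Lowest version a range can resolve to. Only caret ranges ("^x.y.z") and
// exact pins are handled; anything else is rejected instead of guessed.
function rangeFloor(range) {
  const m = /^\^?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[1];
}

// Advisories whose fix version the range floor does NOT guarantee.
// An empty list means the bump covers everything the review lists.
function uncoveredFixes(range, fixedIn = FIXED_IN) {
  const floor = rangeFloor(range);
  return Object.entries(fixedIn)
    .filter(([, fixVersion]) => compareSemver(floor, fixVersion) < 0)
    .map(([id]) => id);
}

// Pre-PR range: floor 4.6.19, so none of the three fixes is guaranteed;
// whether they were present depended entirely on what the lockfile resolved.
console.log('^4.6.19 leaves uncovered:', uncoveredFixes('^4.6.19'));
// Bumped range: floor 4.10.7, past all three fix versions.
console.log('^4.10.7 leaves uncovered:', uncoveredFixes('^4.10.7'));
```

The floor is only what package.json promises; the version actually installed comes from yarn.lock, which the review above skipped via its path filter, so the resolved hono entry there deserves the same comparison.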

@github-actions (Contributor) bot commented Dec 8, 2025

📦 Docker Image Size Report

📈 Changes

Service | Current | Baseline | Change | Percent
sum of all images | 1.2GiB | 1.2GiB | +12MiB |
rocketchat | 360MiB | 349MiB | +12MiB |
omnichannel-transcript-service | 132MiB | 132MiB | +66KiB |
queue-worker-service | 132MiB | 132MiB | +55KiB |
ddp-streamer-service | 126MiB | 126MiB | +61KiB |
account-service | 113MiB | 113MiB | +67KiB |
stream-hub-service | 111MiB | 111MiB | +69KiB |
authorization-service | 111MiB | 111MiB | +70KiB |
presence-service | 111MiB | 111MiB | +73KiB |

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/15 22:28", "11/16 01:28", "11/17 23:50", "11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 00:41 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "queue-worker-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "rocketchat" [0.36, 0.36, 0.35, 0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.35]
  line "stream-hub-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]

Statistics (last 15 days):

  • 📊 Average: 1.5GiB
  • ⬇️ Minimum: 1.2GiB
  • ⬆️ Maximum: 1.6GiB
  • 🎯 Current PR: 1.2GiB

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

  • Tag: pr-37733
  • Baseline: develop
  • Timestamp: 2025-12-09 00:41:13 UTC
  • Historical data points: 15

Updated: Tue, 09 Dec 2025 00:41:13 GMT

@codecov bot commented Dec 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.80%. Comparing base (27e4252) to head (78099a9).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff             @@
##           develop   #37733      +/-   ##
===========================================
- Coverage    67.88%   67.80%   -0.08%     
===========================================
  Files         3450     3450              
  Lines       113976   113976              
  Branches     20955    20955              
===========================================
- Hits         77374    77286      -88     
- Misses       34473    34573     +100     
+ Partials      2129     2117      -12     
Flag | Coverage Δ
e2e | 57.33% <ø> (-0.01%) ⬇️
e2e-api | 42.19% <ø> (-0.93%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.


@julio-rocketchat julio-rocketchat marked this pull request as draft December 8, 2025 22:52
@julio-rocketchat julio-rocketchat marked this pull request as ready for review December 9, 2025 01:08