chore(deps): bump the npm_and_yarn group across 3 directories with 4 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: hono and qs.
Bumps the npm_and_yarn group with 2 updates in the /docs/knowledge_prototypes/mcp-servers/fetch-mcp directory: @modelcontextprotocol/sdk and hono.
Bumps the npm_and_yarn group with 2 updates in the /scripts/archive/supabase_cleanup directory: next and qs.

Updates hono from 4.11.7 to 4.12.0

Release notes

Sourced from hono's releases.

v4.12.0

Release Notes

Hono v4.12.0 is now available!

This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.

$path for Hono Client

The Hono client now has a $path() method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:

const client = hc<typeof app>('http://localhost:8787')
// Get the path string
const path = client.api.posts.$path()
// => '/api/posts'
// With path parameters
const postPath = client.api.posts[':id'].$path({
param: { id: '123' },
})
// => '/api/posts/123'
// With query parameters
const searchPath = client.api.posts.$path({
query: { filter: 'test' },
})
// => '/api/posts?filter=test'

Unlike $url() which returns a URL object, $path() returns a plain path string, making it convenient for use with routers or as cache keys.

Thanks @​ShaMan123!

ApplyGlobalResponse Type Helper for RPC Client

The new ApplyGlobalResponse type helper allows you to add global error response types to all routes in the RPC client. This is useful for typing common error responses from app.onError() or global middlewares:

const app = new Hono()
  .get('/api/users', (c) => c.json({ users: ['alice', 'bob'] }, 200))
  .onError((err, c) => c.json({ error: err.message }, 500))
type AppWithErrors = ApplyGlobalResponse<
typeof app,
{
401: { json: { error: string; message: string } }
500: { json: { error: string; message: string } }
}
</tr></table>

... (truncated)

Commits

• d2ed2e9 4.12.0
• 01e78ad Merge pull request #4735 from honojs/next
• a340a25 perf(context): use createResponseInstance for new Response (#4733)
• bd26c31 perf(trie-router): improve performance (1.5x ~ 2.0x) (#4724)
• b85c1e0 feat(types): Add exports field to ExecutionContext (#4719)
• 02346c6 feat(language): add progressive locale code truncation to normalizeLanguage (...
• 7438ab9 perf(context): add fast path to c.json() matching c.text() optimization (#4707)
• 034223f feat(trailing-slash): add alwaysRedirect option to support wildcard routes ...
• 16321af feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify ...
• bf37828 feat(basic-auth): add context key and callback options (#4645)
• Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

Commits

• d9b4c66 v6.15.0
• cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
• 88e1563 [Fix] duplicates option should not apply to bracket notation keys
• 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
• 85cc8ca v6.12.5
• ffc12aa v6.11.4
• 0506b11 [actions] update reusable workflows
• 6a37faf [actions] update reusable workflows
• 8e8df5a [Fix] fix regressions from robustness refactor
• d60bab3 v6.10.7
• Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.25.2 to 1.26.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @​pcarleton in modelcontextprotocol/typescript-sdk#1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @​samuv in modelcontextprotocol/typescript-sdk#1382
• Fix #1430: Client Credentials providers scopes support (backported) by @​NSeydoux in modelcontextprotocol/typescript-sdk#1442
• chore: bump version to 1.26.0 by @​pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

• @​samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382
• @​NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

• [v1.x backport] Use correct schema for client sampling validation when tools are present by @​olaservo in modelcontextprotocol/typescript-sdk#1407
• fix: prevent Hono from overriding global Response object (v1.x) by @​mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

Commits

• fe9c07b chore: bump version to 1.26.0 (#1479)
• 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
• a05be17 Merge commit from fork
• 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
• aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
• 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
• 6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
• 12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
• See full diff in compare view

Updates hono from 4.11.5 to 4.12.0

Release notes

Sourced from hono's releases.

v4.12.0

Release Notes

Hono v4.12.0 is now available!

This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.

$path for Hono Client

The Hono client now has a $path() method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:

const client = hc<typeof app>('http://localhost:8787')
// Get the path string
const path = client.api.posts.$path()
// => '/api/posts'
// With path parameters
const postPath = client.api.posts[':id'].$path({
param: { id: '123' },
})
// => '/api/posts/123'
// With query parameters
const searchPath = client.api.posts.$path({
query: { filter: 'test' },
})
// => '/api/posts?filter=test'

Unlike $url() which returns a URL object, $path() returns a plain path string, making it convenient for use with routers or as cache keys.

Thanks @​ShaMan123!

ApplyGlobalResponse Type Helper for RPC Client

The new ApplyGlobalResponse type helper allows you to add global error response types to all routes in the RPC client. This is useful for typing common error responses from app.onError() or global middlewares:

const app = new Hono()
  .get('/api/users', (c) => c.json({ users: ['alice', 'bob'] }, 200))
  .onError((err, c) => c.json({ error: err.message }, 500))
type AppWithErrors = ApplyGlobalResponse<
typeof app,
{
401: { json: { error: string; message: string } }
500: { json: { error: string; message: string } }
}
</tr></table>

... (truncated)

Commits

• d2ed2e9 4.12.0
• 01e78ad Merge pull request #4735 from honojs/next
• a340a25 perf(context): use createResponseInstance for new Response (#4733)
• bd26c31 perf(trie-router): improve performance (1.5x ~ 2.0x) (#4724)
• b85c1e0 feat(types): Add exports field to ExecutionContext (#4719)
• 02346c6 feat(language): add progressive locale code truncation to normalizeLanguage (...
• 7438ab9 perf(context): add fast path to c.json() matching c.text() optimization (#4707)
• 034223f feat(trailing-slash): add alwaysRedirect option to support wildcard routes ...
• 16321af feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify ...
• bf37828 feat(basic-auth): add context key and callback options (#4645)
• Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

Commits

• d9b4c66 v6.15.0
• cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
• 88e1563 [Fix] duplicates option should not apply to bracket notation keys
• 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
• 85cc8ca v6.12.5
• ffc12aa v6.11.4
• 0506b11 [actions] update reusable workflows
• 6a37faf [actions] update reusable workflows
• 8e8df5a [Fix] fix regressions from robustness refactor
• d60bab3 v6.10.7
• Additional commits viewable in compare view

Updates next from 15.4.10 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

v15.4.11

Please see this changelog for more information about this security patch.

Commits

• 60a2aa9 v15.5.10
• e5b834d fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 39a2f6a feat(next/image)!: add images.maximumResponseBody config (#88183)
• bf9f084 Sync DoS mitigations for React Flight
• c5de33e v15.5.9
• dd23399 Backport facebook/react#35351 for 15.5.8 (#87086)
• 7526cd6 v15.5.8
• 1e9ec41 Update React Version (#41)
• 16141e5 Update React Version (#30)
• e01e589 Backport Next.js changes to v15.5.8 (#23)
• Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

Commits

• d9b4c66 v6.15.0
• cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
• 88e1563 [Fix] duplicates option should not apply to bracket notation keys
• 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
• 85cc8ca v6.12.5
• ffc12aa v6.11.4
• 0506b11 [actions] update reusable workflows
• 6a37faf [actions] update reusable workflows
• 8e8df5a [Fix] fix regressions from robustness refactor
• d60bab3 v6.10.7
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
v0-uvai	Error		Feb 20, 2026 6:51pm

[railway-app]

🚅 Deployed to the EventRelay-pr-28 environment in EventRelay

Service	Status	Web	Updated (UTC)
eslint-config	✅ Success (View Logs)	Web	Feb 20, 2026 at 6:53 pm
EventRelay	✅ Success (View Logs)	Web	Feb 20, 2026 at 6:53 pm
guides	✅ Success (View Logs)	Web	Feb 20, 2026 at 6:53 pm
supabase	✅ Success (View Logs)		Feb 20, 2026 at 6:52 pm
web	✅ Success (View Logs)	Web	Feb 20, 2026 at 6:52 pm

[dependabot]

Superseded by #29.