fix: refresh vulnerable lockfile dependencies in examples and mcp

[czubocha]

Summary

This PR refreshes lockfile-only dependency resolutions to clear GitHub security alerts in the Bedrock AgentCore JavaScript examples and the root workspace lockfile.

Fixed advisories

Examples

• express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting
• fastify: Missing end anchor in subtypeNameReg allows malformed Content-Types to pass validation

Root workspace lockfile

• hono: arbitrary file access via serveStatic
• hono: cookie attribute injection via unsanitized domain and path in setCookie()
• @hono/node-server: authorization bypass for protected static paths via encoded slashes

Additional cleanup

• Align root package-lock.json metadata for packages/sf-core so @aws-sdk/client-sso-oidc matches the pinned version in packages/sf-core/package.json

Changes

Example lockfile refreshes

Updated affected Bedrock AgentCore example lockfiles to pick up patched transitive dependencies:

• express-rate-limit 8.2.1 -> 8.3.1
• ip-address 10.0.1 -> 10.1.0
• fastify 5.7.x -> 5.8.2

Root lockfile refresh

Updated root package-lock.json to resolve:

• hono -> 4.12.5
• @hono/node-server -> 1.19.11

Testing / verification

• Ran targeted npm audit checks for updated examples
• Verified updated examples report no remaining vulnerabilities for the refreshed dependency trees
• Ran root npm audit --json
  • confirmed Hono-related high/moderate advisories are cleared
  • only unrelated low-severity aws-sdk v2 advisory remains

Notes

• No source code changes
• No package.json dependency additions
• Lockfile-only update scoped to the reported security alerts and one lockfile metadata correction

[Mmarzex]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (14)

• package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser-custom/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-code-interpreter-custom/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-code-interpreter/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-comprehensive/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-gateway/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-memory/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-multi-gateway/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/mcp-server/package-lock.json is excluded by !**/package-lock.json
• packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/strands-browser/package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b5cf45d5-8c99-4bde-b775-58854e514d7f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch cursor/examples-vulnerabilities-fix-cf60

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}