Refresh vulnerable MCP server dependencies

[bmdhodl]

Summary

The repo-level vulnerability scan is currently red because mcp-server/package-lock.json includes vulnerable transitive packages. npm audit --json on 2026-03-28 reports fixable findings in:

• hono (GHSA-xh87-mx6m-69f3, GHSA-5pq2-9x2x-5p6w, GHSA-p6xx-57qc-3wxr, GHSA-q5qw-h33p-qvwr, GHSA-v8w9-8mx6-g223)
• @hono/node-server (GHSA-wc8c-qw6v-h7f6)
• express-rate-limit (GHSA-46wh-pxpv-q5gq)
• path-to-regexp (GHSA-j3q9-mxjg-w52f, GHSA-27v5-c462-wpq7)

Why this matters

This does not block the Python SDK release directly, but it keeps the repo-level security posture noisy and trips the Scorecard vulnerabilities finding.

Acceptance Criteria

• Refresh mcp-server dependencies to non-vulnerable versions
• Commit the updated package-lock.json
• npm audit returns no fixable production vulnerabilities
• Any breaking API/runtime changes are documented

Proof

Reproduce with:

cd mcp-server
npm audit --json

[bmdhodl]

Post-v1.2.4 scan update on 2026-03-31 / 2026-04-01:\n\n- Merged #281 (path-to-regexp 8.4.0), which cleared the two path-to-regexp alerts.\n- Current open Dependabot alerts on main: 7 total.\n- Remaining vulnerable packages in mcp-server/package-lock.json:\n - hono (4 alerts: 2 high, 2 medium)\n - @hono/node-server (1 high)\n - express-rate-limit (1 high)\n\nThis issue is still active and now represents the remaining MCP dependency refresh scope after the path-to-regexp fix landed.