fix(security): resolve dependabot alerts for h3, @modelcontextprotocol/sdk, lodash, qs

[BYK]

Resolves all open Dependabot alerts for this repo.

Changes

Alert	Package	Severity	Action
#187	h3	HIGH	Bumped existing override >=1.15.5 → >=1.15.6 (SSE injection via unsanitized newlines)
#186	h3	MEDIUM	Bumped existing override >=1.15.5 → >=1.15.6 (path traversal in serveStatic)
#147	@modelcontextprotocol/sdk	HIGH	Updated direct dep ^1.25.2 → ^1.26.0 (resolves to 1.27.1)
#142	lodash	MEDIUM	Added pnpm override >=4.17.23
#148	qs	LOW	Bumped existing override >=6.14.1 → >=6.14.2
#152, #153	svelte	MEDIUM	Dismissed — unused optional peer dep of @vercel/analytics

The svelte alerts were dismissed with reason not_used (consistent with prior dismissals #157, #166) since svelte v4 is only pulled in as an optional peer dependency of @vercel/analytics and the project does not use Svelte.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
spotlightjs	Ready	Preview, Comment	Mar 20, 2026 10:21am

[github-actions]

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

Bug Fixes 🐛

Security

• Resolve dependabot alerts for h3, @modelcontextprotocol/sdk, lodash, qs by BYK in #1279

• Resolve dependabot alerts for h3, @modelcontextprotocol/sdk, lodash, qs by BYK in #1279

Internal Changes 🔧

• (release) Use workflow-based artifact discovery, remove merge-artifacts job by BYK in #1278

Other

• release: 4.11.1 by BYK in 5fc0b218

---

_{🤖 This preview updates automatically when you update the PR.}

[github-actions]

Codecov Results 📊

✅ Patch coverage is 100.00%. Project has 1348 uncovered lines.
✅ Project coverage is 76.31%. Comparing base (base) to head (head).

Files with missing lines (31)

File	Patch %	Lines
event.ts	52.61%	⚠️ 263 Missing
mcp.ts	65.91%	⚠️ 151 Missing
messageBuffer.ts	67.57%	⚠️ 120 Missing
docker-compose.ts	77.33%	⚠️ 85 Missing
utils.ts	31.71%	⚠️ 84 Missing
extras.ts	28.13%	⚠️ 69 Missing
debugLogging.ts	29.47%	⚠️ 67 Missing
utils.ts	75.28%	⚠️ 66 Missing
index.ts	24.59%	⚠️ 46 Missing
cors.ts	91.08%	⚠️ 39 Missing and 1 partials
logs.ts	28.85%	⚠️ 37 Missing
traces.ts	93.10%	⚠️ 33 Missing and 1 partials
userAgent.ts	52.63%	⚠️ 27 Missing
index.ts	80.47%	⚠️ 25 Missing
utils.ts	66.67%	⚠️ 23 Missing
errors.ts	75.53%	⚠️ 23 Missing
JsonViewer.tsx	71.62%	⚠️ 21 Missing
traces.ts	75.86%	⚠️ 21 Missing
processEnvelope.ts	86.67%	⚠️ 18 Missing
eventContainer.ts	78.05%	⚠️ 18 Missing
open.ts	42.86%	⚠️ 16 Missing
CodeViewer.tsx	54.55%	⚠️ 15 Missing
contentType.ts	66.67%	⚠️ 15 Missing
Attachment.tsx	90.00%	⚠️ 12 Missing and 1 partials
helpers.ts	70.27%	⚠️ 11 Missing
streaming.ts	76.09%	⚠️ 11 Missing
ShikiProvider.tsx	54.17%	⚠️ 11 Missing
AnsiText.tsx	91.00%	⚠️ 9 Missing
logger.ts	65.22%	⚠️ 8 Missing
logger.ts	87.50%	⚠️ 4 Missing and 1 partials
profileChunkProcessor.ts	100.00%	⚠️ 1 partials

Coverage diff

@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    76.31%    76.31%        —%
==========================================
  Files           47        47         —
  Lines         5690      5690         —
  Branches       614       611        -3
==========================================
+ Hits          4342      4342         —
- Misses        1348      1348         —
- Partials         5         5         —

---

Generated by Codecov Action