
[Aikido] Fix 10 security issues in hono, fast-uri#3

Open

aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-46438407-evtc

Conversation

aikido-autofix[bot] commented Jun 8, 2026

Upgrade Hono and fast-uri to fix path traversal, authorization bypass, and URI normalization vulnerabilities enabling file escape, middleware bypass, and policy circumvention.

✅ There are no breaking changes

✅ 10 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-39408 | HIGH | [hono] Path traversal vulnerability in `toSSG()` allows attackers to write files outside the configured output directory during static site generation using specially crafted dynamic route parameters. This enables arbitrary file write attacks that could compromise system integrity. |
| CVE-2026-39407 | MEDIUM | [hono] Path handling inconsistency in `serveStatic` allows bypassing route-based authorization middleware by using repeated slashes (`//`) in request paths, enabling unauthorized access to protected static files. |
| CVE-2026-39409 | MEDIUM | [hono] The `ipRestriction()` middleware fails to canonicalize IPv4-mapped IPv6 addresses before applying IPv4 allow/deny rules, allowing attackers to bypass IP-based access controls in dual-stack environments. |
| GHSA-26pp-8wgv-hjvm | MEDIUM | [hono] Cookie names are not validated in `setCookie()`, `serialize()`, or `serializeSigned()`, allowing invalid characters that can cause malformed Set-Cookie headers and runtime errors when processing untrusted cookie names. |
| GHSA-v8w9-8mx6-g223 | MEDIUM | [hono] Prototype pollution vulnerability in `parseBody({ dot: true })` where specially crafted form field names like `__proto__.x` create objects with `__proto__` properties, potentially enabling prototype pollution if merged unsafely into other objects. |
| CVE-2026-39410 | MEDIUM | [hono] A discrepancy between browser cookie parsing and `parse()` handling allows cookie prefix protections to be bypassed, enabling attacker-controlled cookies to override legitimate ones through key normalization. |
| AIKIDO-2026-10336 | LOW | [hono] Accept header parsing uses a vulnerable regex that causes catastrophic backtracking when processing crafted headers with many segments, enabling denial of service attacks through CPU exhaustion. |
| CVE-2026-6321 | HIGH | [fast-uri] A vulnerability in URI normalization allows attackers to bypass path-based access controls by using percent-encoded separators and dot segments that normalize to unintended paths. This enables policy bypass attacks where restricted paths can be accessed through specially crafted encoded URLs. |
| CVE-2026-6322 | HIGH | [fast-uri] Normalize function improperly decodes percent-encoded authority delimiters in the host component, re-emitting them as raw delimiters during serialization. This allows attackers to bypass host allowlist checks and redirect requests to unintended authorities. |
| AIKIDO-2026-10784 | HIGH | [fast-uri] A path normalization vulnerability allows attackers to bypass security checks by using percent-encoded slashes and dots that are decoded before dot-segment removal, causing distinct URIs to normalize identically and compare equal. |
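The decode-before-dot-removal ordering that the fast-uri entries describe, as an added example that is not code from hono, fast-uri or this PR; the `removeDotSegments`, `normalizeDecodeFirst`, `normalizeEncodedFirst` and `sameResource` functions and all paths are constructed for the demonstration.

```javascript
// Added example, not code from hono, fast-uri or this PR: the ordering defect
// described in the fast-uri entries above, shown on constructed paths. Two
// different request paths must never normalize to the same string.
// RFC 3986 section 5.2.4 remove_dot_segments. It works on the path exactly as
// given, so only literal "." and ".." segments are treated as dot segments.
function removeDotSegments(input) {
  let output = '';
  while (input.length > 0) {
    if (input.startsWith('../')) input = input.slice(3);
    else if (input.startsWith('./')) input = input.slice(2);
    else if (input.startsWith('/./')) input = input.slice(2);
    else if (input === '/.') input = '/';
    else if (input.startsWith('/../') || input === '/..') {
      input = '/' + input.slice(4);             // "/../x" -> "/x", "/.." -> "/"
      output = output.replace(/\/?[^/]*$/, ''); // drop the last output segment
    } else if (input === '.' || input === '..') input = '';
    else {
      const seg = input.match(/^\/?[^/]*/)[0];  // next segment, with its leading "/"
      output += seg;
      input = input.slice(seg.length);
    }
  }
  return output;
}

// Vulnerable order: percent-decoding first turns "%2e%2e" into ".." and "%2f"
// into "/" before dot segments are collapsed, so different paths merge.
function normalizeDecodeFirst(path) {
  return removeDotSegments(decodeURIComponent(path));
}

// Hardened order: collapse dot segments on the still-encoded path, then only
// upper-case the hex digits of the escapes that remain (RFC 3986 6.2.2.1).
// "%2F" and "%2E" stay encoded, so they never act as separators or dots;
// decode segment contents, if needed, only after the comparison is made.
function normalizeEncodedFirst(path) {
  return removeDotSegments(path).replace(/%[0-9a-f]{2}/gi, (m) => m.toUpperCase());
}

// The kind of check the entries describe: two paths name the same resource
// only if their normalized forms compare equal.
function sameResource(a, b, normalize) {
  return normalize(a) === normalize(b);
}

// Constructed inputs: the encoded traversal equals the plain target under the
// decode-first order and stays distinct under the hardened order.
console.log(sameResource('/a/%2e%2e/b', '/b', normalizeDecodeFirst));   // true (defect)
console.log(sameResource('/a/%2e%2e/b', '/b', normalizeEncodedFirst)); // false
console.log(sameResource('/a%2fb', '/a/b', normalizeEncodedFirst));    // false
```

Literal dot segments are still collapsed by the hardened order (`/a/../b` becomes `/b`); only the encoded forms are left alone.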
