Refactor: move telemetry track() calls from route handlers to application services

GitHub Dependabot is reporting 6 open medium-severity alerts against evals/promptfoo/package-lock.json. All of them are transitive dependencies pulled in by promptfoo@0.121.3, and all resolve to two underlying packages:

hono 4.12.11 → needs >= 4.12.12
@hono/node-server 1.19.12 → needs >= 1.19.13

Affected alerts

#	Package	Severity	GHSA	Summary
7	hono	medium	GHSA-r5rp-j6wh-rvv4	Non-breaking space prefix bypass in cookie name handling in `getCookie()`
6	hono	medium	GHSA-xpcf-pg52-r92g	Incorrect IP matching in `ipRestriction()` for IPv4-mapped IPv6 addresses
5	hono	medium	GHSA-26pp-8wgv-hjvm	Missing validation of cookie name on write path in `setCookie()`
4	hono	medium	GHSA-xf4j-xp2r-rqqx	Path traversal in `toSSG()` allows writing files outside output dir
3	hono	medium	GHSA-wmmm-f939-6g9c	Middleware bypass via repeated slashes in `serveStatic`
2	@hono/node-server	medium	GHSA-92pp-h63x-v22m	Middleware bypass via repeated slashes in `serveStatic`

All 6 alerts are confined to the promptfoo eval harness — no production swamp code or CLI surface is affected. The risk is low (we only run promptfoo locally/in CI for evals, not as an internet-facing service), but the alerts create noise in the security tab.

Proposed fix

This affects only evals/promptfoo/package.json and its lockfile. The fix would involve one of the following, in order of preference:

Bump promptfoo to a newer release that already pulls in patched hono >= 4.12.12 and @hono/node-server >= 1.19.13 transitively. Verify the new version is API-compatible with how we call promptfoo from the eval harness.
If no upstream promptfoo release pins the patched versions yet, add npm overrides for hono and @hono/node-server to evals/promptfoo/package.json (alongside the existing @anthropic-ai/sdk override) and regenerate the lockfile.
Re-run the promptfoo eval suite once to confirm nothing regressed.

Verification

evals/promptfoo/package-lock.json should resolve hono to >= 4.12.12 and @hono/node-server to >= 1.19.13.
All 6 dependabot alerts (#2 through #7) should auto-close after the bump merges.
The promptfoo eval harness should still run end-to-end against a sample config.

Environment

Repo: systeminit/swamp
File: evals/promptfoo/package-lock.json
Today's promptfoo version: 0.121.3

02Bog Flow

Shipped

4/8/2026, 2:58:54 PM

Click a lifecycle step above to view its details.

03Sludge Pulse

Add GitHub Copilot IDE support

Phase 1: /feed — judge-gated content stream

Add reactions and Giphy integration to comments

Architecture violation: search route imports directly from lib/infrastructure

Introduce domain events to formalize the telemetry-to-consumer pipeline

Refactor: move telemetry track() calls from route handlers to application services

Reindex path feeds error events to consumer, bypassing filtering

Custom swamp-themed avatar generator with daily rerolls

Profile content links with scoring for community contributions

Score extension pull events for extension authors

Score daily sign-in events with streak multiplier

Score sign_up events in the telemetry pipeline

Score extension publish events in the telemetry pipeline

Add 'award' telemetry event type for arbitrary score grants

Bug: authenticated pulls always shows 0 on profile page

Decouple identity_map from main app: username renames via event, not shared DB

Optimise MongoDB Search Queries

Transactional emails on login with google/similar

Add rate limiting to send-verification-email endpoint

Add authentication or rate limiting to check-verified endpoint

swamp data query for morning-message in hello-world tutorial returns nothing.

Document vault migrate command in reference docs

Locks on long running actions

issue-lifecycle skill: improve resumption and close-out guidance

deprovision: firewall deletion fails with resource_in_use immediately after server delete

swamp workflow validate should check step inputs against method's required arguments

data.latest() returns null when new data written while _catalog.db is already marked populated

Bundle cache fallback silently skipped when source and bundle have equal mtimes

Add vault migrate command to move secrets between vaults

First-class methodRunId / invocationId on DataRecord

Consolidate method execution paths — workflow steps and manual runs build MethodContext divergently

CatalogStore constructor runs createSchema before migrateIfNeeded; v1→v2 upgrade fails on existing repos

discord-bot poller double-processes events with >1 replica

datastore sync: clean up zombie _catalog.db* entries from remote index and S3 bucket

datastore sync --push runs pushChanged() twice per invocation (coordinator dedup)

datastore sync --push fails on _catalog.db-wal: catalog SQLite DB lives inside the S3 sync cache

.swamp/datastore-bundles/ leaks into deno lint and deno fmt scans

deno run audit task missing --allow-env flag

Error when submitting a new issue manually

Green text on issue details is a lot