hono: add maxBodyBytes guard for JSON parsing

[TheodorNEngoy]

createMcpHonoApp() includes a built-in JSON body parser that currently reads the full request body.

This PR adds a maxBodyBytes option (default: 1_000_000) and enforces it when parsing application/json bodies, returning 413 Payload too large when exceeded. This provides a basic DoS guard while keeping the behavior configurable.

Includes tests + README option docs.

[changeset-bot]

🦋 Changeset detected

Latest commit: 74cfc3e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@modelcontextprotocol/hono	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1493

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1493

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1493

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1493

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1493

commit: 74cfc3e

[TheodorNEngoy]

Added a changeset so this results in a patch bump for @modelcontextprotocol/hono. All checks are green.

Behavior recap: adds maxBodyBytes (default 1_000_000) for JSON parsing in createMcpHonoApp(), returning 413 when exceeded. Happy to tweak the default/shape if you’d prefer.