GHSA-xf4j-xp2r-rqqx
Hono: Path traversal in toSSG() allows writing files outside the output directory
## Summary
A path traversal issue in `toSSG()` allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via `ssgParams`, specially crafted values can cause generated file paths to escape the intended output directory.
## Details
The static site generation process creates output files based on route paths derived from application routes and parameters. When `ssgParams` is used to provide values for dynamic routes, those values are used to construct output file paths. If these values contain traversal sequences (e.g. `..`), the resulting output path may resolve outside the configured output directory. As a result, files may be written to unintended locations instead of being confined within the specified output directory.
For example:

```ts
import { Hono } from 'hono'
import { toSSG, ssgParams } from 'hono/ssg'
// Filesystem module handed to toSSG (not shown in the original snippet)
import fs from 'node:fs/promises'

const app = new Hono()

// The parameter value carries a traversal sequence that is substituted into '/:id'
app.get('/:id', ssgParams([{ id: '../pwned' }]), (c) => {
  return c.text('pwned')
})

await toSSG(app, fs, { dir: './static' })
```
In this case, the generated output path may resolve outside `./static`, resulting in a file being written outside the intended output directory.
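The following is an added example, not Hono's code or the fix referenced in this advisory. It models the build step described above (a route path filled from `ssgParams` values is mapped to a file under the output directory) and shows the two defensive checks a build script can apply: rejecting a parameter value that contains a `..` segment or a path separator before it is substituted into the route, and verifying that the final resolved file path still lies inside the output directory. The route-to-file mapping (`index.html` for directory-style routes, `<route>.html` otherwise) and the `{ id }` parameter shape are simplifying assumptions for the example.

```typescript
import path from 'node:path'

// Check 1: a single-segment route parameter must not be able to change
// the directory part of the output path. Applied to ssgParams values
// before they are substituted into the route.
export function isSafeParamValue(value: string): boolean {
  if (value.length === 0) return false
  if (/[\\/]/.test(value)) return false // embedded separators
  return value !== '.' && value !== '..' // dot segments
}

// Assumed mapping from a route path to the file the generator writes:
// '/' -> index.html, '/about' -> about.html (simplification, not Hono's logic).
export function buildOutputPath(outDir: string, routePath: string, ext = 'html'): string {
  const file = routePath.endsWith('/') ? `${routePath}index.${ext}` : `${routePath}.${ext}`
  return path.posix.join(outDir, file)
}

// Check 2: true only when the fully resolved candidate path is strictly
// inside the resolved output directory (not the directory itself, not a
// sibling, not an ancestor). Comparing resolved paths catches traversal
// that survived string-level filtering.
export function isInsideOutputDir(outDir: string, candidate: string): boolean {
  const root = path.posix.resolve(outDir)
  const target = path.posix.resolve(candidate)
  const rel = path.posix.relative(root, target)
  if (rel === '' || path.posix.isAbsolute(rel)) return false
  return rel.split(path.posix.sep)[0] !== '..'
}

// Build the output path and refuse to return one that escapes outDir.
export function safeOutputPath(outDir: string, routePath: string): string {
  const candidate = buildOutputPath(outDir, routePath)
  if (!isInsideOutputDir(outDir, candidate)) {
    throw new Error(`refusing to write outside ${outDir}: ${routePath} -> ${candidate}`)
  }
  return candidate
}

// Substitute each constructed ssgParams value into '/:id' and report the
// file that would be written, or null when the value is rejected.
export function planRoutes(
  outDir: string,
  params: { id: string }[]
): { route: string; file: string | null }[] {
  return params.map(({ id }) => {
    const route = `/${id}`
    if (!isSafeParamValue(id)) return { route, file: null }
    try {
      return { route, file: safeOutputPath(outDir, route) }
    } catch {
      return { route, file: null }
    }
  })
}

// Constructed parameter set mirroring the advisory's snippet.
console.log(planRoutes('/build/static', [{ id: 'about' }, { id: '../pwned' }]))
```

Both checks are worth keeping: the value filter gives a clear error at the point where untrusted input enters the build, while the resolved-path comparison is the check that holds regardless of how the path was assembled.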
## Impact
An attacker who can influence values passed to `ssgParams` during the build process may be able to write files outside the intended output directory.
Depending on the build and deployment environment, this may:
* overwrite unintended files
* affect generated artifacts
* impact deployment outputs or downstream tooling
This issue is limited to build-time static site generation and does not affect request-time routing.
References
- https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-39408 [ADVISORY]
- https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679 [WEB]
- https://github.com/honojs/hono [PACKAGE]
- https://github.com/honojs/hono/releases/tag/v4.12.12 [WEB]