
[Snyk] Fix for 1 vulnerabilities #323

Closed
Nick2bad4u wants to merge 1 commit into main from snyk-fix-78b7ca573cb1ae13ea049b6c599fb352


@Nick2bad4u
Owner

Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue | Score
medium severity: Allocation of Resources Without Limits or Throttling (SNYK-JS-UNDICI-14943963) | 38

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


Copilot AI review requested due to automatic review settings January 29, 2026 18:59

Nick2bad4u commented Jan 29, 2026

Snyk checks have passed. No issues have been found so far.

Scanner | Critical | High | Medium | Low | Total
Open Source Security | 0 | 0 | 0 | 0 | 0 issues
Code Security | 0 | 0 | 0 | 0 | 0 issues


github-actions (bot) added labels AnyChange (Assigned to any repo file change), release (New Release), root (Affects Root Directory Structure) and JSON (Assigned to JSON issues or changes) on Jan 29, 2026

@github-actions
Contributor

# npm audit report

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@actions/glob/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/@humanwhocodes/config-array/node_modules/brace-expansion
node_modules/archiver-utils/node_modules/brace-expansion
node_modules/cacache/node_modules/brace-expansion
node_modules/editorconfig/node_modules/brace-expansion
node_modules/eslint-plugin-react/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/filelist/node_modules/brace-expansion
node_modules/glob/node_modules/brace-expansion
node_modules/js-beautify/node_modules/brace-expansion
node_modules/mem-fs-editor/node_modules/brace-expansion
node_modules/mocha/node_modules/brace-expansion
node_modules/multimatch/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/eslint/node_modules/brace-expansion
node_modules/readdir-glob/node_modules/brace-expansion

diff  <4.0.4 || >=6.0.0 <8.0.3
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/diff
node_modules/sinon/node_modules/diff
node_modules/ts-node/node_modules/diff
  mocha  11.4.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  node_modules/mocha

eslint  <9.26.0
Severity: moderate
eslint has a Stack Overflow when serializing objects with circular references - https://github.com/advisories/GHSA-p5wg-g6qr-c7cg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/prettier-eslint/node_modules/eslint
  @typescript-eslint/parser  1.1.1-alpha.0 - 8.0.0-alpha.62
  Depends on vulnerable versions of eslint
  node_modules/prettier-eslint/node_modules/@typescript-eslint/parser
    prettier-eslint  1.0.2 - 16.4.2
    Depends on vulnerable versions of @typescript-eslint/parser
    Depends on vulnerable versions of eslint
    node_modules/prettier-eslint

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/glob
node_modules/archiver-utils/node_modules/glob
node_modules/cacache/node_modules/glob
node_modules/jest-config/node_modules/glob
node_modules/jest-runtime/node_modules/glob
node_modules/js-beautify/node_modules/glob
node_modules/mocha/node_modules/glob

js-yaml  <3.14.2
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml

undici  <6.23.0
Severity: moderate
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix --force`
Will install @actions/[email protected], which is a breaking change
node_modules/undici
  @actions/github  6.0.0 - 8.0.0
  Depends on vulnerable versions of @actions/http-client
  Depends on vulnerable versions of undici
  node_modules/@actions/artifact/node_modules/@actions/github
  node_modules/@actions/attest/node_modules/@actions/github
    @actions/artifact  4.0.0 - 5.0.3
    Depends on vulnerable versions of @actions/github
    node_modules/@actions/artifact
  @actions/http-client  2.2.0 - 3.0.1
  Depends on vulnerable versions of undici
  node_modules/@actions/artifact/node_modules/@actions/github/node_modules/@actions/http-client
  node_modules/@actions/attest/node_modules/@actions/http-client
  node_modules/@actions/glob/node_modules/@actions/http-client
  node_modules/@actions/http-client
    @actions/attest  1.1.0 - 2.1.0
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/attest

13 vulnerabilities (3 low, 9 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force


Copilot AI left a comment


Pull request overview

This pull request addresses a security vulnerability (SNYK-JS-UNDICI-14943963) in the undici package by upgrading two GitHub Actions-related devDependencies:

  • @actions/github from version 6.0.1 to 8.0.1 (major version upgrade)
  • @actions/tool-cache from version 2.0.2 to 3.0.0 (major version upgrade)

Changes:

  • Upgraded @actions/github from ^6.0.1 to ^8.0.1, which updates its undici dependency from ^5.x to ^6.23.0
  • Upgraded @actions/tool-cache from ^2.0.2 to ^3.0.0, which also updates related dependencies including undici to ^6.23.0
  • Updated transitive dependencies including various @octokit packages, universal-user-agent, and before-after-hook as part of the major version upgrades

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File | Description
package.json | Updates devDependencies versions for @actions/github (6.0.1 → 8.0.1) and @actions/tool-cache (2.0.2 → 3.0.0)
package-lock.json | Comprehensive lockfile updates reflecting the major version upgrades, including new undici 6.23.0 installations for upgraded packages and updated transitive dependencies


@Nick2bad4u Nick2bad4u closed this Mar 23, 2026