
chore: consolidate dependabot and npm audit dependency updates#2374

Draft
Copilot wants to merge 2 commits into main from copilot/check-dependabot-prs-and-audits

Conversation

Contributor

Copilot AI commented Apr 10, 2026

Summary

  • reviewed open Dependabot dependency PRs and open dependency-update issues
  • bumped vulnerable dependency ranges in manifests (undici, minimatch) and updated root security overrides (brace-expansion, tar, @tootallnate/once, js-yaml)
  • regenerated lockfiles across root and affected packages

Validation

  • npm run audit-all passes (all package-level audit checks clean)
  • npm run lint passes
  • npm run build passes
  • npm test still fails in this environment on existing network-dependent postman-echo.com tests
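An added check for the procedure in this summary (bump manifest ranges, update root overrides, regenerate lockfiles), not code from actions/toolkit: after regeneration, confirm every resolved version in the lockfile satisfies its manifest range or override, and flag any bump that crosses a major version, since only those are outside the semver-safe patch/minor class. The package names, ranges and versions in the sample data are constructed for illustration and are not the PR's actual values; only exact, `^` and `~` ranges are handled.

```javascript
// Minimal semver handling: pre-release tags and the ^0.x special cases are not covered.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`bad version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// '^' keeps the major, '~' keeps major.minor, anything else is an exact pin.
function satisfies(version, range) {
  const v = parse(version);
  const op = range[0];
  const base = parse(range.replace(/^[\^~]/, ''));
  if (cmp(v, base) < 0) return false;
  if (op === '^') return v[0] === base[0];
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  return cmp(v, base) === 0;
}
// manifest: { dependencies, overrides } as in package.json; lock / previousLock: { name: resolvedVersion }
// Returns human-readable findings; an empty array means the regenerated lockfile matches the manifest.
function checkLock(manifest, lock, previousLock = {}) {
  const findings = [];
  // Overrides win over plain dependency ranges, as npm applies them to the whole tree.
  const wanted = { ...manifest.dependencies, ...manifest.overrides };
  for (const [name, range] of Object.entries(wanted)) {
    const resolved = lock[name];
    if (!resolved) { findings.push(`${name}: missing from lockfile`); continue; }
    if (!satisfies(resolved, range)) findings.push(`${name}: ${resolved} does not satisfy ${range}`);
    const prev = previousLock[name];
    if (prev && parse(prev)[0] !== parse(resolved)[0]) {
      findings.push(`${name}: major bump ${prev} -> ${resolved}`);
    }
  }
  return findings;
}
// Constructed sample (illustrative values only): one dependency range bump, one root override.
const manifest = {
  dependencies: { undici: '^6.24.0', minimatch: '^3.1.5' },
  overrides: { tar: '^7.0.0' }
};
const before = { undici: '6.23.0', minimatch: '3.1.2', tar: '6.2.1' };
const after = { undici: '6.24.1', minimatch: '3.1.5', tar: '7.4.3' };
console.log(checkLock(manifest, after, before)); // the tar override crosses a major and is reported
```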

Copilot AI and others added 2 commits April 10, 2026 08:52
Agent-Logs-Url: https://github.com/actions/toolkit/sessions/d499e0d6-6a24-47ae-bb56-34a77268a632

Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
Agent-Logs-Url: https://github.com/actions/toolkit/sessions/d499e0d6-6a24-47ae-bb56-34a77268a632

Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
@salmanmkc
Contributor

@copilot should we do package releases and readme bumps in this PR following semver rules? or should we prep them in a separate pr? Are there any breaking changes we should be cautious of?

Contributor Author

Copilot AI commented Apr 10, 2026

@copilot should we do package releases and readme bumps in this PR following semver rules? or should we prep them in a separate pr? Are there any breaking changes we should be cautious of?

I’d keep releases/readme version bumps in a separate PR. This PR should stay as dependency remediation; then do a focused release PR with changelog/readme/version updates. Based on commit ba2e192, these are semver-safe dependency bumps (undici/minimatch patch/minor within major), so no intentional breaking API changes are expected. The main caution is validating runtime compatibility in release CI (especially transitive/tooling overrides like tar) before publishing.

@salmanmkc
Contributor

@copilot agreed, there could be breaking changes, such as packages changing payloads, or responses or adding more headers than is needed, can you try to check if anything could break for example in actions/cache, actions/download-artifact, actions/upload-artifact, actions/github-script, actions/github-checkout, all the actions/setup-* actions, any other first party actions, etc.

Contributor Author

Copilot AI commented Apr 11, 2026

@copilot agreed, there could be breaking changes, such as packages changing payloads, or responses or adding more headers than is needed, can you try to check if anything could break for example in ac...

I checked this in detail against ba2e192 and don’t see an intentional breaking change surface for first-party actions.

What changed at runtime is mainly:

  • undici bump via @actions/http-client and @actions/github (6.23.x -> 6.24.x)
  • minimatch bump in @actions/glob (resolved to 3.1.5)

Risk review for the actions you listed:

  • actions/cache: uses @actions/http-client + @actions/glob → low risk; glob usage here is constrained (nobrace/noext/nonegate) so matching semantics should remain stable.
  • actions/upload-artifact / actions/download-artifact: consume @actions/artifact which depends on @actions/github + @actions/http-client → low-to-moderate risk only around proxy/fetch edge behavior (not payload contract changes).
  • actions/checkout, actions/github-script, and most setup-* actions: primary exposure is through @actions/http-client/@actions/tool-cache/@actions/core; no API shape changes in toolkit from this PR.

Validation I ran here:

  • npm run audit-all
  • npm run build
  • Focused tests on undici/minimatch paths: glob pattern tests + attest mock-undici tests + github orchestration tests ✅
  • Known environment/network-dependent proxy tests still fail due to sandbox DNS/proxy restrictions (same class of pre-existing external-network failures), not from these version bumps.

So the practical caution is proxy/network behavior in constrained environments; I don’t see evidence of breaking payload/response contract changes introduced by this PR.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/toolkit/toolkit/node_modules/.bin/jest --testTimeout 70000 ./packages/http-client/__tests__/proxy.test.ts ./packages/github/__tests__/orchestration.test.ts ./packages/github/__tests__/github.proxy.test.ts ./packages/glob/__tests__/internal-pattern.test.ts ./packages/attest/__tests__/artifactMetadata.test.ts ./packages/attest/__tests__/store.test.ts (http block)
  • https://api.github.com/repos/actions/toolkit/branches/main
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/toolkit/toolkit/node_modules/.bin/jest --testTimeout 70000 ./packages/http-client/__tests__/proxy.test.ts ./packages/github/__tests__/orchestration.test.ts ./packages/github/__tests__/github.proxy.test.ts ./packages/glob/__tests__/internal-pattern.test.ts ./packages/attest/__tests__/artifactMetadata.test.ts ./packages/attest/__tests__/store.test.ts (http block)
  • postman-echo.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/toolkit/toolkit/node_modules/.bin/jest --testTimeout 70000 ./packages/http-client/__tests__/proxy.test.ts ./packages/github/__tests__/orchestration.test.ts ./packages/github/__tests__/github.proxy.test.ts ./packages/glob/__tests__/internal-pattern.test.ts ./packages/attest/__tests__/artifactMetadata.test.ts ./packages/attest/__tests__/store.test.ts (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
