chore(deps): bump undici and @actions/http-client

[dependabot]

Bumps undici to 6.25.0 and updates ancestor dependency @actions/http-client. These dependencies need to be updated together.

Updates undici from 5.29.0 to 6.25.0

Release notes

Sourced from undici's releases.

v6.25.0

What's Changed

Full Changelog: nodejs/undici@v6.24.1...v6.25.0

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

... (truncated)

Commits

• 3420499 Bumped v6.25.0 (#5029)
• d7a1e55 feat: add configurable maxPayloadSize for WebSocket (#4955)
• a9d1848 Do not mark v6.x releases as latest
• 0126586 Ignore local agent configuration files
• c0cf656 Bumped v6.24.1
• f5a9f0c Fix v6 release workflow branch targeting
• af2cb8f wqremove maxDecompressedMessageSize (#4891)
• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates @actions/http-client from 2.2.3 to 4.0.1

Changelog

Sourced from @​actions/http-client's changelog.

4.0.1

• Bump undici from 6.23.0 to 6.24.0 #2347

4.0.0

• Breaking change: Package is now ESM-only
  • CommonJS consumers must use dynamic import() instead of require()

3.0.2

• Bump undici from 5.28.5 to 6.23.0

3.0.1

• Add support for ACTIONS_ORCHESTRATION_ID in user-agent and default user-agent #2229

3.0.0

• Add support for Node 24 #2110

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​actions/http-client since your current version.