refactor: medium/low review findings - W-23163017

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: mshanemc

.claude/plans/W-23163017.md

@@ -9,7 +9,7 @@
 - API surface used: `core.setOutput` (+ getInput/setFailed per WI) — unchanged in 2.0.3
 - 2.0.3 stays CJS (3.0.0 ESM-only); node20 runtime OK
 - 1 of 2 for this GHSA; sibling WI = `@actions/github`. undici@5.29.0 fully gone only after both land
-- transitive churn: `@actions/core@1.11.1` declares `@actions/exec ^1.1.1`; 2.0.3 declares `@actions/exec ^2.0.0` (which declares `@actions/io ^2.0.0`, io has no deps). Lockfile currently has top-level `exec@1.1.1` (package-lock.json:136) + `io@1.1.3` (line 170) — `core` is their SOLE dependent (only requirement sites: package-lock.json:132 core→exec, :142 exec→io). `@actions/github` does NOT depend on exec/io (its deps: undici/@octokit*/http-client). So `npm install` upgrades both in place to exec@2.x + io@2.x; no nested copy, no version conflict (nothing requires exec@1.x once core moves to ^2.0.0)
+- transitive churn: `@actions/exec` 1.1.1→2.x + `@actions/io` 1.1.3→2.x; both upgraded in place (sole dependent is core); no version conflict, no nested copy
 
 ## Phases
 
@@ -33,4 +33,4 @@
 - `npm run compile:github-actions` exits 0 (no API break); git diff on lib minimal/none
 - `npm run check:actions` passes
 - NOT covered by branch e2e (CI tooling dep, not extension runtime)
-- note: undici@5.29.0 persists until sibling `@actions/github` WI lands — expected, not a failure here
+- undici@5.29.0 persists until sibling `@actions/github` WI lands — expected