chore(deps): bump undici and @actions/artifact

[dependabot]

Bumps undici to 6.25.0 and updates ancestor dependency @actions/artifact. These dependencies need to be updated together.

Updates undici from 5.29.0 to 6.25.0

Release notes

Sourced from undici's releases.

v6.25.0

What's Changed

Full Changelog: nodejs/undici@v6.24.1...v6.25.0

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

... (truncated)

Commits

• 3420499 Bumped v6.25.0 (#5029)
• d7a1e55 feat: add configurable maxPayloadSize for WebSocket (#4955)
• a9d1848 Do not mark v6.x releases as latest
• 0126586 Ignore local agent configuration files
• c0cf656 Bumped v6.24.1
• f5a9f0c Fix v6 release workflow branch targeting
• af2cb8f wqremove maxDecompressedMessageSize (#4891)
• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates @actions/artifact from 4.0.0 to 6.2.1

Changelog

Sourced from @​actions/artifact's changelog.

6.2.1

• Support the RFC 5987 filename* field in the content-disposition header. This allows us to correctly download files and artifacts with Chinese/Japanese/Korean (among other) characters in their name.

6.2.0

• Support uploading single un-archived files (not zipped). Direct uploads are only supported for artifacts version 7+ (based on the major version of actions/upload-artifact). Callers must pass the skipArchive option to uploadArtifact. Only single files can be uploaded at a time right now. Default behavior should remain unchanged if skipArchive = false. When skipArchive = true, the name of the file is used as the name of the artifact for consistency with the downloads: you upload artifact.txt, you download artifact.txt.

6.1.0

• Support downloading non-zip artifacts. Zipped artifacts will be decompressed automatically (with an optional override). Un-zipped artifacts will be downloaded as-is.

6.0.0

• Breaking change: Package is now ESM-only
  • CommonJS consumers must use dynamic import() instead of require()

5.0.3

• Bump @actions/http-client to 3.0.2

5.0.1

• Fix Node.js 24 punycode deprecation warning by updating @azure/storage-blob from ^12.15.0 to ^12.29.1 #2211
• Removed direct @azure/core-http dependency (now uses @azure/core-rest-pipeline via storage-blob)

5.0.0

• Dependency updates for Node.js 24 runtime support
• Update @actions/core to v2
• Update @actions/http-client to v3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​actions/artifact since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[psiinon]

Checkmarx One – Scan Summary & Details – cc3ed1ab-d60d-4ada-bb77-36e848fad56a

---

Fixed Issues (6)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2026-1525	Npm-undici-5.29.0
	CVE-2026-1526	Npm-undici-5.29.0
	CVE-2026-1528	Npm-undici-5.29.0
	CVE-2026-22036	Npm-undici-5.29.0
	CVE-2026-2229	Npm-undici-5.29.0
	CVE-2026-1527	Npm-undici-5.29.0

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR