
fix: upgrade @actions/http-client to remove undici@5.29.0 (CVE-2026-22036)#880

Merged
matt-evervault merged 1 commit into
masterfrom
com-177/patch-cve-2026-22036
May 25, 2026

Conversation

@evervault-dependencies (Contributor)

Linear issue: COM-177

Summary

Eliminates the remaining vulnerable undici@5.29.0 instance in the dependency graph by adding a targeted pnpm override that bumps @actions/http-client from the 2.x range up to 4.0.0. The 4.0.0 release already resolves undici@6.23.0 (the patched boundary), and since nothing in the workspace imports from @actions/http-client directly, the change is transparent to consumers (actions/revert-deploy only imports @actions/core and @actions/github).

A previous override (undici@>=6.0.0 <6.23.0: ^6.24.0, commit dd7e7ac) handled all v6 vulnerable resolutions, but deliberately stopped short of forcing a cross-major upgrade for the v5 branch — which has no patched release for this CVE. This PR closes that remaining gap.

CVE-2026-22036 — undici Unbounded Decompression Chain DoS

undici's fetch() implementation follows RFC 9110's support for chained Content-Encoding values (e.g., Content-Encoding: gzip, br, gzip, br, ...). The decompression chain has no length cap, and the default maxHeaderSize permits a malicious HTTP server to respond with thousands of compression steps — leading to excessive CPU and memory allocation (DoS) for any Node.js process fetching from an attacker-controlled endpoint.

Exposure assessment

The only consumer of undici@5.29.0 was @actions/http-client@2.2.3 (via @actions/github@6.0.0), used inside the actions/revert-deploy GitHub Actions script which talks only to the GitHub API (a trusted server). No production/shipped library code is affected. The remediation is a defence-in-depth cleanup that also makes the dependency tree audit-clean.

Changes

  • package.json — added "@actions/http-client@>=2.0.0 <4.0.0": "4.0.0" to pnpm.overrides (scoped to the vulnerable range; v4+ packages are untouched).
  • pnpm-lock.yaml — regenerated; undici@5.29.0 is gone, only undici@6.23.0 and undici@6.25.0 remain.

Verification

$ grep -E "undici: 5\.29\.0|undici@5\.29\.0" pnpm-lock.yaml
# (no output)

$ grep -E "^  undici@" pnpm-lock.yaml
  undici@>=6.0.0 <6.23.0: ^6.24.0
  undici@6.23.0:
  undici@6.25.0:
  undici@6.23.0: {}
  undici@6.25.0: {}

$ pnpm --filter @ev/revert-s3-deploy build
# ⚡️ Build success
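The checks in the Verification section above are one-off greps. As an added example (not code from this PR or the project), the script below turns them into a repeatable lockfile audit for Node: it lists every concrete resolution of a package in pnpm-lock.yaml, flags the ones the PR describes as unpatched for CVE-2026-22036 (the whole 5.x line, and 6.x below 6.23.0), and builds the pnpm.overrides entry the PR adds. The lockfile excerpts and integrity values are constructed placeholders shaped like the output quoted in the PR; the policy for majors other than 5 and 6 is an assumption, not something the PR states.

```javascript
// Added example, not code from the PR or the project: a pnpm-lock.yaml audit
// that reports concrete resolutions of a package and flags unpatched ones.
'use strict';

// Policy taken from the PR text: undici 6.x is patched from 6.23.0 onward and
// the 5.x line has no patched release. Majors not listed (e.g. a future 7.x)
// are assumed (not stated by the PR) to carry the fix and are not flagged.
const UNDICI_POLICY = { unpatchedMajors: [5], patchedMin: { 6: '6.23.0' } };

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Three-part semver compare: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Collect concrete "name@X.Y.Z:" keys from the packages/snapshots sections.
// Override keys such as "undici@>=6.0.0 <6.23.0: ^6.24.0" hold a range, not a
// version, so the \d+\.\d+\.\d+ pattern skips them. Scoped package keys are
// quoted in the lockfile, hence the optional surrounding quotes.
function resolvedVersions(lockfileText, name) {
  const re = new RegExp(`^\\s*'?${escapeRe(name)}@(\\d+\\.\\d+\\.\\d+)'?:`, 'gm');
  const versions = new Set();
  let m;
  while ((m = re.exec(lockfileText)) !== null) versions.add(m[1]);
  return [...versions].sort(compareVersions);
}

// Versions that violate the policy: any resolution on a major with no patched
// release, or a version below the patched minimum of its major.
function unpatchedResolutions(lockfileText, name, policy) {
  return resolvedVersions(lockfileText, name).filter((v) => {
    const major = parseVersion(v)[0];
    if (policy.unpatchedMajors.includes(major)) return true;
    const min = policy.patchedMin[major];
    return min !== undefined && compareVersions(v, min) < 0;
  });
}

// The pnpm.overrides entry the PR adds, as a key/value pair for package.json.
function overrideEntry(name, vulnerableRange, target) {
  return { [`${name}@${vulnerableRange}`]: target };
}

// Constructed lockfile excerpts (integrity values are placeholders), shaped
// like the pnpm-lock.yaml output quoted in the PR: before and after the fix.
const LOCK_BEFORE = `
overrides:
  undici@>=6.0.0 <6.23.0: ^6.24.0

packages:
  '@actions/http-client@2.2.3':
    resolution: {integrity: sha512-PLACEHOLDER}
  undici@5.29.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  undici@6.23.0:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:
  undici@5.29.0: {}
  undici@6.23.0: {}
`;

const LOCK_AFTER = `
overrides:
  undici@>=6.0.0 <6.23.0: ^6.24.0
  '@actions/http-client@>=2.0.0 <4.0.0': 4.0.0

packages:
  '@actions/http-client@4.0.0':
    resolution: {integrity: sha512-PLACEHOLDER}
  undici@6.23.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  undici@6.25.0:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:
  undici@6.23.0: {}
  undici@6.25.0: {}
`;

// Stand-alone run: `node audit.js` prints the override and both audit results.
if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log('override:', overrideEntry('@actions/http-client', '>=2.0.0 <4.0.0', '4.0.0'));
  console.log('before:', unpatchedResolutions(LOCK_BEFORE, 'undici', UNDICI_POLICY));
  console.log('after: ', unpatchedResolutions(LOCK_AFTER, 'undici', UNDICI_POLICY));
}
```

Run it against a real lockfile by reading the file into a string and passing it to unpatchedResolutions; a non-empty result is the CI failure condition. Scoping the policy per major line is what lets the check say "no patched release exists" for 5.x rather than silently treating 5.29.0 as "below 6.23.0", which is the distinction the PR's cross-major override had to make.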

evervault-dependencies requested a review from a team as a code owner, May 22, 2026 20:36
changeset-bot (Bot) commented May 22, 2026

⚠️ No Changeset found

Latest commit: cf6dcba

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@matt-evervault matt-evervault added this pull request to the merge queue May 25, 2026
Merged via the queue into master with commit 2544303 May 25, 2026
17 checks passed
@matt-evervault matt-evervault deleted the com-177/patch-cve-2026-22036 branch May 25, 2026 09:11
