Security Audit & Remediation: GitHub Actions

[inlined]

Security Audit & Remediation: GitHub Actions

A. Previous CVEs

• GHSA-hmw2-7cc7-3qxx - form-data via send-email action (Severity: High)
• GHSA-p88m-4jfj-68fv - undici via send-email action (Severity: High)
• GHSA-vxpw-j846-p89q - undici via send-email action (Severity: High)

B. Changes Made

• Lockfile & Bundle Security Updates: form-data and undici are transitive dependencies required by mailgun.js (^13.1.0). The existing version range required by mailgun.js already allows patched versions, so package.json did not require modifications. Running npm audit fix updated the locked transitive resolutions in .github/actions/send-email/package-lock.json.
• Rebuilt Action Bundle: Ran npm run pack (ncc build) to recompile the patched transitive dependencies into the bundled runtime file .github/actions/send-email/dist/index.js executed by GitHub Actions.

C. Remaining CVEs

• None within .github unit scope (npm audit in .github/actions/send-email reports 0 vulnerabilities).

D. Introduced CVEs

• None

E. Testing Strategy

• Verified zero vulnerabilities reported post-fix (npm audit).
• Verified zero workflow syntax regressions and confirmed existing lint checks pass.

[gemini-code-assist]

Code Review

This pull request updates several dependency versions in the .github/actions/send-email/package-lock.json file, including upgrading form-data to 4.0.6, hasown to 2.0.4, and undici to 6.27.0. No review comments were provided, and there is no feedback to address.

[lahirumaramba]

Thank you! LGTM