
chore: fix npm dependency vulnerabilities (undici, fast-xml-builder) #1564

Open

yuzurihaaa wants to merge 5 commits into actions:main from yuzurihaaa:chore/bump-actions-github

Conversation

@yuzurihaaa yuzurihaaa commented Jun 4, 2026

Description

This PR addresses security vulnerabilities identified by Snyk in transitive dependencies.

Upgraded @actions/github from 6.0.1 to 8.0.1 — eliminates 5 vulnerabilities in undici@5.29.0:

  • Improper Handling of Highly Compressed Data / Data Amplification (High)
  • Uncaught Exception (High)
  • Allocation of Resources Without Limits or Throttling (Medium)
  • HTTP Request Smuggling (Medium)
  • CRLF Injection (Medium)

Updated fast-xml-builder in package-lock.json to a patched version — resolves 2 vulnerabilities introduced transitively via @actions/cache > @azure/storage-blob > @azure/core-xml > fast-xml-parser > fast-xml-builder@1.1.4:

  • XML Injection (Medium) — fixed in 1.1.5
  • XML External Entity (XXE) Injection (Medium) — fixed in 1.1.7

Before / After:

State            Issues   Vulnerable paths
Before           8        14
After (this PR)  1        2

The only remaining issue is @actions/glob@0.5.1 ReDoS (Medium) — no upstream fix is currently available.

Related issue

There is also another PR on fast-xml-builder. This PR combines that PR and the @actions/github package bump.

Check list

  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.

Others

npm run test: [screenshot of the test run, 2026-06-04 12:03 PM]

npm run build: [screenshot of the build run, 2026-06-04 12:04 PM]
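The "Issues" versus "Vulnerable paths" distinction in the table above comes from the fact that one vulnerable package version can be reached through several dependency chains, and that a patched copy elsewhere in the tree does not help a consumer that still resolves to a nested vulnerable copy. As an added example (not code from the setup-node project or this PR), the Node script below walks an npm lockfile's `packages` map, resolves each dependency the way npm does (nearest `node_modules` ancestor) and reports every path from the root to a version matched by an advisory. The lockfile, package versions and dependency ranges are constructed for illustration and are not the real setup-node package-lock.json; the advisory data uses only what this PR states (undici@5.29.0 affected, fast-xml-builder fixed in 1.1.7).

```javascript
// Added example, not code from the setup-node project or this PR.
// Walks an npm lockfile (v2/v3 "packages" map keyed by node_modules paths),
// resolves dependencies the way npm does, and reports every path from the
// root package to a version matched by an advisory.

// Numeric dotted compare; prerelease tags are ignored to keep this short.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// An advisory names either the first fixed version or an explicit affected list.
function isVulnerable(version, advisory) {
  if (advisory.fixedIn) return compareVersions(version, advisory.fixedIn) < 0;
  return advisory.affected.includes(version);
}

// npm resolves `name` for the package installed at `fromPath` by checking
// fromPath/node_modules/name, then each ancestor's node_modules, up to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// The package name is the path segment after the last "node_modules/".
function nameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? "" : path.slice(idx + "node_modules/".length);
}

function dependencyNames(node, isRoot) {
  const groups = [node.dependencies, node.optionalDependencies];
  if (isRoot) groups.push(node.devDependencies);
  return groups.flatMap((g) => (g ? Object.keys(g) : []));
}

// Depth-first walk from the root entry (""); `seen` is per path, so a shared
// dependency is reported once per distinct route (the "vulnerable paths" count).
function findVulnerablePaths(lock, advisories) {
  const packages = lock.packages;
  const byName = new Map(advisories.map((a) => [a.name, a]));
  const hits = [];
  function walk(path, trail, seen) {
    const node = packages[path];
    const chain = [...trail, path === "" ? "root" : `${nameFromPath(path)}@${node.version}`];
    const advisory = byName.get(nameFromPath(path));
    if (advisory && isVulnerable(node.version, advisory)) {
      hits.push({ path, version: node.version, chain: chain.join(" > ") });
    }
    for (const dep of dependencyNames(node, path === "")) {
      const target = resolveDep(packages, path, dep);
      if (target && !seen.has(target)) walk(target, chain, new Set([...seen, target]));
    }
  }
  walk("", [], new Set([""]));
  return hits;
}

// Advisory data limited to what the PR states; no undici fix version is given
// there, so that entry lists the affected version explicitly.
const ADVISORIES = [
  { name: "undici", affected: ["5.29.0"] },
  { name: "fast-xml-builder", fixedIn: "1.1.7" },
];

// Constructed lockfile for illustration; NOT the real setup-node package-lock.json.
// Two copies of fast-xml-builder are present: the hoisted 1.1.7 is reachable from
// nothing, while fast-xml-parser still resolves to its nested 1.1.4, which is the
// layout a partial lockfile edit can leave behind.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-action", dependencies: { "@actions/cache": "^4.0.0", "@actions/github": "^6.0.1" } },
    "node_modules/@actions/cache": { version: "4.0.3", dependencies: { "@azure/storage-blob": "^12.13.0", "@actions/http-client": "^2.1.1" } },
    "node_modules/@actions/github": { version: "6.0.1", dependencies: { "@actions/http-client": "^2.2.0" } },
    "node_modules/@actions/http-client": { version: "2.2.3", dependencies: { undici: "^5.25.4" } },
    "node_modules/undici": { version: "5.29.0" },
    "node_modules/@azure/storage-blob": { version: "12.27.0", dependencies: { "@azure/core-xml": "^1.4.5" } },
    "node_modules/@azure/core-xml": { version: "1.4.5", dependencies: { "fast-xml-parser": "^5.0.7" } },
    "node_modules/fast-xml-parser": { version: "5.2.5", dependencies: { "fast-xml-builder": "^1.1.4" } },
    "node_modules/fast-xml-parser/node_modules/fast-xml-builder": { version: "1.1.4" },
    "node_modules/fast-xml-builder": { version: "1.1.7" },
  },
};

// "Issues"-style count (distinct vulnerable installs) beside the path count.
function summarize(hits) {
  return { vulnerablePaths: hits.length, vulnerablePackages: new Set(hits.map((h) => h.path)).size };
}

const HITS = findVulnerablePaths(SAMPLE_LOCK, ADVISORIES);
for (const h of HITS) console.log(h.chain);
console.log(summarize(HITS));
```

On the constructed lockfile this reports three vulnerable paths over two vulnerable installs: undici@5.29.0 is reached both through @actions/github and through @actions/cache (one install, two paths), and the nested fast-xml-builder@1.1.4 is reached through the @actions/cache > @azure/storage-blob > @azure/core-xml > fast-xml-parser chain even though a patched 1.1.7 sits hoisted at the top level. Running the same walk against the real lockfile before and after a fix like this PR is a quick way to check that the "After" numbers reflect what consumers actually resolve, not just which versions appear somewhere in the file.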

@yuzurihaaa yuzurihaaa requested a review from a team as a code owner June 4, 2026 03:44
yuzurihaaa and others added 2 commits June 4, 2026 11:52
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
@yuzurihaaa (Author)

Sample run to validate dist/ https://github.com/yuzurihaaa/setup-node/actions/runs/26941635120

Comment thread package.json
"@actions/core": "^2.0.3",
"@actions/exec": "^2.0.0",
"@actions/github": "^6.0.1",
"@actions/github": "^8.0.1",
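Review bot: `^8.0.1` is a caret range, so a fresh `npm install` may resolve a later 8.x than the one tested here; the security gain only lands when package-lock.json and the committed dist/ bundle are regenerated from this same resolution. Please confirm the rebuilt dist/ no longer bundles undici@5.29.0 (the description cites a sample run validating dist/), and consider noting in the description which undici version the lockfile now pins, since that is the version the action actually ships.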

Contributor:

suggestion: Would it make sense to directly upgrade to 9.1.1?

The Breaking Change doesn't seem to apply to this repo: https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md#900

@yuzurihaaa (Author) Jun 10, 2026

I do want to bump to 9.x, but the build will fail. You can refer to PR #1532 too, where dependabot bumped to 9.x but failed on CI:

Error: Module not found: Error: Package path . is not exported from package /Users/runner/work/setup-node/setup-node/node_modules/@actions/github (see exports field in /Users/runner/work/setup-node/setup-node/node_modules/@actions/github/package.json)
Did you mean './@actions/github'?
Requests that should resolve in the current directory need to start with './'.
Requests that start with a name are treated as module requests and resolve within module directories (node_modules).
If changing the source code is not an option there is also a resolve options called 'preferRelative' which tries to resolve these kind of requests in the current directory too.
    at /Users/runner/work/setup-node/setup-node/node_modules/@vercel/ncc/dist/ncc/index.js.cache.js:23:2001849
    at /Users/runner/work/setup-node/setup-node/node_modules/@vercel/ncc/dist/ncc/index.js.cache.js:23:389111
    at _done (eval at create (/Users/runner/work/setup-node/setup-node/node_modules/@vercel/ncc/dist/ncc/index.js.cache.js:21:81694), <anonymous>:9:1)
    at eval (eval at create (/Users/runner/work/setup-node/setup-node/node_modules/@vercel/ncc/dist/ncc/index.js.cache.js:21:81694), <anonymous>:34:22)

Initially I filed an issue on this, but my goal is to resolve the vulnerabilities reported in my org, so this is the minimum viable change. I do have a branch that upgrades to 9.x, but I had to change the build script to use esbuild.
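The error quoted above ("Package path . is not exported") is what a bundler reports when the package's "exports" field has no entry for the package root under the conditions the bundler resolves with, which is a common outcome when a dependency moves to an ESM-only entry point and the consumer is still built as CommonJS. As an added example (not code from setup-node, ncc, esbuild or @actions/github), the script below models that matching: it resolves a subpath against an exports map using an ordered set of conditions, the way Node and bundlers do. The two exports maps are constructed to show a dual CommonJS/ESM package beside an ESM-only one; they are not the real @actions/github manifest, whose actual shape this thread does not show, so the script illustrates the mechanism rather than diagnosing the 9.x build.

```javascript
// Added example, not code from setup-node, ncc, esbuild or @actions/github.
// A minimal model of "exports" field resolution: which file (if any) a bare
// request for a package subpath maps to under a given set of conditions.
// Simplified from the Node.js algorithm (no pattern keys, no path validation).

// Resolves a target, which may be a string, an array of fallbacks, a null
// (explicitly not exported), or a conditions object whose keys are tried in
// the order written; the first enabled condition that resolves wins.
function resolveTarget(target, conditions) {
  if (typeof target === "string") return target;
  if (target === null || target === undefined) return null;
  if (Array.isArray(target)) {
    for (const t of target) {
      const r = resolveTarget(t, conditions);
      if (r) return r;
    }
    return null;
  }
  for (const [cond, next] of Object.entries(target)) {
    if (cond === "default" || conditions.includes(cond)) {
      const r = resolveTarget(next, conditions);
      if (r) return r;
    }
  }
  return null;
}

// Returns the file `subpath` ("." for the package root) maps to, or null when
// the exports map does not expose it, which is the "not exported" case.
function resolveExports(exportsField, subpath, conditions) {
  // Sugar forms: a bare string, or a conditions object without "." keys,
  // both mean "this is the target for '.'".
  const isSugar =
    typeof exportsField === "string" ||
    !Object.keys(exportsField).some((k) => k.startsWith("."));
  const map = isSugar ? { ".": exportsField } : exportsField;
  if (!(subpath in map)) return null;
  return resolveTarget(map[subpath], conditions);
}

// The condition set depends on the consumer: a CommonJS bundle resolves with
// "require", an ES module consumer with "import". Order here follows the
// usual resolver defaults; "default" is always accepted as a fallback.
const CJS_CONDITIONS = ["node", "require", "default"];
const ESM_CONDITIONS = ["node", "import", "default"];

// Constructed: a dual package that exposes both entry points.
const DUAL_EXPORTS = { ".": { import: "./lib/index.mjs", require: "./lib/index.js" } };
// Constructed: an ESM-only map with neither a "require" nor a "default" branch.
const ESM_ONLY_EXPORTS = { ".": { import: "./lib/index.mjs" } };
// Constructed: the same ESM-only package after adding a CommonJS fallback.
const ESM_WITH_FALLBACK = { ".": { import: "./lib/index.mjs", default: "./lib/index.cjs" } };

// Renders the outcome the way a bundler would report it.
function describeRoot(name, exportsField, conditions) {
  const r = resolveExports(exportsField, ".", conditions);
  return r ? `${name}: "." resolves to ${r}` : `${name}: Package path . is not exported`;
}

for (const [name, map] of [["dual", DUAL_EXPORTS], ["esm-only", ESM_ONLY_EXPORTS], ["esm+fallback", ESM_WITH_FALLBACK]]) {
  console.log(describeRoot(`${name} (CommonJS consumer)`, map, CJS_CONDITIONS));
  console.log(describeRoot(`${name} (ESM consumer)`, map, ESM_CONDITIONS));
}
```

The useful check when a bump like this breaks the build is to read the dependency's "exports" entry for "." and compare it with the conditions your bundler uses: if only "import" is listed and the build emits CommonJS, no amount of resolver tweaking (the `preferRelative` hint in the error is unrelated) will find an entry, and the options are a bundler that consumes ESM, a dependency version that still ships a "require" or "default" branch, or staying on the last version that does, which is the trade-off this PR makes by stopping at 8.0.1.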

@yuzurihaaa (Author) commented Jun 10, 2026

On an almost related note: I necro-ed a PR (through my PR) to resolve another vulnerability, if someone can review the PR. I can help to do the follow-up PR.

@yuzurihaaa yuzurihaaa requested a review from deiga June 10, 2026 11:53