
fix(security): npm security fixes (2026-06-23) #1367

Merged: absorbb merged 1 commit into newjitsu from security/fix-npm-2026-06-23 on Jun 24, 2026

Conversation

@github-actions (Contributor) commented:
Included fixes

  • CVE-2026-12151 (high): undici WebSocket client vulnerable to denial of service via fragment count bypass — undici 6.24.1 -> 6.27.0
  • CVE-2026-9679 (medium): undici vulnerable to HTTP header injection via Set-Cookie percent-decoding — undici 6.24.1 -> 6.27.0
  • CVE-2026-11525 (low): undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching — undici 6.24.1 -> 6.27.0
  • CVE-2026-6733 (low): undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse — undici 6.24.1 -> 6.27.0
  • CVE-2026-49356 (low): @babel/core arbitrary file read via sourceMappingURL comment — @babel/core 7.26.10 -> 7.29.7

Skipped (already satisfied / would downgrade)

  • None.

Risks

  • No major-version bump applied in this PR.


@jitsu-code-review (Bot) left a comment:

Reviewed the dependency override updates in package.json and the resulting lockfile changes. I checked for correctness regressions (unexpected runtime package upgrades or downgrades beyond the intended constraints) and security-related inconsistencies in resolved versions.

No actionable bugs, security issues, or user-visible regressions stood out in this change set.
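The review above describes checking the resolved versions in the lockfile against the intended constraints. As an added example (not code from this PR, the project, or the review bot), the script below performs that check over a package-lock.json v2/v3 `packages` map: it compares every resolved copy of undici and @babel/core, including copies nested under another dependency's own node_modules directory, against the minimum fixed versions listed in the PR description. The sample lockfile is constructed for the example, and the version comparison is a simplified numeric compare rather than full semver.

```javascript
// Added example: audit every resolved copy of a package in a lockfile v2/v3
// "packages" map against the minimum fixed versions listed in the PR.
// npm can keep duplicate copies under node_modules/<parent>/node_modules/<name>,
// so a fixed top-level entry alone does not prove the vulnerable version is gone.

// Minimum fixed versions taken from the PR description.
const MIN_FIXED = {
  undici: '6.27.0',
  '@babel/core': '7.29.7',
};

// Package name from a lockfile "packages" key, e.g.
// "node_modules/foo/node_modules/@babel/core" -> "@babel/core".
// The root project entry has the key "" and yields null.
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  if (idx === -1) return null;
  return path.slice(idx + marker.length);
}

// Compare dotted numeric versions: -1, 0 or 1. Pre-release suffixes are
// stripped, so this is deliberately simpler than a full semver comparison.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every resolved copy whose version is below its minimum fixed version.
function findUnfixedCopies(lock, minFixed) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (name === null || !(name in minFixed)) continue;
    if (compareVersions(entry.version, minFixed[name]) < 0) {
      findings.push({ path, name, version: entry.version, required: minFixed[name] });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level copies are fixed, but one
// dependency still carries a nested, unfixed copy of undici.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/undici': { version: '6.27.0' },
    'node_modules/@babel/core': { version: '7.29.7' },
    'node_modules/some-dep': { version: '2.0.0' },
    'node_modules/some-dep/node_modules/undici': { version: '6.24.1' },
  },
};

const findings = findUnfixedCopies(SAMPLE_LOCK, MIN_FIXED);
for (const f of findings) {
  console.log(`${f.path}: ${f.name}@${f.version} is below fixed version ${f.required}`);
}
if (findings.length === 0) {
  console.log('all resolved copies satisfy the minimum fixed versions');
}
```

To run it against a real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty findings list means an `overrides` entry in package.json did not reach every nested copy.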

absorbb merged commit 318c84c into newjitsu on Jun 24, 2026
5 checks passed
absorbb deleted the security/fix-npm-2026-06-23 branch on June 24, 2026 at 14:51