
[Aikido] Fix 9 security issues in path-to-regexp, undici#129

Open
aikido-autofix[bot] wants to merge 1 commit into main from fix/AIK-11154-AIK-11415-update-packages-20990896-bpy6

Conversation

aikido-autofix[bot] (Contributor) commented Mar 29, 2026

Upgrade path-to-regexp and undici to fix HTTP request smuggling, WebSocket DoS via decompression bombs and invalid parameters, and header injection vulnerabilities.

✅ Code not affected by breaking changes.

No breaking changes from either package upgrade affect this codebase:

undici (6.23.0 => 7.24.1):

  • The package is only used as a transitive dependency through @actions/* packages (visible in package-lock.json)

  • No direct imports or usage of undici found in the source code

  • The throwOnError option is not used anywhere in the codebase

  • No interceptors are configured or used in the source code

  • The deduplicate interceptor is not used

  • Node.js version requirement is >=20 (package.json), which satisfies undici 7.x's requirement of Node.js >= 18.17

path-to-regexp (8.2.0 => 8.4.0):

  • Used as a transitive dependency through express (visible in package-lock.json)

  • All route patterns in the codebase are simple static paths (e.g., /api/runtime/config, /api/runtime/apps/down)

  • No wildcard patterns (*) are used in route definitions

  • No optional route groups are present in the route patterns

  • The changes restricting wildcard backtracking and optional route combinations do not apply to the simple route patterns used in this codebase

All breaking changes by upgrading path-to-regexp from version 8.2.0 to 8.4.0 (CHANGELOG)

| Version | Description |
|---|---|
| 8.4.0 | Restricts wildcard backtracking when using more than 1 in a path |
| 8.4.0 | Rejects large optional route combinations (restricts number of generated combinations to < 256, equivalent to 8 top-level optional groups) |

All breaking changes by upgrading undici from version 6.23.0 to 7.24.1 (CHANGELOG)

| Version | Description |
|---|---|
| 7.0.0 | Upgraded llhttp to 9.2.0 |
| 7.0.0 | Dropped interceptors |
| 7.0.0 | Dropped throwOnError |
| 7.0.0 | Bumped concurrently from 8.2.2 to 9.0.0 in /benchmarks (node < 18 unsupported) |
| 7.0.0 | Dropped Node.js v18 support |
| 7.22.0 | fix(deduplicate): do not deduplicate non-safe methods by default - This changes the default behavior of the deduplicate interceptor to no longer deduplicate non-safe HTTP methods, which could cause previously deduplicated requests to now be sent multiple times. |
✅ 9 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-1525 | HIGH | [undici] Duplicate HTTP Content-Length headers with case-variant names are allowed, creating malformed requests that can cause denial of service or enable HTTP request smuggling attacks in inconsistent header interpretation scenarios. |
| CVE-2026-1526 | MEDIUM | [undici] A malicious WebSocket server can send compressed frames that expand to extremely large sizes in memory without limits, causing denial-of-service through memory exhaustion and process crash. The vulnerability stems from unbounded decompression in the permessage-deflate extension without size validation. |
| CVE-2026-1528 | MEDIUM | [undici] A server can send a WebSocket frame with an extremely large 64-bit length value, causing ByteParser integer overflow that results in a fatal TypeError and process termination (DoS). |
| CVE-2026-2229 | MEDIUM | [undici] A malicious WebSocket server can crash the client process by sending an invalid server_max_window_bits parameter in the permessage-deflate extension, causing an uncaught RangeError when creating a zlib decompressor with an out-of-range value. |
| CVE-2026-1527 | LOW | [undici] HTTP request smuggling vulnerability allowing CRLF injection through the upgrade option, enabling arbitrary header injection and premature request termination to smuggle data to non-HTTP services. |
| AIKIDO-2026-10369 | LOW | [undici] Prototype pollution vulnerability allows attackers to modify object prototypes through specially crafted input with keys like __proto__ or constructor, potentially influencing application behavior or enabling further attacks. |
| AIKIDO-2026-10385 | LOW | [undici] A prototype pollution vulnerability allows attackers to inject special keys like __proto__, constructor, or prototype into internal objects, potentially modifying the prototype chain and influencing application behavior or enabling further attacks. |
| CVE-2026-4926 | MEDIUM | [path-to-regexp] A bad regular expression is generated with multiple sequential optional groups, causing exponential regex growth and denial of service. Attackers can exploit this by crafting malicious route patterns with many optional groups to consume excessive resources. |
| CVE-2026-4923 | LOW | [path-to-regexp] A ReDoS (Regular Expression Denial of Service) vulnerability exists when multiple wildcards are combined with parameters in certain configurations, allowing attackers to cause excessive backtracking and denial of service through crafted input strings. |
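The bot's argument above rests on the claim that every route pattern in the codebase is a simple static path, so the path-to-regexp 8.4.0 limits on wildcards and optional groups do not apply. A reviewer can check that claim mechanically; the audit below is an added example (not code from this PR or from path-to-regexp) that classifies patterns in path-to-regexp v8 syntax (`:name` parameters, `*name` wildcards, `{...}` optional groups, backslash escapes) against the thresholds quoted in the changelog summary. The sample routes are constructed; the two static ones are the paths quoted in the PR.

```javascript
// Added example, not part of the PR or of path-to-regexp: classify route
// patterns against the 8.4.0 limits quoted above (more than one wildcard,
// or more than 8 top-level optional groups = 2^8 combinations, is rejected).
const MAX_WILDCARDS = 1;       // threshold as quoted in the PR's changelog summary
const MAX_OPTIONAL_GROUPS = 8; // "equivalent to 8 top-level optional groups"

function auditRoutePattern(pattern) {
  let wildcards = 0, params = 0, topLevelOptional = 0, depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }                     // escaped literal, skip it
    if (ch === '{') { if (depth === 0) topLevelOptional++; depth++; continue; }
    if (ch === '}') { depth = Math.max(0, depth - 1); continue; }
    if (ch === '*') wildcards++;                            // v8 wildcard token
    if (ch === ':') params++;                               // v8 named parameter
  }
  const reasons = [];
  if (wildcards > MAX_WILDCARDS)
    reasons.push(`${wildcards} wildcards (limit ${MAX_WILDCARDS})`);
  if (topLevelOptional > MAX_OPTIONAL_GROUPS)
    reasons.push(`${topLevelOptional} top-level optional groups (limit ${MAX_OPTIONAL_GROUPS})`);
  return {
    pattern,
    isStatic: wildcards === 0 && params === 0 && topLevelOptional === 0,
    wildcards, params, topLevelOptional,
    affectedBy840: reasons.length > 0,
    reasons,
  };
}

// Constructed sample: the two static routes quoted in the PR, plus two patterns
// that the 8.4.0 restrictions would reject.
const SAMPLE_ROUTES = [
  '/api/runtime/config',
  '/api/runtime/apps/down',
  '/files/*dir/*name',
  '/a{/b}{/c}{/d}{/e}{/f}{/g}{/h}{/i}{/j}',
];

function auditAll(patterns = SAMPLE_ROUTES) {
  return patterns.map(auditRoutePattern);
}

for (const r of auditAll()) console.log(r.pattern, r.isStatic ? 'static' : 'dynamic', r.reasons);
```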
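Two of the undici issues in the table, the case-variant duplicate Content-Length (CVE-2026-1525) and CRLF injection through header values (CVE-2026-1527), are the kind of malformed header set an application can refuse before it reaches any HTTP client. The validator below is an added example, not undici's code, and assumes headers are supplied as an array of `[name, value]` pairs; the sample header sets are constructed.

```javascript
// Added example, not undici's code: reject header sets that repeat Content-Length
// under case-variant names or carry line-terminating characters in values.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 9110 field-name token
const CTL = /[\r\n\0]/;                          // characters that split or end a header line

function validateHeaders(headers) {
  const problems = [];
  const contentLengths = new Set();
  let contentLengthCount = 0;
  for (const [name, value] of headers) {
    const lower = String(name).toLowerCase();   // compare names case-insensitively
    if (!TOKEN.test(String(name))) problems.push(`invalid header name: ${JSON.stringify(name)}`);
    if (CTL.test(String(value))) problems.push(`control character in value of ${name}`);
    if (lower === 'content-length') {
      contentLengthCount++;
      const v = String(value).trim();
      if (!/^\d+$/.test(v)) problems.push(`non-numeric Content-Length: ${JSON.stringify(value)}`);
      contentLengths.add(v);
    }
  }
  if (contentLengthCount > 1) {
    problems.push(contentLengths.size > 1
      ? `conflicting Content-Length values: ${[...contentLengths].join(', ')}`
      : `Content-Length repeated ${contentLengthCount} times under case-variant names`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed samples: a clean set, a case-variant duplicate, and a value with CRLF.
const CLEAN = [['Host', 'example.invalid'], ['Content-Length', '5']];
const DUP_CL = [['Content-Length', '5'], ['content-length', '7']];
const CRLF_VALUE = [['Upgrade', 'websocket\r\nX-Injected: 1']];

for (const h of [CLEAN, DUP_CL, CRLF_VALUE]) console.log(validateHeaders(h));
```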
