Security: fix Dependabot alert #15 for undici (GHSA-phc3-fgpg-7m6h)

[slashdevcorpse]

Dependabot Alert

• Alert: Polish public README for Codex CLI alpha #15
• Package: undici
• Severity: medium
• Manifest: pnpm-lock.yaml
• Vulnerable range: >= 7.17.0, < 7.24.0
• Patched version: 7.24.0
• Advisory: GHSA-phc3-fgpg-7m6h
• CVE: CVE-2026-2581
• Public advisory: GHSA-phc3-fgpg-7m6h

Summary

Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS

Remediation

• Update the dependency graph so undici resolves outside the vulnerable range.
• Regenerate pnpm-lock.yaml.
• Run the app test/build checks and package dry run.
• Confirm GitHub Dependabot marks alert Polish public README for Codex CLI alpha #15 resolved after merge.