
fix(deps): patch high-severity vulnerabilities in babel and fast-uri #2799

Merged
lpcox merged 1 commit into main from fix/security-deps-update
May 9, 2026

Conversation

Collaborator

@lpcox lpcox commented May 9, 2026

Summary

Patches two high-severity vulnerabilities identified by npm audit.

Vulnerabilities Fixed

GHSA-fv7c-fp4j-7gwp: @babel/plugin-transform-modules-systemjs

  • Severity: High
  • Impact: Arbitrary code execution when compiling malicious input
  • Fix: 7.29.0 → 7.29.4

GHSA-q3j6-qgpj-74h6 / GHSA-v39h-62p7-jpjc: fast-uri

  • Severity: High
  • Impact: Path traversal via percent-encoded dot segments; host confusion via percent-encoded authority delimiters
  • Fix: 3.1.0 → 3.1.2

Changes

Only package-lock.json is modified (6 lines changed). No source code changes.

Verification

  • npm audit reports 0 vulnerabilities after fix
  • npm run build succeeds
  • Both are transitive dev dependencies; no runtime behavior change

Closes #2790
Closes #2791

- @babel/plugin-transform-modules-systemjs 7.29.0 → 7.29.4
  (GHSA-fv7c-fp4j-7gwp: arbitrary code execution via malicious input)
- fast-uri 3.1.0 → 3.1.2
  (GHSA-q3j6-qgpj-74h6: path traversal via percent-encoded dot segments)
  (GHSA-v39h-62p7-jpjc: host confusion via percent-encoded authority)

Closes #2790
Closes #2791

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 9, 2026 13:58
@lpcox lpcox requested a review from Mossaka as a code owner May 9, 2026 13:58
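The PR's own verification is `npm audit` and `npm run build`. As an added example (not code from this PR or from the project), the script below shows a complementary lockfile-level check: it walks a lockfileVersion 2/3 `package-lock.json` and reports every installed copy of the two affected packages, nested duplicates included, that is still below the patched versions the PR lists. The advisory IDs and version numbers are taken from the PR description; the two lockfile objects are constructed samples, and the `compareVersions` helper is a deliberately minimal stand-in for the `semver` package.

```javascript
// Added example, not code from this PR or the project: check a package-lock.json
// against the minimum patched versions the PR description lists. Advisory IDs and
// versions come from the PR; the lockfile objects below are constructed samples.

// Minimum patched versions stated in the PR description.
const PATCHED = {
  '@babel/plugin-transform-modules-systemjs': {
    min: '7.29.4',
    advisories: ['GHSA-fv7c-fp4j-7gwp'],
  },
  'fast-uri': {
    min: '3.1.2',
    advisories: ['GHSA-q3j6-qgpj-74h6', 'GHSA-v39h-62p7-jpjc'],
  },
};

// Compare dotted numeric versions: returns -1, 0 or 1. Prerelease tags are not
// handled; a production check would use the semver package instead.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile "packages" key such as
// "node_modules/ajv/node_modules/fast-uri" (nested copies included).
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Walk every installed copy in a lockfileVersion 2/3 "packages" map and report
// those below the patched version. Nested duplicates are checked too, since
// npm audit flags any installed copy, not only the hoisted one.
function findVulnerable(lock, patched = PATCHED) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages ?? {})) {
    if (lockPath === '') continue; // root project entry
    const name = packageName(lockPath);
    const rule = patched[name];
    if (!rule || !entry.version) continue;
    if (compareVersions(entry.version, rule.min) < 0) {
      findings.push({ lockPath, name, version: entry.version, min: rule.min, advisories: rule.advisories });
    }
  }
  return findings;
}

// Constructed sample lockfiles: "before" pins the vulnerable versions the PR
// replaced, "after" pins the patched ones. The nested ajv copy is also constructed.
const SAMPLE_LOCK_BEFORE = {
  name: 'example-project',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-project', version: '1.0.0' },
    'node_modules/@babel/plugin-transform-modules-systemjs': { version: '7.29.0', dev: true },
    'node_modules/fast-uri': { version: '3.1.0', dev: true },
    'node_modules/ajv/node_modules/fast-uri': { version: '3.1.2', dev: true },
  },
};
const SAMPLE_LOCK_AFTER = {
  ...SAMPLE_LOCK_BEFORE,
  packages: {
    ...SAMPLE_LOCK_BEFORE.packages,
    'node_modules/@babel/plugin-transform-modules-systemjs': { version: '7.29.4', dev: true },
    'node_modules/fast-uri': { version: '3.1.2', dev: true },
  },
};

for (const [label, lock] of [['before', SAMPLE_LOCK_BEFORE], ['after', SAMPLE_LOCK_AFTER]]) {
  const findings = findVulnerable(lock);
  console.log(`${label}: ${findings.length === 0 ? 'OK' : 'FAIL'}`);
  for (const f of findings) {
    console.log(`  ${f.lockPath}: ${f.version} < ${f.min} (${f.advisories.join(', ')})`);
  }
}
```

To run this against a real lockfile, replace the sample object with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The check is intentionally narrower than `npm audit`: it only confirms that the specific packages this PR patched are pinned at or above the fix versions, which is useful as a regression guard in CI after a dependency bump.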
Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.

@github-actions
Contributor

github-actions Bot commented May 9, 2026

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 87.48% | 87.55% | 📈 +0.07% |
| Statements | 87.44% | 87.51% | 📈 +0.07% |
| Functions | 82.66% | 82.66% | ➡️ +0.00% |
| Branches | 79.65% | 79.69% | 📈 +0.04% |

📁 Per-file Coverage Changes (1 file)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/container-lifecycle.ts | 87.1% → 88.2% (+1.14%) | 87.5% → 88.6% (+1.11%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions
Contributor

github-actions Bot commented May 9, 2026

🔬 Smoke Test Results

Test Status
GitHub MCP (fix(deps): patch high-severity vulnerabilities in babel and fast-uri)
GitHub.com connectivity (HTTP 200)
File write/read (smoke-test-copilot-25602907002.txt)

Overall: PASS

PR by @lpcox · Reviewer: @Mossaka

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Contributor

github-actions Bot commented May 9, 2026

Claude Engine Smoke Tests

✅ GitHub MCP: Retrieved last 2 merged PRs

✅ Playwright: Verified github.com loads with "GitHub" in page title
✅ File Writing: Created test file successfully
✅ Bash Verification: File confirmed via cat and ls

Result: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions
Contributor

github-actions Bot commented May 9, 2026

Smoke Test: Copilot BYOK (Offline) Mode

| Test | Result |
| --- | --- |
| 1. GitHub MCP (list PRs) | ✅ PR #2774 retrieved successfully |
| 2. GitHub.com connectivity | ⚠️ Pre-step data unavailable (template not expanded) |
| 3. File write/read | ⚠️ Pre-step data unavailable (template not expanded) |
| 4. BYOK inference | (this response) |

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

PR by @lpcox · Reviewer: @Mossaka · Overall: PARTIAL (tests 2–3 skipped due to missing pre-step outputs)

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions
Contributor

github-actions Bot commented May 9, 2026

Smoke Test: FAIL

✅ Merged PRs: docs: document effective token budget enforcement behavior; docs: sync schemas and specs with source changes
❌ safeinputs-gh PR query: tool unavailable; fallback titles: refactor: remove dead re-exports from providers/index.js; fix(deps): patch high-severity vulnerabilities in babel and fast-uri
✅ Playwright: GitHub title verified
❌ Tavily: bridge exposed no tools/results
✅ File/bash, discussion comment, and npm build passed
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions
Contributor

github-actions Bot commented May 9, 2026

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note: Java Maven required a workaround — ~/.m2 was owned by root (no write access), so Maven was run with -Dmaven.repo.local=/tmp/gh-aw/agent/m2-repo to use a writable local repository path.

Generated by Build Test Suite for issue #2799 · ● 512K ·

@github-actions
Contributor

github-actions Bot commented May 9, 2026

Smoke Test: GitHub Actions Services Connectivity

| Check | Result |
| --- | --- |
| Redis PING | ❌ Connection timeout |
| PostgreSQL pg_isready | ❌ No response |
| PostgreSQL SELECT 1 | ❌ No response |

Overall: FAIL

Services at host.docker.internal (172.17.0.1) are unreachable from inside the AWF sandbox. The AWF network firewall blocks direct TCP access to non-HTTP ports (6379, 5432) — only HTTP/HTTPS via Squid is permitted for egress.

🔌 Service connectivity validated by Smoke Services

@lpcox lpcox merged commit 0631af9 into main May 9, 2026
61 of 64 checks passed
@lpcox lpcox deleted the fix/security-deps-update branch May 9, 2026 23:15

2 participants