NPM audit fixes

[GhadimiR]

Toolkit audit is failing, bumping some deps to resolve.

Hoisted a couple of transitive dependencies to ensure we're using non-vulnerable versions.

[Copilot]

Pull Request Overview

This PR updates dependency versions in the artifact package to address failing NPM audits and resolve vulnerability findings.

• Bumps @actions/github from v5.1.1 to v6.0.1
• Replaces @octokit/request-error@^5.0.0 with @octokit/request@^8.4.1 and @octokit/request-error@^5.1.1

Files not reviewed (1)

• packages/artifact/package-lock.json: Language not supported

Comments suppressed due to low confidence (2)

packages/artifact/package.json:44

• Bumping to @actions/github v6 introduces breaking changes; please add or update tests to verify compatibility with any updated APIs.

"@actions/github": "^6.0.1",

packages/artifact/package.json:50

• [nitpick] The new @octokit/request dependency isn't referenced in the code; consider removing it or adding intended usage.

"@octokit/request": "^8.4.1",

[Link-]

This one is new 🤔 where is it coming from?

[GhadimiR]

This one is just getting hoisted, it was previously still included but now we're specifying a version of it at the top level

[Link-]

This is a big jump, are we sure we're not breaking anything?

[GhadimiR]

From what I can see reviewing the package releases, the majors just drop support for older Node versions that we don't test against anymore.

We can't however go to 6.x.x as that's when this package goes ESM so we'd have significant work involved, but for the time being they are backporting vulnerability fixes to 5.x.x

[GhadimiR]

For some extra confidence, I took these changes into a fork and ran some test workflows, all working as intended.