Fix CVE-2026-1526: Update undici to 7.24.7

[blueguy]

Description

This PR fixes a critical security vulnerability (CVE-2026-1526) in the undici package by updating it from version 5.29.0 to 7.24.7. The vulnerability allowed for unbounded memory consumption through WebSocket permessage-deflate
decompression, which could lead to denial of service attacks.

Related Issue(s)

• Addresses CVE-2026-1526 / GHSA-vrm6-8vpv-qv8q

Checklist

• This PR includes a documentation change
• This PR does not need a documentation change

---

• This PR includes test changes
• This PR's changes are already tested

---

• This change is not user-facing
• This change is a patch change
• This change is a minor change
• This change is a major (breaking) change

Changes made

• Add overrides section to package.json to force undici >= 6.24.0
• Update package-lock.json with undici@7.24.7
• Rebuild bundled distribution files in dist/ directory
• Fix CVE-2026-1526 (High severity): Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
• Fix additional undici vulnerabilities: GHSA-g9mf-h72j-4rw9, GHSA-2mjp-6q6p-2qxm, GHSA-v9p9-hfj2-hcw8, GHSA-4992-7rv2-5pvq

Security Impact

Before: undici@5.29.0 with 5 high/moderate severity vulnerabilities
After: undici@7.24.7 with 0 vulnerabilities

This change addresses a remote DoS vulnerability where a malicious WebSocket server could send small compressed frames (~6MB) that expand to extremely large sizes (~1GB+), exhausting memory and causing the Node.js process to crash.

References

• GHSA-vrm6-8vpv-qv8q
• https://nvd.nist.gov/vuln/detail/CVE-2026-1526