
Vulnerable transitive dependency: undici (via jsdom devDependency) #397

@missingbulb

Summary

npm audit reports one high + one moderate vulnerability in undici, pulled in transitively through our test-only devDependency jsdom:

google-calendar-event-creator
`-- jsdom@29.1.1
  `-- undici@7.27.2

Advisories (affect undici 7.0.0 – 7.27.2):

  • High — TLS certificate validation bypass via dropped requestTls in the SOCKS5 ProxyAgent (GHSA-vmh5-mc38-953g)
  • Moderate — cross-user information disclosure via shared-cache whitespace bypass (GHSA-pr7r-676h-xcf6)

Exposure

Low. undici is only reachable via jsdom, which is a devDependency used by the test harness (test/harness.js). It is not part of the shipped Chrome extension, and the test suite doesn't drive undici's SOCKS5 proxy or shared-cache paths. No production code path is affected.

Fix

npm audit fix bumps undici within jsdom's tree (expected to be a lockfile-only change). To be done on its own branch/PR through the normal flow, with npm test green before merge.

Surfaced while resolving the #396 merge conflicts; pre-existing on main, not introduced by that change.
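Added example (not code from this issue or the project) of the exposure check described under Exposure, done offline against a lockfile: it walks a lockfileVersion 3 package-lock.json, enumerates every install path from the root to undici, flags whether the resolved version falls inside the quoted 7.0.0 – 7.27.2 range, and reports whether every path starts from a devDependencies edge. The SAMPLE_LOCK object is constructed to mirror the npm ls tree above and is not the project's real package-lock.json; withDirectRuntimeDep is a hypothetical variant, not this project's situation, added only to show the dev-only verdict flipping when the same package also becomes a runtime dependency.

```javascript
// Added example, not code from the issue or the project.
// Constructed lockfile fragment (not the project's actual package-lock.json).
const SAMPLE_LOCK = {
  name: "google-calendar-event-creator",
  lockfileVersion: 3,
  packages: {
    "": { name: "google-calendar-event-creator", dependencies: {}, devDependencies: { jsdom: "^29.1.1" } },
    "node_modules/jsdom": { version: "29.1.1", dev: true, dependencies: { undici: "^7.27.2" } },
    "node_modules/undici": { version: "7.27.2", dev: true },
  },
};

// Numeric dotted-version compare; the advisory range quoted above has no prerelease tags.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Inclusive range check, matching the "7.0.0 - 7.27.2" form used in the advisories.
function inRange(version, low, high) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// Resolve `name` from `parentKey` as npm does: nearest nested node_modules first, then each enclosing one up to root.
function resolveDep(packages, parentKey, name) {
  let base = parentKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every install path from the root to `target`, tagged with whether its first
// edge is a devDependencies edge (shipped code never loads a dev-only path).
function findPaths(lock, target) {
  const pkgs = lock.packages;
  const root = pkgs[""];
  const found = [];
  const walk = (key, path, viaDev, seen) => {
    const entry = pkgs[key];
    if (!entry || seen.has(key)) return; // missing entry or dependency cycle
    // Package name is everything after the last "node_modules/" (keeps @scope/name intact).
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    const next = [...path, `${name}@${entry.version}`];
    if (name === target) {
      found.push({ path: next, viaDev, version: entry.version });
      return;
    }
    const nextSeen = new Set(seen).add(key);
    for (const dep of Object.keys(entry.dependencies || {})) {
      const childKey = resolveDep(pkgs, key, dep);
      if (childKey) walk(childKey, next, viaDev, nextSeen);
    }
  };
  const edges = [
    ...Object.keys(root.dependencies || {}).map((n) => [n, false]),
    ...Object.keys(root.devDependencies || {}).map((n) => [n, true]),
  ];
  for (const [dep, viaDev] of edges) {
    const childKey = resolveDep(pkgs, "", dep);
    if (childKey) walk(childKey, [root.name || lock.name], viaDev, new Set());
  }
  return found;
}

// Exposure verdict for one package against an inclusive affected range.
function assessExposure(lock, target, affectedLow, affectedHigh) {
  const paths = findPaths(lock, target);
  const versions = [...new Set(paths.map((p) => p.version))];
  return {
    target,
    versions,
    affected: versions.some((v) => inRange(v, affectedLow, affectedHigh)),
    devOnly: paths.length > 0 && paths.every((p) => p.viaDev),
    paths: paths.map((p) => p.path.join(" -> ")),
  };
}

// Hypothetical variant (not this project's situation): same lock, but `target` is also a direct runtime dependency.
function withDirectRuntimeDep(lock, target) {
  const copy = JSON.parse(JSON.stringify(lock));
  const key = `node_modules/${target}`;
  copy.packages[""].dependencies[target] = copy.packages[key].version;
  delete copy.packages[key].dev;
  return copy;
}

console.log(JSON.stringify(assessExposure(SAMPLE_LOCK, "undici", "7.0.0", "7.27.2"), null, 2));
console.log(JSON.stringify(assessExposure(withDirectRuntimeDep(SAMPLE_LOCK, "undici"), "undici", "7.0.0", "7.27.2"), null, 2));
```

Run it with node. For the tree in this issue it reports affected: true and devOnly: true with the single path google-calendar-event-creator -> jsdom@29.1.1 -> undici@7.27.2; the hypothetical variant reports two paths and devOnly: false, which is the case where the advisories would matter for shipped code. After npm audit fix, feeding the real lockfile in (JSON.parse(fs.readFileSync("package-lock.json", "utf8"))) should give affected: false while devOnly stays true, which is what a lockfile-only bump inside jsdom's tree looks like from the dependency graph.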
