While our pull_request_target flows can only be triggered by adding a label,
there is a short time window where a user could push another commit to the
target. If we do not check out the sha referenced in the Github action but the
ref, then this ref would point to the newly pushed commit, allowing to inject
code to steal credentials.

* chore(deps): lock file maintenance minor/patch updates

* Resolve audit

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Lukas Taegert-Atkinson <[email protected]>

…process for robust environment detection (#6251)

fix: Isolate and cache `process.report.getReport()` calls in a child process for robust environment detection.

This refactoring isolates the `process.report.getReport()` call into a separate child process. This change is necessary because since the introduction of this code, we have observed frequent process crashes on Windows, specifically with the error code -1073740940 (0xC0000374), which corresponds to a Windows heap corruption error.

By moving the report generation to an isolated process, any potential instability or memory corruption is contained and does not affect the main process.

The retrieved report header is cached to ensure that the child process is spawned only once, making this a fast and efficient solution for environment detection.

Co-authored-by: Lukas Taegert-Atkinson <[email protected]>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>