Description:
- We are doing a vulnerability scan with Snyk and found that there are vulnerabilities with undici, fast-xml-builder and @actions/glob in this repo.
- Bumping @actions/github seems to resolve the issue on undici.
- Bumping fast-xml-builder resolved the XXE Injection found in the package. But the bumps are in package-lock.json.
- There is a PR that indirectly addressed this, but the build process failed because @actions/github 9.x is ESM only:
```
> ncc build -o dist/setup src/setup-node.ts && ncc build -o dist/cache-save src/cache-save.ts
ncc: Version 0.38.4
ncc: Compiling file index.js into CJS
ncc: Using typescript@5.9.3 (local user-provided)
Error: Module not found: Error: Package path . is not exported from package /Users/myusuf/IdeaProjects/setup-node/node_modules/@actions/github (see exports field in
/Users/myusuf/IdeaProjects/setup-node/node_modules/@actions/github/package.json)
Did you mean './@actions/github'?
Requests that should resolve in the current directory need to start with './'.
Requests that start with a name are treated as module requests and resolve within module directories (node_modules).
If changing the source code is not an option there is also a resolve options called 'preferRelative' which tries to resolve these kind of requests in the current directory too.
at /Users/myusuf/IdeaProjects/setup-node/node_modules/@vercel/ncc/dist/ncc/index.js.cache.js:23:2001849
at /Users/myusuf/IdeaProjects/setup-node/node_modules/@vercel/ncc/dist/ncc/index.js.cache.js:23:389111
at _done (eval at create (/Users/myusuf/IdeaProjects/setup-node/node_modules/@vercel/ncc/dist/ncc/index.js.cache.js:21:81694), <anonymous>:9:1)
at eval (eval at create (/Users/myusuf/IdeaProjects/setup-node/node_modules/@vercel/ncc/dist/ncc/index.js.cache.js:21:81694), <anonymous>:34:22)
```
similar to the failure in the PR.
Justification:
Are you willing to submit a PR?
- Yes.