lib,test: redact proxy credentials in tunnel errors. (CVE-2026-48615) permission: handle process.chdir on writereport. (CVE-2026-48617) tls: normalize hostname for server identity checks. (CVE-2026-48618) http2: cap originSet size to prevent unbounded memory growth. (CVE-2026-48619) tls: fix case-sensitive SNI context matching. (CVE-2026-48928) dns,net: reject hostnames with embedded NUL bytes. (CVE-2026-48930) http: fix response queue poisoning in http.Agent. (CVE-2026-48931) crypto: guard WebCrypto cipher output length. (CVE-2026-48933) tls: bind reusable sessions to authenticated host. (CVE-2026-48934) permission: disable FileHandle utimes with permission model. (CVE-2026-48935) deps: fix integration issues with the latest nghttp2. (CVE-2026-48937)