fix: MAX_BUFFER_SIZE guard for chunked responses + bump fast-proxy-lite 1.1.3#104

Merged
jkyberneees merged 1 commit into master from fix/security-deps-and-buffer-guard on May 17, 2026
Conversation

@molty3000
Collaborator

Summary

Two security hardening changes:

1. Buffer overflow protection for chunked responses (🔴 Moderate)

default-hooks.js — The onResponse handler buffered unbounded chunked responses into memory when Connection: close was set. A malicious or misconfigured upstream could exhaust the gateway process memory.

Fix: Added a 1MB MAX_BUFFER_SIZE guard that tracks accumulated buffer size during chunk collection. When exceeded, the stream is destroyed and a 502 Bad Gateway is returned instead of OOM-ing the process.

  • Removed unused stream-to-array import (replaced with for await iterator)
  • Added regression tests: 2MB chunked response → 502 rejection; keep-alive → streams normally

2. Bump fast-proxy-lite ^1.1.2 → ^1.1.3

Pulls in the SSRF fix: buildURL() now validates origin, blocking absolute-form HTTP requests that bypass the configured base URL.

Test Plan

57 passing (19s) — full test suite green

New tests

  • large chunked rejected with 502 when Connection close (buffer limit) — 2MB chunked response with Connection: close → 502
  • large chunked streamed normally when Connection keep-alive — 2MB chunked with keep-alive → 200 (no buffering)

Existing tests preserved

  • All chunked transfer-encoding tests (close + keep-alive)
  • All onError hook tests (sync, async, throws, no-error)
  • All proxy, WS, cache, QS, lambda tests

Files Changed

| File | Change |
|---|---|
| lib/default-hooks.js | +23/-3 — MAX_BUFFER_SIZE guard, remove toArray |
| package.json | ^1.1.2 → ^1.1.3 fast-proxy-lite |
| test/smoke.test.js | +21 — regression tests for buffer overflow |

…oxy-lite to 1.1.3

- Add 1MB buffer limit in default onResponse hook to prevent OOM from
  unbounded chunked upstream responses when Connection: close
- Bump fast-proxy-lite ^1.1.2 -> ^1.1.3 for SSRF fix (absolute URL blocking)
- Add regression tests for buffer overflow protection
- Remove unused stream-to-array import
jkyberneees merged commit 915a480 into master on May 17, 2026
5 checks passed