fix: resolve critical security vulnerabilities (21→9 vulnerabilities)

Open keith-oak opened this issue 6 months ago • 0 comments

Summary

This PR addresses critical security vulnerabilities by updating dependencies, reducing total vulnerabilities from 21 to 9 (57% reduction).

  • Fixes #932 (Vulnerable dependency cookie < 0.7.0)
  • Partially addresses #891 (Multiple dependencies out of date causing issues in downstream packages)

Security Impact

Before

  • 1 critical vulnerability
  • 4 high vulnerabilities
  • 11 moderate vulnerabilities
  • 5 low vulnerabilities
  • Total: 21 vulnerabilities

After

  • 0 critical vulnerabilities
  • 1 high vulnerability
  • 7 moderate vulnerabilities
  • 1 low vulnerability
  • Total: 9 vulnerabilities

Changes Made

  1. Manual updates for critical issues:

    • cookie: ^0.5.0 → ^0.7.0 (fixes CVE-2024-47764)
    • vitest: ^2.0.2 → ^2.1.9 (fixes RCE vulnerability)
  2. Automated security fixes via npm audit fix:

    • Updated 90 packages
    • Fixed vulnerabilities in: @babel packages, @octokit packages, axios, nanoid, rollup, send, serve-static, tar-fs, and others

Testing

  • ✅ All unit tests pass
  • ✅ Build completes successfully
  • ✅ No breaking changes introduced

Remaining Vulnerabilities

The 9 remaining vulnerabilities require major version updates with potential breaking changes:

  • cypress (9.x → 14.x)
  • esbuild/vite dependencies
  • npm bundled dependencies (brace-expansion, cross-spawn)

These should be addressed in separate PRs with dedicated testing.

Related PRs

  • Complements PR #960 (cookie vulnerability fix only)
  • Works alongside PR #961 (Dependabot enablement)

Benefits

This PR provides immediate security improvements without breaking changes, making it safe to merge quickly while planning for the remaining major updates.

keith-oak · Jun 24 '25 23:06
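As an added example (not code from the PR or from the static-web-apps-cli project), the script below triages an `npm audit --json` report the way this PR's Before/After counts and "Remaining Vulnerabilities" section do: it tallies findings by severity, separates advisories that `npm audit fix` clears in-range from those whose only fix is a semver-major bump, and models the "after" state. It assumes the npm v7+ report layout (`vulnerabilities[name].severity`, and `fixAvailable` as `true`, `false` or `{ name, version, isSemVerMajor }`); the sample report is constructed, with package names taken from the PR and severities made up.

```javascript
const SEVERITIES = ["critical", "high", "moderate", "low", "info"];

// Count findings by severity and split them the way the PR does: advisories
// that `npm audit fix` clears in-range vs. those needing a semver-major bump.
function triageAudit(report) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  const autoFixable = [];
  const needsMajor = [];
  const noFix = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    if (!SEVERITIES.includes(v.severity)) continue; // skip unknown severities
    counts[v.severity] += 1;
    const fix = v.fixAvailable; // assumed shape: true | false | { name, version, isSemVerMajor }
    if (fix === true) autoFixable.push(name);
    else if (fix && fix.isSemVerMajor) needsMajor.push(`${name} -> ${fix.name}@${fix.version}`);
    else if (fix) autoFixable.push(name); // fix object without a major bump: in-range
    else noFix.push(name);
  }
  counts.total = SEVERITIES.reduce((n, s) => n + counts[s], 0);
  return { counts, autoFixable, needsMajor, noFix };
}

// Model the "After" state: drop every advisory that an in-range fix clears.
function simulateAuditFix(report) {
  const { autoFixable } = triageAudit(report);
  const remaining = Object.fromEntries(
    Object.entries(report.vulnerabilities || {}).filter(([n]) => !autoFixable.includes(n))
  );
  return { ...report, vulnerabilities: remaining };
}

// CI gate: fail while any finding at a blocking severity is still present.
function shouldFailBuild(triage, blocking = ["critical", "high"]) {
  return blocking.some((s) => triage.counts[s] > 0);
}

// Constructed sample report (package names from the PR, severities made up).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    cookie: { severity: "low", fixAvailable: true },
    vitest: { severity: "critical", fixAvailable: true },
    cypress: { severity: "high", fixAvailable: { name: "cypress", version: "14.0.0", isSemVerMajor: true } },
    esbuild: { severity: "moderate", fixAvailable: { name: "vite", version: "6.0.0", isSemVerMajor: true } },
    "brace-expansion": { severity: "moderate", fixAvailable: false },
  },
};

console.log(JSON.stringify(triageAudit(SAMPLE_REPORT), null, 2));
console.log("after audit fix:", JSON.stringify(triageAudit(simulateAuditFix(SAMPLE_REPORT)).counts));
```

Against a real report, pipe `npm audit --json` into a file and pass the parsed object to `triageAudit`; the `needsMajor` list is the set this PR defers to separate PRs.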