
Commit ba76794

fix: bump cookie to ^0.7.0 for CVE-2024-47764 (#932) (#994)
cookie < 0.7.0 is vulnerable to CVE-2024-47764 (CVSS 9.1, Critical): malicious cookie values can inject unexpected object keys like __proto__/constructor/prototype, enabling prototype pollution. Resolved to cookie@0.7.2 in the lockfile.

The package's serialize()/parse() signatures used in src/core/utils/cookie.ts are unchanged in 0.7.x, so this is a drop-in replacement.

Reviving the fix after the prior attempts (#960, #962) were closed without explanation; issue #932 is still open.

The additional lockfile churn is npm's standard peer-marker drift when regenerating the tree — no other package versions changed.
1 parent 3ecb7b4 commit ba76794

2 files changed

Lines changed: 61 additions & 120 deletions
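The commit message above describes the risk class (cookie names such as `__proto__`, `constructor` or `prototype` landing as keys on a plain object). The following is an added illustration, not code from the cookie package or from this repository, of how a cookie-header parser can be written so that such names cannot reach `Object.prototype`: it stores results in a null-prototype object and drops the dangerous names outright. Assumed inputs are the raw value of a `Cookie` request header; the name `parseCookieHeader` and the `prototypeUntouched` self-check are hypothetical helpers for this example.

```javascript
// Added illustration (not the cookie package's own parse()): a minimal
// Cookie-header parser hardened against prototype-pollution-style keys.
// Assumption: `header` is the raw value of a Cookie request header.

// Names that, as keys on a plain {} object, would reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseCookieHeader(header) {
  // Object.create(null) has no prototype chain, so even a key that slipped
  // through could not alter Object.prototype.
  const cookies = Object.create(null);
  const dropped = [];
  if (typeof header !== 'string') return { cookies, dropped };

  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;                       // not a name=value pair
    const name = pair.slice(0, eq).trim();
    let value = pair.slice(eq + 1).trim();
    if (name === '') continue;
    if (FORBIDDEN_KEYS.has(name)) {             // refuse prototype-targeting names
      dropped.push(name);
      continue;
    }
    // Strip optional surrounding quotes, then percent-decode; keep the raw
    // string if the escape sequence is malformed.
    if (value.length >= 2 && value[0] === '"' && value[value.length - 1] === '"') {
      value = value.slice(1, -1);
    }
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    // First occurrence wins; later duplicates are ignored.
    if (!(name in cookies)) cookies[name] = value;
  }
  return { cookies, dropped };
}

// Self-check used by a test suite: parsing a hostile header must leave
// Object.prototype with the same own properties it had before.
function prototypeUntouched(header) {
  const before = Object.getOwnPropertyNames(Object.prototype).length;
  parseCookieHeader(header);
  const after = Object.getOwnPropertyNames(Object.prototype).length;
  return before === after && ({}).polluted === undefined;
}

// Constructed sample header for a stand-alone run.
const sample = 'session=abc123; __proto__=%7B%22polluted%22%3Atrue%7D; theme=dark';
console.log(parseCookieHeader(sample));
```

The two defences are independent: the null-prototype container protects even if the key filter is bypassed, and the key filter keeps the returned map free of names that downstream code might later copy into an ordinary object with `Object.assign` or a spread.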
