fix(security): patch all dependabot vulnerabilities

Update direct deps: jspdf ^4.1.0, next ^16.1.6. Add overrides to
force patched transitive deps: qs >=6.14.2, tar >=7.5.7,
js-yaml >=4.1.1. Regenerate both bun.lock and package-lock.json.
npm audit now reports 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: aramb-dev