fix(deps): align dompurify override with the direct dependency

package.json declared dompurify both as a direct dependency and as a
top-level override at the same range, so every Dependabot npm run
failed with 'Override for dompurify@x conflicts with direct
dependency' and could not refresh any npm PR. Use npm's $dompurify
reference so the override tracks the direct dependency version: the
transitive security floor is preserved and Dependabot can bump the
direct dependency freely. Lockfile regenerated (no tree change, 0
vulnerabilities).

Co-Authored-By: aeroftp[bot] <aeroftp[bot]@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

package-lock.json

@@ -62,6 +62,6 @@
   },
   "overrides": {
     "picomatch": ">=2.3.2",
-    "dompurify": "^3.4.2"
+    "dompurify": "$dompurify"
   }
 }