chore(deps): bump transitive ws 8.20.0 -> 8.21.0 to clear GHSA-58qx-3vcg-4xpx

Lockfile-only refresh via npm audit fix. ws is pulled in transitively by
mqtt@5.15.1; cgateweb does not use ws directly (MQTT broker connections go
over TCP, not WebSocket), so real-world exposure to the uninitialized-
memory-disclosure advisory was negligible. Closing the alert anyway.

ip-address also bumped 10.1.0 -> 10.2.0 as a co-incident transitive
update; no advisory but the new version was the only resolution npm
could produce while keeping the lockfile consistent.

No package.json or source changes; npm test still passes (1228/1228).

Author: dougrathbone