ci: add Grype CVE scanning and fix high/critical CVEs

Adds a Grype CVE scanning workflow that runs on push, PR, and weekly
schedule. Scans package-lock.json (not the working directory) to avoid
false positives from CI runner tooling. Uploads SARIF to the Security
tab and a table report as an artifact. Fails on high severity with a
fix available.

Dependency bumps (all same-major, no breaking changes):
- concurrently 9.2.1 → 9.2.3 (shell-quote critical: GHSA-w7jw-789q-3m8p)
- vitest 3.2.4 → 3.2.6 (critical: arbitrary file read)
- @vitest/coverage-v8 3.2.4 → 3.2.6 (depends on vitest)
- vite 7.3.1 → 7.3.5 (high: GHSA-fx2h-pf6j-xcff)
- cypress 15.9.0 → 15.17.0 (tmp, qs, uuid transitives)
- react-router-dom 6.30.3 → 6.30.4 (moderate: GHSA-2j2x-hqr9-3h42)

Overrides for transitive deps whose parents haven't released fixes:
- form-data 4.0.5 → 4.0.6 (high: GHSA-hmw2-7cc7-3qxx)
- tmp 0.2.5 → 0.2.6 (high: path traversal)

Reduces total vulnerabilities from 19 to 7 (0 critical, 0 high).

Author: coopernetes

.github/workflows/cve.yml

@@ -0,0 +1,53 @@
+name: CVE Scanning
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+  schedule:
+    - cron: '0 6 * * 1' # Weekly Monday 6am UTC
+
+jobs:
+  grype:
+    name: Grype dependency scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+
+      - name: Install Grype
+        id: grype
+        uses: anchore/scan-action/download-grype@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7
+        with:
+          cache-db: true
+
+      - name: Scan (table)
+        run: |
+          ${{ steps.grype.outputs.cmd }} dir:. \
+            --config .grype.yaml \
+            --output template
+
+      - name: Scan (SARIF)
+        if: ${{ always() }}
+        run: |
+          ${{ steps.grype.outputs.cmd }} dir:. \
+            --config .grype.yaml \
+            --output sarif --file grype-results.sarif || true
+
+      - name: Upload SARIF report
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        with:
+          sarif_file: grype-results.sarif

.grype-report.tmpl

@@ -0,0 +1,6 @@
+{{printf "%-8s | %-19s | %-50s | %-15s | %s" "SEVERITY" "ADVISORY" "PACKAGE" "FIXED IN" "SOURCE"}}
+{{printf "%-8s | %-19s | %-50s | %-15s | %s" "--------" "-------------------" "--------------------------------------------------" "---------------" "------"}}
+{{- range .Matches -}}
+{{- $loc := "" -}}{{- range .Artifact.Locations -}}{{- $loc = .RealPath -}}{{- end}}
+{{printf "%-8s | %-19s | %-50s | %-15s | %s" .Vulnerability.Severity .Vulnerability.ID (printf "%s@%s" .Artifact.Name .Artifact.Version) (join ", " .Vulnerability.Fix.Versions) $loc}}
+{{- end}}

.grype.yaml

@@ -0,0 +1,11 @@
+fail-on-severity: high
+sort-by: severity
+output-template-file: .grype-report.tmpl
+
+ignore:
+  - fix-state: 'wont-fix'
+  - fix-state: 'not-fixed'
+
+# Comment out to include scanning experimental license inventory
+exclude:
+  - './experimental/**'