Commit af67fec
fix(build): pin tmp >=0.2.6 to resolve GHSA-ph9p-34f9-6g65 (#1686)
# Pull Request
## Description
Pin transitive `tmp` dependency to `>=0.2.6` via the root `overrides` block to resolve [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) (CWE-22 arbitrary path traversal via symbolic link, high severity). `tmp@0.2.5` is pulled in transitively through `@vscode/vsce@3.9.1 → tmp`. Rather than bumping `@vscode/vsce` (which could carry unrelated breaking changes), the fix uses the repository's existing `overrides` pattern alongside other pinned transitive deps (`basic-ftp`, `undici`, `yauzl`, etc.).
## Related Issue(s)
Resolves the `npm Security Audit` CI failure observed on recent PRs
(e.g. #1497).
## Type of Change
**Code & Documentation:**
* [x] Bug fix (non-breaking change fixing an issue)
**Infrastructure & Configuration:**
* [x] Security configuration
* [x] Dependency update
## Testing
* `npm install` succeeded; `package-lock.json` regenerated.
* `npm ls tmp --all` shows the override is active:
```text
hve-core@3.3.101
└─┬ @vscode/vsce@3.9.1
  └── tmp@0.2.6 overridden
```
* `npm run audit:npm` (audit-ci) → exit code 0, "Passed npm security
audit", 0 vulnerabilities across all severities.
## Checklist
### Required Checks
* [x] Files follow existing naming conventions
* [x] Changes are backwards compatible
## Security Considerations
* [x] This PR does not contain any sensitive or NDA information
* [x] Any new dependencies have been reviewed for security issues —
`tmp@0.2.6` is the upstream-published patched release for
GHSA-ph9p-34f9-6g65.
Co-authored-by: Marcel Bindseil <marcelbindseil@gmail.com>

1 parent 5b81056, commit af67fec
1 file changed
Lines changed: 1 addition & 0 deletions
Diff (line contents not captured in this rendering): one line added at new line 78, between original lines 77 and 78; original lines 75–80 become new lines 75–81.
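Added example (not part of the PR or the hve-core repository): a small Node script that checks the two things the Testing section verifies by hand, namely that the root `overrides` entry for `tmp` is declared and that every copy of `tmp` recorded in the lockfile, nested copies included, is at the patched release `>=0.2.6`. The package.json and package-lock.json contents below are constructed; the `packages` layout assumed is that of lockfile v2/v3.

```javascript
// Added example, not from the PR: verify that the `overrides` pin for `tmp`
// is declared in package.json and that every copy of `tmp` in
// package-lock.json (top-level or nested) is at the patched release >= 0.2.6.
// All manifest and lockfile contents below are constructed sample data.

const MIN_VERSION = "0.2.6"; // first release fixing GHSA-ph9p-34f9-6g65

// Parse "x.y.z" (ignoring any prerelease suffix) into numeric parts.
function parseVersion(v) {
  const [core] = v.split("-");
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// True when `version` is at least `min` under plain numeric comparison.
function atLeast(version, min) {
  const a = parseVersion(version), b = parseVersion(min);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Walk lockfile v2/v3 "packages" entries; any key that is exactly
// "node_modules/<name>" or ends in "/node_modules/<name>" is an installed
// copy, which is what `npm ls <name> --all` enumerates.
function auditLock(pkg, lock, name = "tmp", min = MIN_VERSION) {
  const override = (pkg.overrides || {})[name];
  const copies = Object.entries(lock.packages || {})
    .filter(([p]) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`))
    .map(([p, meta]) => ({ path: p, version: meta.version, ok: atLeast(meta.version, min) }));
  return {
    overrideDeclared: override === `>=${min}`,
    copies,
    allFixed: copies.length > 0 && copies.every((c) => c.ok),
  };
}

// Constructed inputs: the root manifest after the fix, a lockfile after the
// fix (tmp hoisted and overridden), and a lockfile before the fix (a nested
// vulnerable copy under @vscode/vsce).
const PKG_FIXED = { name: "hve-core", overrides: { tmp: ">=0.2.6" } };
const LOCK_FIXED = { packages: {
  "node_modules/@vscode/vsce": { version: "3.9.1" },
  "node_modules/tmp": { version: "0.2.6" } } };
const LOCK_BEFORE = { packages: {
  "node_modules/@vscode/vsce": { version: "3.9.1" },
  "node_modules/@vscode/vsce/node_modules/tmp": { version: "0.2.5" } } };

console.log(auditLock(PKG_FIXED, LOCK_FIXED));             // allFixed: true
console.log(auditLock({ name: "hve-core" }, LOCK_BEFORE));  // allFixed: false
```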