Commit a00a14b
authored
fix: draw ui dependabot alerts (#102)
## Summary
- resolve the open Dependabot alerts in `plugins/draw/ui`
- move `@excalidraw/excalidraw` from `0.18.0` to `0.17.6`
- align the draw UI package from React 19 to React 18 to match Excalidraw's supported peer range
- remove the stale `@excalidraw/excalidraw/index.css` import that is not shipped by `0.17.6`
## Why
The open alerts were coming from the Excalidraw dependency chain in the
draw UI package. The existing `0.18.0` package pulled in vulnerable
Mermaid, DOMPurify, and NanoID versions. Targeted overrides either left
vulnerable subtrees behind or introduced newer advisory chains, so the
most stable fix was to move to the first non-vulnerable Excalidraw
release path and align React to that package's supported peers.
## Impact
This keeps the draw UI buildable while clearing the vulnerable
dependency graph that Dependabot was flagging. The change is isolated to
the draw UI package and its lockfile.
## Validation
- \`cd plugins/draw/ui && npm run build\`
- \`cd plugins/draw/ui && npm audit --json\`1 parent 9733c9c commit a00a14b
3 files changed
Lines changed: 446 additions & 3643 deletions
0 commit comments
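The validation step above ends at `npm audit --json`; a practitioner usually wants that JSON turned into a pass/fail gate that also names the package at the root of each alert, which is what mattered here (the direct `@excalidraw/excalidraw` dependency was only flagged because of Mermaid, DOMPurify and NanoID beneath it). The following is an added example, not code from this commit or the project. It assumes the `auditReportVersion: 2` shape that npm 7 and later print (`vulnerabilities[name].via` holds either package-name strings for transitive blame or advisory objects for the package's own advisories); the report object is constructed for the example, and its advisory titles, URLs and ranges are placeholders rather than real advisories.

```javascript
// Added example (not from the commit): a small gate over the JSON that
// `npm audit --json` prints with npm 7 and later ("auditReportVersion": 2).
// The report below is CONSTRUCTED to mirror the chain the commit describes
// (Excalidraw -> Mermaid -> DOMPurify / NanoID); advisory titles, URLs and
// ranges are placeholders, not real advisories.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function advisory(name, severity) {
  // Shape of an advisory object inside a package's `via` array (placeholder values).
  return { name, severity, title: "placeholder advisory", url: "https://example.invalid/placeholder" };
}

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    nanoid: { name: "nanoid", severity: "moderate", isDirect: false,
      via: [advisory("nanoid", "moderate")], effects: ["mermaid"],
      range: "<placeholder>", nodes: ["node_modules/nanoid"], fixAvailable: true },
    dompurify: { name: "dompurify", severity: "high", isDirect: false,
      via: [advisory("dompurify", "high")], effects: ["mermaid"],
      range: "<placeholder>", nodes: ["node_modules/dompurify"], fixAvailable: true },
    mermaid: { name: "mermaid", severity: "high", isDirect: false,
      via: ["dompurify", "nanoid"], effects: ["@excalidraw/excalidraw"],
      range: "<placeholder>", nodes: ["node_modules/mermaid"], fixAvailable: true },
    "@excalidraw/excalidraw": { name: "@excalidraw/excalidraw", severity: "high", isDirect: true,
      via: ["mermaid"], effects: [],
      range: "<placeholder>", nodes: ["node_modules/@excalidraw/excalidraw"], fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 3, critical: 0, total: 4 } },
};

// Names of every package whose reported severity is at or above `threshold`.
function packagesAtOrAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => (SEVERITY_RANK[v.severity] ?? -1) >= min)
    .map((v) => v.name)
    .sort();
}

// Follow string entries in `via` (transitive blame) down to the packages that
// carry an advisory object of their own. `seen` keeps this cycle-safe.
function rootCauses(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  const roots = new Set();
  for (const via of entry.via) {
    if (typeof via === "string") {
      for (const r of rootCauses(report, via, seen)) roots.add(r);
    } else {
      roots.add(name); // this package has its own advisory
    }
  }
  return [...roots].sort();
}

// Gate: `ok` is false when anything at or above `threshold` is present;
// `failing` lists each flagged package with whether it is a direct
// dependency and which packages are actually to blame.
function auditGate(report, threshold) {
  const failing = packagesAtOrAbove(report, threshold).map((name) => ({
    name,
    isDirect: Boolean(report.vulnerabilities[name].isDirect),
    rootCauses: rootCauses(report, name),
  }));
  return { ok: failing.length === 0, failing };
}

// Stand-alone run over the constructed report. In CI you would parse the
// output of `npm audit --json` instead and set a non-zero exit code when
// `ok` is false.
console.log(JSON.stringify(auditGate(sampleReport, "high"), null, 2));
```

On the constructed report, the gate at `high` fails on three packages and traces the direct `@excalidraw/excalidraw` entry back to `dompurify` and `nanoid`, which is the same reading that led the commit to change the Excalidraw release rather than override individual subtrees.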