
[codex] Fix draw UI audit dependency chain#80

Closed
jbeckwith-oai wants to merge 1 commit into main from codex/fix-draw-ui-audit-upstream

Conversation

@jbeckwith-oai
Contributor

What changed

This updates plugins/draw/ui to use the audit-safe upstream dependency combination:

  • downgrade @excalidraw/excalidraw from 0.18.0 to 0.17.6
  • align the package back to React 18 / React DOM 18
  • update the app imports to match the older Excalidraw package layout

Why

npm audit was flagging the @excalidraw/excalidraw@0.18.0 dependency chain for mermaid, dompurify, and nanoid.

Before changing anything, I checked whether the app was actually exposed to those advisories.

  • The broad dompurify findings were not all clearly reachable in this embed.
  • The nanoid finding did not appear to be exploitable here because the affected call pattern requires fractional size arguments, and the packaged call sites use plain nanoid().
  • The mermaid finding was the meaningful one: this UI mounts stock Excalidraw, which includes Mermaid import support in the bundled dependency chain, so user-initiated import of untrusted Mermaid content was still enough to leave a real XSS path in scope.

Given that, the fix here is to remove the vulnerable upstream chain rather than add lockfile overrides.

Impact

  • npm audit is clean for plugins/draw/ui
  • the package stays on a supported upstream dependency set instead of carrying lockfile-only pinning
  • the Excalidraw embed continues to build and type-check with the adjusted package layout

Validation

  • npm audit --json
  • npx tsc --noEmit
  • npm run build

Build still emits the existing Vite chunk-size warning for the large Excalidraw bundle, but the build succeeds.
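As an added triage helper (not code from this PR or the plugins/draw/ui project), the script below walks an `npm audit --json` v2 report from each advisory up the `effects` edges to the direct dependency that pulls it in, which is the reachability check the description above does by hand; the sample report, advisory titles and URLs are constructed placeholders.

```python
"""Triage an `npm audit --json` (auditReportVersion 2) report: for each advisory,
walk the `effects` edges upward to the direct dependency that pulls it in."""
import json


def _adv(num, name):
    # Constructed advisory object in the shape npm emits inside `via`.
    return {"source": num, "name": name, "title": f"PLACEHOLDER {name} advisory",
            "url": f"https://example.invalid/advisory/{num}",
            "severity": "high", "range": "<PLACEHOLDER"}


# Constructed sample report: package names follow the PR description, but the
# advisory ids, titles, URLs and ranges are placeholders, not real findings.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "dompurify": {"isDirect": False, "via": [_adv(1, "dompurify")],
                  "effects": ["mermaid"], "fixAvailable": True},
    "mermaid": {"isDirect": False, "via": ["dompurify", _adv(2, "mermaid")],
                "effects": ["@excalidraw/excalidraw"], "fixAvailable": True},
    "nanoid": {"isDirect": False, "via": [_adv(3, "nanoid")],
               "effects": ["@excalidraw/excalidraw"], "fixAvailable": True},
    "@excalidraw/excalidraw": {"isDirect": True, "via": ["mermaid", "nanoid"],
                               "effects": [], "range": "0.18.0",
                               "fixAvailable": {"name": "@excalidraw/excalidraw",
                                                "version": "0.17.6"}},
}})


def advisory_chains(report_json):
    """Map each advisory title to its chains 'direct dep > ... > flagged pkg'."""
    vulns = json.loads(report_json)["vulnerabilities"]

    def climb(pkg, path, seen):
        # Follow `effects` (packages that depend on `pkg`) until a direct
        # dependency or a node with no dependents; `seen` breaks cycles.
        entry = vulns.get(pkg)
        if (entry is None or pkg in seen or entry.get("isDirect")
                or not entry.get("effects")):
            return [path]
        return [chain for parent in entry["effects"]
                for chain in climb(parent, [parent] + path, seen | {pkg})]

    chains = {}
    for pkg, entry in vulns.items():
        for via in entry.get("via", []):
            if isinstance(via, dict):  # advisory object, not a dependency name
                chains.setdefault(via["title"], []).extend(
                    " > ".join(c) for c in climb(pkg, [pkg], frozenset()))
    return chains
```

Feed it the real report with `advisory_chains(open("audit.json").read())`; every chain that ends at a package only reachable through a code path the app never invokes is a candidate for documented acceptance, while one that ends at a user-reachable importer (as with Mermaid here) is not.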

Move the draw UI off the Excalidraw 0.18.0 dependency chain that pulls in the
vulnerable Mermaid and DOMPurify versions flagged by npm audit.

Use the audit-safe upstream combination of Excalidraw 0.17.6 with React 18,
and update the app imports to match the older package layout.

Checks: npm audit, npx tsc --noEmit, npm run build

Co-authored-by: Codex <noreply@openai.com>