chore(deps): apply npm audit fix for transitive dependencies

[sid88in]

Patches transitive CVEs via safe sub-dependency bumps within already-allowed semver ranges. No package.json changes.

• All 248 tests pass
• Lint and build clean
• Remaining advisories deferred to a future release (tracked separately)

What

Runs npm audit fix (safe mode, no --force) to patch transitive dependency
CVEs via sub-dependency bumps within already-allowed semver ranges.

Impact

• package.json unchanged
• package-lock.json updated
• Total vulnerabilities: 78 → 64 (15 advisories cleared, including 1 critical)
• Production-tree vulnerabilities: 16 → 7
• Severity breakdown:
  • Critical: 1 → 0
  • High: 36 → 33
  • Moderate: 26 → 17
  • Low: 15 → 14

Verification

• ✅ npm test — 248/248 tests passing
• ✅ npm run lint — clean
• ✅ npm run build — clean

Advisories patched

Critical

• @babel/traverse — Arbitrary code execution when compiling crafted malicious code (GHSA-67hx-6x53-jw92, CVSS 9.3)

High

• cross-spawn — Regular Expression Denial of Service (ReDoS) (GHSA-3xgq-45jj-v275, CVSS 7.5)
• http-cache-semantics — ReDoS vulnerability (GHSA-rc47-6667-2j5j, CVSS 7.5)
• path-to-regexp — Backtracking regular expression output (GHSA-9wv6-86v2-598j, CVSS 7.5)

Moderate

• @babel/helpers — Inefficient RegExp complexity in transpiled code (GHSA-968p-4wvh-cqc8, CVSS 6.2)
• @babel/runtime — Inefficient RegExp complexity in transpiled code (GHSA-968p-4wvh-cqc8, CVSS 6.2)
• ajv — ReDoS when using $data option (GHSA-2g4f-4pwh-qvx6)
• graphql — Uncontrolled resource consumption (GHSA-9pv7-vfvm-6vr7, CVSS 5.3)
• qs — arrayLimit bypass in bracket notation allows DoS via memory exhaustion (GHSA-6rw7-vpxm-498p)
• tough-cookie — Prototype pollution (GHSA-72xf-g2v4-qvf3, CVSS 6.5)
• word-wrap — ReDoS vulnerability (GHSA-j8xg-fqg3-53r7, CVSS 5.3)
• xml2js — Prototype pollution (GHSA-776f-qx25-q3cc, CVSS 5.3)
• yaml — Stack overflow via deeply nested YAML collections (GHSA-48c2-rrv3-qjmp)

Low

• formidable — Filename guessing of untrusted executable content (GHSA-75v8-2h7p-7m2m)
• qs — arrayLimit bypass in comma parsing allows DoS (GHSA-w7fw-mjwx-w883)

Not in scope

7 production-tree advisories remain that require breaking changes
(aws-sdk v2 EOL migration, esbuild dev-server, @serverless/utils major bump,
fast-json-patch with no upstream fix). These are deferred and will be tracked
in follow-up issues.

Release

Triggers semantic-release patch bump → v2.10.6

[sid88in]

@AlexHladin — going ahead and self-merging this since it's just transitive dep bumps with all tests green. Bigger changes coming this weekend that I'll definitely want your eyes on.