Commit 018adf4
api: bump vulnerable prod deps via npm audit fix
CI's npm audit --omit=dev --audit-level=high gate failed on five
advisories in api/'s production transitive tree. npm audit fix
upgraded them within their existing semver ranges (no manifest
changes, only api/package-lock.json):
- express-rate-limit 8.2.1 → 8.5.2
- ip-address 10.0.1 → 10.2.0 (GHSA-v2v4-37r5-5v8g, XSS)
- lodash 4.17.23 → 4.18.1 (GHSA-r5fr-rjxr-66jc + GHSA-f23m-r3pf-42rh)
- path-to-regexp 8.3.0 → 8.4.2 (GHSA-j3q9-mxjg-w52f + GHSA-27v5-c462-wpq7, ReDoS)
- qs 6.14.1 → 6.15.2 (GHSA-w7fw-mjwx-w883, DoS)
All within the existing express@5.2.1 / knex@3.1.0 dependency trees;
no top-level manifest changes were needed. Verified locally with
`npm audit --omit=dev --audit-level=high` (0 vulnerabilities) and
`npm run lint` (clean).

1 parent 18531b5 commit 018adf4
1 file changed
Lines changed: 16 additions & 16 deletions
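The two claims a reviewer would want to confirm on a commit like this are that the bumps stayed inside the ranges the dependents already declare (so a lockfile-only change really was sufficient) and that the audit gate now passes at the configured level. The following is an added example, not code from this commit or the project: it diffs the `packages` map of two lockfile v3 documents, checks each bumped version against every dependent's caret range, and evaluates an `npm audit --json` summary against an `--audit-level` threshold. The lockfile fragments and the audit metadata are constructed; the dependency ranges are illustrative rather than express's real ones, the tree is assumed flat, and only caret and exact ranges are handled.

```javascript
// Added example (not the commit's or the project's code): reviewer-side checks for a
// lockfile-only `npm audit fix` bump.
// Assumptions: flat node_modules tree; caret ("^x.y.z") or exact ranges only;
// audit report shape follows npm's v2 audit JSON (metadata.vulnerabilities counts).

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret semantics as npm applies them: ^1.2.3 := >=1.2.3 <2.0.0,
// ^0.2.3 := >=0.2.3 <0.3.0, ^0.0.3 := >=0.0.3 <0.0.4. A bare "x.y.z" is exact.
function satisfies(range, version) {
  if (!range.startsWith("^")) return compareVersions(range, version) === 0;
  const min = range.slice(1);
  const [minMaj, minMin, minPat] = parseVersion(min);
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (compareVersions(version, min) < 0) return false;
  if (minMaj > 0) return vMaj === minMaj;
  if (minMin > 0) return vMaj === 0 && vMin === minMin;
  return vMaj === 0 && vMin === 0 && vPat === minPat;
}

// "node_modules/@scope/pkg" or "node_modules/a/node_modules/b" -> the innermost package name.
function packageName(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Packages whose resolved version differs between the two lockfiles.
function diffLock(before, after) {
  const changes = [];
  for (const [key, entry] of Object.entries(after.packages)) {
    if (key === "") continue; // root project entry has no resolved version
    const prev = before.packages[key];
    if (prev && prev.version !== entry.version) {
      changes.push({ name: packageName(key), from: prev.version, to: entry.version });
    }
  }
  return changes;
}

// For each bump, every dependent (including the root manifest entry "") that declares
// a range on that package must still be satisfied by the new version.
function checkBumps(before, after) {
  const changes = diffLock(before, after);
  const violations = [];
  for (const change of changes) {
    for (const [key, entry] of Object.entries(after.packages)) {
      const range = entry.dependencies && entry.dependencies[change.name];
      if (range && !satisfies(range, change.to)) {
        violations.push({ dependent: key === "" ? "(root)" : packageName(key), ...change, range });
      }
    }
  }
  return { changes, violations };
}

// Mirrors `npm audit --audit-level=<level>`: fail if any advisory at or above the level remains.
function gatePasses(auditReport, level) {
  const counts = auditReport.metadata.vulnerabilities;
  const threshold = SEVERITY_ORDER.indexOf(level);
  if (threshold < 0) throw new Error(`unknown audit level: ${level}`);
  return SEVERITY_ORDER.slice(threshold).every((sev) => (counts[sev] || 0) === 0);
}

// Constructed lockfile v3 fragments; ranges are illustrative, not express's real ones.
const lockBefore = { lockfileVersion: 3, packages: {
  "": { dependencies: { express: "^5.2.0" } },
  "node_modules/express": { version: "5.2.1", dependencies: { qs: "^6.14.0", "path-to-regexp": "^8.2.0" } },
  "node_modules/qs": { version: "6.14.1" },
  "node_modules/path-to-regexp": { version: "8.3.0" },
} };
const lockAfter = { lockfileVersion: 3, packages: {
  "": { dependencies: { express: "^5.2.0" } },
  "node_modules/express": { version: "5.2.1", dependencies: { qs: "^6.14.0", "path-to-regexp": "^8.2.0" } },
  "node_modules/qs": { version: "6.15.2" },
  "node_modules/path-to-regexp": { version: "8.4.2" },
} };
// Constructed `npm audit --json` metadata: one moderate advisory left, nothing at high or above.
const auditAfter = { metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 0, total: 1 } } };

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkBumps(lockBefore, lockAfter));
  console.log("gate passes at high:", gatePasses(auditAfter, "high"));
}
```

Run against real files, the same functions apply to `JSON.parse` of the old and new `api/package-lock.json` and of `npm audit --omit=dev --json` output; a non-empty `violations` list is the signal that a manifest change (not just a lockfile bump) was actually required.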