Commit e02e29c
chore(deps): override transitive packages with available security patches
The yarn → npm switch makes the full transitive tree visible to
dependency-review for the first time, surfacing a batch of pre-existing
advisories. The four direct deps that pull them in (hyperlink,
static-site-generator-webpack-plugin, webpack-pwa-manifest, sitemap-static)
are already at their latest published versions, so the only available
levers are npm overrides on the transitive packages with patched
versions.
Pinned via overrides:
- @tootallnate/once ^3.0.1 (was 1.x — GHSA-vpq2-c234-7xj6)
- file-type ^21.3.1 (was 16.x — GHSA-5v7r-6r5c-r473)
- form-data ^4.0.4 (was 2.x — GHSA-fjxv-7rqg-78g4)
- minimist ^1.2.8 (replaces the older sitemap-static-only 1.2.5
pin — GHSA-xvch-5gv4-984h)
- nth-check ^2.0.1 (was 1.x — GHSA-rp65-9cf3-cjxr)
- phin ^3.7.1 (was 2.x — GHSA-x565-32qp-m3vf)
- qs ^6.13.0 (was 6.5.x — GHSA-6rw7-vpxm-498p)
- tough-cookie ^4.1.3 (was 2.5.x — GHSA-72xf-g2v4-qvf3)
Drops `npm audit` from 23 advisories to 8. The remaining 8 all come from
deprecated packages with no upstream patch — `html-minifier`,
`lodash.pick`, `request` — reachable only via `hyperlink` and
`static-site-generator-webpack-plugin`, which would need to be replaced
to address them.
1 parent c4c1778 commit e02e29c
2 files changed
Lines changed: 151 additions & 255 deletions
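As an added example (not part of this commit or the project's code): a small Node check that compares a package-lock.json against the package.json `overrides` map and flags every copy of an overridden package, including nested node_modules copies, whose installed version falls outside the caret range. It assumes plain `^x.y.z` ranges like the ones in the message and a lockfileVersion 2/3 flat `packages` map; the package.json and lockfile objects inline are constructed samples, not the repository's real files.

```javascript
// Minimal caret-range check; assumes plain "^x.y.z" ranges like the commit's overrides.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.replace(/^\^/, ""));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function satisfiesCaret(installed, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const inst = parseVersion(installed), floor = parseVersion(range);
  // Caret fixes every component up to and including the leftmost non-zero one...
  const fixed = floor[0] !== 0 ? 1 : floor[1] !== 0 ? 2 : 3;
  if (inst.slice(0, fixed).some((x, k) => x !== floor[k])) return false;
  // ...and requires the installed version to be >= the range's floor.
  return (inst.map((x, k) => x - floor[k]).find((d) => d !== 0) || 0) >= 0;
}

// Walk the lockfile's flat "packages" map (lockfileVersion 2/3). A key such as
// "node_modules/request/node_modules/tough-cookie" is a nested copy of tough-cookie;
// scoped names keep their slash, so take everything after the last "node_modules/".
function findOverrideViolations(pkgJson, lockJson) {
  const overrides = pkgJson.overrides || {};
  const violations = [];
  for (const [path, entry] of Object.entries(lockJson.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project itself
    const name = path.slice(idx + "node_modules/".length);
    const range = overrides[name];
    if (range && !satisfiesCaret(entry.version, range)) {
      violations.push({ path, name, version: entry.version, range });
    }
  }
  return violations;
}

// Constructed sample input (not the project's real files), using three of the commit's pins.
const SAMPLE_PACKAGE_JSON = {
  overrides: { qs: "^6.13.0", minimist: "^1.2.8", "tough-cookie": "^4.1.3" },
};
const SAMPLE_LOCK = {
  packages: {
    "": { name: "site", version: "1.0.0" },
    "node_modules/qs": { version: "6.13.0" },
    "node_modules/minimist": { version: "1.2.8" },
    "node_modules/tough-cookie": { version: "4.1.4" },
    // A nested copy the override did not reach: still on the vulnerable 2.x line.
    "node_modules/request/node_modules/tough-cookie": { version: "2.5.0" },
  },
};
```

Run it against a real tree with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result means `npm audit` will keep reporting the nested copy regardless of what the top-level override says.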