security(#302): patch npm dependency vulnerabilities

[nolanmak]

Closes #302.

Patches all production npm advisories. npm audit fix (non-breaking) regenerated the lockfile only — no package.json edits, no major bumps (existing semver ranges already permitted the patched releases).

• undici → 6.24.1 (via discord.js 14.26.4 / @discordjs/rest 2.6.1): clears request-smuggling, CRLF-injection, decompression-DoS, WS-overflow.
• path-to-regexp → 8.4.2: clears Express routing ReDoS.
• plus qs, ws, @hono/node-server, express-rate-limit, ip-address (moderates).

npm audit --omit=dev: was 4 high / 8 moderate → now 0 / 0. npm run build passes. (lodash/fast-uri from the issue text weren't present in this tree's production audit.)

Only package-lock.json changed (node_modules untracked).

Follow-up: add npm audit + cargo audit/cargo deny as CI gates (issue task 3).

🤖 swarm-authored, human-review-required (draft).

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b7691c7f-2a1b-4340-8125-1a9a03bedc6b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sec/302-deps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}