Commit 6844a84
fix(deps): remove unused cz-conventional-changelog to address CVE-2026-4800
commitizen pins lodash at 4.17.21, which is vulnerable to code injection
via _.template imports key names. cz-conventional-changelog is unused in
this repo — no scripts, hooks, CI workflows, or docs reference it. The
changelog/release pipeline uses semantic-release, which is independent.
Removing the dead dependency eliminates the vulnerable transitive lodash
copy entirely and drops 94 packages from the tree.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

1 parent 1cc8136 commit 6844a84
2 files changed
Lines changed: 23 additions & 1258 deletions