chore(deps): bump express-rate-limit and override postcss for security

Clears two Dependabot alerts on the root package-lock.json:

- alert #303 / GHSA-v2v4-37r5-5v8g (ip-address): bump
  calm-server's express-rate-limit pin to ^8.5.0; the new version
  declares ip-address: ^10.2.0 directly, which pulls in a patched
  copy at the top level. Cleaner than an override and avoids the
  resolution issues seen when the override prevented npm from
  installing ip-address at all (caught by the calm-server test
  suite, which uses express-rate-limit at runtime).
- alert #287 / GHSA-qx2v-qp2m-jg93 (postcss): add a postcss: ^8.5.10
  override. The top-level postcss is already at 8.5.10; the alert
  came from node_modules/next/node_modules/postcss@8.4.31 (Next
  15.5.15 pins exact 8.4.31). The stale lockfile entry was holding
  the vulnerable copy in place and has been removed so npm
  re-resolves under the override - next now uses the hoisted
  top-level postcss@8.5.10.

Author: rocketstack-matt

calm-server/package.json

@@ -33,7 +33,7 @@
         "commander": "^14.0.0",
         "copyfiles": "^2.4.1",
         "express": "^4.18.2",
-        "express-rate-limit": "^8.2.2"
+        "express-rate-limit": "^8.5.0"
     },
     "devDependencies": {
         "@types/express": "^5.0.0",

package-lock.json

@@ -85,6 +85,7 @@
         "lodash": "^4.18.1",
         "lodash-es": "^4.18.1",
         "picomatch": "^4.0.4",
+        "postcss": "^8.5.10",
         "@semantic-release/npm": {
             "npm": "11.12.1"
         },