
chore(deps): override ip-address and postcss to clear Dependabot alerts #2423

Merged
LeighFinegold merged 1 commit into finos:main from
rocketstack-matt:fix/dependabot-ip-address-postcss
May 6, 2026

Conversation

@rocketstack-matt
Member

@rocketstack-matt rocketstack-matt commented May 6, 2026

Description

Clears two Dependabot alerts on the root package-lock.json.

| Alert | Package | Approach |
| --- | --- | --- |
| #303 (GHSA-v2v4-37r5-5v8g) | ip-address | Bump calm-server's express-rate-limit pin from ^8.2.2 → ^8.5.0. The new version declares ip-address: ^10.2.0 directly, so npm installs a patched copy at the top level — no override needed. |
| #287 (GHSA-qx2v-qp2m-jg93) | postcss | Add postcss: ^8.5.10 override. Top-level postcss was already at 8.5.10; the vulnerable copy was node_modules/next/node_modules/postcss@8.4.31 (Next 15.5.15 pins exact 8.4.31). The stale lockfile entry has been removed so npm re-resolves under the override — next now uses the hoisted top-level postcss@8.5.10. |

Note on the ip-address approach

A previous version of this PR used ip-address: ^10.1.1 as an override and surgically removed the top-level lockfile entry. That approach broke the calm-server test suite in CI: express-rate-limit imports ip-address at runtime, and removing the lockfile entry left it unresolvable (locally it was masked by an ip-address package in a parent directory). Bumping express-rate-limit to a version that pulls in a patched ip-address directly is cleaner and avoids the override-anchor problem entirely.

Out of scope

  • uuid (alert #301) — the only vulnerable copy is node_modules/mermaid/node_modules/uuid@11.1.0. A global uuid: ^11.1.1 override forces v11 onto v8 consumers (@cypress/request, @azure/msal-node, sockjs); a scoped mermaid: { uuid: ... } override caused mermaid to dedupe to the v8 hoisted copy and broke resolution. The advisory (GHSA-w5hq-g745-h8pq) is a missing buffer bounds check in the v3/v5/v6 generator path when a buf argument is provided — mermaid only generates v4 IDs and does not exercise that path, so real-world risk is essentially nil. Recommend dismissing this alert with a tolerable_risk justification.
  • ip-address bundled inside npm CLI (node_modules/npm/node_modules/ip-address@10.1.0, inBundle:true) — not reachable via overrides. Bundled npm CLI is a release-time tool, not a runtime consumer; recommend dismiss-with-justification if Dependabot flags it.
  • calm-suite/calm-studio — separate pnpm-managed workspace, intentionally out of scope.

Type of Change

  • 🔧 Chore (maintenance, dependencies, CI, etc.)

Affected Components

  • CALM Server (calm-server/)
  • Dependencies

Testing

  • I have tested my changes locally (npm run test:calm-server passes — all 11 tests; npm install resolves cleanly; postcss/ip-address verified at correct versions in the lockfile)
  • I have added/updated unit tests (n/a — dependency-only change)
  • All existing tests pass

Checklist

  • My commits follow the conventional commit format
  • I have updated documentation if necessary
  • I have added tests for my changes (if applicable)
  • My changes follow the project's coding standards

@rocketstack-matt rocketstack-matt requested a review from a team as a code owner May 6, 2026 14:30
Copilot AI review requested due to automatic review settings May 6, 2026 14:30
@github-actions github-actions Bot added the config label May 6, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR aims to clear two Dependabot alerts in the root npm lockfile by adding npm overrides for ip-address and postcss, and by pruning stale nested lockfile entries so npm re-resolves to non-vulnerable versions.

Changes:

  • Added root overrides entries for ip-address and postcss in package.json.
  • Removed the lockfile entries for node_modules/ip-address@10.1.0 and node_modules/next/node_modules/postcss@8.4.31 to force re-resolution under the overrides.
  • Lockfile metadata tidy-up (removed dev / peer flags) for axios and proxy-from-env.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| package.json | Adds overrides for ip-address and postcss to address Dependabot alerts. |
| package-lock.json | Prunes specific nested/hoisted entries so npm can re-resolve vulnerable dependencies under the overrides. |


Clears two Dependabot alerts on the root package-lock.json:

- alert finos#303 / GHSA-v2v4-37r5-5v8g (ip-address): bump
  calm-server's express-rate-limit pin to ^8.5.0; the new version
  declares ip-address: ^10.2.0 directly, which pulls in a patched
  copy at the top level. Cleaner than an override and avoids the
  resolution issues seen when the override prevented npm from
  installing ip-address at all (caught by the calm-server test
  suite, which uses express-rate-limit at runtime).
- alert finos#287 / GHSA-qx2v-qp2m-jg93 (postcss): add a postcss: ^8.5.10
  override. The top-level postcss is already at 8.5.10; the alert
  came from node_modules/next/node_modules/postcss@8.4.31 (Next
  15.5.15 pins exact 8.4.31). The stale lockfile entry was holding
  the vulnerable copy in place and has been removed so npm
  re-resolves under the override - next now uses the hoisted
  top-level postcss@8.5.10.
@rocketstack-matt rocketstack-matt force-pushed the fix/dependabot-ip-address-postcss branch from b37bc7d to c42dc00 May 6, 2026 14:46
@LeighFinegold LeighFinegold merged commit 23c9cec into finos:main May 6, 2026
21 checks passed
3 participants