fix: resolve npm audit security vulnerabilities#4948

Closed
Copilot wants to merge 4 commits into main from copilot/fix-npm-security-vulnerabilities

Conversation

Contributor

Copilot AI commented Mar 31, 2026

Addresses npm vulnerabilities in dev dependencies by running npm audit fix. The remaining vulnerabilities (diff, serialize-javascript, mocha) can only be addressed via --force, which would install undefined@undefined and is not viable.

Changes

  • package-lock.json — updated via npm audit fix to patch:
    • underscore (<=1.13.7) — High: unlimited recursion DoS (GHSA-qpx9-hpmf-5gmw)
    • Various other non-breaking transitive dependency updates
Original prompt

Run npm audit fix to resolve known security vulnerabilities in npm dependencies. If npm audit fix alone does not resolve all issues, also try npm audit fix --force for remaining vulnerabilities where safe to do so. Run the existing test suite to verify nothing is broken. Summarize the audit findings and fixes applied in the PR description.

Copilot AI changed the title from "[WIP] Fix known security vulnerabilities in npm dependencies" to "fix: resolve npm audit security vulnerabilities" on Mar 31, 2026
Copilot AI requested a review from bwateratmsft March 31, 2026 15:23
@bwateratmsft
Contributor

@copilot Please revert the overrides block in package.json. Also, diff was upgraded from 5.2.2 → 8.0.4 which is a major version bump — that should not happen from npm audit fix. Please reset package-lock.json to the base branch version and only run npm audit fix without --force. Do not add overrides.
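The reviewer's objection above rests on a check that is worth automating: after `npm audit fix`, no dependency in `package-lock.json` should have moved to a new major version, because the non-`--force` mode is meant to stay within existing semver ranges. The script below is an added example, not code from this PR or its repository; it compares the `packages` map of a base lock file with the map of the post-fix lock file and classifies each version change as major, minor or patch. The two lock-file objects embedded in it are constructed sample data (the `diff` 5.2.2 to 8.0.4 bump is the one the reviewer cites; the other package names and versions are made up for illustration), and `readLock` is a small helper assumed here for use against real files.

```javascript
// Added example: flag unexpected major-version bumps between two
// package-lock.json files (lockfileVersion 2 or 3 "packages" maps).
// Not part of the PR; sample lock data below is constructed.

const semverRe = /^(\d+)\.(\d+)\.(\d+)/;

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored); null if malformed.
function parseSemver(v) {
  const m = semverRe.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Map each installed path ("node_modules/a/node_modules/b") to its name and version.
// Keying by path keeps nested duplicates distinct, as the lock file does.
function versionMap(lock) {
  const out = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // "" is the root project itself
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.set(path, { name, version: entry.version });
  }
  return out;
}

// Classify every change between base and next lock files.
function compareLocks(baseLock, nextLock) {
  const base = versionMap(baseLock);
  const next = versionMap(nextLock);
  const result = { major: [], minor: [], patch: [], added: [], removed: [] };
  for (const [path, b] of base) {
    const n = next.get(path);
    if (!n) { result.removed.push(b.name); continue; }
    if (n.version === b.version) continue;
    const rec = { name: b.name, from: b.version, to: n.version };
    const bv = parseSemver(b.version);
    const nv = parseSemver(n.version);
    if (!bv || !nv || nv.major !== bv.major) result.major.push(rec); // unparsable => treat as breaking
    else if (nv.minor !== bv.minor) result.minor.push(rec);
    else result.patch.push(rec);
  }
  for (const [path, n] of next) if (!base.has(path)) result.added.push(n.name);
  return result;
}

// The review gate: returns the list of major bumps; an empty list means the
// `npm audit fix` run stayed within semver ranges.
function majorBumps(baseLock, nextLock) {
  return compareLocks(baseLock, nextLock).major;
}

// Helper for real use (assumed, not from the project): load a lock file from disk.
function readLock(filePath) {
  return JSON.parse(require("fs").readFileSync(filePath, "utf8"));
}

// Constructed sample data: lock state on the base branch ...
const BASE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-project", version: "1.0.0" },
    "node_modules/diff": { version: "5.2.2" },
    "node_modules/sample-transitive-a": { version: "2.4.0" },
    "node_modules/sample-transitive-b": { version: "1.0.3" },
    "node_modules/mocha/node_modules/sample-transitive-b": { version: "1.0.3" },
  },
};

// ... and after the audit fix run under review.
const NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-project", version: "1.0.0" },
    "node_modules/diff": { version: "8.0.4" },               // major bump: should be rejected
    "node_modules/sample-transitive-a": { version: "2.5.1" }, // minor bump: fine
    "node_modules/sample-transitive-b": { version: "1.0.4" }, // patch bump: fine
    "node_modules/mocha/node_modules/sample-transitive-b": { version: "1.0.3" },
  },
};

// Stand-alone run; swap in readLock("base/package-lock.json") etc. for real files.
const bumps = majorBumps(BASE_LOCK, NEW_LOCK);
for (const b of bumps) console.log(`major bump: ${b.name} ${b.from} -> ${b.to}`);
console.log(bumps.length === 0 ? "OK: no major bumps" : "FAIL: major bumps found");
```

In a CI step the two inputs would be the base branch's lock file (e.g. via `git show origin/main:package-lock.json`) and the working-tree copy, and a non-empty `majorBumps` result would fail the job; paths rather than names are compared so a nested copy of a package under `node_modules/mocha/` is judged separately from the top-level one.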

Contributor Author

Copilot AI commented Mar 31, 2026

@copilot Please revert the overrides block in package.json. Also, diff was upgraded from 5.2.2 → 8.0.4 which is a major version bump — that should not happen from npm audit fix. Please res...

Done in 53aaf6d. Reverted package.json to the base branch (no overrides), reset package-lock.json to base, then re-ran only npm audit fix (no --force). The remaining vulnerabilities in diff, serialize-javascript, and mocha only suggest npm audit fix --force, which would install undefined@undefined and is not viable.

@bwateratmsft bwateratmsft deleted the copilot/fix-npm-security-vulnerabilities branch March 31, 2026 15:49