LTS-2886: bump protobufjs to 7.6.4 to fix GHSA-xq3m-2v4x-88gg

protobufjs <7.5.5 is vulnerable to arbitrary code execution
(GHSA-xq3m-2v4x-88gg). It is a dev-only transitive dependency whose
parent ranges (^7.x) already permit the patched version, so this is a
lockfile-only bump (7.5.4 -> 7.6.4) with no source or package.json
changes. The remaining lockfile churn is npm deduping redundant
entries.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: amitsi-bs