Commit bec2bbd
Run npm audit fix (non-breaking) (#25832)
Applies `npm audit fix` (no `--force`) to resolve 5 of 26 reported
vulnerabilities. Only `package-lock.json` is modified — semver ranges in
`package.json` are unchanged.
## Packages updated
| Package | Before | After | CVE/Advisory |
|---|---|---|---|
| `cipher-base` | 1.0.4 | 1.0.7 | [GHSA-cpq7-6gpm-g9rc](GHSA-cpq7-6gpm-g9rc) — **critical**, missing type checks |
| `ajv` | 6.12.6 / 8.17.1 | 6.14.0 / 8.18.0 | [GHSA-2g4f-4pwh-qvx6](GHSA-2g4f-4pwh-qvx6) — ReDoS via `$data` |
| `bn.js` | 4.11.8 / 5.2.1 | 4.12.3 / 5.2.3 | [GHSA-378v-28hj-76wf](GHSA-378v-28hj-76wf) — infinite loop |
| `glob` | 10.4.5 | 10.5.0 | [GHSA-5j98-mcp5-4vw2](GHSA-5j98-mcp5-4vw2) — CLI command injection |
| `minimatch` (3.x / 9.x) | 3.1.2 / 9.0.x | 3.1.5 / 9.0.9 | [GHSA-3ppc-4f35-3m26](GHSA-3ppc-4f35-3m26) — ReDoS |
## Remaining vulnerabilities (21)
All require `--force` and involve breaking changes (e.g. mocha
downgrade, `copy-webpack-plugin` major bump,
`node-polyfill-webpack-plugin` major bump). Not addressed here per the
constraint of no forced updates.
<details>
<summary>Original prompt</summary>

> Run npm audit fix. Do not use force flag.

</details>

Created from [VS Code](https://code.visualstudio.com/docs/copilot/copilot-coding-agent).
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: rzhao271 <7199958+rzhao271@users.noreply.github.com>

1 parent aab1c36, commit bec2bbd
1 file changed: +554 −442 lines