
chore: update dependencies to latest patch/minor versions #752

Open

devin-ai-integration[bot] wants to merge 1 commit into main from devin/1778605022-dependency-updates

Conversation


@devin-ai-integration devin-ai-integration Bot commented May 12, 2026

Summary

Updates all backend and frontend dependencies to their latest patch/minor versions within existing semver ranges. This resolves all 13 frontend vulnerabilities and reduces backend vulnerabilities from 14 to 7 (remaining are sqlite3 build-time transitive deps requiring a major version upgrade).

Backend dependency updates

| Package | Previous | Updated | Notes |
|---|---|---|---|
| cors | 2.8.5 | 2.8.6 | Bug fix |
| express | 4.22.1 | 4.22.2 | Patch |
| jsonwebtoken | 9.0.2 | 9.0.3 | Security: HMAC signature verification bypass |
| nodemon | 3.1.11 | 3.1.14 | Dev dependency |
| + transitive deps | | | Various security fixes (qs, picomatch, minimatch, etc.) |

Frontend dependency updates

| Package | Previous | Updated | Notes |
|---|---|---|---|
| axios | 1.13.2 | 1.16.0 | Security: 16 CVEs (SSRF, prototype pollution, DoS) |
| react-router-dom | 7.10.0 | 7.15.0 | Security: CSRF, XSS, open redirect |
| vite | 7.2.6 | 7.3.3 | Security: path traversal, fs.deny bypass, WebSocket file read |
| react | 19.2.0 | 19.2.6 | Patch |
| react-dom | 19.2.0 | 19.2.6 | Patch |
| @mui/material | 7.3.6 | 7.3.11 | Patch |
| @mui/icons-material | 7.3.6 | 7.3.11 | Patch |
| @mui/x-date-pickers | 8.19.0 | 8.28.5 | Minor |
| @tanstack/react-query | 5.90.11 | 5.100.10 | Minor |
| typescript-eslint | 8.48.1 | 8.59.3 | Minor |
| eslint + plugins | various | latest patch/minor | Dev dependencies |
| + transitive deps | | | All frontend audit vulnerabilities resolved |

Security vulnerabilities addressed

  • Frontend: 13 → 0 vulnerabilities
  • Backend: 14 → 7 vulnerabilities (remaining 7 are in sqlite3 build-time deps — requires sqlite3 v5→v6 major upgrade)

Intentionally skipped major updates

These require breaking change migrations and are not included:

  • express 4→5, express-rate-limit 7→8, helmet 7→8
  • jest 29→30, joi 17→18, sqlite3 5→6, supertest 6→7
  • @mui/* 7→9, typescript 5→6, vite 7→8, globals 16→17

Review & Testing Checklist for Human

  • Verify the app starts correctly (cd backend && npm run dev + cd frontend && npm run dev)
  • Spot-check core flows: login, create client, add work entry, generate report
  • Confirm no visual regressions from MUI patch updates

Notes

  • All 161 backend tests pass
  • Frontend lint passes cleanly
  • Frontend TypeScript compilation and Vite build succeed
  • Only lockfiles were changed — no source code modifications
  • The remaining 7 backend vulnerabilities are all in sqlite3's native build toolchain (tar, node-gyp, cacache) and are only exploitable during npm install, not at runtime

Link to Devin session: https://partner-workshops.devinenterprise.com/sessions/ce3f2bd043624d2e86768f2b07d7a2a1



Backend updates:
- cors: 2.8.5 → 2.8.6
- express: 4.22.1 → 4.22.2
- jsonwebtoken: 9.0.2 → 9.0.3 (security: HMAC signature bypass fix)
- nodemon: 3.1.11 → 3.1.14
- + transitive dependency updates

Frontend updates:
- axios: 1.13.2 → 1.16.0 (security: 16 CVEs fixed)
- react-router-dom: 7.10.0 → 7.15.0 (security: CSRF, XSS, open redirect)
- vite: 7.2.6 → 7.3.3 (security: path traversal, WebSocket file read)
- react: 19.2.0 → 19.2.6
- react-dom: 19.2.0 → 19.2.6
- @mui/material: 7.3.6 → 7.3.11
- @mui/icons-material: 7.3.6 → 7.3.11
- @mui/x-date-pickers: 8.19.0 → 8.28.5
- @tanstack/react-query: 5.90.11 → 5.100.10
- typescript-eslint: 8.48.1 → 8.59.3
- eslint: 9.39.1 → 9.39.4
- + all transitive dependency updates

Resolves all frontend vulnerabilities (13 → 0).
Backend reduced from 14 to 7 (remaining are sqlite3 build-time deps requiring major upgrade).
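The checklist above asks a human to start the app and spot-check flows, but it does not include a check that the lockfile actually pins the versions the PR table claims, or that each pin still satisfies the caret range declared in package.json (the PR states all updates stay within existing semver ranges). The following Node script is an added example, not part of this PR or the project; the manifest and lockfile objects are constructed samples in the lockfileVersion 2/3 layout, and the caret-range logic is a deliberately simplified stand-in for the `semver` package.

```javascript
// Added example (not project code): verify that a package-lock.json pins the
// versions a dependency-update PR claims, and that every pin still satisfies
// the caret range declared in package.json.

// CONSTRUCTED sample manifest; the ranges are assumptions, not the project's.
const sampleManifest = {
  dependencies: { cors: "^2.8.5", express: "^4.18.0", jsonwebtoken: "^9.0.0" },
  devDependencies: { nodemon: "^3.1.0" },
};

// CONSTRUCTED sample lockfile. lockfileVersion 2/3 keys "packages" by install
// path; the "" entry is the root package and carries the declared ranges.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: sampleManifest.dependencies,
      devDependencies: sampleManifest.devDependencies,
    },
    "node_modules/cors": { version: "2.8.6" },
    "node_modules/express": { version: "4.22.2" },
    "node_modules/jsonwebtoken": { version: "9.0.3" },
    "node_modules/nodemon": { version: "3.1.14" },
  },
};

// Versions taken from the PR's backend "Updated" column.
const prAssertedVersions = {
  cors: "2.8.6",
  express: "4.22.2",
  jsonwebtoken: "9.0.3",
  nodemon: "3.1.14",
};

// Parse "x.y.z" (pre-release/build suffixes are ignored) into three numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two parsed versions: <0, 0, >0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Simplified caret semantics: ^x.y.z allows the same major (x >= 1), or the
// same major and minor when x is 0, and never anything below the lower bound.
// Only caret ranges are handled; anything else is rejected loudly.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const lo = parseSemver(range.slice(1));
  const v = parseSemver(version);
  if (lo[0] !== v[0]) return false;
  if (lo[0] === 0 && lo[1] !== v[1]) return false;
  return compareVersions(v, lo) >= 0;
}

// Version pinned for a top-level (non-nested) dependency, or null if absent.
function lockedVersion(lock, name) {
  const entry = lock.packages[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// Returns a list of human-readable problems; an empty list means the lockfile
// matches the PR's claims and stays inside the declared ranges.
function checkLockfile(lock, expected) {
  const root = lock.packages[""] || {};
  const declared = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const problems = [];
  for (const [name, want] of Object.entries(expected)) {
    const got = lockedVersion(lock, name);
    if (got === null) {
      problems.push(`${name}: missing from lockfile`);
      continue;
    }
    if (got !== want) problems.push(`${name}: lock has ${got}, PR says ${want}`);
    const range = declared[name];
    if (range && !satisfiesCaret(range, got)) {
      problems.push(`${name}: ${got} is outside declared range ${range}`);
    }
  }
  return problems;
}

const problems = checkLockfile(sampleLock, prAssertedVersions);
console.log(problems.length === 0 ? "lockfile matches PR claims" : problems.join("\n"));
```

To run it against a real checkout, replace the two sample objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and the parsed package.json, and fill `prAssertedVersions` from the PR table; a non-empty result is the signal to ask the author why the lockfile and the description disagree.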
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Contributor Author

@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.
