
chore(deps): upgrade vulnerable dependencies and re-enable strict CVE gating#30

Merged
jeffgicharu merged 4 commits into main from chore/dependency-upgrades on May 12, 2026

Conversation

@jeffgicharu (Owner)

Summary

Drives the open dependency-CVE list from 1 CRITICAL + 35 HIGH down to 0 high/critical, then re-tightens the security CI gates that PR #17 had landed in advisory mode.

Change

Dependency upgrades

  • apps/web/package.json: next ^15.2.0 → ^15.5.18 (multiple GHSAs).
  • Root package.json pnpm.overrides — pin transitive deps to their patched ranges. Each entry maps to an open advisory:
    • handlebars >= 4.7.9 — prototype pollution + RCE chain (storybook → babel preset)
    • minimatch >= 10.2.3 — ReDoS (multiple roots)
    • multer >= 2.1.1 — DoS via malformed body
    • lodash >= 4.18.0 — prototype pollution
    • path-to-regexp >= 8.4.0 — backtracking ReDoS
    • serialize-javascript >= 7.0.3 — XSS via crafted regex
    • flatted >= 3.4.2 — prototype pollution
    • picomatch >= 4.0.4 — ReDoS
    • fast-uri >= 3.1.2 — path traversal + host confusion (nestjs CLI → ajv chain)
    • @babel/plugin-transform-modules-systemjs >= 7.29.4 — arbitrary-code generation (storybook → preset-env chain)
  • pnpm install re-pinned the lockfile against these overrides.

CI gating re-enabled

  • .github/workflows/dependency-audit.yml — strip || true from the audit step so the job fails on any high/critical.
  • .github/workflows/container-scan.yml — flip Trivy exit-code from '0' (advisory) back to '1' (fail-the-build). ignore-unfixed: true stays so the gate only fails on advisories that have an available patch — otherwise we'd be perma-red on Alpine base-image CVEs we can't fix.

Audit deltas

Before this PR (advisory mode tolerated):
```
68 vulnerabilities found
Severity: 7 low | 25 moderate | 35 high | 1 critical
```

After:
```
12 vulnerabilities found
Severity: 4 low | 8 moderate
```

Zero high/critical remaining. The 12 low/moderate are transitives in dev-only paths (storybook, eslint plugins) with no patched versions yet; the strict gate ignores them.

Test plan

  • pnpm install reconciles the lockfile against the new overrides cleanly
  • pnpm audit --audit-level=high → 0 findings
  • pnpm --filter @contractor-os/api test (362 tests) green
  • pnpm --filter @contractor-os/web test (26 tests) green
  • pnpm build (all packages) green
  • CI strict-gate steps re-enabled and exercised on this PR

Closes #14
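The strict gate described above, written out as an added example that is not code from this PR or its repository: a dependency-free Node script that reads a `pnpm audit --json` report and fails on high/critical advisories, and goes one step beyond the PR's plain `--audit-level=high` step by applying the same `ignore-unfixed` rule the Trivy step keeps, so only advisories with a patched version block the build. The report shape (npm-audit v1 style `advisories` keyed by id with `module_name`, `severity` and `patched_versions`, where `<0.0.0` means no fix) and the sample report itself are assumptions constructed for the example.

```javascript
// Added example, not part of the PR or the repository. Gates a pnpm audit
// --json report the way the PR's CI does (fail on high/critical) while
// mirroring the Trivy step's ignore-unfixed: only advisories with a patched
// version block the build; unfixable ones are reported but tolerated.
// Assumed report shape: npm-audit v1 style, "advisories" keyed by id, each
// carrying module_name, severity and patched_versions ("<0.0.0" = no fix).

const BLOCKING_SEVERITIES = new Set(['high', 'critical']);

// True when the advisory names a fixed version range.
function hasFix(advisory) {
  const patched = String(advisory.patched_versions || '').trim();
  return patched !== '' && patched !== '<0.0.0';
}

// Returns a verdict object; `fail` is what the CI step would exit on.
function gateAudit(report, { ignoreUnfixed = true } = {}) {
  const blocking = [];        // high/critical with a fix available
  const ignoredUnfixed = [];  // high/critical with no fix (tolerated)
  let belowThreshold = 0;     // low/moderate, outside the gate
  for (const adv of Object.values(report.advisories || {})) {
    if (!BLOCKING_SEVERITIES.has(adv.severity)) { belowThreshold += 1; continue; }
    if (ignoreUnfixed && !hasFix(adv)) { ignoredUnfixed.push(adv.module_name); continue; }
    blocking.push(`${adv.module_name} [${adv.severity}] fixed in ${adv.patched_versions}`);
  }
  return { fail: blocking.length > 0, blocking, ignoredUnfixed, belowThreshold };
}

// Constructed sample report (not real audit output) with one of each case.
const SAMPLE_REPORT = {
  advisories: {
    '1001': { module_name: 'handlebars', severity: 'critical', patched_versions: '>=4.7.9' },
    '1002': { module_name: 'minimatch', severity: 'high', patched_versions: '>=10.2.3' },
    '1003': { module_name: 'dev-only-plugin', severity: 'high', patched_versions: '<0.0.0' },
    '1004': { module_name: 'flatted', severity: 'moderate', patched_versions: '>=3.4.2' },
  },
};

const verdict = gateAudit(SAMPLE_REPORT);
console.log(JSON.stringify(verdict, null, 2));
// In a CI step the script would finish with: process.exitCode = verdict.fail ? 1 : 0
```

Feed it real output with `pnpm audit --json | node gate.js` once the `process.exitCode` line is enabled; with `ignoreUnfixed: false` it behaves like the PR's plain `--audit-level=high` step.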


@gemini-code-assist (Bot) left a comment

Code Review

This pull request updates several dependencies and introduces an overrides block in package.json to pin versions for security. However, the review highlights that many of the specified versions, including next@15.5.18 and several packages in the overrides block, do not exist on the public npm registry, which poses a critical security risk and will cause build failures. Additionally, the reviewer noted that manual modifications to the pnpm-lock.yaml for fdir are discouraged and should be handled via overrides instead.

Comment thread package.json
Comment on lines +24 to +35
"overrides": {
"handlebars": ">=4.7.9",
"minimatch": ">=10.2.3",
"multer": ">=2.1.1",
"lodash": ">=4.18.0",
"path-to-regexp": ">=8.4.0",
"serialize-javascript": ">=7.0.3",
"flatted": ">=3.4.2",
"picomatch": ">=4.0.4",
"fast-uri": ">=3.1.2",
"@babel/plugin-transform-modules-systemjs": ">=7.29.4"
}
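Review bot: every entry in this overrides block is an open-ended `>=` floor, so besides the patched release it also admits any future major of the transitive package (for example a minimatch 11.x under `">=10.2.3"`), which pnpm will then substitute for whatever range the depending package declared; the same `>=4.0.4` floor is what widens fdir's `picomatch: ^3 || ^4` peer range in the lockfile hunk further down. Prefer caret ranges such as `"minimatch": "^10.2.3"` and `"picomatch": "^4.0.4"` so each override stays on the patched line without crossing a major, and have CI install with `pnpm install --frozen-lockfile` on a clean checkout so that a floor that resolves to nothing on the registry fails the job instead of being reconciled locally.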

security-critical critical

Several dependency versions specified in this overrides block do not appear to exist on the public npm registry. For example:

  • lodash@4.18.1 (Latest stable is 4.17.21)
  • handlebars@4.7.9 (Latest stable is 4.7.8)
  • multer@2.1.1 (Latest stable is 1.4.5-lts.1)
  • @babel/plugin-transform-modules-systemjs@7.29.4 (Latest is 7.26.9)

Using non-standard or non-existent versions is a critical security risk (potential dependency confusion or supply chain attack) and will cause build failures in standard environments. Please verify these versions and ensure they are sourced from a trusted, reachable registry.

Comment thread apps/web/package.json
"lucide-react": "^0.575.0",
"motion": "^12.34.3",
"next": "^15.2.0",
"next": "^15.5.18",
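Review bot: the bump to `"next": "^15.5.18"` is justified in the PR body only as "(multiple GHSAs)", whereas every override entry names its weakness class; list the GHSA ids (or the Next.js advisory titles) in the PR body or commit message so a later reviewer can confirm that 15.5.18 is the lowest patched release and knows when the floor needs raising again. Because the caret range leaves the resolved version to the lockfile, the `next` entry in pnpm-lock.yaml should be checked in the same review rather than this manifest line alone.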

critical

The version ^15.5.18 for next does not exist on the public npm registry. The current latest stable version of Next.js is 15.1.7. Please check if this is a typo or if you are using a private registry with custom patches. If it is a typo, it will cause installation failures.

Comment thread pnpm-lock.yaml
engines: {node: '>=12.0.0'}
peerDependencies:
picomatch: ^3 || ^4
picomatch: '>=4.0.4'
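Review bot: this hunk rewrites fdir's published peer range `^3 || ^4` to `'>=4.0.4'` by hand inside the lockfile, but that field is package metadata that pnpm regenerates from the registry on the next resolve, and the root `pnpm.overrides` in the package.json hunk above already carries `"picomatch": ">=4.0.4"`, so the override is what will actually pin picomatch. Drop this hunk, let `pnpm install` regenerate the entry, and confirm with `pnpm why picomatch` that fdir resolves to the overridden version.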

medium

The peerDependencies for fdir@6.5.0 have been manually modified in the lockfile from ^3 || ^4 to '>=4.0.4'. Manually editing package metadata in the lockfile is highly discouraged as it will likely be overwritten during the next clean pnpm install or lockfile regeneration. If you need to enforce a specific version of a transitive dependency, it should be handled exclusively via the overrides in the root package.json.

@jeffgicharu merged commit a0301c0 into main on May 12, 2026; 19 checks passed.

Successfully merging this pull request may close these issues.

Dependency CVEs: 1 CRITICAL + 25 HIGH advisories from pnpm audit (handlebars, multer, next, minimatch, lodash, etc.)