
ci: Fix remaining Dependabot alerts with npm overrides.#279

Merged
nedseb merged 1 commit into
mainfrom
fix/remaining-dependabot-alerts
Mar 28, 2026

Conversation


@nedseb nedseb commented Mar 28, 2026

Summary

Add npm overrides in package.json to force patched versions of vulnerable transitive dependencies:

  • picomatch → ^4.0.4 (method injection, ReDoS)
  • lodash → ^4.17.22 (resolves to 4.17.23, prototype pollution)
  • tmp → ^0.2.4 (resolves to 0.2.5, arbitrary file write via symlink)
  • brace-expansion → ^2.0.3 (process hang / memory exhaustion)

Reduces Dependabot alerts from 8 to 2. The 2 remaining are bundled inside npm internal (node_modules/npm/node_modules/) and cannot be overridden.

Closes #280

Copilot review notes

Copilot suggested downgrading picomatch to 2.3.2 and brace-expansion to 1.1.12 for semver compatibility. These suggestions are incorrect: picomatch 2.3.2 IS the vulnerable version (the fix is 4.0.4+), and brace-expansion 1.x is not affected by the same advisory (GHSA-f886-m6hf-6m8v targets 2.0.0–2.0.2). The overrides are correct as-is.

Test plan

  • npm audit goes from 7 to 2 vulnerabilities
  • Remaining 2 vulns are in npm-bundled deps (unfixable)
  • make ci passes (lint + 271 tests)
  • CI passes on this PR

Copilot AI review requested due to automatic review settings March 28, 2026 15:28
@nedseb nedseb force-pushed the fix/remaining-dependabot-alerts branch from 449f314 to 252b813 Compare March 28, 2026 15:32

Copilot AI left a comment


Pull request overview

Adds npm overrides to remediate Dependabot-reported vulnerabilities in transitive dependencies used by the repo’s Node-based tooling (commit hooks / release tooling), and updates package-lock.json accordingly.

Changes:

  • Adds overrides in package.json for picomatch, lodash, tmp, and brace-expansion.
  • Updates package-lock.json to reflect the overridden dependency graph (notably brace-expansion and tmp upgrades, and removal of some now-unneeded nested deps).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 4 comments.

File                 Description
package.json         Introduces npm overrides to force patched transitive dependency versions.
package-lock.json    Updates the resolved dependency tree to match the new overrides.


Comment thread package.json
Comment on lines +47 to +48
"tmp": "^0.2.4",
"brace-expansion": "^2.0.3"
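Review bot: both overrides on lines +47 to +48 are unscoped, so npm applies them to every copy of tmp and brace-expansion anywhere in the tree, including dependents that declared a 1.x range for brace-expansion, which are pushed onto 2.x even though the 1.x line is outside the advisory this PR cites. If that is not intended, npm's nested override form (`"<parent>": { "brace-expansion": "^2.0.3" }`, with the real parent name substituted) confines the override to the dependent that actually pulls in 2.0.x. Either way, with caret ranges the resolved version exists only in package-lock.json, so the lockfile rather than the override string is the record to cite for the remediation.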

Copilot AI Mar 28, 2026


The PR description mentions tmp 0.2.4, but with the current override ("^0.2.4") the lockfile resolves tmp to 0.2.5. Consider updating the PR description (or pinning the override) so the documented remediation matches what npm will actually install.


nedseb commented Mar 28, 2026

The 4 Copilot comments have been analysed:

  1. lodash 4.17.22 vs 4.17.23 and tmp 0.2.4 vs 0.2.5: correct, the description has been updated to specify that ^4.17.22 resolves to 4.17.23 and ^0.2.4 resolves to 0.2.5.

  2. picomatch: suggested downgrade to 2.3.2: incorrect. picomatch 2.3.2 is the vulnerable version. The fix is in 4.0.4+. The ^4.0.4 override is correct. micromatch 4.0.8 works with picomatch 4.x (tested, CI passes).

  3. brace-expansion: suggested downgrade to 1.1.12: incorrect. The advisory GHSA-f886-m6hf-6m8v targets brace-expansion 2.0.0–2.0.2. The 1.x branch is not affected by this advisory but does not fix it either. The ^2.0.3 override forces the patched version in the 2.x branch.

@nedseb nedseb merged commit 9c50488 into main Mar 28, 2026
9 checks passed
@nedseb nedseb deleted the fix/remaining-dependabot-alerts branch March 28, 2026 15:38

Development

Successfully merging this pull request may close these issues.

ci: Fix Dependabot alerts on transitive npm dependencies.

2 participants