fix(build): resolve remaining npm audit vulnerabilities in root (#7)

- form-data 4.0.0-4.0.5 → patched (CRLF injection via unescaped multipart field names)

The vite, js-yaml, and @babel/core alerts (dev-only) were already resolved
in the src/ui lock file via the previous PR; the root lock had no separate
copies of those packages.

Co-authored-by: Claude <noreply@anthropic.com>

Author: SSheppDev