
Commit cc1e32e

kovtcharov-amd and Ovtcharov authored
fix(deps): bump @remix-run/router to patch XSS in emr dashboard (#1420) (#1453)
## Why this matters

The EMR dashboard frontend resolved `@remix-run/router@1.23.1` transitively through `react-router-dom@^6.20.0`, exposing it to the high-severity **XSS-via-open-redirect** advisory [GHSA-2w69-qvjg-hvjx](GHSA-2w69-qvjg-hvjx) (CVE-2026-22029).

Before: a fresh install of the dashboard pulled in the vulnerable router.

After: the `react-router-dom` floor is bumped to `^6.30.4`, which pins the patched `@remix-run/router@1.23.3`, clearing the advisory while staying on the 6.x line, **no major-version migration to react-router 7 required** (`react-router-dom@6.30.4` was released with the patched router after #1420 was filed, so the earlier "needs RR7" note no longer applies).

Scope is limited to the router bump: `package.json` floor + lockfile refresh only (13 lines changed, no package additions/removals). The sibling `electron/` dashboard does **not** pull in `@remix-run/router`, so it's untouched. The remaining vite/rollup/postcss/picomatch advisories in `npm audit` are pre-existing and out of scope for this fix.

## Test plan

- [x] `npm audit --audit-level=high` no longer reports `@remix-run/router` / `react-router` in `hub/agents/python/emr/gaia_agent_emr/dashboard/frontend/` (high count dropped 6→3, all remaining unrelated)
- [x] `npm run build` succeeds (vite build, 39 modules, clean)
- [x] Diff is scope-clean: only `react-router-dom` / `react-router` / `@remix-run/router` entries changed in the lockfile
- [x] Confirmed `electron/package-lock.json` has no `@remix-run/router` dependency

Closes #1420

Co-authored-by: Ovtcharov <kovtchar@amd.com>
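The test plan above verifies the fix by hand with `npm audit` and a lockfile diff. The following is an added example, not code from this commit or from the repository, that performs the same two checks programmatically on a lockfile: it walks an npm lockfile's `packages` map (lockfileVersion 2 or 3 is assumed; the v1 `dependencies` tree is not handled) for every copy of `@remix-run/router`, nested duplicates included, below the patched `1.23.3`, and confirms that the `react-router-dom` range in `package.json` sets a floor at or above `6.30.4`. The package names and versions are those from the commit message; the two lockfiles embedded below are constructed sample data that mirror the before/after state, not the project's real `package-lock.json`.

```javascript
// Added example (not part of the commit): lockfile check for a vulnerable transitive
// dependency. Assumes an npm lockfile with lockfileVersion 2 or 3 (a "packages" map
// keyed by install path). Sample lockfiles below are constructed, not the project's.

function parseSemver(version) {
  // Accepts "1.23.3", "v1.23.3" or "1.23.3-rc.1"; prerelease and build tags are
  // ignored because only the numeric major.minor.patch core is compared here.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of the version core: returns -1, 0 or 1. A plain string compare
// would rank "1.9.0" above "1.23.1", which is how ad-hoc audit scripts miss old versions.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name` whose version is older than `patchedVersion`.
// Keys in "packages" are install paths such as "node_modules/@remix-run/router" or
// "node_modules/foo/node_modules/@remix-run/router", so a nested duplicate left behind
// after the top-level copy was patched is reported as well.
function findVulnerableCopies(lockfile, name, patchedVersion) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    const isCopy = installPath === suffix || installPath.endsWith(`/${suffix}`);
    if (!isCopy || !meta || !meta.version) continue;
    if (compareSemver(meta.version, patchedVersion) < 0) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Does a package.json range such as "^6.30.4", "~6.30.4", ">=6.30.4" or a bare version
// set a floor at or above `minVersion`? Only the lower bound is examined: a caret range
// is a floor, not a pin, which is why the lockfile walk above is the decisive check.
function rangeFloorAtLeast(range, minVersion) {
  const lower = range.trim().replace(/^[\^~]|^>=\s*/, '');
  return compareSemver(lower, minVersion) >= 0;
}

// Constructed sample lockfiles: "before" resolves the vulnerable router, "after" the
// patched one. The react-router-dom resolved versions are illustrative placeholders.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'react-router-dom': '^6.20.0' } },
    'node_modules/react-router-dom': { version: '6.20.0' },
    'node_modules/@remix-run/router': { version: '1.23.1' },
  },
};

const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'react-router-dom': '^6.30.4' } },
    'node_modules/react-router-dom': { version: '6.30.4' },
    'node_modules/@remix-run/router': { version: '1.23.3' },
  },
};

// Combined verdict for one frontend: the package.json floor and the resolved lockfile
// copies must both be clean before the audit finding can be considered closed.
function auditRouter(lockfile, patchedVersion = '1.23.3', requiredFloor = '6.30.4') {
  const root = (lockfile.packages && lockfile.packages['']) || {};
  const range = (root.dependencies || {})['react-router-dom'];
  const vulnerable = findVulnerableCopies(lockfile, '@remix-run/router', patchedVersion);
  return {
    floorOk: range !== undefined && rangeFloorAtLeast(range, requiredFloor),
    vulnerable,
    clean: vulnerable.length === 0,
  };
}

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
  console.log(label, JSON.stringify(auditRouter(lock)));
}
```

To run it against a real tree, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the `floorOk` flag only guards against a future `npm install` resolving below the patched line, while `vulnerable` is what `npm audit --audit-level=high` is actually reporting on.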
1 parent a81dd83 commit cc1e32e

2 files changed

Lines changed: 14 additions & 14 deletions

File tree

hub/agents/python/emr/gaia_agent_emr/dashboard/frontend/package-lock.json

Lines changed: 13 additions & 13 deletions

hub/agents/python/emr/gaia_agent_emr/dashboard/frontend/package.json

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@
1010
"dependencies": {
1111
"react": "^18.2.0",
1212
"react-dom": "^18.2.0",
13-
"react-router-dom": "^6.20.0"
13+
"react-router-dom": "^6.30.4"
1414
},
1515
"devDependencies": {
1616
"@vitejs/plugin-react": "^4.2.0",
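Review bot: The only change in this hunk, `"react-router-dom": "^6.20.0"` to `"react-router-dom": "^6.30.4"`, raises the floor but does not by itself pin `@remix-run/router`; a caret range still lets a later `npm install` resolve any 6.x release, and which router version is installed is decided by the `package-lock.json` refresh, which this page does not render. Before merging, check that lockfile hunk for the `node_modules/@remix-run/router` entry at `1.23.3` and for any nested copy under another package's `node_modules`, since the test plan's `npm audit` result covers only the tree as currently locked. If the project wants to guarantee the floor for the transitive package as well, an `overrides` entry for `@remix-run/router` in this same `package.json` would do that explicitly rather than relying on `react-router-dom` continuing to require the patched version.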
