Merge pull request #2677 from cfpb/security-severe-and-high

Security updates for high and critical vulnerabilities.

## Changes
- updates jspdf to 4.0.0
- updates glob to 11.1.0 
- updates tar to at least 7.5.6
- bump ansi-html to 0.0.9
- updates qs to at least 6.14.1
  - qs is used by vite-plugin-node-polyfills (which has been updated)
  - but we'd need to move to the next major version of cypress to update its qs dependency. I made a ticket for it over in GHE #5410
 
## Testing

1. Does it look good on staging? Yes!
2. Are tests passing? Yep!

## Screenshot
#### On staging as `v3.3.11-rc2`
<img width="832" height="728" alt="Screenshot 2026-01-26 at 8 00 41 AM" src="https://github.com/user-attachments/assets/e63311f0-7189-4c8f-be41-547e85746ddc" />

Author: billhimmelsbach

package.json

@@ -47,7 +47,7 @@
     "highcharts": "10.3.3",
     "highcharts-react-official": "3.2.1",
     "html-to-image": "1.11.11",
-    "jspdf": "3.0.2",
+    "jspdf": "4.0.0",
     "jwt-decode": "^3.1.2",
     "keycloak-js": "25.0.6",
     "mapbox-gl": "1.13.3",
@@ -114,12 +114,12 @@
     "react-icons": "^4.4.0",
     "serialize-javascript": "5.0.1",
     "vite": "5.4.19",
-    "vite-plugin-node-polyfills": "0.22.0",
+    "vite-plugin-node-polyfills": "0.25.0",
     "vite-plugin-svgr": "^4.1.0",
     "vitest": "^3.2.4"
   },
   "resolutions": {
-    "ansi-html": "0.0.8",
+    "ansi-html": "0.0.9",
     "browserslist": ">=4.17.6",
     "ejs": "3.1.10",
     "glob-parent": "5.1.2",
@@ -138,11 +138,12 @@
     "canvg": "3.0.11",
     "elliptic": "6.6.1",
     "cross-spawn": ">=7.0.6",
-    "glob": ">=10.4.5",
+    "glob": ">=11.1.0",
     "form-data": ">=4.0.4",
     "sha.js": ">=2.4.12",
     "cipher-base": ">=1.0.5",
-    "cheerio": "1.0.0-rc.10"
+    "cheerio": "1.0.0-rc.10",
+    "qs": ">=6.14.0"
   },
   "packageManager": "yarn@4.1.0"
 }