fix: allow package.json/lock in dep security monitor PRs

The workflow's safe-outputs create-pull-request was blocked by
the compiler's default protected_files list which includes
package-lock.json. Add allowed-files for package.json and
package-lock.json, and set protected-files: fallback-to-issue
as a safety net for any other protected file modifications.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lpcox