Add PR dependency audit workflow and fix audited vulnerabilities#1808

Closed
Copilot wants to merge 5 commits into trunk from copilot/add-security-automation

Add PR dependency audit workflow and fix audited vulnerabilities#1808
Copilot wants to merge 5 commits into
trunkfrom
copilot/add-security-automation

Conversation

Copilot AI commented Jun 20, 2026

Contributor

This PR adds a pull-request dependency vulnerability gate for Stretchly and resolves the vulnerabilities it surfaced. The workflow is scoped to trunk, runs without secrets, and follows least-privilege permissions.

Changes

  • Dependency vulnerability check on PRs

    • Added .github/workflows/dependency-audit.yml
    • Trigger: pull_request targeting trunk
    • Job runs:
      • npm ci --ignore-scripts
      • npm audit --omit=dev --audit-level=high
    • Runs without secrets and with read-only repository permission (contents: read)
    • actions/setup-node is used without cache: npm to keep the job truly read-only (avoids needing the Actions cache API under contents: read)
  • Dependency updates (fix audit findings)

    • fast-uri 3.1.0 → 3.1.2 (transitive via electron-store → conf → ajv) — fixes a high-severity path-traversal / host-confusion advisory
    • dompurify 3.4.1 → 3.4.11 — fixes moderate-severity advisories
    • Lockfile-only changes; package.json ranges are unchanged
    • npm audit --omit=dev --audit-level=high now reports 0 vulnerabilities

Notes

  • No changes to existing build/test pipelines.
  • CodeQL scanning is intentionally not added here: the repository already has CodeQL default setup enabled, which scans JavaScript/TypeScript and Actions. An advanced CodeQL workflow would conflict with default setup, so it was omitted.

```yaml
# .github/workflows/dependency-audit.yml (core check)
- name: Install dependencies
  run: npm ci --ignore-scripts

- name: Check production dependencies for vulnerabilities
  run: npm audit --omit=dev --audit-level=high
```
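A complete workflow assembled from the properties the description lists, as an added illustration rather than the PR's own dependency-audit.yml; the action versions (actions/checkout@v4, actions/setup-node@v4) and the Node version are assumptions:

```yaml
# Illustrative PR dependency-audit gate (added example, not the PR's own file).
# Assumptions: actions/checkout@v4, actions/setup-node@v4 and Node 20.
name: Dependency audit

on:
  pull_request:
    branches: [trunk]            # only PRs targeting trunk, as the description says

# Least privilege: the job only reads the repository and uses no secrets.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the workflow token in .git/config

      - uses: actions/setup-node@v4
        with:
          node-version: 20             # assumed; no `cache: npm`, so the job stays read-only

      # --ignore-scripts keeps dependency lifecycle scripts from running in CI
      - name: Install dependencies
        run: npm ci --ignore-scripts

      # Fails the PR on high or critical findings in production dependencies only
      - name: Check production dependencies for vulnerabilities
        run: npm audit --omit=dev --audit-level=high
```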

Copilot AI changed the title from "[WIP] Add repository security automation for hovancik/stretchly" to "Add CodeQL and PR dependency audit workflows for trunk" Jun 20, 2026
Copilot AI requested a review from hovancik June 20, 2026 11:00
@hovancik hovancik marked this pull request as ready for review June 20, 2026 11:43
@hovancik hovancik requested a review from Copilot June 20, 2026 11:44

Copilot AI left a comment

Contributor

Pull request overview

This PR adds repository-level security automation to Stretchly by introducing (1) CodeQL code scanning for JavaScript and (2) an npm dependency vulnerability audit that runs on pull requests targeting trunk.

Changes:

  • Added a CodeQL workflow that runs on push/pull_request to trunk and on a weekly schedule.
  • Added a PR-only npm audit workflow that installs dependencies and fails on high+ severity production dependency vulnerabilities.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/dependency-audit.yml | Adds a pull-request npm install + npm audit gate for production deps targeting trunk. |
| .github/workflows/codeql.yml | Adds CodeQL scanning for JavaScript on trunk (push/PR) plus a weekly scheduled scan. |

Comment thread .github/workflows/dependency-audit.yml
@hovancik hovancik changed the title from "Add CodeQL and PR dependency audit workflows for trunk" to "Add PR dependency audit workflow and fix audited vulnerabilities" Jun 22, 2026
@hovancik hovancik closed this Jun 22, 2026
3 participants