security: patch all high/moderate CVEs in frontend and server dependencies

Frontend:
- vite 7.3.0 → 7.3.2 (CVE: server.fs.deny bypass, arbitrary file read via WebSocket, path traversal in .map handling)
- brace-expansion override ≥5.0.5 (CVE: zero-step sequence process hang)

Server:
- node-forge 1.3.3 → 1.4.0 override (CVE: DoS via BigInteger.modInverse, Ed25519/RSA-PKCS signature forgery, basicConstraints bypass)
- path-to-regexp 0.1.12 → 0.1.13 override (CVE: ReDoS via multiple route parameters)
- picomatch 4.0.3 → 4.0.4 override (CVE: ReDoS via extglob, method injection in POSIX character classes)
- brace-expansion override ≥5.0.5 (CVE: zero-step sequence process hang)

npm audit: 0 vulnerabilities on both frontend and server

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: paoloronco

LYNX/package-lock.json

@@ -82,14 +82,15 @@
     "tailwindcss": "^3.4.11",
     "typescript": "^5.5.3",
     "typescript-eslint": "^8.0.1",
-    "vite": "^7.3.0"
+    "vite": "^7.3.2"
   },
   "overrides": {
     "lodash": "^4.17.23",
     "minimatch": "^10.2.4",
     "ajv": "^8.18.0",
     "rollup": "^4.60.0",
     "flatted": "^3.4.2",
-    "picomatch": "^4.0.4"
+    "picomatch": "^4.0.4",
+    "brace-expansion": "^5.0.5"
   }
 }

LYNX/package.json

@@ -26,6 +26,10 @@
     "tar": "^7.5.12",
     "minimatch": "^10.2.4",
     "glob": "^11.0.0",
-    "cross-spawn": "^7.0.6"
+    "cross-spawn": "^7.0.6",
+    "node-forge": "^1.4.0",
+    "picomatch": "^4.0.4",
+    "brace-expansion": "^5.0.5",
+    "path-to-regexp": "0.1.13"
   }
 }