Replace deprecated akismet with @cedx/akismet #3585

Draft: Copilot wants to merge 2 commits into main from copilot/replace-akismet

Copilot AI commented May 15, 2026

akismet (v2.0.7) has been unmaintained for 4+ years and pulls in several vulnerable transitive deps: form-data (critical), request (SSRF), tough-cookie (prototype pollution), and qs (DoS). @cedx/akismet is the actively maintained replacement recommended by Akismet's official docs, and has zero dependencies (uses native fetch).

Changes

  • packages/server/package.json: swap akismet@^2.0.7 → @cedx/akismet@^17.1.0
  • packages/server/src/service/akismet.js: rewrite service using the new API — replaces callback-based code with async/await, uses Client/Blog/Author/Comment/CheckResult classes; loaded via dynamic import() to bridge ESM→CJS
  • pnpm-lock.yaml: updated accordingly

```js
// Before: callback-style with deprecated lib
const akismet = Akismet.client({ blog, apiKey: AKISMET_KEY });
akismet.verifyKey(function(err, verified) {
  akismet.checkComment({ user_ip, permalink, comment_author, comment_content }, cb);
});

// After: native async/await, no transitive deps
const { Author, Blog, CheckResult, Client, Comment } = await import('@cedx/akismet');
const client = new Client(AKISMET_KEY, new Blog({ url: blog }));
const isValid = await client.verifyKey();
const result = await client.checkComment(
  new Comment({ author: new Author({ ipAddress, name, email }), content, permalink }),
);
return result !== CheckResult.ham;
```
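
Added example, not part of the PR or of @cedx/akismet: one way to wrap the dynamic import() bridge described above so that the ESM module is loaded and the key verified once, and a rejected key or failed API call yields an explicit verdict. `createSpamChecker`, `load`, `onFailure`, the 'hold' verdict and `stubModule` are hypothetical names; the stub mimics only the class and method names shown in the description.

```javascript
// Added example, not the PR's code. `load` stands in for
// () => import('@cedx/akismet'); onFailure and its 'hold' verdict are assumptions.
function createSpamChecker({ load, apiKey, blog, onFailure = 'hold' }) {
  let ready; // cached promise: import the module and verify the key once

  function init() {
    if (!ready) {
      ready = (async () => {
        const mod = await load();
        const client = new mod.Client(apiKey, new mod.Blog({ url: blog }));
        if (!(await client.verifyKey())) throw new Error('Akismet key rejected');
        return { mod, client };
      })();
      // Do not keep a failed init cached, so a transient error can be retried.
      ready.catch(() => { ready = undefined; });
    }
    return ready;
  }

  // Resolves to 'ham', 'spam', or the configured onFailure verdict.
  return async function check({ ipAddress, name, email, content, permalink }) {
    try {
      const { mod, client } = await init();
      const author = new mod.Author({ ipAddress, name, email });
      const comment = new mod.Comment({ author, content, permalink });
      const result = await client.checkComment(comment);
      return result === mod.CheckResult.ham ? 'ham' : 'spam';
    } catch {
      return onFailure; // explicit policy, never an unhandled rejection
    }
  };
}

// Constructed stand-in for the ESM module so the example runs offline.
function stubModule({ keyValid = true, failCheck = false } = {}) {
  const CheckResult = { ham: 0, spam: 1 };
  class Box { constructor(fields) { Object.assign(this, fields); } }
  class Client {
    async verifyKey() { return keyValid; }
    async checkComment(comment) {
      if (failCheck) throw new Error('constructed network failure');
      return comment.content.includes('SAMPLE-SPAM') ? CheckResult.spam : CheckResult.ham;
    }
  }
  return { CheckResult, Client, Blog: Box, Author: Box, Comment: Box };
}
```

In a CommonJS service the real loader would be passed as `load: () => import('@cedx/akismet')`; whether `onFailure` should hold, accept or reject a comment is a moderation decision the wrapper only makes explicit.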

Copilot AI linked an issue May 15, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Replace deprecated Akismet implementation" to "Replace deprecated akismet with @cedx/akismet" May 15, 2026
Copilot AI requested a review from lizheming May 15, 2026 13:23