Commit 2f9c76a
fix(deps): override serialize-javascript to ^7.0.5 to resolve CVEs

Forces transitive devDep serialize-javascript (via mocha) to a
patched version. Closes Dependabot alerts:

- #28 (HIGH, GHSA-5c6j-r48x-rmvq): RCE via RegExp.flags and Date.prototype.toISOString
- #32 (MEDIUM, CVE-2026-34043): CPU DoS via crafted array-like objects

Dev-only change. The published tarball's source files
(index.js, index.d.ts, README.md, LICENSE) are byte-identical
to 0.6.4 -- verified via diff -r of pre/post npm pack output.
No version bump needed; consumers ignore overrides declared
in transitive dependencies.

Lockfile also picks up incidental minor/patch bumps of unrelated
devDeps (within existing semver ranges) from the full re-resolve,
and corrects a stale "version": "0.6.3" field that the 0.6.4
release commit didn't refresh.

Verified:
- All 39 tests pass on Node 18.x / 20.x / 22.x (locally via nvm)
- mocha --parallel passes (exercises serialize-javascript IPC path)
- npm audit reports 0 vulnerabilities (was 5)
- Published tarball file listing unchanged
- index.js, index.d.ts, README.md, LICENSE bit-for-bit identical
- Only package.json differs in the tarball, by exactly the overrides block addition
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent 8830189 commit 2f9c76a
2 files changed, 165 additions & 125 deletions
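The commit message verifies that the re-packed tarball differs from the previous one only by the added `overrides` block in package.json, using `diff -r` over two `npm pack` outputs. The script below is an added example by the editor, not code from the commit or the project: it performs that same check programmatically, so it can run in CI against two `.tgz` files. The two tarballs and their contents (a demo `index.js`, `index.d.ts`, `README.md`, `LICENSE`, and a package.json with and without the `overrides` block) are constructed in memory here so the example runs offline; the `overrides` key itself is npm's real mechanism for pinning transitive dependencies (npm 8.3+). It also checks for changes the commit's `diff -r` would also catch (a changed source file, or a package.json edit beyond the overrides block) and reports them as findings.

```python
"""Check that a re-packed npm tarball differs from the previous one only by
an added "overrides" block in package.json (example added by the editor;
not part of the commit or project)."""
import io
import json
import tarfile

# Constructed sample package contents (not the real project's files).
# npm pack places every file under a top-level "package/" directory.
SOURCE_FILES = {
    "package/index.js": b"module.exports = function () { return 42; };\n",
    "package/index.d.ts": b"export default function (): number;\n",
    "package/README.md": b"# demo\n",
    "package/LICENSE": b"MIT\n",
}
OLD_PKG = {"name": "demo", "version": "0.6.4",
           "devDependencies": {"mocha": "^10.0.0"}}
# The only intended change: an overrides block pinning the transitive dep.
EXPECTED_OVERRIDES = {"serialize-javascript": "^7.0.5"}
NEW_PKG = dict(OLD_PKG, overrides=EXPECTED_OVERRIDES)


def build_tarball(pkg_json, files=SOURCE_FILES):
    """Build an npm-pack-style .tgz in memory and return its bytes."""
    buf = io.BytesIO()
    entries = dict(files)
    entries["package/package.json"] = (
        json.dumps(pkg_json, indent=2).encode() + b"\n")
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(entries.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_members(blob):
    """Map member name -> bytes for every regular file in a .tgz blob."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def check_only_overrides_added(old_blob, new_blob, expected_overrides):
    """Return (ok, findings).

    ok is True only if the file listing is unchanged, every file other
    than package.json is byte-identical, and package.json differs solely
    by the addition of expected_overrides under the "overrides" key.
    """
    old, new = tarball_members(old_blob), tarball_members(new_blob)
    findings = []
    if set(old) != set(new):
        findings.append(
            f"file listing changed: {sorted(set(old) ^ set(new))}")
    for name in sorted(set(old) & set(new)):
        if name != "package/package.json" and old[name] != new[name]:
            findings.append(f"content differs: {name}")
    old_pkg = json.loads(old.get("package/package.json", b"{}"))
    new_pkg = json.loads(new.get("package/package.json", b"{}"))
    if "overrides" in old_pkg:
        findings.append("old package.json already had an overrides block")
    if new_pkg.get("overrides") != expected_overrides:
        findings.append(f"unexpected overrides: {new_pkg.get('overrides')}")
    stripped = {k: v for k, v in new_pkg.items() if k != "overrides"}
    if stripped != old_pkg:
        findings.append("package.json changed beyond the overrides block")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_only_overrides_added(
        build_tarball(OLD_PKG), build_tarball(NEW_PKG), EXPECTED_OVERRIDES)
    print("OK" if ok else "FAIL", findings)
```

Against real tarballs, replace the two `build_tarball(...)` calls with the bytes of the pre- and post-change `npm pack` outputs; a non-empty findings list is the signal to stop a release, since a dependency-only commit should never alter shipped source.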