security: resolve npm Dependabot alerts, add npm ecosystem to Dependabot #399

Merged
mmcky merged 1 commit into main from security/npm-audit-fixes on Jun 9, 2026
Conversation

@mmcky mmcky commented Jun 9, 2026
Contributor
Summary

Resolves all 4 open Dependabot security alerts plus one additional npm audit finding. All affected packages are transitive devDependencies under webpack-dev-server (local dev / CI build only) — nothing in the shipped theme assets or Python package changes.

Lockfile updates (npm audit fix, all semver-compatible)

| Alert | Package | Change | Advisory |
|---|---|---|---|
| #77 (critical) | shell-quote | 1.8.1 → 1.8.4 | GHSA-w7jw-789q-3m8p |
| #76 | qs | 6.14.2 → 6.15.2 | GHSA-q8mj-m7cp-5q26 |
| #73 | webpack-dev-server | 5.2.2 → 5.2.4 | GHSA-79cf-xcqc-c78w |
| — (npm audit) | ws | 8.18.0 → 8.21.0 | GHSA-58qx-3vcg-4xpx |

Alert #75 (uuid) — dismissed, not patched

sockjs pins uuid@^8 so no compatible patched version exists, and the vulnerable code is unused: the advisory (GHSA-w5hq-g745-h8pq) affects v3/v5/v6 with a caller-provided `buf`, while sockjs only calls `uuid.v4()` with no arguments. Dismissed on the alert with reason "vulnerable code is not actually used".

Dependabot config

Added an npm package-ecosystem entry to dependabot.yml (monthly, grouped into a single PR) — previously only github-actions was covered, which is why these alerts never got automatic fix PRs.

Verification

  • npm run build succeeds; webpack emits identical assets ("compared for emit")
  • npm audit reports 0 vulnerabilities outside the dismissed uuid/sockjs chain

🤖 Generated with Claude Code
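The uuid dismissal above rests on two checks a reviewer would want to repeat from the lockfile rather than from the alert text: which package pulls the flagged dependency in and with what range, and whether a patched release is even reachable from that range (if it is, `npm audit fix` can apply it; if not, the dependent must be bumped, overridden, or the alert dismissed). The script below is an added example, not code from PR #399 or the theme repository. It walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`; the fragment embedded in it is constructed: the ws and shell-quote versions follow the table above, the webpack-dev-server dependency edges and the sockjs → uuid range are assumptions, and the `9.0.0` passed for uuid is a hypothetical next-major release because the page does not state the advisory's patched version. It does not check call sites (the `uuid.v4()` argument, which the PR author established by reading sockjs); that part stays a manual review.

```javascript
'use strict';
// Added example (not code from PR #399 or the theme repository): answer two
// questions about an npm audit alert on a transitive dependency by reading the
// lockfile instead of trusting the alert text:
//   1. who depends on the flagged package, and with what range?
//   2. is the installed version >= the advisory's patched version, and if not,
//      can every dependent's range reach the patched version (so that
//      `npm audit fix` could apply it), or is a dependent update, an override
//      or a dismissal required?
// Works on the "packages" map of lockfileVersion 2 and 3 files.

// Constructed lockfile fragment. ws/shell-quote versions follow the PR table;
// the dependency edges and the sockjs -> uuid range are assumptions.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-theme', devDependencies: { 'webpack-dev-server': '^5.2.2' } },
    'node_modules/webpack-dev-server': {
      version: '5.2.2',
      dev: true,
      dependencies: { sockjs: '^0.3.24', ws: '^8.18.0', 'shell-quote': '^1.8.1' },
    },
    'node_modules/sockjs': { version: '0.3.24', dev: true, dependencies: { uuid: '^8.3.2' } },
    'node_modules/uuid': { version: '8.3.2', dev: true },
    'node_modules/ws': { version: '8.18.0', dev: true },
    'node_modules/shell-quote': { version: '1.8.4', dev: true },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/b" -> "b"; the root entry has the empty path.
function packageName(path) {
  if (path === '') return '(root)';
  const i = path.lastIndexOf('node_modules/');
  return path.slice(i + 'node_modules/'.length);
}

// Every lockfile entry that declares `name` as a dependency, with its range.
function findDependents(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    for (const field of ['dependencies', 'optionalDependencies', 'devDependencies', 'peerDependencies']) {
      const range = entry[field] && entry[field][name];
      if (range) out.push({ dependent: packageName(path), range, dev: Boolean(entry.dev) });
    }
  }
  return out;
}

// Can a caret/tilde/exact range ever select `version`? Returns null for range
// syntax this helper does not model (||, >=, *, tags), which must be read by hand.
function rangeCanReach(range, version) {
  const m = /^([\^~]?)(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(range.trim());
  if (!m) return null;
  const op = m[1];
  const base = [Number(m[2]), Number(m[3] || 0), Number(m[4] || 0)];
  const v = parseVersion(version);
  if (compareVersions(version, base.join('.')) < 0) return false; // below the floor
  if (op === '^') {
    if (base[0] > 0) return v[0] === base[0];                 // ^8.3.2 -> any 8.x.y >= 8.3.2
    if (base[1] > 0) return v[0] === 0 && v[1] === base[1];   // ^0.3.24 -> 0.3.y only
    return compareVersions(version, base.join('.')) === 0;    // ^0.0.x -> that patch only
  }
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  return compareVersions(version, base.join('.')) === 0;      // exact pin
}

function assessAlert(lock, pkg, patchedVersion) {
  const entry = lock.packages[`node_modules/${pkg}`];
  if (!entry) return { pkg, status: 'not-installed' };
  const dependents = findDependents(lock, pkg);
  const result = { pkg, installed: entry.version, patchedVersion, dependents };
  if (compareVersions(entry.version, patchedVersion) >= 0) return { ...result, status: 'patched' };
  const reach = dependents.map((d) => ({ ...d, reachable: rangeCanReach(d.range, patchedVersion) }));
  if (reach.some((d) => d.reachable === null)) {
    return { ...result, status: 'unknown-range', inspect: reach.filter((d) => d.reachable === null) };
  }
  const blocked = reach.filter((d) => d.reachable === false);
  if (blocked.length === 0) return { ...result, status: 'fix-within-range' };
  return { ...result, status: 'blocked', blockedBy: blocked.map((d) => `${d.dependent}@${d.range}`) };
}

if (typeof require !== 'undefined' && require.main === module) {
  // 9.0.0 for uuid is hypothetical: the page does not give the advisory's
  // patched version; any release outside ^8 yields the same "blocked" result.
  for (const [pkg, fixed] of [['shell-quote', '1.8.4'], ['ws', '8.21.0'], ['uuid', '9.0.0']]) {
    console.log(JSON.stringify(assessAlert(LOCK, pkg, fixed)));
  }
}
```

On a real repository, replace `LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and take the patched version from the advisory's "patched versions" field. A `blocked` result with a single `dev: true` dependent is exactly the situation the PR describes for uuid: the fix cannot land through `npm audit fix`, so the remaining options are an `overrides` entry, waiting for the dependent to bump its range, or a documented dismissal after confirming the vulnerable code path is not called.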

…ndabot config

npm audit fix (all semver-compatible, devDependencies only):
- webpack-dev-server 5.2.2 -> 5.2.4 (GHSA-79cf-xcqc-c78w)
- shell-quote 1.8.1 -> 1.8.4 (GHSA-w7jw-789q-3m8p, critical)
- qs 6.14.2 -> 6.15.2 (GHSA-q8mj-m7cp-5q26)
- ws 8.18.0 -> 8.21.0 (GHSA-58qx-3vcg-4xpx)

The uuid alert (GHSA-w5hq-g745-h8pq) is dismissed rather than patched:
sockjs pins uuid@^8 and only calls uuid.v4(); the advisory affects
v3/v5/v6 with a caller-provided buf, so the vulnerable code is unused.

Also adds an npm package-ecosystem entry to dependabot.yml (monthly,
grouped) so future npm advisories get automatic fix PRs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
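As an added example (not the repository's actual `.github/dependabot.yml`, which the page does not show), this is the shape of a config covering both ecosystems the PR description names: the pre-existing `github-actions` entry and the new `npm` entry, monthly, with npm updates grouped into one PR. The `directory`, the group names and the separate security-updates group are assumptions.

```yaml
# Added example, not the PR's real dependabot.yml. Directory and group names are assumed.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"

  - package-ecosystem: "npm"
    directory: "/"                 # where package.json and package-lock.json live
    schedule:
      interval: "monthly"
    groups:
      npm-dependencies:            # one grouped PR per run instead of one PR per package
        applies-to: version-updates
        patterns:
          - "*"
      npm-security:                # likewise for alert-driven security update PRs
        applies-to: security-updates
        patterns:
          - "*"
```

One caveat worth keeping in mind when reading the "Dependabot config" paragraph: `dependabot.yml` drives Dependabot version updates, while the alert-driven security update PRs are switched on separately under the repository's Code security settings. The `applies-to: security-updates` group only controls how those security PRs are batched once they are enabled; it does not enable them by itself.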
Copilot AI review requested due to automatic review settings June 9, 2026 23:00
@github-actions github-actions Bot commented Jun 9, 2026

@github-actions github-actions Bot temporarily deployed to pull request June 9, 2026 23:01 Inactive

Copilot AI left a comment


Pull request overview

This PR addresses Dependabot/npm audit security findings by updating transitive npm devDependency packages (primarily under webpack-dev-server) and adds Dependabot coverage for the npm ecosystem so future npm updates are automated.

Changes:

  • Updated package-lock.json to pick up patched transitive dependency versions (e.g., webpack-dev-server, shell-quote, qs, ws).
  • Documented the dependency/security maintenance work in the changelog under Unreleased → CI.
  • Expanded .github/dependabot.yml to include monthly npm version updates, grouped into a single PR.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| package-lock.json | Lockfile-only updates to pull in patched transitive npm dev/build-time dependencies. |
| CHANGELOG.md | Notes the Dependabot/npm audit remediation and new npm Dependabot coverage under Unreleased → CI. |
| .github/dependabot.yml | Adds npm ecosystem updates (monthly) with grouping to reduce PR noise. |

@codecov codecov Bot commented Jun 9, 2026
Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@875b967). Learn more about missing BASE report.

Additional details and impacted files

```
@@           Coverage Diff           @@
##             main     #399   +/-   ##
=======================================
  Coverage        ?   47.75%
=======================================
  Files           ?        2
  Lines           ?      423
  Branches        ?        0
=======================================
  Hits            ?      202
  Misses          ?      221
  Partials        ?        0
```

| Flag | Coverage Δ |
|---|---|
| pytests | 47.75% <ø> (?) |


@github-actions github-actions Bot commented Jun 9, 2026

🎭 Visual Regression Test Results

passed  103 passed
skipped  3 skipped

Details

stats  106 tests across 1 suite
duration  3 minutes, 38 seconds
commit  f43fa58

Skipped tests

desktop-chrome › theme.spec.ts › Visual Regression Tests › prob-matrix - full page screenshot
mobile-chrome › theme.spec.ts › Visual Regression Tests › prob-matrix - full page screenshot
mobile-chrome › theme.spec.ts › Theme Features › f-string interpolation styling

@mmcky mmcky merged commit c6d21f7 into main Jun 9, 2026
13 checks passed
@mmcky mmcky deleted the security/npm-audit-fixes branch June 9, 2026 23:07