
Commit 5fc601b

WilliamBerryiii and Bill Berry authored
fix(build): resolve npm audit vulnerabilities via dependency overrides (#1200)
## Description

Resolve npm audit vulnerabilities by adding dependency overrides for four transitive dependencies with known security issues:

- **picomatch@^2** → 2.3.2 — fixes ReDoS and method injection vulnerabilities
- **picomatch@^4** → 4.0.4 — fixes ReDoS and method injection vulnerabilities
- **smol-toml** → 1.6.1 — fixes DoS via commented lines
- **yaml** → 2.8.3 — fixes stack overflow via nested collections

Uses npm overrides instead of upgrading direct dependencies to avoid breaking changes with markdownlint-cli2 and other consumers.

Also adds `smol` to the `.cspell.json` dictionary to accommodate the `smol-toml` package name.

## Related Issue(s)

Fixes #1199

## Type of Change

Select all that apply:

**Code & Documentation:**

* [ ] Bug fix (non-breaking change fixing an issue)
* [ ] New feature (non-breaking change adding functionality)
* [ ] Breaking change (fix or feature causing existing functionality to change)
* [ ] Documentation update

**Infrastructure & Configuration:**

* [ ] GitHub Actions workflow
* [ ] Linting configuration (markdown, PowerShell, etc.)
* [ ] Security configuration
* [ ] DevContainer configuration
* [x] Dependency update

**AI Artifacts:**

* [ ] Reviewed contribution with `prompt-builder` agent and addressed all feedback
* [ ] Copilot instructions (`.github/instructions/*.instructions.md`)
* [ ] Copilot prompt (`.github/prompts/*.prompt.md`)
* [ ] Copilot agent (`.github/agents/*.agent.md`)
* [ ] Copilot skill (`.github/skills/*/SKILL.md`)

**Other:**

* [ ] Script/automation (`.ps1`, `.sh`, `.py`)
* [ ] Other (please describe):

## Testing

- Ran `npm audit` after applying overrides — returns 0 vulnerabilities
- Ran `npm install` to verify lock file resolves correctly with overrides
- Confirmed no breaking changes to existing tooling

## Checklist

### Required Checks

* [x] Documentation is updated (if applicable)
* [x] Files follow existing naming conventions
* [x] Changes are backwards compatible (if applicable)
* [ ] Tests added for new functionality (if applicable)

### Required Automated Checks

The following validation commands must pass before merging:

* [x] Markdown linting: `npm run lint:md`
* [x] Spell checking: `npm run spell-check`
* [x] Frontmatter validation: `npm run lint:frontmatter`
* [x] Skill structure validation: `npm run validate:skills`
* [x] Link validation: `npm run lint:md-links`
* [x] PowerShell analysis: `npm run lint:ps`
* [x] Plugin freshness: `npm run plugin:generate`

## Security Considerations

* [x] This PR does not contain any sensitive or NDA information
* [x] Any new dependencies have been reviewed for security issues
* [x] Security-related scripts follow the principle of least privilege

## Additional Notes

All four overrides target dev dependencies only. The overrides pattern is consistent with existing entries for `markdown-it`, `undici`, and `yauzl` already present in `package.json`.

---------

Co-authored-by: Bill Berry <wbery@microsoft.com>
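As an added check (not part of this commit or the repository's own tooling), a small Node script that confirms the override versions named above are what `package-lock.json` actually resolves to, including nested copies such as a second `picomatch` under another package; the sample lock and the function names are constructed for this example.

```javascript
// Added example (not part of commit 5fc601b): check that the versions pinned by
// npm "overrides" actually landed in package-lock.json (lockfileVersion 2 or 3).
// Override keys and versions are those named in the commit message.
const OVERRIDES = {
  "picomatch@^2": "2.3.2",
  "picomatch@^4": "4.0.4",
  "smol-toml": "1.6.1",
  "yaml": "2.8.3",
};

// Split an override key such as "picomatch@^2" into { name, major }.
// A key without a range (e.g. "yaml") applies to every installed copy.
function parseOverrideKey(key) {
  const at = key.lastIndexOf("@");
  if (at <= 0) return { name: key, major: null }; // no range; also "@scope/pkg"
  const m = /^[\^~]?(\d+)/.exec(key.slice(at + 1)); // e.g. "^2" -> 2
  return { name: key.slice(0, at), major: m ? Number(m[1]) : null };
}

// Return every installed copy of an overridden package that is not at the
// expected version, or whose major version no override rule covers.
function findOverrideMismatches(lock, overrides = OVERRIDES) {
  const rules = Object.entries(overrides).map(([k, v]) => ({ ...parseOverrideKey(k), expected: v }));
  const problems = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // "" is the root project
    const name = path.split("node_modules/").pop(); // nested and @scoped paths
    const major = Number(entry.version.split(".")[0]);
    const rule = rules.filter((r) => r.name === name)
      .find((r) => r.major === null || r.major === major);
    if (rule === undefined && !rules.some((r) => r.name === name)) continue;
    if (rule === undefined) problems.push({ path, version: entry.version, reason: "no override covers this major" });
    else if (rule.expected !== entry.version) problems.push({ path, version: entry.version, reason: `expected ${rule.expected}` });
  }
  return problems;
}

// Constructed sample lock: one nested picomatch is still at an older 2.x version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/picomatch": { version: "4.0.4" },
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.1" },
    "node_modules/smol-toml": { version: "1.6.1" },
    "node_modules/yaml": { version: "2.8.3" },
  },
};
console.log(findOverrideMismatches(SAMPLE_LOCK)); // one mismatch: the nested picomatch
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means every copy of the four packages resolved to the overridden version.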
1 parent: 51c3781 · commit: 5fc601b

File tree: 5 files changed, +24 / -278 lines changed


.cspell.json

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -69,6 +69,7 @@
6969
"easyops",
7070
"hideable",
7171
"learning",
72+
"smol",
7273
"ˈpræksɪs",
7374
"πρᾶξις",
7475
"agentic"
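Review bot: adding the bare word `smol` to the `.cspell.json` word list allowlists it in any prose, which is broader than the stated purpose of accepting the `smol-toml` package name; an `ignoreRegExpList` entry matching `smol-toml` would scope the exception to the package name itself, or at least confirm that the package name is the only place the token appears.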
