Commit 7b4e1d1
ci: fix trivy scan vulnerabilities via npm overrides
Update overrides for transitive dependencies flagged by Trivy:
- axios: ^1.8.2 -> ^1.13.5 (CVE-2026-25639)
- tar: ^6.2.1 -> ^7.5.11 (6 CVEs)
- basic-ftp: ^5.2.0 (CVE-2026-27699, CRITICAL)
- flatted: ^3.4.0 (CVE-2026-32141)
- serialize-javascript: ^7.0.3 (GHSA-5c6j-r48x-rmvq)
- @isaacs/brace-expansion: ^5.0.1 (CVE-2026-25547)
- underscore: ^1.13.8 (CVE-2026-27601)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 7d267ba commit 7b4e1d1
2 files changed
Lines changed: 633 additions & 733 deletions