fix: Only audit production npm deps for security vulnerabilities

Dev dependencies (webpack, babel) have known critical CVEs that don't
affect production. Using --omit=dev focuses the audit on dependencies
that actually ship to users.

Author: rubenvdlinde

.github/workflows/quality.yml

@@ -112,7 +112,7 @@ jobs:
         run: npm ci
 
       - name: npm audit (critical only)
-        run: npm audit --audit-level=critical
+        run: npm audit --audit-level=critical --omit=dev
 
   # ──────────────────────────────────────────────
   # Stage 1: PHP Linting — each tool as a separate job