fix(deps): npm audit fix — patch lodash, path-to-regexp, socket.io-parser (#69)

* fix(deps): resolve npm audit vulnerabilities

Run npm audit fix to address lodash code injection/prototype pollution,
path-to-regexp ReDoS, and socket.io-parser unbounded attachments.
Remaining pm2 ReDoS has no fix available upstream.

* fix(deps): rerun npm audit fix and clarify checklist note

- Re-ran npm audit fix on top of the merged main; lockfile now reflects
  the latest auto-fix state (still 3 vulnerabilities: vite via
  dependabot #75, pm2 ReDoS no upstream fix, request SSRF requires
  breaking fs-js-lite upgrade).
- PLAN.md: rewrite the resolved checklist note to make the partial-fix
  state unambiguous — explicitly call out which vulnerabilities are
  fixed and which are risk-accepted, addressing the Copilot review
  comment about the inconsistent 'fixed but unfixed' wording.

Author: atomantic

PLAN.md

@@ -408,7 +408,7 @@ Summary: 105 findings across 60+ files. 1 shared utility to extract (SSE Manager
 
 ### Security & Secrets
 - [x] ~~[CRITICAL] server/src/index.ts — Server binds to 0.0.0.0. Fix: bind to localhost, configurable via env.~~ (Fixed: defaults to localhost)
-- [x] ~~[CRITICAL] `package.json` — npm audit: form-data, react-router, qs, pm2 vulnerabilities. Fix: npm audit fix.~~ (Fixed: picomatch 2.3.1→2.3.2/4.0.3→4.0.4, socket.io-parser 4.2.5→4.2.6. Remaining: pm2 ReDoS has no fix available; request SSRF requires breaking change to fs-js-lite)
+- [x] ~~[CRITICAL] `package.json` — npm audit: form-data, react-router, qs, pm2 vulnerabilities. Fix: npm audit fix.~~ (Fixed via successive `npm audit fix` runs: lodash, path-to-regexp, picomatch 2.3.1→2.3.2/4.0.3→4.0.4, socket.io-parser 4.2.5→4.2.6. Risk-accepted (no upstream fix yet): pm2 ReDoS, request SSRF via fs-js-lite — both require breaking-change upgrades)
 - [x] ~~[HIGH] server/src/routes/genealogy-provider.routes.ts — Predictable ID via Date.now(). Fix: use ULID/UUID.~~ (Fixed: crypto.randomUUID())
 - [x] ~~[HIGH] server/src/middleware/errorHandler.ts — Stack traces leaked to logs. Fix: sanitize in production.~~ (Fixed: gated by NODE_ENV)
 - [x] ~~[HIGH] server/src/routes/browser.routes.ts — FS auth token returned in JSON.~~ (Documented: acceptable for local-only tool with short-lived tokens)