
Commit 64f98f1

fix(deps): address Semgrep supply chain security findings (#3927)
## Summary

Addresses Semgrep supply chain findings in keep-core across Go modules and JavaScript lock files.

## Go modules

The go-ethereum upgrade (CVE-2026-22862, CVE-2026-22868, CVE-2026-26314) was attempted but reverted -- the new version requires CGO support not available in the Alpine-based CI environment. This will be addressed in a separate PR.

**Known limitations (require separate PRs):**

- **go-ethereum CVE-2026-22862, CVE-2026-22868, CVE-2026-26314**: Upgrade to v1.17.2 reverted due to CGO/Alpine blocker. Separate PR needed with Dockerfile changes.
- **btcd CVE-2024-38365**: Upgrading btcd to v0.24.0+ requires removing the `replace` workaround that redirects `btcd` and `btcd/v2` to compatible versions for transitive deps using the old btcec API. The existing `replace => v0.22.3` predates the v0.23 rewrite where this bug was introduced.
- **tss-lib GHSA-h24c-6p6p-m3vx**: Already mitigated -- `replace` directive uses `github.com/threshold-network/tss-lib` fork instead of the vulnerable `bnb-chain/tss-lib`.

## JavaScript

| Package | Fix | CVEs/MALs |
|---|---|---|
| `scrypt-shim@0.1.0` (ecdsa, random-beacon) | Direct yarn.lock pin to npm security placeholder `0.0.1-security` | MAL-2022-5972 |
| `get-func-name@2.0.0` (ecdsa, random-beacon) | Direct yarn.lock pin to `2.0.2` (yarn projects -- `overrides` field is npm-only and ignored by yarn) | CVE-2023-43646 |
| `get-func-name@2.0.0` (solidity-v1, token-stakedrop, dashboard) | npm `overrides` `>=2.0.2` | CVE-2023-43646 |
| `http-cache-semantics@4.0.x` | npm `overrides` `>=4.1.1` in dashboard, solidity-v1, token-stakedrop | CVE-2022-25881 |
| `axios@0.21.2` (dashboard) | Direct upgrade to `^1.8.2` | CVE-2026-25639 |
| `terser@4.6.3` (dashboard) | npm `overrides` `>=4.8.1` | CVE-2022-25858 |
| `decompress@4.2.0` (dashboard) | npm `overrides` `>=4.2.1` | CVE-2020-12265 |
| `bsock@0.1.9` (token-stakedrop) | `overrides` `>=0.1.10` for non-bundled path; **bundled copy inside bcoin fork cannot be overridden** | CVE-2023-50475 |

## Test plan

- [ ] Go build passes (`go build ./...`)
- [ ] CI passes
- [ ] Semgrep scan shows reduced findings
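A check for the npm `overrides` mechanism the table above relies on, added here as an example (it is not code from keep-core or from this commit): it walks a lockfileVersion 2/3 `package-lock.json`, reports every resolved copy of an overridden package that still falls outside the override range, and marks `inBundle` copies, which is the reason the bsock shipped inside the bcoin fork cannot be overridden. The semver subset, the status labels and the sample lock data are assumptions of the example.

```javascript
// Added example, not keep-core code: check that a package-lock.json honours the package.json
// "overrides" block and flag bundled copies (inBundle) that npm cannot rewrite.
// Only the "^x.y.z" and ">=x.y.z" range forms used in this commit are supported.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver subset: ">=x.y.z", and caret "^x.y.z" (left-most non-zero component is fixed).
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('>=')) return compare(v, parseVersion(range.slice(2))) >= 0;
  if (range.startsWith('^')) {
    const lo = parseVersion(range.slice(1));
    const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
    return compare(v, lo) >= 0 && compare(v, hi) < 0;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Lock entry paths look like "node_modules/a/node_modules/@scope/b"; the name is the last segment.
function nameFromPath(p) {
  return p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// One finding per lock entry (lockfileVersion 2/3 "packages" map) whose name has an override.
function auditOverrides(lock, overrides) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // root project entry
    const name = nameFromPath(path);
    if (!(name in overrides)) continue;
    const ok = satisfies(entry.version, overrides[name]);
    // inBundle entries ship inside the parent tarball, so an override never rewrites them.
    const status = entry.inBundle ? (ok ? 'ok (bundled)' : 'bundled, cannot override') : ok ? 'ok' : 'violates';
    findings.push({ path, name, version: entry.version, range: overrides[name], status });
  }
  return findings;
}

// Constructed sample modelled on this commit's dashboard overrides (not the real lock file).
const SAMPLE_OVERRIDES = { 'http-cache-semantics': '^4.1.1', 'get-func-name': '^2.0.2', terser: '^4.8.1', bsock: '>=0.1.10' };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'dashboard' },
  'node_modules/http-cache-semantics': { version: '4.1.1' },
  'node_modules/chai/node_modules/get-func-name': { version: '2.0.0' },
  'node_modules/bcoin/node_modules/bsock': { version: '0.1.9', inBundle: true },
} };
for (const f of auditOverrides(SAMPLE_LOCK, SAMPLE_OVERRIDES)) console.log(f.status.padEnd(24), f.path, f.version, f.range);
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and `SAMPLE_OVERRIDES` with the `overrides` object from `package.json`; any `violates` line means `npm install` was not re-run after the override was added, or the override never applied.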
2 parents 66b187e + c6c72fb commit 64f98f1

12 files changed

Lines changed: 54758 additions & 62116 deletions


.gitmodules

Lines changed: 1 addition & 1 deletion
@@ -1,3 +1,3 @@
11
[submodule "token-stakedrop/merkle-distributor"]
22
path = token-stakedrop/merkle-distributor
3-
url = https://github.com/keep-network/merkle-distributor.git
3+
url = https://github.com/threshold-network/merkle-distributor.git
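Review bot: the submodule URL switch from `keep-network/merkle-distributor` to `threshold-network/merkle-distributor` is not mentioned anywhere in the commit message, which only describes Go module and JavaScript dependency fixes; add a sentence to the summary saying why the fork is now the source and confirming that the pinned submodule commit exists on the new remote, and note that existing clones need `git submodule sync` before `git submodule update` will fetch from the new URL.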

solidity-v1/dashboard/package-lock.json

Lines changed: 27164 additions & 34581 deletions

solidity-v1/dashboard/package.json

Lines changed: 8 additions & 2 deletions
@@ -17,7 +17,7 @@
1717
"@walletconnect/keyvaluestorage": "1.0.2",
1818
"@walletconnect/modal": "2.5.9",
1919
"@walletconnect/web3-subprovider": "^1.3.6",
20-
"axios": "^0.21.2",
20+
"axios": "^1.8.2",
2121
"bignumber.js": "9.0.0",
2222
"copy-to-clipboard": "^3.3.1",
2323
"ethereumjs-common": "^1.5.0",
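Review bot: `axios` moves from `^0.21.2` to `^1.8.2`, a major-version jump for a runtime dependency of the dashboard, yet the test plan only covers the Go build, CI and the Semgrep scan; add a dashboard build and a smoke test of the request paths that use axios, or state in the summary that the call sites were reviewed for 1.x behaviour changes.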
@@ -76,5 +76,11 @@
7676
"not dead",
7777
"not ie <= 11",
7878
"not op_mini all"
79-
]
79+
],
80+
"overrides": {
81+
"http-cache-semantics": "^4.1.1",
82+
"get-func-name": "^2.0.2",
83+
"terser": "^4.8.1",
84+
"decompress": "^4.2.1"
85+
}
8086
}
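Review bot: the ranges in this hunk are caret ranges (`"http-cache-semantics": "^4.1.1"`, `"get-func-name": "^2.0.2"`, `"terser": "^4.8.1"`) while the commit message describes them as `>=4.1.1`, `>=2.0.2` and `>=4.8.1`; either align the message with the diff or switch to `>=` if a future major of these packages is meant to be accepted. Also, `overrides` is honoured only by npm 8.3 or newer and is silently ignored by older npm, so the npm version used in CI should be confirmed as part of the test plan, otherwise the lock file will keep resolving the old versions.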
