fix(webapp): upgrade posthog-node to v5, drop axios + stale override (#3801)

Follow-up to #3796, which bumped the slack-client axios paths but left
posthog-node's transitive `axios@1.15.1` in place.

`posthog-node` 4.17.1 → 5.35.6. v5 drops the axios dependency entirely
(it's now fetch-based via `@posthog/core`), so posthog's old axios path
disappears. With #3796 already on main (webapp + d3 references on
`@slack/web-api@7.16.0`), nothing else pins the old line, so the
now-dead `axios@>=1.0.0 <1.15.0` override is removed and axios resolves
to a single patched `1.16.1` repo-wide. This closes the remaining axios
advisories.

Compat: the webapp's usage in `telemetry.server.ts` (`new PostHog(key, {
host })`, `.identify`, `.groupIdentify`, `.capture`) is all object-form
API that v5 preserves; `pnpm run typecheck --filter webapp` passes.

Node: posthog-node v5 requires Node `^20.20.0 || >=22.22.0`. We run
20.20.0 in dev (`.nvmrc`), CI, and the published Docker image
(`node:20.20-bullseye-slim`), so we're compliant.

Author: nicktrn

.server-changes/bump-posthog-node-v5.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Upgrade posthog-node to v5 (drops its axios dependency) and remove the now-stale axios override so axios resolves to patched 1.16.1

apps/webapp/package.json

@@ -183,7 +183,7 @@
     "p-retry": "^4.6.1",
     "parse-duration": "^2.1.0",
     "posthog-js": "^1.93.3",
-    "posthog-node": "4.17.1",
+    "posthog-node": "5.35.6",
     "prism-react-renderer": "^2.3.1",
     "prismjs": "^1.30.0",
     "prom-client": "^15.1.0",

package.json

@@ -96,7 +96,6 @@
       "form-data@^2": "2.5.4",
       "form-data@^3": "3.0.4",
       "form-data@^4": "4.0.4",
-      "axios@>=1.0.0 <1.15.0": "^1.15.0",
       "js-yaml@>=3.0.0 <3.14.2": "3.14.2",
       "js-yaml@>=4.0.0 <4.1.1": "4.1.1",
       "jws@<3.2.3": "3.2.3",