Batch safe dependency updates

[mattwoberts]

Summary

• Batches all safe minor/patch npm dependency updates into a single PR, replacing 10 failing dependabot PRs
• All dependabot npm PRs were failing CI because dependabot incorrectly pruned optional peer deps from package-lock.json, causing npm ci to fail with "Missing: typescript@5.9.3 from lock file"
• Updates: dompurify (security), webpack, @babel/cli, @babel/core, @testing-library/react, @google-cloud/translate
• Fixes markdown test expectations for DOMPurify 3.3.2's changed HTML attribute ordering

Included updates (safe minor/patch)

Package	From	To
dompurify	^3.2.4	^3.3.2
webpack	5.94.0	5.105.4
@babel/cli	^7.26.4	^7.28.3
@babel/core	^7.26.0	^7.28.5
@testing-library/react	^16.0.1	^16.3.1
@google-cloud/translate	^9.1.0	^9.3.0

Excluded (risky — handle separately)

• @types/dompurify 2→3 (major version)
• @lingui/* 5.1→5.7 (large minor jump)
• tiptap-markdown 0.8→0.9 (pre-1.0 minor)
• @babel/preset-env/react/typescript (pinned, huge jump)
• @playwright/test 1.48→1.57 (large jump)

Replaces dependabot PRs

#1475, #1472, #1471, #1470, #1469, #1466, #1457, #1443, #1442, #1428

Test plan

• npm ci succeeds (simulates CI Docker build)
• make lint-ui passes (0 errors, 2 pre-existing warnings)
• make test-ui passes (117/117 tests)
• GitHub CI passes (test-ui, test-server, build, e2e)