Commit 938cf77

chore: resolve all npm dependency vulnerabilities (#149)
* chore: resolve all npm dependency vulnerabilities

Add npm overrides to force safe versions of vulnerable transitive dependencies pinned by react-scripts 5.0.1 (CRA) and jest-expo:

- sd-ui: overrides for minimatch, svgo, serialize-javascript, rollup, underscore, nth-check, postcss, webpack-dev-server, @tootallnate/once
- about: same overrides as sd-ui
- sd-mobile: override for @tootallnate/once

All three projects now report 0 vulnerabilities via npm audit. sd-mobile tests verified passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: use bounded tilde ranges for npm overrides

Replace unbounded >=X.Y.Z override ranges with ~X.Y.Z to prevent resolving to incompatible future major versions. Pin serialize-javascript to ~7.0.3 (the actual fix version; <=7.0.2 are all vulnerable). All three projects remain at 0 npm audit vulnerabilities.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove webpack-dev-server override incompatible with CRA 5

Remove the webpack-dev-server ~5.2.1 override from sd-ui and about. react-scripts 5.0.1 declares ^4.6.0 and v5 has breaking API changes that would break the dev server. The v4 line has no patched release, so the 2 remaining moderate-severity advisories (GHSA-9jgg-88mc-972h, GHSA-4v9v-hfq4-rm2v) are dev-server-only and unfixable without migrating off CRA.

Resolves @CodeRabbit feedback on webpack-dev-server version compatibility.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent a3e6e99 commit 938cf77
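The second commit in the message above replaces `>=X.Y.Z` overrides with `~X.Y.Z`. The example below is added here and is not code from the repository in this commit; it shows why that matters by evaluating both range styles against candidate versions, and adds a small lint over a package.json `overrides` block that flags any override left open-ended. The range evaluation is a minimal re-implementation of three npm range forms (`>=`, `~`, `^`), not the `semver` library, and the sample `overrides` object is constructed: only the `serialize-javascript` line mirrors the commit message, the other package names and versions are placeholders.

```javascript
// Added example, not the repository's own code. Demonstrates the difference
// between an unbounded ">=X.Y.Z" override and a bounded "~X.Y.Z" override,
// and lints a package.json "overrides" block for open-ended ranges.
// Range semantics are re-implemented for ">=", "~" and "^" only (assumption:
// plain x.y.z versions, no prerelease tags); this is not the semver package.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`expected a plain x.y.z version, got "${v}"`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Translate one range into an inclusive lower bound and an exclusive upper
// bound; upper === null means the range is open-ended and will accept any
// future major version, which is the problem the commit's refactor fixes.
function rangeBounds(range) {
  const m = /^(>=|~|\^)\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range syntax "${range}"`);
  const op = m[1];
  const lower = parseVersion(m[2]);
  const [major, minor, patch] = lower;
  if (op === '>=') return { lower, upper: null };
  if (op === '~') return { lower, upper: [major, minor + 1, 0] };
  // caret: npm keeps the leftmost non-zero component fixed
  if (major > 0) return { lower, upper: [major + 1, 0, 0] };
  if (minor > 0) return { lower, upper: [0, minor + 1, 0] };
  return { lower, upper: [0, 0, patch + 1] };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  if (compareVersions(v, lower) < 0) return false;
  return upper === null || compareVersions(v, upper) < 0;
}

// Walk an "overrides" object, including npm's nested form where "." holds the
// parent package's own range, and return the paths whose range has no upper
// bound (i.e. could silently resolve to a future breaking major release).
function findUnboundedOverrides(overrides, prefix = '') {
  const unbounded = [];
  for (const [name, value] of Object.entries(overrides)) {
    const path = name === '.' ? prefix : (prefix ? `${prefix} > ${name}` : name);
    if (typeof value === 'string') {
      if (rangeBounds(value).upper === null) unbounded.push(path);
    } else if (value && typeof value === 'object') {
      unbounded.push(...findUnboundedOverrides(value, path));
    }
  }
  return unbounded;
}

// Constructed sample package.json. The serialize-javascript line matches the
// commit message; the "example-*" entries are placeholders, not real overrides.
const samplePackageJson = {
  name: 'sample-app',
  overrides: {
    'serialize-javascript': '~7.0.3',
    'example-transitive-dep': '>=1.4.2',
    'example-parent': { '.': '^2.1.0', 'example-child': '>=0.9.1' },
  },
};

function demo() {
  const candidates = ['7.0.2', '7.0.3', '7.0.9', '7.1.0', '8.0.0'];
  for (const range of ['>=7.0.3', '~7.0.3']) {
    const accepted = candidates.filter((v) => satisfies(v, range));
    console.log(`${range} accepts: ${accepted.join(', ')}`);
  }
  console.log('unbounded overrides:', findUnboundedOverrides(samplePackageJson.overrides));
}

demo();
```

Running it shows `>=7.0.3` accepting `8.0.0` while `~7.0.3` stops at `7.0.9`, and the lint reports the two placeholder overrides that are still open-ended. Note that npm only honours `overrides` declared in the root package.json, and that an override can also pin a version the parent package never declared compatible, which is exactly the webpack-dev-server case in the third commit; `npm audit` going to zero does not by itself prove the overridden versions are API-compatible.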

6 files changed: +4212 −2773 lines changed
