deps: bump sass and codegen to fix vulnerable immutable version #810

Merged
rohan-chaturvedi merged 1 commit into main from deps--immutable on Mar 16, 2026

Conversation

@rohan-chaturvedi (Member) commented Mar 16, 2026

Summary

  • Upgrade sass from 1.77.0 to 1.98.0
  • Upgrade @graphql-codegen/cli from 5.0.0 to 6.2.1
  • Upgrade @graphql-codegen/client-preset from 4.1.0 to 5.2.4
  • Upgrade @graphql-codegen/typescript-react-apollo from 4.1.0 to 4.4.1
  • Add graphql-sock ^1.0.0 (new peer dependency of client-preset v5)

This resolves Dependabot alert #282: Prototype Pollution in immutable.

Context

Two transitive dependency chains pulled in vulnerable versions of immutable:

Path                                                                                                             Vulnerable version
sass > immutable                                                                                                 4.3.0
@graphql-codegen/client-preset > visitor-plugin-common > relay-operation-optimizer > @ardatan/relay-compiler > immutable   3.7.6

Simply bumping immutable via resolutions wasn't viable because @ardatan/relay-compiler@12 pinned immutable@~3.7.6. Upgrading the parent packages was necessary to move both chains to @ardatan/relay-compiler@13 and sass@1.98, which both depend on immutable@^5.1.5.

After upgrade

├─┬ @graphql-codegen/client-preset@5.2.4
│ └── immutable@5.1.5 (deduped)
└─┬ sass@1.98.0
  └── immutable@5.1.5

Verification

  • yarn codegen — GraphQL types regenerate successfully
  • npx tsc --noEmit — zero TypeScript errors
  • npx jest --no-coverage — 223/223 tests pass
  • Staging Docker Compose build and runtime — all services start, UI renders correctly
  • No .scss files in project source — sass upgrade has no direct styling impact
  • npm ls immutable confirms only 5.1.5 remains

Test plan

  • Verify all pages render without visual regressions (sass engine upgrade)
  • Create, read, edit, and delete secrets (E2EE encryption/decryption path)
  • Cross-environment secrets view renders correctly
  • Toast notifications display properly (react-toastify uses scss internally)
  • Signup and login flows complete without errors
  • Sync integrations trigger and report status correctly
  • Verify no runtime GraphQL type errors in browser console

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi rohan-chaturvedi merged commit 237bb7e into main Mar 16, 2026
7 checks passed
@rohan-chaturvedi rohan-chaturvedi deleted the deps--immutable branch March 16, 2026 10:43
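The dependency-path audit the PR description walks through by hand, as an added example (not code from the project or from the PR author): walk an `npm ls --all --json`-style tree, list every path that reaches `immutable`, flag the occurrences whose version falls in a vulnerable range, and check whether a parent's declared range (the `~3.7.6` pin on `@ardatan/relay-compiler@12`) would admit the fixed version at all. The trees are constructed to mirror the before and after states in the description; the vulnerable range `<5.1.5` is an assumption inferred from the version the PR moved to, and the version numbers on the two intermediate codegen packages are placeholders.

```javascript
// Added example (not code from the project or from this PR): audit an
// `npm ls --all --json`-style dependency tree for a vulnerable transitive
// package. Lists every path reaching the target, flags occurrences whose
// version is in a vulnerable range, and checks whether a parent's declared
// range (e.g. ~3.7.6) would admit the fixed version without an override.
// ASSUMPTIONS: "<5.1.5" as the vulnerable range is inferred from the version
// the PR moved to; the trees below are constructed, with placeholder versions
// on the intermediate codegen packages.

const VULNERABLE_RANGE = "<5.1.5";
const FIXED_VERSION = "5.1.5";

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1 / 0 / 1 comparator on major.minor.patch; pre-release tags are ignored.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Minimal semver range check: space-separated comparators are ANDed.
// Handles exact, ~, ^, >=, >, <=, < (enough for the ranges in this PR).
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((c) => {
    const op = c.match(/^(\^|~|>=|<=|>|<)?/)[0];
    const base = c.slice(op.length);
    const [maj, min] = parseVersion(base);
    const cmp = compareVersions(version, base);
    switch (op) {
      case "": return cmp === 0;
      case ">=": return cmp >= 0;
      case ">": return cmp > 0;
      case "<=": return cmp <= 0;
      case "<": return cmp < 0;
      // ~3.7.6 means >=3.7.6 <3.8.0: patch bumps only, so 5.1.5 is excluded
      case "~": return cmp >= 0 && compareVersions(version, `${maj}.${min + 1}.0`) < 0;
      // ^5.1.5 means >=5.1.5 <6.0.0 (for 0.x majors the minor is the ceiling)
      case "^": {
        const upper = maj === 0 ? `0.${min + 1}.0` : `${maj + 1}.0.0`;
        return cmp >= 0 && compareVersions(version, upper) < 0;
      }
      default: throw new Error(`unsupported comparator: ${c}`);
    }
  });
}

// Depth-first walk over { dependencies: { name: { version, dependencies } } },
// the shape `npm ls --all --json` emits.
function findPaths(node, target, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === target) out.push({ path: here.join(" > "), version: child.version });
    findPaths(child, target, here, out);
  }
  return out;
}

// Every occurrence of `target`, annotated with whether it sits in the bad range.
function audit(tree, target, vulnerableRange = VULNERABLE_RANGE) {
  return findPaths(tree, target).map((f) => ({
    ...f,
    vulnerable: satisfies(f.version, vulnerableRange),
  }));
}

// Would a parent declaring `declaredRange` accept `fixed` without a forced override?
function rangeAdmitsFix(declaredRange, fixed = FIXED_VERSION) {
  return satisfies(fixed, declaredRange);
}

const dep = (version, dependencies = {}) => ({ version, dependencies });

// CONSTRUCTED "before" tree: the two chains the PR description lists.
const treeBefore = dep("0.0.0", {
  sass: dep("1.77.0", { immutable: dep("4.3.0") }),
  "@graphql-codegen/client-preset": dep("4.1.0", {
    "visitor-plugin-common": dep("0.0.0", {          // placeholder version
      "relay-operation-optimizer": dep("0.0.0", {    // placeholder version
        "@ardatan/relay-compiler": dep("12.0.0", {   // PR says v12; patch level assumed
          immutable: dep("3.7.6"),
        }),
      }),
    }),
  }),
});

// CONSTRUCTED "after" tree matching the PR's `npm ls immutable` output.
const treeAfter = dep("0.0.0", {
  "@graphql-codegen/client-preset": dep("5.2.4", { immutable: dep("5.1.5") }),
  sass: dep("1.98.0", { immutable: dep("5.1.5") }),
});

for (const f of audit(treeBefore, "immutable")) {
  console.log(`${f.vulnerable ? "VULN" : "ok  "} immutable@${f.version} via ${f.path}`);
}
console.log("pin ~3.7.6 admits 5.1.5?", rangeAdmitsFix("~3.7.6"));   // false
console.log("range ^5.1.5 admits 5.1.5?", rangeAdmitsFix("^5.1.5")); // true
console.log("vulnerable after upgrade:", audit(treeAfter, "immutable").filter((f) => f.vulnerable).length); // 0
```

To run it against a real project, replace the constructed trees with `JSON.parse` of `npm ls --all --json` output. The `rangeAdmitsFix` check is the quick way to tell, before touching `resolutions`, whether a transitive pin will ever resolve to the patched release or whether the parent itself has to be upgraded, which is the conclusion the PR reaches for `@ardatan/relay-compiler`.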