Fix critical and high dependency alerts #52

Open
lancewillett wants to merge 1 commit into main from fix/dependabot-critical-composer

Conversation

@lancewillett lancewillett commented May 30, 2026

Summary

  • Update firebase/php-jwt to a PHP 7.3-compatible 6.x release to clear the critical JWT advisory without changing the repo's advertised PHP 7.3 runtime floor.
  • Update the vulnerable Composer dev tree, including illuminate/database, phpunit/phpunit, nesbot/carbon, PHPCS tooling, and Psalm, so current Composer can install the lockfile.
  • Remove the mock APNS server's vulnerable uuid dependency and generate the test APNS ID with Node's built-in crypto module instead.
  • Update the CI workflow for current Composer/GitHub Actions behavior and pin touched actions by commit SHA.

Validation

  • composer install --prefer-dist --no-progress
  • composer validate
  • composer audit --locked --ignore-severity=low --abandoned=ignore
  • cd tests/MockAPNSServer && yarn install --frozen-lockfile && yarn audit --level low --groups dependencies
  • php -d error_reporting=6143 vendor/bin/phpcs -s --ignore=tests/MockAPNSServer/node_modules/
  • php -d error_reporting=6143 vendor/bin/phpunit --coverage-clover coverage/coverage.xml --coverage-html coverage --exclude e2e
  • E2E PHPUnit with the mock APNS server running on Node 12
  • ruby -e "require 'yaml'; YAML.load_file('.github/workflows/CI.yml')"
  • git diff --check

Notes

  • composer audit --locked still reports the low-severity firebase/php-jwt advisory fixed in 7.x. Moving to php-jwt 7.x requires PHP 8.0+, so this PR keeps the PHP 7.3 contract and clears the critical/high/medium Composer advisories.
  • The CI Build and Test job currently runs the full PHPUnit suite successfully and generates coverage, then fails while uploading coverage through the legacy CodeClimate reporter path. The old CodeClimate binary URL now returns 404, so this PR uses the archived reporter release with a pinned checksum; the upload still exits non-zero and likely needs an owner decision on the stale CodeClimate required checks.

@lancewillett lancewillett self-assigned this May 30, 2026
@lancewillett lancewillett requested a review from jkmassel May 30, 2026 03:40
@lancewillett lancewillett force-pushed the fix/dependabot-critical-composer branch 6 times, most recently from 474cbcf to a396eb7 May 30, 2026 03:56
@lancewillett lancewillett force-pushed the fix/dependabot-critical-composer branch from a396eb7 to 8a042cd May 30, 2026 03:58