Commit 10dd568
security: vulnerability remediation (#200)
## Vulnerability Remediation — 2026-04-02
### Fixed
| CVE | Package | Severity | Old Version | New Version | Manifest |
|-----|---------|----------|-------------|-------------|----------|
| CVE-2025-7783 | form-data | warn | 4.0.0 | 4.0.5 | images/chromium-headful/client/package-lock.json |
### Skipped (non-actionable)
| Alert Type | Package | Severity | Reason |
|------------|---------|----------|--------|
| criticalCVE | @babel/traverse | warn | Dev-only transitive dependency in the headful client build toolchain (`dev: true` in the lockfile); not deployed to production. |
### Deferred (needs human review)
None.
### Verification
- `npm run build` in `images/chromium-headful/client`
- No `test` script exists in `images/chromium-headful/client/package.json`
- Post-fix Socket rescan reports only the skipped dev-only `@babel/traverse` alert
Made with [Cursor](https://cursor.com)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Updates `axios` and related transitive packages (`form-data`, `follow-redirects`, `proxy-from-env`, and new helpers) which can subtly affect HTTP request/redirect/proxy behavior in the headful client.
>
> **Overview**
> **Updates the headful Chromium client’s HTTP dependency stack for vulnerability remediation.**
>
> Bumps `axios` to `^1.14.0` in `package.json` and refreshes `package-lock.json`, pulling in newer transitive versions (notably `form-data@4.0.5`, `follow-redirects@1.15.11`, `proxy-from-env@2.1.0`) and additional small helper packages recorded in the lockfile.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 21b39a5. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: kernel-internal[bot] <260533166+kernel-internal[bot]@users.noreply.github.com>
1 parent 1c77850 commit 10dd568
2 files changed
Lines changed: 311 additions & 64 deletions
0 commit comments
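The triage above rests on two lockfile facts: that every installed copy of `form-data` is now at 4.0.5 or later, and that `@babel/traverse` is marked `dev: true` on every install path, so it never reaches production. The check below is an added example, not code from this commit or the repository; it reads the `packages` map of an npm `lockfileVersion` 2/3 file and answers both questions for every copy of a package, including nested duplicates under `node_modules/<pkg>/node_modules/...` that a top-level lookup would miss. The sample lockfile, the nested `@babel/traverse` copy and the function names are constructed for illustration; pass the real lockfile text to `load_lock` to run it against the repository.

```python
import json

# Constructed sample in the npm lockfileVersion 3 shape. It is NOT the real
# images/chromium-headful/client/package-lock.json; the versions and the nested
# @babel/traverse copy are made up to exercise the checks below.
SAMPLE_LOCK_JSON = json.dumps({
    "name": "client",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "client",
            "dependencies": {"axios": "^1.14.0"},
            "devDependencies": {"@babel/core": "^7.0.0"},
        },
        "node_modules/axios": {"version": "1.14.0"},
        "node_modules/form-data": {"version": "4.0.5"},
        "node_modules/follow-redirects": {"version": "1.15.11"},
        "node_modules/@babel/core": {"version": "7.0.0", "dev": True},
        "node_modules/@babel/traverse": {"version": "7.20.0", "dev": True},
        # Nested duplicate: hoisting can leave several copies of one package,
        # and each copy carries its own version and dev flag.
        "node_modules/some-tool/node_modules/@babel/traverse": {
            "version": "7.19.0", "dev": True,
        },
    },
})


def load_lock(text=SAMPLE_LOCK_JSON):
    """Parse a lockfile; lockfileVersion 2 and 3 both carry the `packages` map."""
    lock = json.loads(text)
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 has no `packages` map; regenerate with npm >= 7")
    return lock


def package_name(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def occurrences(lock, name):
    """Every installed copy of `name`: [(install path, version, dev flag)]."""
    found = []
    for path, meta in lock["packages"].items():
        if path and package_name(path) == name:  # "" is the root project entry
            found.append((path, meta.get("version", ""), bool(meta.get("dev"))))
    return found


def is_dev_only(lock, name):
    """True only if the package is installed AND every copy is marked dev."""
    copies = occurrences(lock, name)
    return bool(copies) and all(dev for _, _, dev in copies)


def parse_version(v):
    """'4.0.5' -> ((4, 0, 5), 1); a pre-release such as '4.0.5-rc.1' -> ((4, 0, 5), 0),
    so it sorts below the final release as semver requires."""
    core, _, pre = v.partition("-")
    return (tuple(int(p) for p in core.split(".")), 0 if pre else 1)


def meets_minimum(lock, name, minimum):
    """True only if every installed copy of `name` is at or above `minimum`."""
    copies = occurrences(lock, name)
    return bool(copies) and all(
        parse_version(v) >= parse_version(minimum) for _, v, _ in copies
    )


def triage(lock, fixed, dev_only_skips):
    """fixed: {package: minimum fixed version}; dev_only_skips: packages claimed dev-only.
    Returns {package: bool} so a CI step can fail on any False."""
    report = {name: meets_minimum(lock, name, minimum) for name, minimum in fixed.items()}
    for name in dev_only_skips:
        report[name] = is_dev_only(lock, name)
    return report


if __name__ == "__main__":
    lock = load_lock()
    for pkg, ok in triage(lock, {"form-data": "4.0.5"}, {"@babel/traverse"}).items():
        print(f"{pkg}: {'OK' if ok else 'FAIL'}")
        for path, version, dev in occurrences(lock, pkg):
            print(f"    {path} {version} dev={dev}")
```

A single copy of the package installed without `dev: true` anywhere in the tree makes `is_dev_only` return False, which is the case a "not deployed to production" justification has to survive; likewise `meets_minimum` fails if an older nested copy of `form-data` is still pinned somewhere even though the hoisted one was bumped.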