fix(deps): consolidate dependency security fixes

[kemister85]

Summary

• Upgrade http-server from ^0.12.3 to ^14.1.1 — v14 no longer uses ecstatic, eliminating that attack surface
• Remove ecstatic devDependency (no longer needed)
• Add yarn resolutions for 11 transitive vulnerabilities that cannot be fixed via direct dependency upgrades:

Package	Resolution	Advisory
brace-expansion	>=1.1.13	ReDoS + zero-step hang
convict	>=6.2.5	Prototype pollution
follow-redirects	>=1.16.0	GHSA-r4q5-vmmm-2653
handlebars	>=4.7.9	Multiple security fixes
js-yaml	>=4.1.1	Code execution via load()
liquidjs	>=10.25.5	GHSA-v273-448j-v4qj
lodash	>=4.18.1	Prototype pollution + template injection
minimatch	>=3.1.4	ReDoS
picomatch	>=2.3.2	GHSA-3v7f-55p6-f55p
qs	>=6.14.2	Prototype pollution
sha.js	>=2.4.12	Collision vulnerability

Result: yarn audit reports 0 vulnerabilities. Build and serve both work.

Supersedes

This PR consolidates and replaces the following open PRs:

• DOC-3386: Fix dependency vulnerabilities via http-server upgrade and minimal resolutions #4028 — fix/dependency-security-resolutions (http-server upgrade + resolutions)
• fix(deps): follow-redirects — GHSA-r4q5-vmmm-2653 (medium) #4093 — dependabot-autopilot/alert-95 (follow-redirects)
• fix(deps): liquidjs — GHSA-v273-448j-v4qj (medium) #4094 — dependabot-autopilot/alert-94 (liquidjs)
• fix(deps): picomatch — GHSA-3v7f-55p6-f55p (medium) #4102 — dependabot-autopilot/alert-75 (picomatch)
• Bump lodash from 4.17.21 to 4.18.1 #4120 — dependabot/npm_and_yarn/lodash-4.18.1 (lodash)
• Bump handlebars from 4.7.7 to 4.7.9 #4121 — dependabot/npm_and_yarn/handlebars-4.7.9 (handlebars)
• Bump follow-redirects from 1.15.6 to 1.16.0 #4122 — dependabot/npm_and_yarn/follow-redirects-1.16.0 (follow-redirects)

Once this PR merges, those 7 PRs can be closed.

Test plan

• yarn install — lockfile regenerated successfully
• yarn audit — 0 vulnerabilities
• yarn build:production — Antora build passes