chore: reduce high severity yarn audit findings#347

Open
forge0x wants to merge 1 commit into
mainfrom
fix/security-audit
Conversation

@forge0x forge0x commented May 11, 2026

Summary

  • Updates direct security-sensitive dependencies to patched versions (axios, express, body-parser, cookie, jsonwebtoken, mongoose, @google-cloud/storage, @grpc/proto-loader, etc.)
  • Adds Yarn resolutions for vulnerable transitive packages that are still pulled in by older tooling/runtime dependencies
  • Keeps the resolution set compatible with install/build tooling after the #346 (chore: fix main TypeScript baseline) typecheck cleanup

Audit impact

Before:

  • 500 total advisories
  • 18 critical, 238 high, 195 moderate, 49 low

After:

  • 47 total advisories
  • 0 critical, 0 high, 28 moderate, 19 low
  • yarn audit --level high emits no high/critical advisories

Verification

Rebased on current main after #346.

  • yarn install --frozen-lockfile
  • yarn build
  • yarn tsc-check-noimplicitany
  • yarn tsc-check
  • npx prettier --check package.json
  • yarn audit --level high ✅ no high/critical advisories

Notes

  • yarn audit --level high exits non-zero because Yarn v1 reports remaining low/moderate advisories in the summary, but the JSON audit stream contains no high/critical auditAdvisory entries.
  • This PR intentionally uses Yarn resolutions for some transitive fixes because several vulnerable packages are buried under older dependency chains like ln-service, spectaql, api/oas, and older toolchain packages.

forge0x force-pushed the fix/security-audit branch 2 times, most recently from 79dbda2 to 1fae4b8, May 11, 2026 14:36
forge0x force-pushed the fix/security-audit branch from 1fae4b8 to e1c7e1d, May 11, 2026 15:46
forge0x commented May 11, 2026

Rebased onto current main after #346 and force-pushed e1c7e1d34.

Verification after rebase:

  • yarn install --frozen-lockfile
  • yarn build
  • yarn tsc-check-noimplicitany
  • yarn tsc-check
  • npx prettier --check package.json
  • yarn audit --level high ✅ no high/critical advisories in JSON audit stream

GitHub reports the branch as mergeable now; current blocked state appears to be review/check gating rather than conflicts.
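
The gate both comments rely on (the Notes in the description and the post-rebase verification list) is "no high/critical `auditAdvisory` records in the `yarn audit --json` stream", not the exit status, because Yarn v1's exit code also reflects remaining low/moderate findings. The script below is an added example, not code from this PR or the project: it parses the Yarn v1 NDJSON audit stream, fails only at or above a chosen severity, and groups failing advisories by the top-level dependency that pulls them in, which is the package a `resolutions` entry or an upgrade has to target. The record shape is Yarn v1's `auditAdvisory`/`auditSummary` NDJSON; the module names, advisory ids, paths and URLs in the two sample streams are constructed, and the file name `audit-gate.js` is hypothetical.

```javascript
// Added example (not from the PR): gate a Yarn v1 `yarn audit --json` stream on
// high/critical advisories independently of the CLI exit code.
// Usage:  yarn audit --json | node audit-gate.js --stdin [high|critical|moderate]
// Without --stdin the constructed AFTER_STREAM sample below is evaluated.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Parse NDJSON into a flat advisory list. Only `auditAdvisory` records count;
// `warning` lines, the trailing `auditSummary` and unparsable lines are skipped.
function parseAuditStream(text) {
  const advisories = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch (e) { continue; }
    if (!entry || entry.type !== 'auditAdvisory') continue;
    const resolution = entry.data.resolution;
    const advisory = entry.data.advisory;
    advisories.push({
      id: advisory.id,
      module: advisory.module_name,
      severity: advisory.severity,
      patched: advisory.patched_versions,
      path: resolution.path,                // "root>intermediate>module"
      root: resolution.path.split('>')[0],  // top-level dependency pulling it in
      dev: Boolean(resolution.dev),
    });
  }
  return advisories;
}

// Count advisories per severity and collect those at or above `threshold`.
// Unknown severity strings are treated as failing so they cannot slip through.
function gate(advisories, threshold) {
  threshold = threshold || 'high';
  if (!(threshold in SEVERITY_RANK)) throw new Error('unknown threshold: ' + threshold);
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const failing = [];
  for (const a of advisories) {
    const rank = SEVERITY_RANK[a.severity];
    if (rank === undefined) { failing.push(a); continue; }
    counts[a.severity] += 1;
    if (rank >= SEVERITY_RANK[threshold]) failing.push(a);
  }
  return { ok: failing.length === 0, counts: counts, failing: failing };
}

// Group advisories by the top-level dependency that pulls them in.
function groupByRoot(advisories) {
  const byRoot = {};
  for (const a of advisories) {
    if (!byRoot[a.root]) byRoot[a.root] = [];
    byRoot[a.root].push(a);
  }
  return byRoot;
}

// One-shot report: pass/fail, per-severity counts, and failing chains by root.
function summarize(text, threshold) {
  const result = gate(parseAuditStream(text), threshold);
  const byRoot = groupByRoot(result.failing);
  const failingByRoot = {};
  for (const root of Object.keys(byRoot)) {
    failingByRoot[root] = byRoot[root].map(function (a) {
      return a.severity + ' ' + a.module + ' (' + a.path + ', patched in ' + a.patched + ')';
    });
  }
  return { ok: result.ok, counts: result.counts, failingByRoot: failingByRoot };
}

// Constructed sample streams (made-up module names, ids, paths and URLs) in the
// Yarn v1 NDJSON record shape: a "before" state with high/critical findings and
// an "after" state where only low/moderate findings remain.
const BEFORE_STREAM = [
  '{"type":"warning","data":"constructed warning line, not an advisory"}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":1001,"path":"legacy-tool>old-parser","dev":true,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.0.2","paths":["legacy-tool>old-parser"]}],"id":1001,"module_name":"old-parser","severity":"high","title":"constructed advisory","patched_versions":">=1.0.3","vulnerable_versions":"<1.0.3","url":"https://example.invalid/1001"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":1002,"path":"legacy-tool>old-parser>deep-dep","dev":true,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.1.0","paths":["legacy-tool>old-parser>deep-dep"]}],"id":1002,"module_name":"deep-dep","severity":"critical","title":"constructed advisory","patched_versions":">=2.2.0","vulnerable_versions":"<2.2.0","url":"https://example.invalid/1002"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":1003,"path":"web-framework>query-lib","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.0.0","paths":["web-framework>query-lib"]}],"id":1003,"module_name":"query-lib","severity":"moderate","title":"constructed advisory","patched_versions":">=6.1.0","vulnerable_versions":"<6.1.0","url":"https://example.invalid/1003"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":1004,"path":"docs-generator>tiny-util","dev":true,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.4.1","paths":["docs-generator>tiny-util"]}],"id":1004,"module_name":"tiny-util","severity":"low","title":"constructed advisory","patched_versions":">=0.5.0","vulnerable_versions":"<0.5.0","url":"https://example.invalid/1004"}}}',
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":1,"high":1,"critical":1},"dependencies":400,"devDependencies":0,"optionalDependencies":0,"totalDependencies":400}}',
].join('\n');
// "after" state: the two legacy-tool records are gone, everything else unchanged.
const AFTER_STREAM = BEFORE_STREAM.split('\n')
  .filter(function (l) { return l.indexOf('"legacy-tool>') === -1; })
  .join('\n')
  .replace('"high":1,"critical":1', '"high":0,"critical":0');

if (typeof require === 'function' && process.argv.indexOf('--stdin') !== -1) {
  const input = require('fs').readFileSync(0, 'utf8');
  const threshold = process.argv[process.argv.indexOf('--stdin') + 1] || 'high';
  const out = summarize(input, threshold);
  console.log(JSON.stringify(out, null, 2));
  process.exitCode = out.ok ? 0 : 1;   // exit code now tracks only the chosen threshold
} else {
  console.log(JSON.stringify(summarize(AFTER_STREAM, 'high'), null, 2));
}
```

Piped a real stream, the script exits non-zero only when a record at or above the threshold is present, so `yarn audit --json | node audit-gate.js --stdin high` is usable as a CI gate where `yarn audit --level high` is not. The per-root grouping is what tells you whether an advisory can be fixed by bumping a direct dependency or has to be pinned through a `resolutions` entry under an older chain.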
