Update vulnerable npm lockfile dependencies

[stephentoub]

This updates the npm lockfiles flagged by Dependabot so the resolved transitive dependencies move to patched versions. The existing package ranges already allow the safe versions, so no manifest dependency ranges needed to change.

Summary

• Refresh nodejs/package-lock.json to resolve patched lodash and vite versions.
• Refresh test/harness/package-lock.json to resolve patched @hono/node-server, fast-uri, hono, qs, and vite versions.
• Keep the change lockfile-only to minimize package surface area.

Validation

• npm audit --omit=optional --audit-level=low in nodejs
• npm audit --omit=optional --audit-level=low in test/harness
• npm run typecheck in nodejs
• npm test in test/harness

Note: a full local nodejs test run hit an unrelated E2E hang/failure path and generated snapshot diffs, which were reverted.

[Copilot]

Copilot wasn't able to review any files in this pull request.

Files not reviewed (2)

• nodejs/package-lock.json: Language not supported
• test/harness/package-lock.json: Language not supported

[github-actions]

Cross-SDK Consistency Review ✅

This PR only updates npm lockfile files (nodejs/package-lock.json and test/harness/package-lock.json) to resolve security vulnerabilities in transitive dependencies. No SDK API changes were made, so there are no cross-SDK consistency concerns.

These lockfile updates are Node.js/npm-specific artifacts with no equivalent in the Python, Go, .NET, or Java SDKs.

Generated by SDK Consistency Review Agent for issue #1415 · ● 875.4K · ◷