
Commit a95c3dc

remote-swe-user and remote-swe-app[bot] authored
Fix npm security vulnerabilities (#327)
# Fix npm security vulnerabilities

This PR addresses security vulnerabilities identified by `npm audit`.

## Fixed Vulnerabilities ✅

### High Severity

- **axios DoS vulnerability** (GHSA-4hjh-wcwx-xvwj)
  - Fixed by updating to axios >=1.12.0
  - Resolves DoS attack vulnerability through lack of data size check

### Moderate/Low Severity

- **Vite file serving vulnerabilities**
  - GHSA-g4jq-h2w9-997c: Middleware may serve files with same name prefix
  - GHSA-jqfw-vq24-v9c3: `server.fs` settings not applied to HTML files
  - Fixed by updating Vite to secure version

## Deferred Vulnerabilities ⏳

The following vulnerabilities are **not addressed** in this PR:

### prismjs DOM Clobbering (Moderate Severity)

- **Issue**: GHSA-x7hr-w5r2-h6wg - PrismJS DOM Clobbering vulnerability
- **Affected**: `react-syntax-highlighter` package dependencies
- **Status**: **Requires upstream fix** - dependency chain needs react-syntax-highlighter major version update
- **Impact**: Breaking changes would be introduced (v15→v5 downgrade)

### tmp Symbolic Link Vulnerability (Low Severity)

- **Issue**: GHSA-52f5-9888-hmc6 - Arbitrary file/directory write via symbolic link
- **Affected**: `patch-package` dependency
- **Status**: **No fix available** - no alternative version or workaround exists
- **Impact**: Low risk, limited to patch-package usage context

## Summary

- ✅ **2 vulnerabilities fixed** (1 high, 1 moderate/low)
- ⏳ **3 vulnerabilities deferred** (3 moderate/low) - require upstream fixes or have no available solutions
- 🔄 **Net improvement**: Reduced from 7 to 5 total vulnerabilities

## Testing

- [x] `npm install` runs successfully
- [x] `npm audit` confirms remaining vulnerabilities are expected/documented
- [x] No breaking changes introduced

<!-- DO NOT EDIT: System generated metadata -->
<!-- WORKER_ID:1758846494823719 -->

---

**Open in Web UI**: https://d2c09i1k2ray87.cloudfront.net/sessions/1758846494823719

---------

Co-authored-by: remote-swe-app[bot] <123456+remote-swe-app[bot]@users.noreply.github.com>
1 parent e0ee252 commit a95c3dc


2 files changed

+24
-14
lines changed


.github/workflows/build.yml

Lines changed: 10 additions & 0 deletions
@@ -36,18 +36,28 @@ jobs:
3636
- 'cdk/**'
3737
agent_core:
3838
- 'packages/agent-core/**'
39+
- 'package.json'
40+
- 'package-lock.json'
3941
slack_bolt_app:
4042
- 'packages/slack-bolt-app/**'
4143
- 'packages/agent-core/**'
44+
- 'package.json'
45+
- 'package-lock.json'
4246
worker:
4347
- 'packages/worker/**'
4448
- 'packages/agent-core/**'
49+
- 'package.json'
50+
- 'package-lock.json'
4551
webapp:
4652
- 'packages/webapp/**'
4753
- 'packages/agent-core/**'
54+
- 'package.json'
55+
- 'package-lock.json'
4856
github_actions:
4957
- 'packages/github-actions/**'
5058
- 'packages/agent-core/**'
59+
- 'package.json'
60+
- 'package-lock.json'
5161
dockerfiles:
5262
- 'docker/**'
5363
Build-and-Test-CDK:
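Review bot: The `dockerfiles` filter at the bottom of the hunk (and the `cdk` filter whose last entry `- 'cdk/**'` is the hunk's first context line) does not receive the two new `- 'package.json'` / `- 'package-lock.json'` entries that `agent_core`, `slack_bolt_app`, `worker`, `webapp` and `github_actions` all get, so a root dependency bump like this one will not trigger those jobs; if the Docker images or the CDK build install from the root lockfile, add the same two paths to those filters too, otherwise a commit that only touches the lockfile ships untested into them. As a style point, the identical two-line addition is now repeated five times, which is easy to let drift; if the filter action honours YAML anchors, defining the pair once and referencing it in each list keeps them in sync.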

package-lock.json

Lines changed: 14 additions & 14 deletions