
chore(deps): security and dependency updates#155

Merged
jung-thomas merged 1 commit into
mainfrom
chore/security-deps-update-2026-06
Jun 26, 2026

Conversation

@jung-thomas

Contributor

Summary

Security and dependency updates resolving 10 of 46 known vulnerabilities, plus 28 in-range semver bumps and 3 dev-only major version updates.

Changes

npm audit fix (non-breaking)

Resolved 10 vulnerabilities; remaining issues require major upstream bumps in @sap/cds-dk's nested deps (puppeteer-core, @wdio/devtools-service stack).

npm update (in-range semver)

28 packages bumped within their declared semver range, notably:

  • ws 8.20.1 → 8.21.0 (fixes GHSA-3h5v-q93c-6h6q, GHSA-58qx-3vcg-4xpx, GHSA-96hv-2xvq-fx4p)
  • @inquirer/prompts 8.4.3 → 8.5.2
  • @sap-cloud-sdk/resilience 4.6.0 → 4.7.0
  • @sap/cds-dk 9.9.1 → 9.9.2
  • @sap/eslint-plugin-cds 4.2.3 → 4.2.4
  • body-parser 2.2.2 → 2.3.0
  • eslint 10.3.0 → 10.5.0
  • mocha 11.7.5 → 11.7.6
  • multer 2.1.1 → 2.2.0
  • ora 9.4.0 → 9.4.1
  • uuid 14.0.0 → 14.0.1
  • @wdio/* 9.27.1 → 9.29.0
  • webdriverio 9.27.1 → 9.29.0

Dev-only major bumps

  • sinon ^21 → ^22 — drops Node 18 support; project already requires ≥22
  • chromedriver ^148 → ^150 — matches Chrome 150
  • @types/node ^25 → ^26 — types only, no runtime impact

Verification

  • npm run lint — clean
  • npm test — 2193 passing, 16 pending, 0 regressions
    • 3 pre-existing UI test failures (tests/ui/*.ui.test.js) are unrelated — they require wdio run wdio.conf.js to provide the browser global but are picked up by mocha's glob on Windows due to case-insensitive *.Test.js matching against .ui.test.js.

Remaining vulnerabilities

Not addressed in this PR — all require major upstream bumps:

Production (16):

  • exceljs (would drop to v3, breaking Excel export)
  • @cap-js/telemetry / OpenTelemetry stack — no fix yet, awaiting upstream
  • Nested js-yaml via nyc

Dev (21):

  • @wdio/devtools-service would require downgrade to 8.x
  • devtools@6 is breaking
  • nyc@14 is breaking

The overrides block in package.json already pins axios and qs to neutralize transitive CVEs — same approach can be used here in a follow-up if specific advisories become urgent.

- npm audit fix: resolves 10 of 46 vulnerabilities
- npm update: 28 in-range semver bumps including @inquirer/prompts,
  @sap-cloud-sdk/resilience, @sap/cds-dk, body-parser, eslint, mocha,
  multer, ora, ws (security), uuid, @wdio/* (9.27→9.29)
- Major dev-only bumps:
  - sinon ^21 → ^22 (drops Node 18 support; project requires ≥22)
  - chromedriver ^148 → ^150 (matches Chrome 150)
  - @types/node ^25 → ^26 (types only)

Remaining vulnerabilities live in nested deps of @sap/cds-dk
(puppeteer-core, @wdio/devtools-service stack) and require major
upstream bumps. Tests: 2193 passing, 0 regressions (3 pre-existing
WDIO UI tests fail under plain mocha — they require 'wdio run').
Lint: clean.
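The description above mentions the `overrides` block in package.json as the way to pin transitive dependencies such as axios and qs. One practical check after such a pin is to confirm that every copy of the package in package-lock.json (including nested copies under other packages' `node_modules`) actually satisfies the declared override. The following is an added example, not code from this project or PR; the override ranges and the lockfile excerpt are constructed sample values in the npm lockfileVersion 2/3 shape, and the range matcher deliberately handles only exact, `^` and `~` pins.

```javascript
// Added example (not the project's own code): report lockfile entries that do
// not satisfy the pins declared in package.json "overrides".

// Constructed sample overrides (a real project would read package.json).
const overrides = {
  axios: "^1.2.0",
  qs: "6.5.3",
};

// Constructed lockfile excerpt. Keys follow npm's lockfileVersion 2/3 layout,
// where nested copies appear as ".../node_modules/<name>" paths.
const lockfile = {
  packages: {
    "": { name: "app" },
    "node_modules/axios": { version: "1.4.0" },
    "node_modules/qs": { version: "6.5.3" },
    "node_modules/legacy-client/node_modules/qs": { version: "6.5.1" },
    "node_modules/@scope/tool/node_modules/axios": { version: "0.21.1" },
  },
};

// Parse "major.minor.patch" (prerelease/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Minimal semver check: exact version, "^" (same major, or same minor when
// major is 0) and "~" (same major.minor). Anything else is rejected.
function satisfies(version, range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const v = parseVersion(version);
  const base = parseVersion(op ? range.slice(1) : range);
  if (!v || !base) return false;
  if (!op) return compare(v, base) === 0;
  if (compare(v, base) < 0) return false;
  if (op === "^") {
    return base[0] === 0 ? v[0] === 0 && v[1] === base[1] : v[0] === base[0];
  }
  return v[0] === base[0] && v[1] === base[1];
}

// "node_modules/a/node_modules/@s/b" -> "@s/b" (scoped names keep their scope).
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Walk every lockfile entry; return the copies of overridden packages whose
// installed version does not satisfy the override range.
function findOverrideViolations(lock, overrideMap) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry
    const name = packageNameFromPath(lockPath);
    const range = overrideMap[name];
    if (range === undefined) continue;
    if (!satisfies(entry.version, range)) {
      violations.push({ path: lockPath, name, installed: entry.version, expected: range });
    }
  }
  return violations;
}

for (const v of findOverrideViolations(lockfile, overrides)) {
  console.log(`${v.path}: installed ${v.installed}, override requires ${v.expected}`);
}
```

With the sample data, the two nested copies (qs 6.5.1 under legacy-client and axios 0.21.1 under @scope/tool) are reported; the top-level copies pass. In a CI job the same walk can run against the real lockfile after `npm install` so that a stale nested copy of a pinned package fails the build instead of going unnoticed.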
@jung-thomas jung-thomas requested a review from rich-heilman June 26, 2026 18:01
@jung-thomas jung-thomas merged commit 1b69e0b into main Jun 26, 2026
10 checks passed
@jung-thomas jung-thomas deleted the chore/security-deps-update-2026-06 branch June 26, 2026 18:23


2 participants