
fix: refresh dependency and CI security metadata#3896

Draft
bbingz wants to merge 1 commit into siteserver:master from bbingz:security/dependency-hygiene-2026

Conversation

@bbingz

@bbingz bbingz commented May 30, 2026

This is a smaller slice split out of the broader security hardening draft PR (#3895). It keeps the scope limited to dependency/security metadata plus the minimal CI/build hygiene needed to validate those updates in the existing Azure pipeline.

Changes:

  • refresh root npm security metadata by adding a lockfile, replacing vulnerable gulp build tooling, and declaring package metadata/license
  • migrate the gulp build script away from removed vulnerable packages and make OSS upload tasks skip safely when PR secrets are unavailable
  • add auditable npm metadata for src/SSCMS.Web
  • update vulnerable/deprecated .NET package references and test packages
  • add a test WebApplicationFactory configuration so the upgraded web integration tests run with an isolated test security key
  • ignore generated ASP.NET data-protection key files
  • remove unstable ApplicationIcon build inputs from CLI/Web projects and skip Docker image push outside master

Validation run locally:

  • /opt/homebrew/opt/dotnet@8/bin/dotnet restore sscms.sln
  • /opt/homebrew/opt/dotnet@8/bin/dotnet list /Users/bing/-Code-/cms-pr-dependency-hygiene/sscms.sln package --vulnerable --include-transitive -> no vulnerable packages
  • /opt/homebrew/opt/dotnet@8/bin/dotnet list /Users/bing/-Code-/cms-pr-dependency-hygiene/sscms.sln package --deprecated -> no deprecated packages
  • npm audit --json at repo root -> 0 vulnerabilities
  • npm audit --json in src/SSCMS.Web -> 0 vulnerabilities
  • npm ci -> passed, 0 vulnerabilities
  • node -e "require('./gulpfile.js'); console.log('gulpfile ok')" -> passed
  • /opt/homebrew/opt/dotnet@8/bin/dotnet publish src/SSCMS.Cli/SSCMS.Cli.csproj -c Release -o /tmp/sscms-cli-publish-check -> passed
  • /opt/homebrew/opt/dotnet@8/bin/dotnet publish src/SSCMS.Web/SSCMS.Web.csproj -c Release -o /tmp/sscms-web-publish-check -> passed
  • /opt/homebrew/opt/dotnet@8/bin/dotnet test tests/SSCMS.Web.Tests/SSCMS.Web.Tests.csproj -c Release --no-restore -> passed, 2/2 tests; xUnit1051 warnings only
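
As an added example, not code from the siteserver/cms project or from this PR: a CI gate script that automates the validation steps listed above and fails the build on any finding. It assumes the `--format json` output of `dotnet list <sln> package --vulnerable --include-transitive` as produced by the .NET 8 SDK and the `metadata.vulnerabilities` summary of `npm audit --json` from npm 7 or later; the sample payloads embedded in the block are constructed, with placeholder package names, not real advisories.

```python
"""Dependency gate: run `dotnet list package --vulnerable` and `npm audit`, fail on findings.

Added example, not part of the siteserver/cms repository or this PR. The JSON shapes
handled here (dotnet: projects[].frameworks[].topLevelPackages/transitivePackages[] with
vulnerabilities[].severity and a top-level problems[]; npm: metadata.vulnerabilities.total,
or a top-level "error" object on registry failure) are assumptions about the tools' output.
"""
import json
import shutil
import subprocess
import sys

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}


def severity_rank(severity: str) -> int:
    return SEVERITY_RANK.get(severity, 0)


def dotnet_findings(list_json: str) -> list[str]:
    """Flatten the dotnet JSON report into one line per vulnerable package, failing closed."""
    try:
        report = json.loads(list_json)
    except json.JSONDecodeError:
        return ["dotnet list package output was not JSON"]
    findings = []
    # A NuGet/restore problem means the scan did not happen; do not treat it as clean.
    for problem in report.get("problems", []):
        if problem.get("level", "error") == "error":
            findings.append(f"dotnet list package problem: {problem.get('text', '')}")
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for pkg in fw.get("topLevelPackages", []) + fw.get("transitivePackages", []):
                vulns = pkg.get("vulnerabilities") or []
                if not vulns:
                    continue
                worst = max((v.get("severity", "Unknown") for v in vulns), key=severity_rank)
                findings.append(f"{worst}: {pkg['id']} {pkg.get('resolvedVersion', '?')} "
                                f"in {project.get('path', '?')}")
    return findings


def npm_vulnerability_total(audit_json: str) -> int:
    """Total count from npm's metadata summary; sums the per-severity counts if "total" is absent."""
    counts = json.loads(audit_json).get("metadata", {}).get("vulnerabilities", {})
    if "total" in counts:
        return int(counts["total"])
    return sum(int(v) for v in counts.values())


def npm_findings(audit_json: str, where: str) -> list[str]:
    try:
        report = json.loads(audit_json)
    except json.JSONDecodeError:
        return [f"npm audit output in {where} was not JSON"]
    if "error" in report:  # registry or network failure: not a clean result
        return [f"npm audit failed in {where}: {report['error'].get('summary', report['error'])}"]
    total = npm_vulnerability_total(audit_json)
    return [f"{total} npm audit finding(s) in {where}"] if total else []


def evaluate(dotnet_json: str, npm_reports: dict[str, str]) -> list[str]:
    """Combine both scanners; an empty list means the gate passes."""
    findings = dotnet_findings(dotnet_json)
    for where, audit_json in npm_reports.items():
        findings.extend(npm_findings(audit_json, where))
    return findings


def run_gates(solution: str, npm_dirs: list[str]) -> int:
    """Invoke the real tools when installed and return a process exit code for CI."""
    dotnet_json = "{}"
    if shutil.which("dotnet"):
        proc = subprocess.run(["dotnet", "list", solution, "package", "--vulnerable",
                               "--include-transitive", "--format", "json"],
                              capture_output=True, text=True)
        dotnet_json = proc.stdout
    npm_reports = {}
    if shutil.which("npm"):
        for d in npm_dirs:
            # npm audit exits 1 whenever it finds something, so parse stdout instead of the exit code.
            proc = subprocess.run(["npm", "audit", "--json"], cwd=d, capture_output=True, text=True)
            npm_reports[d] = proc.stdout
    findings = evaluate(dotnet_json, npm_reports)
    for line in findings:
        print(line)
    print("dependency gate:", "FAIL" if findings else "PASS")
    return 1 if findings else 0


# Constructed sample outputs (placeholder package names, not real advisories).
NPM_CLEAN = json.dumps({"auditReportVersion": 2, "vulnerabilities": {}, "metadata": {
    "vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 0, "total": 0}}})
NPM_DIRTY = json.dumps({"auditReportVersion": 2, "vulnerabilities": {"sample-pkg": {"severity": "high"}},
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 2, "critical": 0, "total": 3}}})
DOTNET_CLEAN = json.dumps({"version": 1, "parameters": "--vulnerable --include-transitive", "projects": [
    {"path": "src/Sample.Web/Sample.Web.csproj", "frameworks": [
        {"framework": "net8.0", "topLevelPackages": [], "transitivePackages": []}]}]})
DOTNET_DIRTY = json.dumps({"version": 1, "parameters": "--vulnerable --include-transitive", "projects": [
    {"path": "src/Sample.Web/Sample.Web.csproj", "frameworks": [
        {"framework": "net8.0", "topLevelPackages": [], "transitivePackages": [
            {"id": "Sample.Transitive", "resolvedVersion": "1.0.0", "vulnerabilities": [
                {"severity": "Moderate", "advisoryurl": "https://example.invalid/adv-1"},
                {"severity": "High", "advisoryurl": "https://example.invalid/adv-2"}]}]}]}]})

if __name__ == "__main__":
    sys.exit(run_gates("sscms.sln", [".", "src/SSCMS.Web"]))
```

Run it from the repository root with the SDK and npm on PATH; a non-zero exit fails the pipeline job. It deliberately fails closed: unparseable output, a NuGet `problems` entry or an npm `error` object is reported as a failure rather than as a clean scan, because a scan that could not reach its advisory source says nothing about the dependencies.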

@bbingz bbingz force-pushed the security/dependency-hygiene-2026 branch from 28b90dc to 0681a36 Compare May 30, 2026 23:01
@bbingz bbingz changed the title fix: refresh dependency security metadata fix: refresh dependency and CI security metadata May 30, 2026
