Fix all Dependabot security vulnerabilities

[Copilot]

Resolves all open Dependabot security alerts across Go and npm packages. Covers both direct dependency upgrades and transitive vulnerability fixes via overrides.

Go (backend/services/bulkdata/http)

• golang.org/x/crypto 0.35.0 → 0.45.0 (SSH GSSAPI DoS, SSH agent panic)
• golang.org/x/sys 0.30.0 → 0.38.0

npm (backend/services/utils/socketio)

• express 4.18.2 → 4.22.1
• Added overrides to force qs@^6.14.2 and body-parser@^1.20.4 (DoS via arrayLimit bypass — express 4.x pins qs@~6.14.0, which can't self-resolve)

npm (frontend)

• next 14.2.30 → 15.5.12 (HTTP request deserialization DoS; required major version jump — 14.x has no backport)
• koa 3.0.1 → 3.0.3 (Content-Type sniffing, Referer normalization)
• js-yaml 4.1.0 → 4.1.1 (prototype pollution in << merge)
• eslint 8.34.0 → 8.57.1, eslint-config-next 14.2.4 → 15.5.12
• Added overrides to force safe versions of transitive devDep vulnerabilities that eslint 8.x cannot self-resolve:

"overrides": {
  "minimatch": "^10.2.2",
  "brace-expansion": "^2.0.2",
  "glob": "^11.0.0",
  "rimraf": "^5.0.10",
  "ajv": "^8.18.0"
}

npm audit returns 0 vulnerabilities in both npm workspaces. All Go modules verified clean against the advisory DB.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.