security: fix critical and high priority npm vulnerabilities

Fix Dependabot alerts:
- Alert #92 (CRITICAL): form-data < 2.5.4 → upgraded to 4.0.5
- Alert #103 (HIGH): glob vulnerable to command injection → ≥10.5.0
- Alert #108 (HIGH): qs DoS vulnerability → upgraded to 6.14.1

Added pnpm overrides to enforce secure versions across dependency tree.
Build and dependency installation verified successful.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Kayvan Sylvan
2026-01-25 13:29:25 -08:00
parent 9c2fc25872
commit 75c2e16a90
2 changed files with 123 additions and 183 deletions


@@ -70,6 +70,7 @@
"tunnel-agent@<0.6.0": ">=0.6.0",
"qs@<6.0.4": ">=6.0.4",
"qs@<1.0.0": ">=1.0.0",
"qs@<6.14.1": ">=6.14.1",
"hawk@<3.1.3": ">=3.1.3",
"http-signature@<0.10.0": ">=0.10.0",
"request@>=2.2.6 <2.47.0": ">=2.68.0",
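Review bot: the added `"qs@<6.14.1": ">=6.14.1"` selector overlaps the existing `qs@<6.0.4` and `qs@<1.0.0` entries in this hunk, so a single installed qs version can now match several overrides at once. Because `<6.14.1` covers everything the older selectors cover, remove the older qs entries so the effective floor is unambiguous. The target `>=6.14.1` is also open-ended and can resolve to a later major release; a bounded range such as `^6.14.1` would keep resolution on the 6.x line.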
@@ -79,7 +80,9 @@
"qs@<6.2.4": ">=6.2.4",
"cookie@<0.7.0": ">=0.7.0",
"tough-cookie@<4.1.3": ">=4.1.3",
"nanoid@<3.3.8": ">=3.3.8"
"nanoid@<3.3.8": ">=3.3.8",
"form-data@<2.5.4": ">=2.5.4",
"glob@>=10.2.0 <10.5.0": ">=10.5.0"
},
"onlyBuiltDependencies": [
"esbuild",
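Review bot: both new targets in this hunk are open-ended. `"form-data@<2.5.4": ">=2.5.4"` lets the resolver move a 2.x consumer to any later major (the commit message reports 4.0.5), and `"glob@>=10.2.0 <10.5.0": ">=10.5.0"` can resolve past 10.x. Consider bounding them, for example `^2.5.4` and `^10.5.0`, or note in the commit message that the cross-major jump for form-data is intended and that the packages depending on it were exercised, since a successful install and build does not show that their runtime calls still match the newer API.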