chore(security): close 13 dependabot alerts (Jun-17 triage wave) (#1323)
Three new overrides and five floor bumps close 13 of 20 open
Dependabot alerts on rocketride-org/rocketride-server. The remaining
7 alerts (3 cryptography HIGH + 2 nltk HIGH, all pip; plus dompurify
GHSA-x4vx-rjvf-j5p4 LOW + one other unpatched) are tracked separately.
HIGH #184 ws < 8.21.0 → bump >=8.20.1 → >=8.21.0
HIGH #188 form-data >= 4.0.0, < 4.0.6 → >=4.0.6 <5 (new)
HIGH #190 protobufjs <= 7.6.0 → bump >=7.5.5 → >=7.6.3
MEDIUM #189 protobufjs <= 7.6.2 → (same fix as #190)
MEDIUM #186 js-yaml <= 4.1.1 → bump >=4.1.1 → >=4.2.0
MEDIUM #187 tar <= 7.5.15 → >=7.5.16 <8 (new)
MEDIUM #201 markdown-it <= 14.1.1 → bump >=14.1.1 → >=14.2.0
MEDIUM #194 dompurify <= 3.4.5 → bump >=3.4.0 → >=3.4.9 (preserve <3.5.0)
MEDIUM #195 dompurify <= 3.4.5 → (same fix)
MEDIUM #196 dompurify < 3.4.7 → (same fix)
MEDIUM #198 dompurify <= 3.4.6 → (same fix)
LOW #185 @babel/core <= 7.29.0 → >=7.29.6 <8 (new)
LOW #199 dompurify >= 3.0.0, <= 3.4.7 → (same dompurify fix)
LOW #200 dompurify < 3.4.9 → (same dompurify fix)
dompurify upper bound kept at `<3.5.0` to preserve the existing
narrow-major pin that was in the prior override.
Companion PR on rocketride-ai/rocketride-saas#265 covers the same
8 npm packages on the saas side.
Out of scope for this PR (no fix via pnpm.overrides):
HIGH #202, #203 nltk pip, patched=— (no upstream patch)
HIGH #191, #192, #193 cryptography pip, patched=48.0.1
(needs Python deps update)
LOW #197 dompurify (GHSA-x4vx-rjvf-j5p4) patched=—
(no upstream patch)
Anand Ray committed
cc447b5fec5ca69403cdafe3025347d2ea799e2a
Parent: a9531db
Committed by GitHub <noreply@github.com>
on 6/23/2026, 9:28:40 PM