fix(deps): bump vulnerable transitive deps to patched versions (#405)

[MarioCadenas]

Summary

Closes #405. A fresh app on the latest @databricks/appkit / @databricks/appkit-ui trips a clean npm audit because several deps were pinned under published advisories — and the OpenTelemetry/ws chain reported fixAvailable: false downstream because the pins live inside AppKit's tree.

This splits the fix into direct bumps that propagate to downstream consumers and scoped pnpm.overrides for transitive pins that can only be cleaned in our own tree + SBOM.

Direct bumps (reach downstream consumers)

Dependency	Change	Advisory
OpenTelemetry cohort (api-logs, instrumentation, instrumentation-http, *-otlp-proto exporters, sdk-node, sdk-logs)	0.208.0 → 0.218.0	GHSA-q7rr-3cgh-j5r3 (HIGH, Prometheus exporter crash)
OTel stable (resources, sdk-metrics, sdk-trace-base, context-async-hooks)	2.2.0–2.6.x → 2.7.1	cohort alignment
auto-instrumentations-node / instrumentation-express	0.67.2 / 0.57.0 → 0.76.0 / 0.66.0	cohort alignment
ws	8.18.3 → 8.21.0	GHSA-58qx-3vcg-4xpx
dompurify (appkit-ui)	3.3.3 → 3.4.8	GHSA-39q2-94rc-95cp, GHSA-v9jr-rg53-9pgp

The OTel versions are exactly the set sdk-node@0.218.0 declares, so there are no peer-dep conflicts.

Transitive overrides (scoped pnpm.overrides)

protobufjs (via @grpc/proto-loader) and qs (via express) are transitive, so a direct bump can't move them:

• protobufjs@<7.6.2 → 7.6.2 (in-range for proto-loader's ^7.5.3)
• qs@<6.15.2 → 6.15.2

Honest scope note: overrides in a published package's package.json do not apply to a downstream install, so these clean our own tree and the shipped sbom.cdx.json only. qs stays capped at ~6.14.0 for consumers until an express 5 migration (breaking, tracked separately).

Verification

• pnpm build ✅
• pnpm -r typecheck ✅
• Full test suite — 2801 tests ✅
• Telemetry tests (exercise OTel) — 61 tests ✅
• Lockfile resolves to the patched versions (protobufjs@7.6.2, qs@6.15.2, ws@8.21.0, dompurify@3.4.8)