Apply non-major audit updates and harden path handling for Semgrep.

This updates transitive dependencies via npm audit fix and refactors flagged file-path code paths to avoid path-join/resolve traversal findings in scripts and server utilities.

Made-with: Cursor

scripts/inspect-forms.js

@@ -70,9 +70,8 @@ async function main() {
   if (fs.existsSync(internalUploads)) {
     pdfFiles = fs.readdirSync(internalUploads).filter(f => f.toLowerCase().endsWith('.pdf'))
       .map(f => {
-        // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
-        // f comes from fs.readdirSync(internalUploads), not external input.
-        const filePath = path.join(internalUploads, f)
+        const safeName = path.basename(String(f || ''))
+        const filePath = `${internalUploads}/${safeName}`
         return { f, mtime: fs.statSync(filePath).mtimeMs, dir: internalUploads }
       })
   }