Update JS packages
Fix npm audit findings that can be addressed without broad major dependency upgrades.
Update affected `vitest`, `uuid`, and `qs` dependencies or overrides so the lockfile no longer includes vulnerable resolved versions. Avoid using `npm audit fix --force`, because it also attempts major upgrades for Astro and Cypress.
The Astro vulnerability doesn't affect Canvas, and the upgrade will be handled in https://git.drupalcode.org/project/canvas/-/work_items/3588803.
Cypress shouldn't be upgraded to the next major if we can avoid it. We should be phasing it out in favor of Playwright.
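
One way to confirm that the lockfile no longer resolves any copy of a package below a patched version, including nested copies that only an override reaches. This is an added example, not code from the Canvas project; the lockfile contents, the floor versions, and the function names are constructed for illustration and are not the versions from any advisory.

```javascript
// Added example: list every resolved copy of selected packages in a
// package-lock.json (lockfileVersion 2/3) and flag copies below a floor.
// SAMPLE_LOCK and SAMPLE_FLOORS are constructed values, not real advisory data.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app" },
    "node_modules/qs": { version: "9.9.2" },
    "node_modules/uuid": { version: "9.9.0" },
    "node_modules/vitest": { version: "9.9.5", dev: true },
    "node_modules/some-dep/node_modules/qs": { version: "9.1.0" },
    "node_modules/@scope/tool/node_modules/uuid": { version: "9.9.1" },
  },
};
const SAMPLE_FLOORS = { qs: "9.9.1", uuid: "9.9.0", vitest: "9.9.5" };

// The package name is whatever follows the last "node_modules/" in the key,
// so nested copies and scoped names (@scope/name) are both handled.
function packageName(lockKey) {
  const marker = "node_modules/";
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? null : lockKey.slice(i + marker.length);
}

// Compare plain x.y.z versions numerically; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every lockfile entry whose resolved version is below its floor.
function findBelowFloor(lock, floors) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name || !entry.version) continue;
    if (!Object.prototype.hasOwnProperty.call(floors, name)) continue;
    if (compareVersions(entry.version, floors[name]) < 0) {
      hits.push({ name, version: entry.version, path: key });
    }
  }
  return hits;
}

console.log(findBelowFloor(SAMPLE_LOCK, SAMPLE_FLOORS));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and set the floors to the patched versions reported by `npm audit`.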