Update JS packages
Fix npm audit findings that can be addressed without broad major dependency upgrades.
Update affected dependencies or overrides so the lockfile no longer includes vulnerable resolved versions. Avoid using `npm audit fix --force`, because it also attempts major upgrades for **Astro** and **Cypress**.
The Astro vulnerability doesn't affect Canvas, and the upgrade will be handled in https://git.drupalcode.org/project/canvas/-/work_items/3588803.
Cypress shouldn't be upgraded to the next major if we can avoid it. We should be phasing it out in favor of Playwright.
We should also avoid **esbuild**.