Security: bump vulnerable dependencies (Dependabot Tiers 1-3)

RubyGems (bundle update --conservative jwt devise faraday):
  - jwt 3.1.2 → 3.2.0  (CVE-2026-45736: empty-key HMAC bypass)
  - devise 5.0.3 → 5.0.4  (CVE-2026-40295: open redirect via referrer)
  - faraday 2.14.1 → 2.14.2  (CVE-2026-33637: protocol-relative URI)

npm direct deps (yarn upgrade):
  - @eid-easy/eideasy-widget 2.171.0 → 2.174.0, pulling
    browser-client 2.135.0 → 2.140.0 which updates
    axios 1.8.2 → 1.16.1 (clears all 14 axios CVEs incl. prototype
    pollution, SSRF, DoS, header injection)
  - rollbar 2.26.4 → 2.26.5  (CVE-2025-62517: prototype pollution)
  - webpack-dev-server 5.2.3 → 5.2.4  (CVE-2026-6402: cross-origin src)
  - postcss ^8.4.31 → ^8.5.10, resolved to 8.5.15  (CVE-2026-41305: XSS)

npm transitive (yarn resolutions + postcss direct-dep bump):
  cross-spawn → 7.0.6, flatted → 3.4.2, glob → 10.5.0,
  immutable → 4.3.8, js-yaml → 4.1.1, lodash → 4.18.1,
  markdown-it → 14.1.1, micromatch → 4.0.8, nanoid → 3.3.12,
  picomatch → 2.3.2, postcss → 8.5.15, svgo → 3.3.3

Remaining open alerts (multi-major transitive, build-tool DoS only,
near-zero production impact): minimatch (3.x/9.x), semver (6.x/7.x),
yaml (1.x/2.x), brace-expansion (1.x/2.x), serialize-javascript
(6→7 major), ws (7.x), Vue 2 (eideasy-widget 2.x, needs 3.x migration).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pull/687/head
Wabo 1 month ago
parent 5433aa4dc3
commit 1edc41c981

@ -161,7 +161,7 @@ GEM
irb (~> 1.10)
reline (>= 0.3.8)
declarative (0.0.20)
devise (5.0.3)
devise (5.0.4)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 7.0)
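Review bot: Only Gemfile.lock moves here (devise 5.0.3 to 5.0.4) while the runtime constraints `bcrypt (~> 3.0)`, `orm_adapter (~> 0.1)` and `railties (>= 7.0)` are unchanged, so please confirm the Gemfile itself does not pin `devise` to a range that a later `bundle update` could resolve back below 5.0.4; if it does, raise the floor there too. Since the commit message ties this bump to an open-redirect-via-referrer fix, it is worth noting in the message or PR whether the app relies on `after_sign_in_path_for` or `stored_location_for` overrides, as those are the paths a reviewer would want re-exercised after the upgrade.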
@ -195,7 +195,7 @@ GEM
railties (>= 6.1.0)
faker (3.6.1)
i18n (>= 1.8.11, < 2)
faraday (2.14.1)
faraday (2.14.2)
faraday-net_http (>= 2.0, < 3.5)
json
logger
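Review bot: The faraday 2.14.1 to 2.14.2 patch bump leaves the `faraday-net_http (>= 2.0, < 3.5)` range untouched, which is fine, but the commit message describes the fix as covering a protocol-relative URI issue and nothing in this hunk shows a regression check for it. Suggest adding a spec that passes a `//host/path`-style input through the app's own Faraday client wrapper and asserts on the resulting request URL, so the behaviour is pinned regardless of future library changes.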
@ -277,7 +277,7 @@ GEM
reline (>= 0.4.2)
jmespath (1.6.2)
json (2.19.3)
jwt (3.1.2)
jwt (3.2.0)
base64
language_server-protocol (3.17.0.5)
launchy (3.1.1)
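Review bot: jwt goes from 3.1.2 to 3.2.0, a minor rather than a patch bump even under `--conservative`, so the 3.2.0 changelog should be checked for `JWT.decode` behaviour changes beyond the fix the commit message cites (empty-key HMAC bypass). Because that fix concerns an empty key, please also verify that the application never reaches `JWT.decode` with a nil or empty secret (for example from an unset environment variable) and add a spec asserting that decoding with an empty key raises; the library upgrade alone does not guarantee the app's configuration is sound.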

@ -48,7 +48,7 @@
"daisyui": "^3.9.4",
"driver.js": "^1.3.5",
"mini-css-extract-plugin": "^2.10.0",
"postcss": "^8.4.31",
"postcss": "^8.5.10",
"postcss-import": "^15.1.0",
"postcss-loader": "^7.3.0",
"qr-creator": "^1.0.0",
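Review bot: The direct range becomes `"postcss": "^8.5.10"` while the commit message says the installed version is pinned to 8.5.15 through `resolutions`, so the manifest now states two different floors for the same package. Pick one, preferably `"postcss": "^8.5.15"` so the minimum the alert was resolved against is visible in the dependency declaration itself rather than only in the resolutions override.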
@ -85,6 +85,20 @@
"browserslist": [
"last 5 years"
],
"resolutions": {
"cross-spawn": "7.0.6",
"flatted": "3.4.2",
"glob": "10.5.0",
"immutable": "4.3.8",
"js-yaml": "4.1.1",
"lodash": "4.18.1",
"markdown-it": "14.1.1",
"micromatch": "4.0.8",
"nanoid": "3.3.12",
"picomatch": "2.3.2",
"postcss": "8.5.15",
"svgo": "3.3.3"
},
"devDependencies": {
"@babel/eslint-parser": "^7.21.8",
"babel-eslint": "^10.1.0",
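Review bot: Every entry in the new `resolutions` block is an exact pin (`"cross-spawn": "7.0.6"`, `"lodash": "4.18.1"`, `"glob": "10.5.0"`, ...), which means the next security patch for any of these packages will not flow in through `yarn upgrade` until someone edits this block again; consider caret ranges such as `"lodash": "^4.18.1"` where the goal is only a floor, or add a comment in the PR on how these pins are tracked. Separately, resolutions override whatever range a transitive consumer declared, so `"glob": "10.5.0"` will be forced onto any dependency that asked for an older glob major; please confirm the full build and test run passed with these overrides and mention that in the PR description. `postcss` also appears both in `dependencies` and here, which is redundant once the direct range is raised.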

File diff suppressed because it is too large