local-harden: override serialize-javascript >=7.0.5

Why: vite-plugin-pwa -> workbox-build -> @rollup/plugin-terser pulls
serialize-javascript <=7.0.4, which has GHSA-5c6j-r48x-rmvq (RCE) and
GHSA-qj8w-gfj5-8c6v (DoS). Build-time only; no runtime exposure. The
override breaks the chain without downgrading vite-plugin-pwa.

Local fork carry-patch — not for upstream PR until vite-plugin-pwa
updates its workbox-build pin.

web/package-lock.json

@@ -12,7 +12,7 @@
         "@emotion/react": "^11.11.0",
         "@emotion/styled": "^11.11.0",
         "@mui/icons-material": "^5.4.2",
-        "@mui/material": "*",
+        "@mui/material": "latest",
         "dexie": "^3.2.1",
         "dexie-react-hooks": "^1.1.1",
         "humanize-duration": "^3.27.3",
@@ -20,8 +20,8 @@
         "i18next-browser-languagedetector": "^6.1.4",
         "i18next-http-backend": "^3.0.5",
         "js-base64": "^3.7.2",
-        "react": "*",
-        "react-dom": "*",
+        "react": "latest",
+        "react-dom": "latest",
         "react-i18next": "^11.16.2",
         "react-infinite-scroll-component": "^6.1.0",
         "react-remark": "^2.1.0",
@@ -7234,16 +7234,6 @@
       ],
       "license": "MIT"
     },
-    "node_modules/randombytes": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
-      "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "safe-buffer": "^5.1.0"
-      }
-    },
     "node_modules/react": {
       "version": "19.2.5",
       "resolved": "https://registry.npmjs.org/react/-/react-19.2.5.tgz",
@@ -7684,27 +7674,6 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
-    "node_modules/safe-buffer": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
-      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
-      "dev": true,
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ],
-      "license": "MIT"
-    },
     "node_modules/safe-push-apply": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/safe-push-apply/-/safe-push-apply-1.0.0.tgz",
@@ -7757,13 +7726,13 @@
       }
     },
     "node_modules/serialize-javascript": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz",
-      "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==",
+      "version": "7.0.5",
+      "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.5.tgz",
+      "integrity": "sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==",
       "dev": true,
       "license": "BSD-3-Clause",
-      "dependencies": {
-        "randombytes": "^2.1.0"
+      "engines": {
+        "node": ">=20.0.0"
       }
     },
     "node_modules/set-function-length": {

web/package.json

@@ -47,6 +47,9 @@
     "vite": "^6.4.2",
     "vite-plugin-pwa": "^1.0.0"
   },
+  "overrides": {
+    "serialize-javascript": ">=7.0.5"
+  },
   "browserslist": {
     "production": [
       ">0.2%",