Commit ab8cf0b
fix: resolve npm audit vulnerabilities in action/ and replace dead gitpkg dependency
Replace cfn-guard dependency from gitpkg.vercel.app (which is permanently
returning 402 DEPLOYMENT_DISABLED) with a local file reference to
../guard/ts-lib. This works because CI checks out the full repo.
Add overrides in package.json to pin minimum safe versions for transitive
dependencies, ensuring fixes persist across lockfile regeneration:
- flatted: 3.4.2 (prototype pollution, DoS)
- ajv: 6.14.0 (ReDoS)
- micromatch: 4.0.8 (ReDoS)
- js-yaml: >=3.14.2 (prototype pollution)
- brace-expansion: >=1.1.13 (ReDoS)
- picomatch: >=2.3.2 (method injection, ReDoS)
- minimatch: >=3.1.5 (ReDoS, partial — prettier-eslint copy remains)
- @babel/helpers: >=7.26.10 (regex complexity)
- @eslint/plugin-kit: >=0.3.4 (ReDoS)
Remaining alerts:
- undici (production, via @actions/github) — requires breaking major bump
- minimatch 9.0.3 via prettier-eslint — requires breaking upgrade
Verified: npm run lint ✅, npm test ✅ (20/20 tests passed)

1 parent 7c87f32
2 files changed, +261 -308 lines
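The commit relies on package.json overrides to keep the pinned minimums in place when the lockfile is regenerated. A check that confirms this after `npm install` is below; it is an added example, not code from this repository, and it assumes a lockfileVersion 3 package-lock.json (the "packages" map keyed by node_modules paths) and a constructed sample lockfile rather than the project's real one.

```python
"""Verify that every copy of an overridden package in package-lock.json
(lockfileVersion 3) meets the minimum version set in package.json overrides."""
import json
import re

# Minimums from the commit message; a bare version and ">=version" both
# mean "at least this version" for the purpose of this check.
OVERRIDES = {
    "flatted": "3.4.2", "ajv": "6.14.0", "micromatch": "4.0.8",
    "js-yaml": ">=3.14.2", "brace-expansion": ">=1.1.13",
    "picomatch": ">=2.3.2", "minimatch": ">=3.1.5",
    "@babel/helpers": ">=7.26.10", "@eslint/plugin-kit": ">=0.3.4",
}

# Constructed sample lockfile: nested copies live under their parent's path,
# exactly like the prettier-eslint copy of minimatch mentioned in the commit.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "action"},
    "node_modules/flatted": {"version": "3.4.2"},
    "node_modules/minimatch": {"version": "3.1.5"},
    "node_modules/prettier-eslint/node_modules/minimatch": {"version": "9.0.3"},
    "node_modules/ajv": {"version": "6.12.6"},
}})


def parse_version(v):
    """'>=3.14.2' or '3.14.2' -> (3, 14, 2); pre-release tags are ignored."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", v.lstrip(">=")).groups())


def package_name(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[1]


def find_violations(lock_json, overrides=OVERRIDES):
    """Return (path, installed, required) for every copy below its minimum.
    Note the limitation the commit itself hits: a copy on a *newer* major
    (minimatch 9.0.3 here) passes a minimum check yet may still carry an
    advisory, so npm audit remains the source of truth for those."""
    lock = json.loads(lock_json)
    minimums = {name: parse_version(spec) for name, spec in overrides.items()}
    violations = []
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the root project entry has no node_modules path
        name = package_name(path)
        if name in minimums and parse_version(meta["version"]) < minimums[name]:
            violations.append((path, meta["version"], overrides[name]))
    return violations
```

Run it against the real lockfile by replacing SAMPLE_LOCK with the file's contents; a non-empty result means an override was dropped or not honoured during regeneration.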