MT#64579 Reduce npm audit vulnerabilities from 132 to 30

- Removed `crypto-browserify` from package.json and quasar.config.js
  (unused webpack polyfill that was bundling vulnerable bn.js and
  elliptic into the production build)

Bumped up packages:
* glob
* globals
* jest
* @quasar/app-webpack

Yarn resolutions added
- `serialize-javascript: ^7.0.3` — fixes high-severity RCE vulnerability
  via RegExp.flags/Date.toISOString() (CVE in terser-webpack-plugin and
  @quasar/ssr-helpers paths)
- `**/postcss-svgo/svgo: ^4.0.1` — fixes high-severity Billion Laughs
  DoS (XML entity expansion) in cssnano's SVG optimization pipeline
- `dot-object/minimatch: ^3.1.2` — fixes high-severity ReDoS in
  dot-object's glob dependency
- `**/flatted: 3.4.0` — fixes high-severity unbounded recursion DoS
  in eslint and eslint-webpack-plugin's caching layer

What remains (30 vulnerabilities — all upstream-blocked)
The remaining vulnerabilities are entirely confined to dev-only
tooling and cannot be fixed without upstream releases:
- minimatch ReDoS across jest, @vue/test-utils, jest-serializer-vue,
  @quasar/app-webpack, @quasar/quasar-app-extension-testing-unit-jest
- ajv ReDoS across eslint, eslint-webpack-plugin, @quasar/app-webpack
- webpack SSRF (buildHttp feature, not used in this project)
- qs DoS in webpack-dev-server's express (local dev only)
- esbuild dev server CORS issue (local dev only)
- vue-template-compiler XSS (no patch available upstream)
- tmp symlink issue, @tootallnate/once control flow (test tooling only)

Change-Id: I72f34757538f97bb3495a57d7f0263df58102f1e
(cherry picked from commit 1ebe3c0683)
(cherry picked from commit dda9bff6a4)

package.json

@@ -34,7 +34,6 @@
     "axios": "1.13.5",
     "content-disposition": "^1.0.1",
     "core-js": "^3.47.0",
-    "crypto-browserify": "3.12.1",
     "decode-uri-component": "^0.4.0",
     "eslint-plugin-no-relative-import-paths": "1.6.1",
     "eslint-plugin-unused-imports": "4.3.0",
@@ -64,7 +63,7 @@
   "devDependencies": {
     "@babel/eslint-parser": "^7.28.5",
     "@babel/plugin-transform-private-methods": "7.27.1",
-    "@quasar/app-webpack": "4.3.1",
+    "@quasar/app-webpack": "4.4.1",
     "@quasar/cli": "2.5.0",
     "@quasar/quasar-app-extension-testing": "2.2.0",
     "@quasar/quasar-app-extension-testing-unit-jest": "3.0.3",
@@ -84,21 +83,20 @@
     "eslint-plugin-quasar": "1.1.0",
     "eslint-plugin-vue": "10.6.2",
     "eslint-webpack-plugin": "5.0.2",
-    "glob": "13.0.1",
+    "glob": "13.0.6",
-    "globals": "16.5.0",
+    "globals": "17.4.0",
     "is-valid-glob": "1.0.0",
-    "jest": "30.2.0",
+    "jest": "30.3.0",
     "jest-serializer-vue": "3.1.0",
     "js-yaml": "4.1.1",
     "uuid": "13.0.0",
     "vue-wait-vue3": "1.5.3"
   },
   "resolutions": {
-    "@isaacs/brace-expansion": "5.0.1",
+    "serialize-javascript": "^7.0.3",
-    "qs": "6.14.1",
+    "**/postcss-svgo/svgo": "^4.0.1",
-    "tar": "7.5.7",
+    "dot-object/minimatch": "^3.1.2",
-    "lodash": "4.17.23",
+     "**/flatted": "3.4.0"
-    "lodash-es": "4.17.23"
   },
   "browserslist": [
     "last 10 Chrome versions",

quasar.config.js

@@ -135,7 +135,6 @@ export default async function (ctx) {
             // https://quasar.dev/quasar-cli/handling-webpack
             extendWebpack (cfg) {
                 cfg.resolve.fallback = {
-                    crypto: 'crypto-browserify',
                     stream: 'stream-browserify',
                     vm: false
                 }