
Bump JS deps to resolve all open Dependabot alerts #1648

Open

IEvangelist wants to merge 1 commit into main from dapine/fix-dependabot-alerts

Conversation

@IEvangelist
Member

Bump JS deps to resolve all open Dependabot alerts

Summary

Closes the two open Dependabot alerts on this repo by bumping the two JavaScript lockfile-based manifests via npm overrides.

Alerts addressed

| File | Package | Vuln range | Bumped to | Severity | GHSA | Alert |
| --- | --- | --- | --- | --- | --- | --- |
| samples/polyglot-task-queue/api/package-lock.json | qs | < 6.15.2 | 6.15.2 | medium | GHSA-r2pq-mvjr-w5xj | #480 |
| samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json | webpack-dev-server | <= 5.2.3 | 5.2.4 | medium | GHSA-79cf-xcqc-c78w | #474 |

How each manifest was updated

  • samples/polyglot-task-queue/api - qs is a transitive (via express). Added an overrides block that pins qs to ^6.15.2, then regenerated package-lock.json with npm install --package-lock-only. The diff is a one-line version + integrity bump.
  • samples/aspire-with-javascript/AspireJavaScript.Angular - webpack-dev-server is a transitive (via @angular-devkit/build-angular). Added an entry to the existing overrides block ("webpack-dev-server": "^5.2.4"), then regenerated package-lock.json with npm install --package-lock-only --legacy-peer-deps (matching the existing lockfile generation; the typescript@~6.0.3 vs @angular-devkit/build-angular peer-dep mismatch is pre-existing and unrelated). Only the webpack-dev-server package + a few transitively-removed @emnapi/* peer-optional entries change.

Validation

For each updated manifest, npm install --package-lock-only --no-audit --no-fund succeeds against the configured mirror, and every vulnerable version is gone from the resolved tree:

samples/polyglot-task-queue/api/package-lock.json:
  OK  qs = 6.15.2 (expected >= 6.15.2)

samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json:
  OK  webpack-dev-server = 5.2.4 (expected >= 5.2.4)

Risk notes for reviewers

  • Both packages are dev-/runtime-only transitives - no direct dependency is changed.
  • webpack-dev-server 5.2.4 is a patch bump (5.2.3 -> 5.2.4). No public API changes.
  • qs 6.15.2 is a patch bump (6.15.1 -> 6.15.2). No public API changes.

Closes the two open Dependabot alerts on this repo by bumping the two
JavaScript lockfile-based manifests via npm `overrides`:

| File | Package | Bumped to | Severity | GHSA | Alert |
| --- | --- | --- | --- | --- | --- |
| `samples/polyglot-task-queue/api/package-lock.json` | `qs` | `6.15.2` | medium | GHSA-r2pq-mvjr-w5xj | #480 |
| `samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json` | `webpack-dev-server` | `5.2.4` | medium | GHSA-79cf-xcqc-c78w | #474 |

Both packages are transitive, so each is pinned via npm `overrides` and
the lockfile is regenerated with `npm install --package-lock-only`. No
direct dependency or top-level script is affected; the only behavioral
change is the patched vulnerable transitives are no longer resolved.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
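The "every vulnerable version is gone from the resolved tree" check in the Validation section above is worth scripting so it can run in CI after each `npm install --package-lock-only`. The following is an added example, not code from this PR or from the aspire-samples repository: it walks a `package-lock.json` (the `packages` map of lockfileVersion 2/3, falling back to the nested `dependencies` tree of lockfileVersion 1), collects every install path at which a given package is resolved, and flags any copy below the patched minimum. The two sample lockfiles embedded in it are constructed for illustration; the package names, versions and the `api` root package are assumptions, not the repo's real lockfile contents.

```javascript
// Added example (not part of the PR or the aspire-samples repo): audit a
// package-lock.json and confirm every resolved copy of a transitive package
// is at or above the patched version. Reports all install paths, so a stale
// nested duplicate (node_modules/express/node_modules/qs) is not missed.

// Parse "MAJOR.MINOR.PATCH"; a prerelease/build suffix is dropped, which is a
// simplification of full semver that is adequate for lockfile versions.
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Map of install path -> resolved version for every copy of `name`.
function resolvedVersions(lock, name) {
  const found = {};
  if (lock.packages) {
    // lockfileVersion 2/3: keys are paths such as "node_modules/qs" or
    // "node_modules/@scope/pkg"; the root package has the empty key.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx < 0) continue; // root or workspace link, not an installed copy
      const pkg = path.slice(idx + 'node_modules/'.length);
      if (pkg === name && meta.version) found[path] = meta.version;
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: recursive "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name && meta.version) found[path] = meta.version;
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Returns a report instead of throwing so CI can print every offender.
function checkPatched(lock, name, minVersion) {
  const versions = resolvedVersions(lock, name);
  const offenders = Object.entries(versions)
    .filter(([, v]) => compareVersions(v, minVersion) < 0)
    .map(([path, v]) => `${path}@${v}`);
  return { ok: offenders.length === 0, versions, offenders };
}

// One line per resolved copy, in the style of the PR's validation output.
function formatReport(name, report, minVersion) {
  return Object.entries(report.versions)
    .map(([path, v]) => `  ${compareVersions(v, minVersion) < 0 ? 'FAIL' : 'OK  '} ` +
      `${name} = ${v} (expected >= ${minVersion}) at ${path}`)
    .join('\n');
}

// Constructed sample (assumed, not the repo's lockfile): one hoisted patched
// copy of qs plus a stale nested copy that express still resolves.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'api', version: '1.0.0', dependencies: { express: '^4.19.0' } },
    'node_modules/express': { version: '4.19.2', dependencies: { qs: '6.11.0' } },
    'node_modules/qs': { version: '6.15.2' },
    'node_modules/express/node_modules/qs': { version: '6.11.0' },
  },
};

// Same tree after adding "overrides": { "qs": "^6.15.2" } to package.json and
// regenerating with `npm install --package-lock-only`: a single patched copy.
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'api', version: '1.0.0', dependencies: { express: '^4.19.0' } },
    'node_modules/express': { version: '4.19.2', dependencies: { qs: '6.11.0' } },
    'node_modules/qs': { version: '6.15.2' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-lock.js <package-lock.json> <package> <minVersion>
  // With no arguments it runs against the constructed "before" sample.
  const [file, pkg = 'qs', min = '6.15.2'] = process.argv.slice(2);
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK_BEFORE;
  const report = checkPatched(lock, pkg, min);
  console.log(formatReport(pkg, report, min));
  if (file) process.exitCode = report.ok ? 0 : 1; // fail CI on a real lockfile
}
```

Run it once per updated manifest (for instance against `samples/polyglot-task-queue/api/package-lock.json` with `qs 6.15.2`, and against the Angular sample's lockfile with `webpack-dev-server 5.2.4`); a non-zero exit means some install path still resolves a version inside the advisory's range, which is exactly the case an `overrides` entry is meant to eliminate.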
Copilot AI review requested due to automatic review settings May 26, 2026 14:51
Contributor

Copilot AI left a comment


Pull request overview

This PR resolves the repo’s remaining open Dependabot alerts by pinning patched versions of two vulnerable transitive JavaScript dependencies via npm overrides, and updating the corresponding lockfiles to reflect the new resolutions.

Changes:

  • Add an npm override for qs in samples/polyglot-task-queue/api and update package-lock.json to qs@6.15.2.
  • Extend the existing npm overrides in samples/aspire-with-javascript/AspireJavaScript.Angular to force webpack-dev-server@^5.2.4 and update package-lock.json to webpack-dev-server@5.2.4 (with related lockfile pruning).

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| samples/polyglot-task-queue/api/package.json | Adds npm overrides entry to force qs to a patched version. |
| samples/polyglot-task-queue/api/package-lock.json | Updates resolved qs package entry to 6.15.2. |
| samples/aspire-with-javascript/AspireJavaScript.Angular/package.json | Adds webpack-dev-server to existing overrides to force patched version. |
| samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json | Updates resolved webpack-dev-server to 5.2.4 and removes now-unneeded optional peer entries. |
Files not reviewed (2)
  • samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json: Language not supported
  • samples/polyglot-task-queue/api/package-lock.json: Language not supported


@IEvangelist
Member Author

Drive-by validation comment - GitHub won't let me approve my own PR:

  • Windows CI passes, license/cla passes.
  • The Build & Test Samples (ubuntu-latest) failure is pre-existing on main (run 26499954285 on commit dd2df8d and earlier runs all show the same Resource 'angular' failed to start error caused by angular-installer exiting with code 1). Same regression is hitting every recent commit on main, so the failure is not introduced by this PR.
  • Diff is confined to the two lockfiles plus matching overrides entries; no behavior changes.
  • Addresses Dependabot alerts:

Ready for a maintainer review/merge once the main regression is sorted (independent of this PR).
