
Resolve 3 open Dependabot alerts (devalue high, glib medium, rand low) #185

@openidle-dev

Description

Three open Dependabot alerts on main (flagged during the v1.0.21 push). None are in app-runtime-critical paths, but all have published patches.

| # | Severity | Package | Ecosystem | Manifest | Vulnerable | Patched |
|---|----------|---------|-----------|----------|------------|---------|
| 16 | high | devalue | npm | website/package-lock.json | >= 5.6.3, <= 5.8.0 | 5.8.1 |
| 11 | medium | glib | rust | src-tauri/Cargo.lock | >= 0.15.0, < 0.20.0 | 0.20.0 |
| 12 | low | rand | rust | src-tauri/Cargo.lock | >= 0.7.0, < 0.8.6 | 0.8.6 |

Notes / context

  • devalue (high) — "DoS via sparse array deserialization." Transitive dep of the Astro website (website/), not the desktop app. Likely pulled via Astro/SvelteKit-style serialization. Probably resolvable with a lockfile bump (npm update devalue in website/) or an overrides pin to 5.8.1.
  • glib (medium) — "Unsoundness in Iterator/DoubleEndedIterator impls for glib::VariantStrIter." Transitive via the Linux WebKitGTK stack (gtk-rs). Bumping to 0.20.0 may be gated by what tauri/webkit2gtk pin — check whether a compatible upgrade exists without breaking the build.
  • rand (low) — "Rand is unsound with a custom logger using rand::rng()." Transitive in the Rust tree; bump to 0.8.6.

Acceptance

  • devalue ≥ 5.8.1 in website/package-lock.json
  • rand ≥ 0.8.6 in src-tauri/Cargo.lock
  • glib ≥ 0.20.0 in src-tauri/Cargo.lock (or document why it's blocked by the tauri/webkit2gtk pin)
  • CI green (Frontend build + Rust check/clippy/test) and all three alerts auto-close

Per repo convention the patch PR should reference this issue.
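The acceptance list above is a set of minimum versions in two lockfiles. The following is an added example (not code from the openidle repository) that checks both lockfiles against those thresholds so the patch PR can be verified locally before CI runs. It assumes the package-lock.json v2/v3 layout (a top-level `packages` map keyed by `node_modules/...` paths) and the `[[package]]` entry layout of Cargo.lock; the sample lockfile contents are constructed for illustration and deliberately include two copies of `rand`, since a Rust tree can pin several versions of one crate and every copy has to clear the bar.

```python
"""Verify the Dependabot acceptance thresholds against package-lock.json and Cargo.lock."""
import json
import re
import sys

# Minimum patched versions taken from the issue's acceptance list.
# Note: this is stricter than the advisory ranges (e.g. rand 0.6.x would be flagged
# although it is outside ">= 0.7.0, < 0.8.6"); the acceptance criteria want >= patched.
MINIMUM_VERSIONS = {
    "npm": {"devalue": "5.8.1"},
    "cargo": {"glib": "0.20.0", "rand": "0.8.6"},
}


def parse_version(version):
    """Turn '5.8.1' into (5, 8, 1); pre-release/build suffixes are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def npm_lock_versions(lock_text):
    """Map package name -> list of versions found in a package-lock.json (v2/v3).

    Keys in the 'packages' map look like 'node_modules/devalue' or
    'node_modules/astro/node_modules/devalue' for nested copies; the empty key
    is the root project and is skipped.
    """
    found = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        found.setdefault(name, []).append(meta["version"])
    return found


# Cargo.lock entries are TOML tables: [[package]] / name = "..." / version = "...".
CARGO_PACKAGE_RE = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')


def cargo_lock_versions(lock_text):
    """Map crate name -> list of versions found in a Cargo.lock (all copies)."""
    found = {}
    for name, version in CARGO_PACKAGE_RE.findall(lock_text):
        found.setdefault(name, []).append(version)
    return found


def unmet(ecosystem, found, minimums):
    """Return (ecosystem, package, version, minimum) for every copy below its minimum.

    A package that is absent from the tree has nothing to patch and is not reported.
    """
    problems = []
    for package, minimum in minimums.items():
        for version in found.get(package, []):
            if parse_version(version) < parse_version(minimum):
                problems.append((ecosystem, package, version, minimum))
    return problems


def check_lockfiles(npm_lock_text, cargo_lock_text):
    """Run both ecosystems; an empty list means the acceptance criteria are met."""
    return (unmet("npm", npm_lock_versions(npm_lock_text), MINIMUM_VERSIONS["npm"])
            + unmet("cargo", cargo_lock_versions(cargo_lock_text), MINIMUM_VERSIONS["cargo"]))


# Constructed sample lockfiles (not the project's real files): devalue and glib are
# still on vulnerable versions, and rand appears twice, once patched and once not.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "website", "lockfileVersion": 3,
    "packages": {
        "": {"name": "website", "version": "0.0.1"},
        "node_modules/astro": {"version": "5.0.0"},
        "node_modules/devalue": {"version": "5.8.0"},
    },
})

SAMPLE_CARGO_LOCK = """# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "glib"
version = "0.18.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand"
version = "0.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

if __name__ == "__main__":
    # Usage: python check_locks.py website/package-lock.json src-tauri/Cargo.lock
    # With no arguments the constructed samples are checked instead.
    if len(sys.argv) == 3:
        npm_text = open(sys.argv[1], encoding="utf-8").read()
        cargo_text = open(sys.argv[2], encoding="utf-8").read()
    else:
        npm_text, cargo_text = SAMPLE_PACKAGE_LOCK, SAMPLE_CARGO_LOCK
    findings = check_lockfiles(npm_text, cargo_text)
    for eco, pkg, ver, minimum in findings:
        print(f"{eco}: {pkg} {ver} is below required {minimum}")
    sys.exit(1 if findings else 0)
```

The script exits non-zero while any copy of a listed package is below its threshold, so it can sit next to the existing Frontend build and Rust check steps; the `rand` case shows why every copy in Cargo.lock has to be inspected rather than the first match only.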

Metadata

Assignees

No one assigned

    Labels

      • dependencies (Dependency updates and patches)
      • security (Security-sensitive issue or vulnerability)

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
