fix(security): resolve Dependabot alerts and CodeQL findings

[rsaz]

Summary

• Add npm overrides for js-yaml@4.2.0 and undici@7.28.0 to clear the three open Dependabot alerts on main
• Bump semver to 7.8.4 (patch-level security/maintenance)
• Refactor src/dev/form.ts docker orchestration to use safeSpawn / safeSpawnSync instead of shell-string execSync, resolving the two open CodeQL shell-injection warnings without changing CLI behavior

Test plan

• npm ci
• npm test (522 passing)
• npm audit reports 0 vulnerabilities locally after lockfile refresh

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.29%. Comparing base (35c3388) to head (17edbd6).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #105   +/-   ##
=======================================
  Coverage   79.29%   79.29%           
=======================================
  Files          45       45           
  Lines        3704     3704           
  Branches     1118     1059   -59     
=======================================
  Hits         2937     2937           
  Misses        758      758           
  Partials        9        9           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.