fix: override protobufjs to resolve critical vulnerability#3582

Merged
TaprootFreak merged 1 commit into develop from fix/critical-protobufjs-vulnerability on Apr 20, 2026

Conversation


@TaprootFreak TaprootFreak commented Apr 20, 2026

Summary

Override protobufjs to >=7.5.5 to fix all 3 critical npm audit vulnerabilities reported in the release PR #3581.

Problem

npm audit reports 3 critical vulnerabilities, all caused by the same root issue: protobufjs < 7.5.5 is affected by GHSA-xq3m-2v4x-88gg — an arbitrary code execution vulnerability where a crafted protobuf message can execute arbitrary JavaScript code during parsing.

The 3 critical findings are:

  1. protobufjs@6.11.4 — directly affected
  2. @grpc/proto-loader@0.6.13 — pulls in vulnerable protobufjs 6.x
  3. @firebase/firestore@3.13.0 — depends on both affected grpc packages

Root Cause

The vulnerable protobufjs versions are deeply nested transitive dependencies that cannot be updated by bumping direct dependencies:

@dhedge/v2-sdk@1.11.1
  └── @lyrafinance/lyra-js@0.0.20
        └── firebase@9.23.0
              └── @firebase/firestore@3.13.0
                    ├── @grpc/proto-loader@0.6.13 → protobufjs@6.11.4  ❌ critical
                    └── @grpc/grpc-js@1.7.3
                          └── @grpc/proto-loader@0.7.15 → protobufjs@7.5.4  ❌ critical

@buildonspark/spark-sdk@0.6.7
  └── nice-grpc@2.1.14
        └── @grpc/grpc-js@1.14.3
              └── @grpc/proto-loader@0.8.0 → protobufjs@7.5.4  ❌ critical

  • @lyrafinance/lyra-js is unmaintained and pins firebase@^9.9.4
  • Even upgrading @dhedge/v2-sdk to v2.x doesn't help: it still depends on @lyrafinance/lyra-js@^0.0.20
  • The intermediate packages don't offer versions that resolve the transitive vulnerability

Fix

Add an npm override in package.json:

"overrides": {
  "protobufjs": ">=7.5.5"
}

This forces all nested protobufjs instances (including the 6.x one) to resolve to a patched version. This is consistent with the existing override pattern already used in this project for body-parser, qs, semver, multer, and others.

Verification

Check                 Result
npm audit critical    0 (was 3)
ESLint                ✅ pass
Prettier              ✅ pass
Build                 ✅ pass
Tests                 ✅ 927 passed (66 suites)

Add npm override for protobufjs >=7.5.5 to fix GHSA-xq3m-2v4x-88gg
(arbitrary code execution). Resolves all 3 critical npm audit findings
from transitive dependencies via @dhedge/v2-sdk and @buildonspark/spark-sdk.
@TaprootFreak TaprootFreak marked this pull request as ready for review April 20, 2026 07:31
@TaprootFreak TaprootFreak merged commit b746ca6 into develop Apr 20, 2026
8 checks passed
@TaprootFreak TaprootFreak deleted the fix/critical-protobufjs-vulnerability branch April 20, 2026 07:39
2 participants