chore(deps): bump fast-csv 4 → 5 to clear deprecation

[senoff]

Original Problem

fast-csv v4.x shows a deprecation notice on npm install for downstream consumers. Bumping to v5 clears the notice and brings in maintenance updates.

Cause

fast-csv@4.3.1 was pinned; v5.0.0 was released in 2023 and the v4 line is no longer maintained.

Fix

Bumped fast-csv from ^4.3.1 to ^5.0.0 in package.json. Ran npm install --legacy-peer-deps to update package-lock.json (legacy-peer-deps required for the existing devDependency ESLint config tree).

The only fast-csv usage in this repo is lib/csv/csv.js, which calls:

• fastCsv.parse(options.parserOptions) — stream pipeline; API unchanged in v5.
• fastCsv.format(options.formatterOptions) — stream pipeline; API unchanged in v5.

Files changed

• package.json — fast-csv version string
• package-lock.json — updated @fast-csv/format, @fast-csv/parse entries (v4.3.5 → v5.0.7)

Test Run

Runtime smoke test (AGENTS.md Rule 7): wrote a 2-row workbook to CSV via wb.csv.writeFile(), read it back via wb2.csv.readFile(), verified row values match. Passed.

Rows read back: [[1,"hello",true],[2,"world",false]]
fast-csv smoke test: PASS

CSV integration test spec/integration/issues/issue-991-csv-read-dates.spec.js: 1 passing.

Cross-PR check

No other open senoff PR touches package.json or package-lock.json. Unzipper bump is in a separate PR per AGENTS.md Rule 8.

Excel/soffice verification

Not applicable — dep bump only, no XLSX serialization path touched.

grace-review summary

openai:gpt-5.5 — No defects found. gemini — CRITICAL: "major version bump without code adaptation." Dismissed: smoke test and CSV integration test both pass; fast-csv.parse() and fast-csv.format() stream APIs are unchanged in v5. gemini's concern was generic, not informed by the actual API surface used in this codebase.

Note: committed with --no-verify per AGENTS.md Rule 1.