fix(deps): override fast-uri and fast-xml-builder to patched versions

[hdamker]

What type of PR is this?

• bug

What this PR does / why we need it:

Closes 4 open Dependabot alerts on transitive dependencies in validation/ by pinning fast-uri and fast-xml-builder to patched versions via package.json overrides.

Alert	Package	CVE	Severity
#15	fast-uri	CVE-2026-6322 (host confusion via percent-encoded @ / :)	High
#14	fast-uri	CVE-2026-6321 (path traversal via percent-encoded dot segments)	High
#13	fast-xml-builder	CVE-2026-44665 (attribute-quote bypass)	High
#12	fast-xml-builder	CVE-2026-44664 (comment-regex bypass)	Medium

Both vulnerable packages are transitive — fast-uri under ajv, fast-xml-builder under fast-xml-parser. Parent ranges (ajv "fast-uri": "^3.0.1", fast-xml-parser "fast-xml-builder": "^1.1.5") already permit the patched versions but no upstream consumer release has shipped, so a package.json override is sufficient — no major bump of the direct deps needed. Same pattern as the existing lodash / postcss / protobufjs overrides added in tooling#265.

fast-xml-builder pinned to ~1.1.7 (not ^1.1.7) to stay on the patched 1.1.x line — 1.2.0 would otherwise introduce a brand-new xml-naming@0.1.0 transitive that the build has no use for.

Which issue(s) this PR fixes:

(no separate issue — Dependabot alerts auto-close on merge)

Special notes for reviewers:

Verification:

• npm audit reports 0 vulnerabilities
• 1011/1011 validation unit tests pass
• Redocly bundle smoke test on ReleaseTest/sample-service.yaml succeeds
• Same major versions of consumers (ajv 8.x, fast-xml-parser 5.7.x) — no behavior change expected

Should fold into the upcoming @v1-rc advance E2E alongside the other in-flight validation/ changes.

Changelog input

 release-note
 NONE

Additional documentation

docs
NONE

[Kevsy]

LGTM

[rartych]

LGTM