
Commit 08fa86a

[ZEPPELIN-6401] Resolve all npm audit vulnerabilities in zeppelin-react
### What is this PR for?

Resolved all 16 npm audit vulnerabilities (8 high, 6 moderate, 2 low) in zeppelin-web-angular/projects/zeppelin-react.

Direct dependency upgrades:

- webpack 5.88.0 → 5.105.4 (moderate: DOM Clobbering XSS, SSRF)
- webpack-dev-server 4.15.0 → 5.2.3 (moderate: source code theft vulnerability)
- @antv/g2plot 2.4.35 → 2.3.32 (high: XSS, Path Traversal)
  - g2plot 2.4.35 pulls in fmin → rollup@2.x as a transitive dependency, which has 2 high severity vulnerabilities
  - g2plot 2.3.32 does not depend on fmin, so rollup is removed entirely
  - No API breaking changes — Column, Line, Pie, Scatter all available in 2.3.32
- xlsx 0.18.5 → replaced with xlsx-js-style 1.2.0 (high: Prototype Pollution, ReDoS)
  - All versions of xlsx on npm are vulnerable with no patched version available
  - xlsx-js-style is an API-compatible community fork with the vulnerabilities fixed
- @types/xlsx 0.0.36 → removed (no longer needed after xlsx replacement)

Transitive dependency fixes (via npm audit fix):

- lodash 4.17.21 → 4.17.23 (moderate: Prototype Pollution)
- lodash-es 4.17.21 → 4.17.23 (moderate: Prototype Pollution)
- node-forge 1.3.1 → 1.3.3 (high: ASN.1 vulnerabilities)
- serialize-javascript — resolved via webpack upgrade (high: RCE, dep removed in newer terser-webpack-plugin)
- qs/express/body-parser — audit fix (moderate: DoS)
- ajv — audit fix (moderate: ReDoS)

Constraints:

- Node 18 environment maintained (serialize-javascript 7.x requires Node >= 20, resolved by upgrading webpack instead)

Verification:

- npm audit → 0 vulnerabilities
- npm run build → success

Related Dependabot PRs (redundant, to be closed):

- #5168, #5169, #5170, #5171, #5172, #5173

### What type of PR is it?

Hot Fix

### Todos

### What is the Jira issue?

ZEPPELIN-6401

### How should this be tested?

### Screenshots (if appropriate)

### Questions:

* Do the license files need to be updated? No
* Are there breaking changes for older versions? No
* Does this need documentation? No

Closes #5176 from dididy/fix/zeppelin-react-audit.

Signed-off-by: ChanHo Lee <chanholee@apache.org>
1 parent aaa5228 commit 08fa86a

4 files changed

Lines changed: 1422 additions & 1198 deletions


.github/workflows/frontend.yml

Lines changed: 14 additions & 0 deletions
@@ -30,6 +30,20 @@ permissions:
3030
contents: read # to fetch code (actions/checkout)
3131

3232
jobs:
33+
npm-audit:
34+
runs-on: ubuntu-24.04
35+
steps:
36+
- name: Checkout
37+
uses: actions/checkout@v4
38+
- name: Set up Node.js
39+
uses: actions/setup-node@v4
40+
with:
41+
node-version-file: 'zeppelin-web-angular/.nvmrc'
42+
# TODO: Add zeppelin-web-angular root audit after Angular version upgrade and stabilization
43+
- name: Run npm audit on zeppelin-react
44+
working-directory: zeppelin-web-angular/projects/zeppelin-react
45+
run: npm ci --ignore-scripts && npm audit --audit-level=high
46+
3347
run-e2e-tests-in-zeppelin-web:
3448
runs-on: ubuntu-24.04
3549
steps:
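Review bot: `npm audit --audit-level=high` in the new `npm-audit` job (the `run:` line of the "Run npm audit on zeppelin-react" step) only fails the build on high and critical findings, so the moderate-severity regressions this commit also fixed (the webpack, webpack-dev-server, lodash, qs/express/body-parser and ajv advisories listed in the commit message) could reappear without CI noticing; if the intent is to keep the project at the "0 vulnerabilities" state the message reports, lower the threshold to `--audit-level=moderate` (or drop the flag so any finding fails) and document why a higher threshold was chosen if one is kept. Two smaller points on the same hunk: the `actions/checkout@v4` and `actions/setup-node@v4` references are mutable tags rather than commit SHAs, which is the usual hardening for a job whose purpose is supply-chain hygiene, and the `# TODO` about auditing the zeppelin-web-angular root would be easier to track as a linked issue than as a comment in the workflow.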
