Adds scoped overrides for shell-quote (GHSA-w7jw-789q-3m8p, critical),
undici (4 CVEs, high), ws (GHSA-96hv-2xvq-fx4p, high — distinct from the
CVE already fixed in #92/#94), js-yaml (GHSA-h67p-54hq-rp68, moderate,
two incompatible majors need separate scopes), and tar
(GHSA-vmf3-w455-68vh, moderate). All 5 are dev-tooling-only (Expo CLI,
Metro, react-devtools-core) with no runtime app code path.
Verified: npm audit clean on all 5 packages, smoke test passes, Metro
Bundler boots and serves /status normally after the ws bump (the only
scope touching Fast Refresh/dev-middleware runtime).
Fixes#95, Fixes#96, Fixes#97, Fixes#98, Fixes#99
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>