
fix(security): resolve Dependabot and CodeQL vulnerabilities#4673

Open
cl-efornaciari wants to merge 3 commits into main from fix/security-vulnerabilities

Conversation

@cl-efornaciari
Contributor

Summary

  • Bumped axios to 1.13.5 across 14 package.json files (CVE-2026-25639)
  • Bumped fastify to ^5.7.3 (CVE-2026-25223, CVE-2026-25224)
  • Added workflow permissions to GitHub Actions workflows (CodeQL)
  • Replaced Math.random() with crypto.randomInt() for secure randomness (CodeQL)
  • Fixed incomplete string escaping in por-address-list addressManager (CodeQL)

Dependabot Alerts Addressed

CodeQL Alerts Addressed

  • Missing workflow permissions: checks.yml, deploy.yml, release.yml
  • Insecure randomness: nav-consulting authentication, bootstrap util, bootstrap cache
  • Incomplete string escaping: por-address-list addressManager

Remaining (lockfile refresh needed)

  • minimatch, tar, bn.js, ajv, undici, js-yaml, lodash, and other transitive deps need lockfile refresh
  • @openzeppelin/contracts needs direct bump

Unfixable (no patched version)

  • elliptic <= 6.6.1
  • bigint-buffer <= 1.1.5
  • lodash.template <= 4.5.0

Made with Cursor

@changeset-bot

changeset-bot bot commented Feb 25, 2026

⚠️ No Changeset found

Latest commit: 5c6d7a3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

