
security: squash audit issues around toolkit #1703

Open

gilescope wants to merge 2 commits into release/node-1.0.1 from giles-audit-node-1.0.1

Conversation

@gilescope

Contributor

Overview

Fixed audit issues around toolkit js dependencies.

🗹 TODO before merging

  • Ready

📌 Submission Checklist

  • All commits are signed off (git commit -s) for the DCO
  • Changes are backward-compatible (or flagged if breaking)
  • Pull request description explains why the change is needed
  • Self-reviewed the diff
  • I have included a change file, or skipped for this reason:
  • If the changes introduce a new feature, I have bumped the node minor version
  • Update documentation (if relevant)
  • Updated AGENTS.md if build commands, architecture, or workflows changed
  • No new todos introduced

🧪 Testing Evidence

Please describe any additional testing aside from CI:

  • Additional tests are provided (if possible)

🔱 Fork Strategy

  • Node Runtime Update
  • Node Client Update
  • Other:
  • N/A

Links

Signed-off-by: Giles Cope <gilescope@gmail.com>
@gilescope gilescope requested a review from a team as a code owner June 16, 2026 14:58

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b51c47492a


"node_modules/@midnight-ntwrk/compact-js": {
"version": "2.4.3",
"resolved": "https://registry.npmjs.org/@midnight-ntwrk/compact-js/-/compact-js-2.4.3.tgz",
"resolved": "https://npm.pkg.github.com/download/@midnight-ntwrk/compact-js/2.4.3/73d3f05cbd25f9e46616cf4b0a88c3e1384ce3f8",
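Review bot: The "resolved" URL for node_modules/@midnight-ntwrk/compact-js moves from registry.npmjs.org to npm.pkg.github.com/download/... while the version stays at 2.4.3, so this hunk changes where the tarball is fetched from rather than which code is installed; a host change alone does not resolve an audit finding for that package, and the PR description ("Fixed audit issues around toolkit js dependencies") does not say the registry switch is intended. Suggest restoring the registry.npmjs.org tarball URL for this entry, or, if the GitHub Packages source is deliberate, stating that in the description together with the auth setup CI needs to run npm ci against it.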


P1: Keep toolkit packages on an unauthenticated registry

In clean toolkit builds, +toolkit-js-prep runs npm ci before the only GITHUB_TOKEN-backed command (npm run compact), and the repo has no .npmrc that authenticates npm to GitHub Packages. The new npm.pkg.github.com/download/... tarball URLs require GitHub Packages npm authentication even for public packages, so a cache-miss CI or local Earthly build will fail while installing these @midnight-ntwrk/* packages; keep these lockfile entries on registry.npmjs.org or configure npm auth before npm ci.

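The review above catches a lockfile "resolved" host drifting from registry.npmjs.org to npm.pkg.github.com by reading the diff by hand. The following is an added example, not code from this pull request or from the midnight-ntwrk toolkit, of turning that into a mechanical check: it walks a package-lock.json "packages" map (npm lockfileVersion 2/3 layout), flags any entry whose tarball host is outside an allowlist, and separately flags entries with no "integrity" hash. The lockfile fragment embedded below is constructed for the example; the package names, versions and hashes in it are made up and do not describe real packages.

```javascript
// Added example (not from the PR or the toolkit): audit a package-lock.json
// object for resolved-host drift and missing integrity hashes.

// Hosts from which tarballs are expected to be fetched. Anything else is reported.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

// Returns an array of findings: { name, version, host, reason }.
// `lock` is the parsed JSON of a package-lock.json with a "packages" map.
function auditLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    // "" is the root project; link entries are workspace symlinks, not fetched.
    if (path === "" || entry.link) continue;

    if (!entry.resolved) {
      // Bundled deps have no resolved URL by design; anything else is worth a look.
      if (!entry.inBundle) {
        findings.push({ name: path, version: entry.version, host: null, reason: "no resolved URL" });
      }
      continue;
    }

    let host = null;
    try {
      host = new URL(entry.resolved).host;
    } catch {
      host = null; // unparsable URL is reported as a non-allowlisted host below
    }
    if (host === null || !allowedHosts.has(host)) {
      findings.push({ name: path, version: entry.version, host, reason: "resolved host not allowlisted" });
    }
    if (!entry.integrity) {
      findings.push({ name: path, version: entry.version, host, reason: "missing integrity hash" });
    }
  }
  return findings;
}

// Constructed sample lockfile (shape follows npm lockfileVersion 3; every
// package name, version, URL and hash below is made up for this example).
const SAMPLE_LOCK = {
  name: "example-toolkit-js",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-toolkit-js", version: "0.0.0" },
    "node_modules/example-ok": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/example-ok/-/example-ok-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==",
    },
    "node_modules/@example/drifted": {
      version: "2.4.3",
      resolved: "https://npm.pkg.github.com/download/@example/drifted/2.4.3/0000000000000000000000000000000000000000",
      integrity: "sha512-CONSTRUCTEDyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy==",
    },
    "node_modules/example-no-hash": {
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/example-no-hash/-/example-no-hash-0.1.0.tgz",
    },
  },
};

// Convenience wrapper so the sample audit result can be inspected or tested.
function auditSample() {
  return auditLockfile(SAMPLE_LOCK);
}

// Usage: print one line per finding, in the order entries appear in the lockfile.
for (const f of auditSample()) {
  console.log(`${f.reason}: ${f.name}@${f.version} (host: ${f.host})`);
}
```

In CI this would run against the real package-lock.json (for example `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`) and fail the job on any finding, so a "resolved" host change like the one in this diff is surfaced before npm ci runs on a cache-miss build rather than after it fails.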

@gilescope gilescope enabled auto-merge June 16, 2026 16:53