
Refresh js/package-lock.json with compatible bumps#398

Merged
jpcottin merged 1 commit into
google:masterfrom
jpcottin:fix/refresh-js-lockfile
May 15, 2026

Conversation

@jpcottin (Collaborator)

Refreshes js/package-lock.json so every transitive dep moves to the latest version compatible with the existing ^x.y.z ranges in js/package.json. No top-level dep crosses a major-version boundary.

Top-level package versions before / after

| Package | Before | After |
| --- | --- | --- |
| firebase | 7.19.0 | 7.24.0 |
| axios | 1.4.0 | 1.16.1 |
| @mui/material | 5.13.1 | 5.18.0 |
| @mui/icons-material | 5.11.16 | 5.18.0 |
| @mui/styles | 5.13.1 | 5.18.0 |
| @mui/lab | 5.0.0-alpha.130 | 5.0.0-alpha.177 |
| @emotion/react | 11.11.0 | 11.14.0 |
| @emotion/styled | 11.11.0 | 11.14.1 |
| react / react-dom / react-scripts / android-emulator-webrtc | unchanged | unchanged |

The 1400+ transitive bumps cover the same security patches that were proposed individually as #297, #304, #307, #310, #315, #321, #324, #326, #340, #380, #381, and the more recent rollups #394, #395.

Notably not in this PR: the firebase 7 → 12 jump that #394 / #395 propose. Firebase v9 ships a redesigned modular SDK; the current js/src/ code uses the v7 namespaced API (and the deprecated @react-firebase/auth package targets the same), so a major-version bump would force a follow-up migration that's worth its own focused PR.

Test plan

  • npm install inside node:20-bookworm-slim resolves cleanly (1426 packages).
  • CI=true npm run build produces a clean production bundle: 237.96 kB main.js, 557 B main.css. (Source-map warnings from the Firebase auth polyfill are cosmetic and unchanged from the prior lockfile.)
  • js/package.json is untouched; no top-level dep crosses a major.

Follow-ups (not in this PR)

  • Firebase 7 → 12 modular-API migration (would supersede the firebase line above and let us drop the deprecated @react-firebase/auth).
  • React 17 → 18/19, MUI 5 → 7, react-scripts → Vite — also major-version moves out of scope here.

Regenerate the lockfile inside a node:20 container so that every
transitive dep moves to the latest version that satisfies the existing
^x.y.z ranges in js/package.json. No top-level dep is bumped to a new
major.

Top-level package versions before / after:

- firebase                  7.19.0          -> 7.24.0
- axios                     1.4.0           -> 1.16.1
- @mui/material             5.13.1          -> 5.18.0
- @mui/icons-material       5.11.16         -> 5.18.0
- @mui/styles               5.13.1          -> 5.18.0
- @mui/lab                  5.0.0-alpha.130 -> 5.0.0-alpha.177
- @emotion/react            11.11.0         -> 11.14.0
- @emotion/styled           11.11.0         -> 11.14.1
- react / react-dom / react-scripts / android-emulator-webrtc
                            unchanged

The 1400+ transitive bumps cover the security patches that were
proposed individually as google#297, google#304, google#307, google#310, google#315, google#321, google#324,
google#326, google#340, google#380, google#381, and the more recent rollups google#394, google#395 (minus
their firebase 7 -> 12 jump, which would require a Firebase v9+
modular-API migration).

CI=true npm run build inside the same container produces a clean
production bundle (237.96 kB main.js gzipped).
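The PR makes two checkable promises: every top-level dep stays inside its existing `^x.y.z` range, and no top-level dep changes major. Neither the page nor the PR carries a script that verifies this against the two lockfiles, so the following is an added example (not the project's or the author's code) of such a check. It reads the lockfileVersion 2/3 layout (a `packages` map keyed by `node_modules/<name>`), re-implements npm's caret rule in a few lines rather than depending on the `semver` package, and flags out-of-range versions, major changes and downgrades. The `^` ranges and the `react` version are assumptions, since `js/package.json` is not reproduced on the page; the lockfile fragments are constructed from the before/after table; the final negative case is constructed to show what the check reports if the firebase 7 -> 12 jump had been taken.

```javascript
// Added example: audit a refreshed package-lock.json against package.json and
// the previous lockfile. Not from the PR; semver handling is a minimal
// re-implementation of npm's ^ rule, not the semver package.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease identifier comparison per semver 2.0 section 11.4.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;   // a release outranks any prerelease of the same x.y.z
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (i >= a.length) return -1; // shorter list, all earlier ids equal, is lower
    if (i >= b.length) return 1;
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn) {
      if (Number(a[i]) !== Number(b[i])) return Number(a[i]) < Number(b[i]) ? -1 : 1;
    } else if (an !== bn) {
      return an ? -1 : 1;         // numeric ids sort before alphanumeric ids
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return 0;
}

function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return comparePre(a.pre, b.pre);
}

// npm's caret rule: ^x.y.z permits changes that keep the left-most non-zero
// field. A prerelease only matches if the range's lower bound is itself a
// prerelease on the same x.y.z tuple (so ^5.0.0-alpha.130 admits 5.0.0-alpha.177).
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only ^ ranges are handled here: ${range}`);
  const lower = parseVersion(range.slice(1));
  const v = parseVersion(version);
  let upper;
  if (lower.major > 0) upper = { major: lower.major + 1, minor: 0, patch: 0, pre: [] };
  else if (lower.minor > 0) upper = { major: 0, minor: lower.minor + 1, patch: 0, pre: [] };
  else upper = { major: 0, minor: 0, patch: lower.patch + 1, pre: [] };
  if (v.pre.length > 0) {
    const sameTuple = v.major === lower.major && v.minor === lower.minor && v.patch === lower.patch;
    if (!(sameTuple && lower.pre.length > 0)) return false;
  }
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

function lockedVersion(lock, name) {
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  if (!entry) throw new Error(`${name} is missing from the lockfile`);
  return entry.version;
}

// One finding per top-level dep; ok === false means the refresh broke a promise.
function auditRefresh(pkgJson, lockBefore, lockAfter) {
  const ranges = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  return Object.entries(ranges).map(([name, range]) => {
    const before = lockedVersion(lockBefore, name);
    const after = lockedVersion(lockAfter, name);
    const problems = [];
    if (!satisfiesCaret(range, after)) problems.push(`${after} is outside ${range}`);
    if (parseVersion(before).major !== parseVersion(after).major) problems.push(`major changed ${before} -> ${after}`);
    if (compareVersions(parseVersion(after), parseVersion(before)) < 0) problems.push(`downgrade ${before} -> ${after}`);
    return { name, range, before, after, ok: problems.length === 0, problems };
  });
}

// Constructed inputs. Ranges and the react pin are assumed; the other versions
// come from the PR's before/after table.
const PACKAGE_JSON = { dependencies: {
  firebase: '^7.19.0', axios: '^1.4.0', '@mui/material': '^5.13.1',
  '@mui/lab': '^5.0.0-alpha.130', react: '^17.0.2' } };
const lockWith = (versions) => ({ lockfileVersion: 3, packages: Object.fromEntries(
  Object.entries(versions).map(([n, v]) => [`node_modules/${n}`, { version: v }])) });
const BEFORE = { firebase: '7.19.0', axios: '1.4.0', '@mui/material': '5.13.1', '@mui/lab': '5.0.0-alpha.130', react: '17.0.2' };
const AFTER = { firebase: '7.24.0', axios: '1.16.1', '@mui/material': '5.18.0', '@mui/lab': '5.0.0-alpha.177', react: '17.0.2' };
const LOCK_BEFORE = lockWith(BEFORE);
const LOCK_AFTER = lockWith(AFTER);
// Constructed negative case: the firebase major jump the PR deliberately leaves out.
const LOCK_MAJOR_JUMP = lockWith({ ...AFTER, firebase: '12.0.0' });

for (const f of auditRefresh(PACKAGE_JSON, LOCK_BEFORE, LOCK_AFTER)) {
  console.log(`${f.ok ? 'ok  ' : 'FAIL'} ${f.name} ${f.before} -> ${f.after} (${f.range})`);
}
for (const f of auditRefresh(PACKAGE_JSON, LOCK_BEFORE, LOCK_MAJOR_JUMP)) {
  if (!f.ok) console.log(`FAIL ${f.name}: ${f.problems.join('; ')}`);
}
```

To run it against a real PR, replace the constructed objects with `JSON.parse(fs.readFileSync(...))` of `js/package.json`, the base-branch `js/package-lock.json` and the PR's `js/package-lock.json`; because the lockfile is the artifact that `npm ci` actually installs, this is the file to check rather than trusting the table in the description.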