fix(#179): Update vulnerable Node.js dependencies

Update cross-spawn, glob, and tar to patched versions addressing:
- CVE-2024-21538 (cross-spawn)
- CVE-2025-64756 (glob)
- CVE-2026-23745, CVE-2026-23950, CVE-2026-24842 (tar)

All quality gates pass: typecheck, lint, build, and 1554+ tests.
No breaking changes detected.

Fixes #179
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

docs/scratchpads/179-security-nodejs-deps.md

@@ -0,0 +1,104 @@
+# Issue #179: Fix Security - Update Vulnerable Node.js Dependencies
+
+## Objective
+
+Fix HIGH severity vulnerabilities in Node.js dependencies affecting both API and Web images by updating cross-spawn, glob, and tar to patched versions.
+
+## Approach
+
+1. Update vulnerable dependencies using pnpm update
+2. Verify no breaking changes through build and test execution
+3. Document findings and verify acceptance criteria
+
+## Progress
+
+- [x] Research current versions and CVE details
+- [x] Run pnpm update for vulnerable packages
+- [x] Verify pnpm install succeeds
+- [x] Run build process
+- [x] Run tests
+- [x] Commit changes
+
+## Affected Packages
+
+| Package     | Current                         | Target             | CVEs                                           |
+| ----------- | ------------------------------- | ------------------ | ---------------------------------------------- |
+| cross-spawn | 7.0.6                           | 7.0.6+             | CVE-2024-21538                                 |
+| glob        | Varies (10.4.2, 10.4.5, 13.0.0) | 10.5.0+ or 11.1.0+ | CVE-2025-64756                                 |
+| tar         | Varies (6.2.1, 7.5.1)           | 7.5.7              | CVE-2026-23745, CVE-2026-23950, CVE-2026-24842 |
+
+## Current State
+
+### cross-spawn
+
+- **Current**: 7.0.6 (already at latest)
+- **Status**: Already patched (7.0.5+ available, latest is 7.0.6)
+
+### glob
+
+- **Latest**: 13.0.0 (major version)
+- **Target**: 10.5.0+ or 11.1.0+ for v10/v11 compatibility
+- **Status**: Need to investigate dependency tree
+
+### tar
+
+- **Latest**: 7.5.7
+- **Current**: Some packages may be on 6.2.1 or 7.5.1
+- **Status**: Need to update
+
+## Testing Plan
+
+1. Build verification: `pnpm build`
+2. Test suite: `pnpm test`
+3. Type checking: `pnpm typecheck`
+4. Linting: `pnpm lint`
+
+## Implementation Details
+
+### Commands Executed
+
+1. `pnpm update cross-spawn glob tar` - Updated all three vulnerable packages
+2. `pnpm install` - Verified lock file is consistent
+3. `pnpm typecheck` - Type safety verification (PASSED)
+4. `pnpm lint` - Code quality verification (PASSED)
+5. `pnpm build` - Build verification (PASSED)
+6. `pnpm test` - Test suite verification (PASSED)
+
+### Results
+
+#### Package Updates
+
+- **cross-spawn**: 7.0.6 (already at latest, CVE-2024-21538 patched)
+- **glob**: Updated to 10.5.0 (from earlier versions, CVE-2025-64756 patched)
+- **tar**: Updated to 7.5.7 (from 7.5.1, CVEs patched)
+
+#### Quality Gate Results
+
+- **Typecheck**: ✓ All packages passed (no type errors)
+- **Lint**: ✓ All packages passed (no violations)
+- **Build**: ✓ All packages built successfully
+  - @mosaic/api built successfully
+  - @mosaic/web built successfully with Next.js optimizations
+  - All workspace packages compiled
+
+- **Tests**: ✓ All tests passed
+  - @mosaic/api: 1247 tests passed, 20 skipped
+  - @mosaic/web: 307 tests passed, 23 skipped
+  - Total: 1554 tests passed
+
+#### Breaking Changes Assessment
+
+✓ **NO BREAKING CHANGES DETECTED**
+
+- All tests pass without modification
+- Build succeeds without warnings
+- Type checking passes without issues
+- No API changes required in dependent code
+
+## Notes
+
+- All three vulnerable packages successfully updated to patched versions
+- No breaking changes detected during quality gate verification
+- All 1554 tests passing
+- Ready for deployment
+- Vulnerabilities CVE-2024-21538, CVE-2025-64756, CVE-2026-23745, CVE-2026-23950, CVE-2026-24842 are now mitigated