
chore(security): production hardening and vulnerability fixes#7

Open
wallydz wants to merge 1 commit into vpnht-rewrite from ai/security-20260221
Conversation

@wallydz wallydz commented Feb 21, 2026

  • Upgraded vulnerable dependencies (esbuild, minimatch, keyring, rand, reqwest)
  • Added CodeQL workflow for static code analysis
  • Verified no hardcoded secrets in the repository
  • Reviewed auto-updater, permissions, and telemetry

This PR addresses critical vulnerabilities and improves the security posture of the VPN.ht desktop app.

Fixes #1102341 (esbuild CORS vulnerability)
Fixes #1113371 (minimatch ReDoS vulnerability)
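The description above says the repository was verified to contain no hardcoded secrets but does not show how. The following is an added example of one way to do that check, written for this page and not code from the VPN.ht project or this PR: a small scanner that combines fixed-format credential patterns with a generic `name = "value"` rule, and filters out the placeholders and environment-variable references that make naive grep results noisy. The rule set, thresholds, file paths and file contents are all constructed for the example.

```python
"""Hardcoded-secret scan: fixed credential formats plus a generic assignment rule.

Added example, not part of the VPN.ht repository or PR. The sample files below
are constructed inputs; the rule names and redaction policy are this example's own.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Credential formats that are flagged wherever they appear (illustrative set).
RULES = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic `secret = "value"` style assignments; the captured value is checked further.
GENERIC = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
)

# Values that are placeholders, env references or templating rather than secrets.
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|(?:your|changeme|example|todo|xxx|dummy)[\w-]*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    entropy: float   # Shannon entropy in bits per character of the matched value
    redacted: str    # masked form of the value, safe to put in a report


def shannon_entropy(value: str) -> float:
    """Bits per character; low values suggest dictionary words or padding."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep only a prefix and suffix so the scan report itself does not leak the secret."""
    if len(value) <= 8:
        return value[:2] + "*" * (len(value) - 2)
    return f"{value[:4]}...{value[-2:]}"


def scan_line(path: str, lineno: int, line: str) -> list[Finding]:
    findings = []
    for name, rx in RULES.items():
        for m in rx.finditer(line):
            v = m.group(0)
            findings.append(Finding(path, lineno, name, round(shannon_entropy(v), 2), redact(v)))
    for m in GENERIC.finditer(line):
        v = m.group(1)
        if PLACEHOLDER.match(v):
            continue  # "${VPN_TOKEN}", "<YOUR_TOKEN_HERE>", "your-api-key-here" are not secrets
        findings.append(Finding(path, lineno, "generic_assignment", round(shannon_entropy(v), 2), redact(v)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file text (a checkout walk would build this dict)."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            findings.extend(scan_line(path, lineno, line))
    return findings


# Constructed sample repository contents: two clean files, three with problems.
SAMPLE_FILES = {
    "src/config.ts": (
        'const API_URL = "https://api.example.invalid";\n'
        "const apiKey = process.env.VPN_API_KEY;\n"
        'const token = "<YOUR_TOKEN_HERE>";\n'
    ),
    "scripts/deploy.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        'password="hunter2"\n'
        'export VPN_TOKEN="${VPN_TOKEN}"\n'
    ),
    "src-tauri/src/auth.rs": 'let secret = "s3cR3t-K9x!Qz7mPw2vLb4nTq8y";\n',
    "certs/dev.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": 'Set `api_key = "your-api-key-here"` in the config.\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule} (entropy {f.entropy}) {f.redacted}")
```

Running the block reports the AWS key and the `password=` line in `scripts/deploy.sh`, the literal in `auth.rs`, and the PEM header, while the `process.env` reference, the `${VPN_TOKEN}` expansion and the two placeholder strings produce nothing. The entropy column is a triage aid rather than a verdict: `hunter2` is low-entropy but still a real hardcoded password, which is why the generic rule does not gate on entropy and only the placeholder filter suppresses a match.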

