Pin @hpcc-js/wasm to 2.30.0 to fix webview CSP error

@hpcc-js/wasm v2.31.0 introduced a new Function() call in its
Emscripten-generated graphviz.js glue code. This violates the webview
Content Security Policy, which allows 'wasm-unsafe-eval' but not
'unsafe-eval'.

Pin to 2.30.0 (the last version without new Function()) via a scoped
npm override on d3-graphviz. Version 2.30.0 still satisfies
d3-graphviz's ^2.20.0 requirement.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: cklin

extensions/ql-vscode/package-lock.json

@@ -15,7 +15,7 @@
   "engines": {
     "vscode": "^1.90.0",
     "node": "^22.21.1",
-    "npm": ">=7.20.6"
+    "npm": ">=8.3.0"
   },
   "categories": [
     "Programming Languages"
@@ -2188,6 +2188,11 @@
     "vite": "^7.3.2",
     "vite-node": "^5.3.0"
   },
+  "overrides": {
+    "d3-graphviz": {
+      "@hpcc-js/wasm": "2.30.0"
+    }
+  },
   "lint-staged": {
     "./**/*.{json,css,scss}": [
       "prettier --write"