chore: track upstream fix for express-rate-limit -> ip-address advisory (GHSA-v2v4-37r5-5v8g) #28

@BODMAT

Description

Is your request related to a specific part of the project?
API dependencies and CI/CD Security Audit workflow.

Describe the technical task
Track and remove the temporary CI audit exception for GHSA-v2v4-37r5-5v8g once upstream dependencies are fixed.

Current state:

  • npm audit reports a moderate advisory in ip-address (<=10.1.0).
  • The vulnerable package is pulled transitively by express-rate-limit.
  • Latest express-rate-limit still resolves ip-address@10.1.0, so this cannot be fully fixed from our side without forking/replacing the dependency.

We added a targeted CI workaround to ignore only this specific advisory while keeping all other moderate/high/critical vulnerabilities blocking.

Why is this task necessary?

  • Keeps CI signal clean without masking unrelated vulnerabilities.
  • Prevents recurring PR noise and blocked merges due to an upstream-only issue.
  • Ensures we remove the exception as soon as upstream publishes a safe dependency graph.

Proposed implementation (optional)

  • Monitor:
    • express-rate-limit releases/changelog
    • ip-address advisory status: GHSA-v2v4-37r5-5v8g
  • When upstream is fixed:
    1. remove the targeted ignore logic from .github/workflows/ci.yml
    2. run npm install
    3. verify npm audit --audit-level=moderate passes without exceptions
    4. merge cleanup PR
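One way to implement the targeted exception described above and the check in step 3, as an added example rather than the project's own ci.yml logic: a small Node script that reads `npm audit --json` output, tolerates only GHSA-v2v4-37r5-5v8g, and fails on any other advisory at or above moderate. The `auditReportVersion: 2` report shape, the `audit-gate.js` filename and the `AUDIT_REPORT` variable are assumptions; the sample report is constructed.

```javascript
// Added example, not the project's own CI code. Gates on an `npm audit --json` report
// (auditReportVersion 2 shape), tolerating exactly one advisory and blocking on all others.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const ALLOWED_ADVISORIES = new Set(["GHSA-v2v4-37r5-5v8g"]); // the upstream-only exception

// GHSA id from the advisory URL npm places in `via[].url`; null if absent.
function advisoryId(url) {
  const m = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/.exec(url || "");
  return m ? m[0] : null;
}

// A `via` entry is an advisory object for the package itself, or a package name (string)
// when inherited from a dependency (express-rate-limit -> "ip-address"). Follow the chain.
function rootAdvisories(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  const out = [];
  for (const via of vulns[name].via || []) {
    if (typeof via === "string") out.push(...rootAdvisories(vulns, via, seen));
    else out.push(via);
  }
  return out;
}

// Packages that must still fail the job: any root advisory at/above `minSeverity` that is
// not allow-listed. Unknown severities count as critical (fail closed).
function blockingVulnerabilities(report, allowed = ALLOWED_ADVISORIES, minSeverity = "moderate") {
  const vulns = report.vulnerabilities || {};
  const blocking = [];
  for (const name of Object.keys(vulns)) {
    const offending = rootAdvisories(vulns, name).filter((a) =>
      (SEVERITY_RANK[a.severity] ?? 4) >= SEVERITY_RANK[minSeverity] && !allowed.has(advisoryId(a.url)));
    if (offending.length) blocking.push({ name, advisories: offending.map((a) => advisoryId(a.url) || a.title) });
  }
  return blocking;
}
function gateExitCode(report) { return blockingVulnerabilities(report).length ? 1 : 0; }

// Constructed sample mirroring this issue: ip-address <=10.1.0 flagged moderate, reached
// only through express-rate-limit, no upstream fix available.
const SAMPLE_REPORT = { auditReportVersion: 2, vulnerabilities: {
  "ip-address": { severity: "moderate", isDirect: false, range: "<=10.1.0", fixAvailable: false,
    via: [{ name: "ip-address", severity: "moderate", range: "<=10.1.0", title: "(constructed)",
            url: "https://github.com/advisories/GHSA-v2v4-37r5-5v8g" }] },
  "express-rate-limit": { severity: "moderate", isDirect: true, fixAvailable: false, via: ["ip-address"] } } };

// CLI entry (CommonJS only): `npm audit --json > audit.json; AUDIT_REPORT=audit.json node audit-gate.js`
if (typeof require === "function" && process.env.AUDIT_REPORT) {
  process.exit(gateExitCode(JSON.parse(require("fs").readFileSync(process.env.AUDIT_REPORT, "utf8"))));
}
```

Once upstream ships a fixed dependency graph, emptying ALLOWED_ADVISORIES makes this gate equivalent to a plain `npm audit --audit-level=moderate`, which is what cleanup step 3 verifies.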

Additional context

Labels: bug