
fix: resolve npm security advisories across all sub-packages #5

Draft

Copilot wants to merge 3 commits into main from copilot/resolve-security-advisory-notifications
Conversation


Copilot AI commented Mar 12, 2026

Multiple high/critical CVEs across all four npm packages (48+ total vulnerabilities), stemming from outdated direct and transitive dependencies.

Dependency upgrades

  • All packages: axios → 1.13.6, express → 4.22.1 (fixes CSRF, SSRF, DoS, body-parser, cookie vulns)
  • notifier: twilio → 4.23.0
  • pangeagpt-client: parcel → 2.16.4
  • pangeagpt-server: openai 3.x → 4.x (v3 bundled a vulnerable internal axios); body-parser → 1.20.4
  • teams-bot: @microsoft/teamsfx 2.x → 4.x (fixes @azure/identity EoP); botbuilder → 4.23.3; added overrides for tough-cookie and xml2js to patch prototype pollution in azurite's transitive deps

Code changes for breaking API upgrades

pangeagpt-server/server.js — openai v3 → v4:

// Before
const { Configuration, OpenAIApi } = require("openai");
const openai = new OpenAIApi(new Configuration({ apiKey: process.env.OPENAI_API_KEY }));
const resp = await openai.createChatCompletion({ model, messages, temperature });
resp.data.choices[0].message.content;

// After
const { OpenAI } = require("openai");
const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });
const resp = await openai.chat.completions.create({ model, messages, temperature });
resp.choices[0].message.content;

teams-bot/.../initialize.js — teamsfx v2 → v4 renamed the adapter:

// Before
const { BotBuilderCloudAdapter } = require("@microsoft/teamsfx");
// After
const { AgentBuilderCloudAdapter } = require("@microsoft/teamsfx");

Remaining issues

5 vulnerabilities remain in teams-bot, all inside the azurite devDependency (@azure/ms-rest-js pinning old axios 0.x and @azure/identity 3.x). These are unfixable without an upstream azurite release and are dev-only (not deployed).
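A defender's check for the "dev-only (not deployed)" claim in the remaining-issues note, added here as an example and not part of the PR or the project's code: npm writes `"dev": true` into every `package-lock.json` (lockfileVersion 2 or 3) entry that is reachable only through devDependencies, so the flagged packages can be verified against the lockfile itself rather than trusting the audit summary. The lockfile object below is constructed; the package names follow the PR text, the axios 1.13.6 version comes from the PR, and the azurite, nested axios and @azure/identity versions are placeholders.

```javascript
// Added example, not code from the PR. Verifies the "dev-only" claim against a
// package-lock.json (lockfileVersion 2 or 3): npm writes "dev": true on every
// entry reachable only through devDependencies, so a flagged package is safe to
// leave unfixed only if every installed copy carries that flag.
// Entries marked "devOptional" are deliberately not counted as dev-only here,
// since they may still be installed in a production tree.

// Constructed lockfile excerpt. Names follow the PR's remaining-issues note;
// the azurite, nested axios and @azure/identity versions are placeholders.
const SAMPLE_LOCK = {
  name: "teams-bot",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "teams-bot",
      dependencies: { axios: "^1.13.6" },
      devDependencies: { azurite: "*" },
    },
    "node_modules/axios": { version: "1.13.6" },
    "node_modules/azurite": { version: "0.0.0-placeholder", dev: true },
    "node_modules/azurite/node_modules/axios": { version: "0.0.0-placeholder", dev: true },
    "node_modules/@azure/identity": { version: "0.0.0-placeholder", dev: true },
  },
};

// "node_modules/azurite/node_modules/@azure/identity" -> "@azure/identity"
// Scoped names keep their "@scope/" prefix because only the last
// "node_modules/" segment is stripped.
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Every installed copy of each flagged package: where it sits in the tree,
// its version, and whether npm marked it dev-only.
function classifyInstalls(lock, flagged) {
  const wanted = new Set(flagged);
  const result = {};
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageName(lockPath);
    if (!wanted.has(name)) continue;
    if (!result[name]) result[name] = [];
    result[name].push({ path: lockPath, version: meta.version, devOnly: meta.dev === true });
  }
  return result;
}

// Paths of flagged-package copies that reach production (no "dev": true flag).
function productionInstalls(lock, flagged) {
  const installs = classifyInstalls(lock, flagged);
  return Object.values(installs)
    .flat()
    .filter((i) => !i.devOnly)
    .map((i) => i.path);
}

// True only when every flagged package is installed and every copy is dev-only.
// A name that is not installed at all returns false: the lockfile cannot vouch for it.
function allDevOnly(lock, flagged) {
  const installs = classifyInstalls(lock, flagged);
  return flagged.every(
    (n) => (installs[n] || []).length > 0 && installs[n].every((i) => i.devOnly)
  );
}

// Against a real checkout, replace SAMPLE_LOCK with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
console.log(productionInstalls(SAMPLE_LOCK, ["axios", "@azure/identity"]));
```

Run on the sample, the check reports that the nested axios under azurite and @azure/identity are dev-only, while the top-level axios 1.13.6 reaches production; the interesting output on a real lockfile is any flagged copy that appears in the production list despite the audit calling it dev-only.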


Copilot AI and others added 2 commits March 12, 2026 04:30
Co-authored-by: kerisha <62780934+kerisha@users.noreply.github.com>
Co-authored-by: kerisha <62780934+kerisha@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix security advisory notification issues" to "fix: resolve npm security advisories across all sub-packages" Mar 12, 2026