fix(security): suppress CSRF false positive + upgrade next 15.5.19 + dep overrides

- Add .snyk policy file to suppress CSRF disabled false positive on JWT API chain
- Add inline documentation explaining why CSRF is intentionally disabled for stateless JWT
- Upgrade next.js 15.5.18 → 15.5.19 (latest stable 15.x patch)
- Upgrade eslint-config-next to match
- Add pnpm overrides for transitive CVEs: minimatch>=5.1.6, brace-expansion>=2.0.1, ajv>=8.17.1

cannamanage-frontend/package.json

@@ -56,7 +56,7 @@
     "emoji-picker-react": "4.12.2",
     "input-otp": "1.4.2",
     "lucide-react": "0.446.0",
-    "next": "15.5.18",
+    "next": "15.5.19",
     "next-auth": "5.0.0-beta.31",
     "next-intl": "^4.13.0",
     "react": "19.1.3",
@@ -88,7 +88,7 @@
     "@types/sockjs-client": "^1.5.4",
     "@vitejs/plugin-react": "^6.0.2",
     "eslint": "9.18.0",
-    "eslint-config-next": "15.5.18",
+    "eslint-config-next": "15.5.19",
     "eslint-config-prettier": "10.1.1",
     "eslint-plugin-prettier": "5.2.3",
     "jsdom": "^29.1.1",
@@ -107,6 +107,9 @@
     "@types/react": "19.0.12",
     "@types/react-dom": "19.0.4",
     "picomatch": ">=4.0.2",
-    "postcss": ">=8.4.31"
+    "postcss": ">=8.4.31",
+    "minimatch": ">=5.1.6",
+    "brace-expansion": ">=2.0.1",
+    "ajv": ">=8.17.1"
   }
 }