security(deps): bump fast-uri to 3.1.2#10

Open

ArthurSilvaCW wants to merge 1 commit into main from security/bump-fast-uri-3.1.2

Conversation

@ArthurSilvaCW

Summary

Bumps fast-uri from 3.1.0 to 3.1.2 in figma/Plugin-Centaury Contents/package-lock.json to resolve high-severity host confusion and path traversal vulnerabilities.

Source alerts

Dependency changes

  • fast-uri: 3.1.0 → 3.1.2 (transitive dependency via ajv ← webpack / terser-webpack-plugin / ajv-formats)
  • Only package-lock.json changed; no application code changes.

Validation

cd "figma/Plugin-Centaury Contents"
npm ci --ignore-scripts
npm run build
node -e "console.log(require('fast-uri/package.json').version)"
npm audit --json

Results:

  • npm ci passes (273 packages installed).
  • npm run build passes (webpack 5.105.4 compiled successfully).
  • Version proof: 3.1.2 installed.
  • npm audit no longer flags fast-uri.

Caveats / out of scope

  • Residual npm audit findings remain for lodash, picomatch, and postcss in the same lockfile; these are separate advisories and out of scope for this PR.
  • No test suite is configured in this package; validation relies on clean install and production build.
  • The repo reports 12 total Dependabot findings on the default branch; this PR addresses only the fast-uri cluster.

Rollback

Revert commit 6fde199 or checkout the previous package-lock.json version and run npm ci --ignore-scripts.
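The version proof above (`node -e "console.log(require('fast-uri/package.json').version)"`) only resolves the hoisted copy under `node_modules/fast-uri`; a second, nested copy that a dependency pins separately would stay on the old version without that command noticing. The script below is an added example, not part of this PR or the repository, that walks every install path in a lockfileVersion 2/3 `package-lock.json` and reports copies still below the patched floor. The lockfile it parses is a constructed sample with one hoisted and one nested fast-uri, not the real `figma/Plugin-Centaury Contents/package-lock.json`.

```python
import json
from typing import List, Tuple

# Constructed sample package-lock.json (lockfileVersion 3 layout), not the
# repository's real lockfile: the hoisted fast-uri is already 3.1.2, but a
# nested duplicate under ajv-formats is still on the vulnerable 3.1.0.
SAMPLE_LOCK = json.dumps({
    "name": "plugin-centaury",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "plugin-centaury", "devDependencies": {"webpack": "^5"}},
        "node_modules/fast-uri": {"version": "3.1.2", "dev": True},
        "node_modules/ajv": {"version": "8.17.1", "dev": True,
                             "dependencies": {"fast-uri": "^3.0.1"}},
        "node_modules/ajv-formats/node_modules/fast-uri": {
            "version": "3.1.0", "dev": True},
    },
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.1.2' (or '3.1.2-beta.1') into a comparable tuple (3, 1, 2).
    Pre-release/build suffixes are dropped; enough for a release-version floor."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_package_versions(lock_text: str, name: str) -> List[Tuple[str, str]]:
    """Every (install path, version) of `name` in a v2/v3 lockfile.
    Keys of 'packages' are install paths, so nested copies such as
    'node_modules/x/node_modules/<name>' are found, unlike a root require()."""
    packages = json.loads(lock_text).get("packages", {})
    suffix = "node_modules/" + name
    return [(path, meta["version"]) for path, meta in packages.items()
            if path == suffix or path.endswith("/" + suffix)]


def unpatched_copies(lock_text: str, name: str, fixed: str) -> List[str]:
    """Install paths whose version is older than the patched `fixed` version."""
    floor = parse_version(fixed)
    return [path for path, ver in find_package_versions(lock_text, name)
            if parse_version(ver) < floor]
```

Running `unpatched_copies(open("package-lock.json").read(), "fast-uri", "3.1.2")` against the real lockfile is the check that complements the `npm audit` result, since audit reports per advisory while this lists the exact install paths left behind.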

Bumps fast-uri from 3.1.0 to 3.1.2 to resolve host confusion
and path traversal vulnerabilities.

Source alerts: 72, 73, 74, 75
GHSA: GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc
CVE: CVE-2026-6321, CVE-2026-6322

@cloudwalk-review-agent (bot) left a comment

Dependency bump looks correct and scoped.

  • package-lock.json updates fast-uri from 3.1.0 to 3.1.2 with matching tarball/integrity changes.
  • No app/runtime code paths were modified, so regression risk is limited to dependency behavior.
  • This aligns with the stated security remediation for known advisories on fast-uri.

Given the diff and validation notes (npm ci, build success, installed version check, audit improvement), I don’t see a concrete blocking issue in this PR.
