Commit c1cd1a4
fix: bump node-forge to ^1.4.0 to resolve CVEs (#746)
## Problem
`[email protected]` contains 4 CVEs (CVE-2026-33891, CVE-2026-33894,
CVE-2026-33896, CVE-2026-33895) flagged by AWS SAS Vendor Guidance. The
vulnerable version is pulled in as a direct devDependency in
`runtimes/package.json` and transitively through `[email protected]`.
Downstream consumers (`language-servers`, `amazon-q-vscode`, ECS Console
Assets) inherit this vulnerability via `@aws/language-server-runtimes`.
## Solution
- Bumped `node-forge` from `^1.3.1` to `^1.4.0` in
`runtimes/package.json`
- Added `"node-forge": "^1.4.0"` to root `package.json` overrides to
ensure the transitive copy from `win-ca` also resolves to `1.4.0`
- Regenerated `package-lock.json` confirming all `node-forge` instances
resolve to `1.4.0`
## License
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Parent commit: 2c7174a
3 files changed
Lines changed: 5258 additions & 4863 deletions
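The Solution section above relies on two things a reviewer would want to verify: that the root `overrides` entry actually reaches the nested copy of `node-forge` under `win-ca`, and that the regenerated `package-lock.json` no longer contains any copy below `1.4.0`. The following is an added example, not code from this commit or from the `language-server-runtimes` project: a small lockfile audit that lists every installed copy of a package, direct or nested, and flags those older than a minimum version. It goes slightly beyond the commit by handling both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1. The two lockfiles embedded below are constructed samples that mimic the situation the commit describes; the `win-ca` version in them is a placeholder, and no other version numbers beyond those stated in the commit are claimed.

```javascript
"use strict";
// Added example: audit a package-lock.json for stale copies of a package.
// Not code from the commit or the language-server-runtimes project.

// Parse "MAJOR.MINOR.PATCH"; any pre-release/build suffix is ignored for ordering.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// List every installed copy of `name`, direct or nested, as { path, version }.
// lockfileVersion 2/3 keep a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps a nested "dependencies" tree, which is walked recursively.
function findInstalledCopies(lock, name) {
  const copies = [];
  if (lock.packages) {
    const suffix = `node_modules/${name}`;
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Exact match is the hoisted copy; "/node_modules/<name>" suffix is a nested copy.
      if (path === suffix || path.endsWith(`/${suffix}`)) {
        copies.push({ path, version: meta.version });
      }
    }
    return copies;
  }
  const walk = (deps, prefix) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) copies.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return copies;
}

// Copies older than `minVersion`; an empty array means the lockfile is clean.
function findStaleCopies(lock, name, minVersion) {
  return findInstalledCopies(lock, name).filter(
    (c) => compareVersions(c.version, minVersion) < 0
  );
}

// Constructed sample (not the project's real lockfile): the state the commit describes,
// a direct dev copy of node-forge plus a nested, older copy pulled in by win-ca.
// The win-ca version is a placeholder.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-workspace", devDependencies: { "node-forge": "^1.3.1" } },
    "node_modules/node-forge": { version: "1.4.0", dev: true },
    "node_modules/win-ca": { version: "0.0.0-sample" },
    "node_modules/win-ca/node_modules/node-forge": { version: "1.3.1" },
  },
};

// Constructed sample of the expected result after adding
//   "overrides": { "node-forge": "^1.4.0" }
// to the root package.json and regenerating: one hoisted copy, no nested copy.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-workspace", devDependencies: { "node-forge": "^1.4.0" } },
    "node_modules/node-forge": { version: "1.4.0", dev: true },
    "node_modules/win-ca": { version: "0.0.0-sample" },
  },
};

// Human-readable summary for use in a CI step or a local check.
function report(lock, name, minVersion) {
  const stale = findStaleCopies(lock, name, minVersion);
  if (stale.length === 0) return `${name}: all copies >= ${minVersion}`;
  const lines = stale.map((c) => `  ${c.path} -> ${c.version}`);
  return `${name}: ${stale.length} copy(ies) below ${minVersion}\n${lines.join("\n")}`;
}

console.log(report(LOCK_BEFORE, "node-forge", "1.4.0"));
console.log(report(LOCK_AFTER, "node-forge", "1.4.0"));
```

To run this against a real checkout, feed `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findStaleCopies` instead of the constructed objects, and treat a non-empty result as a failing check. The suffix match on `/node_modules/<name>` rather than on `<name>` alone is deliberate: it keeps a scoped package such as `@aws/language-server-runtimes` from colliding with an unscoped package of the same trailing name, and it skips look-alikes such as `node-forge-extra`.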