chore(deps): bump postcss to 8.5.12 to clear GHSA-qx2v-qp2m-jg93

  Moderate-severity advisory: PostCSS < 8.5.10 has an XSS via an
  unescaped </style> sequence in its CSS Stringify output. Caret range
  in package.json already accepts 8.5.12, so this is a lockfile-only
  bump (npm audit fix). Build verified clean.

  Vite, autoprefixer, and @tailwindcss/postcss all dedupe onto the same
  8.5.12 — no nested copies left in node_modules.

  Note: Bambuddy doesn't pass user-controlled CSS through PostCSS at
  runtime (PostCSS is build-time-only), so the practical impact even on
  older versions was nil. This is hygiene + clearing the npm audit
  warning.

frontend/package-lock.json

@@ -6442,9 +6442,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.5.6",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
-      "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+      "version": "8.5.12",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.12.tgz",
+      "integrity": "sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==",
       "dev": true,
       "funding": [
         {
@@ -6460,7 +6460,6 @@
           "url": "https://github.com/sponsors/ai"
         }
       ],
-      "license": "MIT",
       "dependencies": {
         "nanoid": "^3.3.11",
         "picocolors": "^1.1.1",