Resolve vulnerabilities, upgrade @hapi/nes to v14, allow login via username or email

- Fix serialize-javascript RCE (copy-webpack-plugin 12→14)
- Fix brace-expansion DoS via npm overrides (brace-expansion >=5.0.5)
- Fix lodash code injection/prototype pollution (4.17.23→4.18.1)
- Upgrade @hapi/nes 13→14
- Login form now accepts username or email (issue #39)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: webbpinner