Bump multer 1.4.5-lts.1 -> ^2.0.1 (DoS CVEs)

multer 1.x is affected by CVE-2025-47944/47935/48997/7338 (malformed
multipart crashes the process / leaks memory). 2.x raises catchable
errors instead. Usage (diskStorage + .single("file")) is unchanged.
Commit the server lockfile so the Dockerfile's npm-ci path pins the fix.

server/package.json

@@ -12,7 +12,7 @@
     "cors": "^2.8.5",
     "cookie-parser": "^1.4.6",
     "express": "^4.21.0",
-    "multer": "^1.4.5-lts.1",
+    "multer": "^2.0.1",
     "undici": "^6.21.0"
   }
 }