fix(deps): deduplicate google-auth-library to fix release build

[zapolsky]

Problem

Commit 1ad2615 ("Version Packages" #1250) turned ~15 CI checks red, all from a single root cause.

The package-lock.json regeneration floated the hoisted root google-auth-library to 10.7.0, while googleapis-common@8.0.2 pins it to exactly 10.5.0. That left two physical v10 copies in the tree → two distinct OAuth2Client types → error TS2345 in the backend:

• apps/backend/.../google-sheets/adapters/google-sheets-api.adapter.ts — google.sheets({ version: 'v4', auth })
• apps/backend/.../bigquery/services/bigquery-storage-resource-browser.service.ts — google.bigquery({ version: 'v2', auth })

The backend imports OAuth2Client directly from google-auth-library (root copy), but googleapis expects the type from googleapis-common's nested copy. Since almost every job starts with build:dep (which compiles the backend), the single build error cascaded into the tests, linters, publish, and all E2E jobs.

Fix

Scoped npm override in the root package.json:

"googleapis-common": { "google-auth-library": "^10.1.0" }

googleapis-common now reuses the root copy. The ^10.1.0 range (rather than a pinned 10.7.0) auto-tracks the root on future lockfile regenerations, so the tree stays deduplicated. The separate v9 cluster (@google-cloud/logging/pubsub, google-gax — all 9.15.1) is left untouched.

In package-lock.json, the duplicate google-auth-library@10.5.0 and its now-orphaned gcp-metadata/gtoken entries are removed (minimal diff).

Verification

Check	Result
npm ci (same as CI)	✅ exit 0, 0 vulnerabilities
Deduplication	✅ single root google-auth-library@10.7.0
Backend build (TS2345)	✅ gone
Full owox build (CI step repro)	✅ exit 0

ℹ️ npm ls google-auth-library will report invalid (the override intentionally violates googleapis-common's exact pin) — cosmetic only; it does not affect npm ci/build/publish, and CI never runs a bare npm ls.