
fix(ci): replace sed version bump with npm version to prevent script corruption #125

Open

Kyzgor wants to merge 1 commit into permitio:main from Kyzgor:fix/89-ci-version-bump-regex

fix(ci): replace sed version bump with npm version to prevent script corruption#125
Kyzgor wants to merge 1 commit into
permitio:mainfrom
Kyzgor:fix/89-ci-version-bump-regex

Conversation


@Kyzgor Kyzgor commented Mar 8, 2026

  • What kind of change does this PR introduce?

    Bug fix (CI / release tooling).

  • What is the current behavior? (link: CI workflow uses a regexp replace and changed the version script #89)

    The publish workflow (.github/workflows/node_sdk_publish.yaml) bumps the package version before
    publishing with a greedy sed:

    sed -i "s/\"version\": \".*\"/\"version\": \"${{ github.event.release.tag_name }}\"/" package.json
    

    This regex matches every "version": key in package.json, not just the top-level field. The
    scripts block contains "version": "standard-version" (a standard-version lifecycle hook
    invoked by prepare-release: run-s reset-hard test cov:check doc:html version doc:publish). The
    sed run overwrites that script with the release version string. The corruption already happened
    (introduced in commit 2abe31f) and is still live on main today — scripts.version is
    "2.5.2" instead of "standard-version", so the version step of prepare-release is broken.

  • What is the new behavior (if this is a feature change)?

    The bump step uses npm's JSON-aware tooling, which only mutates the top-level version field:

    npm version "${{ github.event.release.tag_name }}" --no-git-tag-version --allow-same-version --ignore-scripts
    
    • --no-git-tag-version — no commit/tag created in CI.
    • --ignore-scripts — does not fire the version lifecycle script (standard-version) during the bump.
    • --allow-same-version — tolerates re-runs / a tag equal to the current version.

    package.json's scripts.version is also restored from the corrupted "2.5.2" back to
    "standard-version". This matches the fix suggested in CI workflow uses a regexp replace and changed the version script #89.

  • Other information:

    Reproduced before/after (same input package.json, tag 9.9.9)
    # input: top-level version = 2.7.5 , scripts.version = "standard-version"
    
    # (A) old sed  → corrupts BOTH:
    sed -i 's/"version": ".*"/"version": "9.9.9"/' package.json
      line 3:  "version": "9.9.9"
      line 50: "version": "9.9.9"          # scripts.version destroyed
    
    # (B) new npm version  → top-level only:
    npm version 9.9.9 --no-git-tag-version --allow-same-version --ignore-scripts   # → v9.9.9
      line 3:  "version": "9.9.9"
      line 50: "version": "standard-version"   # preserved
    # diff vs input: only the top-level version changed; no git tag/commit; no lifecycle script fired
    

    What's NOT in this PR: no broader rewrite of the publish workflow, no standard-version
    automated-release wiring, no dependency changes, no source changes. (A separate, unrelated issue:
    prepare-release also references doc:html/doc:publish scripts that aren't defined — out of
    scope here.)

    The security/snyk (permit) check shows ERROR; this is an external/integration issue on fork PRs
    (this PR adds no dependencies and changes only CI config + a script string). A maintainer re-run or
    waiver would clear it.

    Fixes CI workflow uses a regexp replace and changed the version script #89
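To make the failure mode concrete, here is an added Python example (not code from the PR or the permitio repository) that applies the same greedy pattern line by line, the way sed does, to a constructed package.json, next to a JSON-aware bump that touches only the top-level field, plus a check a release pipeline could run to catch a clobbered scripts.version. The package.json content is constructed sample data that mirrors the shape described above.

```python
import json
import re

# Constructed sample package.json mirroring the shape described in the PR:
# a top-level "version" plus a scripts.version lifecycle hook (sample data, not the real file).
SAMPLE_PACKAGE_JSON = """{
  "name": "example-sdk",
  "version": "2.7.5",
  "scripts": {
    "test": "jest",
    "version": "standard-version",
    "prepare-release": "run-s reset-hard test version"
  }
}
"""

# Same pattern as the workflow's sed: s/"version": ".*"/"version": "<tag>"/
# sed applies it to every line, so every line holding a "version" key is rewritten.
SED_PATTERN = re.compile(r'"version": ".*"')


def sed_style_bump(text: str, tag: str) -> str:
    """Reproduce the old line-by-line regex replacement."""
    replacement = f'"version": "{tag}"'
    return "\n".join(SED_PATTERN.sub(replacement, line) for line in text.split("\n"))


def json_aware_bump(text: str, tag: str) -> str:
    """Parse the document and change only the top-level version, as `npm version` does."""
    data = json.loads(text)
    data["version"] = tag
    return json.dumps(data, indent=2) + "\n"


def version_fields(text: str) -> dict:
    """Return the top-level version and scripts.version so the two bumps can be compared."""
    data = json.loads(text)
    return {"version": data["version"], "scripts.version": data.get("scripts", {}).get("version")}


def scripts_version_clobbered(before: str, after: str) -> bool:
    """Guard a release step: True if the bump changed scripts.version (the regression fixed here)."""
    return version_fields(before)["scripts.version"] != version_fields(after)["scripts.version"]


if __name__ == "__main__":
    for label, bump in (("sed", sed_style_bump), ("npm-style", json_aware_bump)):
        result = bump(SAMPLE_PACKAGE_JSON, "9.9.9")
        print(label, version_fields(result), "clobbered:", scripts_version_clobbered(SAMPLE_PACKAGE_JSON, result))
```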

…corruption

The CI workflow used `sed -i "s/\"version\": \".*\"/.../"`  to bump the
version in package.json before publishing. This greedy regex matched
every `"version": "..."` pattern in the file, including the `version`
script in the `scripts` block, corrupting it from `"standard-version"`
to the release version string.

Replace sed with `npm version --no-git-tag-version --allow-same-version`
which safely modifies only the top-level `version` field. Also restore
the corrupted `version` script to its original value.

Fixes permitio#89
Kyzgor force-pushed the fix/89-ci-version-bump-regex branch from fb9c66a to a14220b on March 9, 2026

Kyzgor (Author) commented Jun 7, 2026

The security/snyk (permit) check is in an ERROR state here. This PR changes no dependencies — it only edits the publish workflow's version-bump step and restores a corrupted scripts.version string in package.json — so this looks like an external/integration failure on the Snyk side for fork PRs rather than a vulnerability introduced by the change. Could a maintainer re-run it (or waive it for this fork PR)? Happy to help if anything is needed on my end.

Successfully merging this pull request may close these issues.

CI workflow uses a regexp replace and changed the version script

1 participant