Commit da53e66

gkorland and Copilot committed
fix(deps): resolve all Dependabot security alerts
- Bump litellm ~=1.82.0 → ~=1.83.0 (fixes CVE: auth bypass via OIDC cache key collision, privilege escalation via unrestricted proxy config)
- Bump fastmcp >=2.13.1 → >=3.2.0 (fixes CVE: SSRF & path traversal in OpenAPI provider)
- Add aiohttp>=3.13.4 constraint (fixes multiple HTTP-level CVEs: duplicate Host headers, header injection, multipart bypass, memory DoS, CRLF injection, cookie leaks, SSRF on Windows)
- Add npm override for lodash-es to 4.18.1 (fixes prototype pollution via array path bypass, code injection via template imports)
- Update fastmcp import path from deprecated fastmcp.server.openapi to fastmcp.server.providers.openapi

Closes #125, #124, #123, #122, #121, #120, #119, #118, #117, #116, #115, #114, #113, #112, #111, #110, #109, #108, #107, #106, #105, #104, #103, #102, #101, #100, #99, #98, #97, #96

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 4695d0d commit da53e66

5 files changed

Lines changed: 4588 additions & 3327 deletions

api/app_factory.py

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@
1212
from starlette.middleware.sessions import SessionMiddleware
1313
from starlette.middleware.base import BaseHTTPMiddleware
1414
from fastmcp import FastMCP
15-
from fastmcp.server.openapi import MCPType, RouteMap
15+
from fastmcp.server.providers.openapi import MCPType, RouteMap
1616

1717
from uvicorn.middleware.proxy_headers import ProxyHeadersMiddleware
1818
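Review bot: The import on new line 15 ties api/app_factory.py to the fastmcp.server.providers.openapi layout, while the constraint named in the commit message (fastmcp >=3.2.0) has no upper bound, so a later major release that moves the module again would break application start-up at import time. Consider capping the range at the next major (for example >=3.2.0,<4) and relying on the lockfile for the exact version. This is also a 2.x to 3.x jump in which the only source change is the import path: please add or point to a test that builds the app and checks that the RouteMap and MCPType rules in this module still select the same routes, since they decide which API endpoints are exposed over MCP and a silent change in matching behaviour would widen or narrow that surface without any error.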
