security: resolve all 5 Dependabot alerts via overrides + update

- flatted 3.3.3→3.4.2 (CVE-2026-33228 prototype pollution, CVE-2026-32141 DoS)
- fast-xml-parser 5.3.6→5.5.8 (CVE-2026-27942, CVE-2026-33036, CVE-2026-26278)
- picomatch 2.3.2→4.0.4 (CVE-2026-33672 method injection)
- Add npm overrides for flatted + picomatch (transitive via eslint/vitest)
- Update @aws-sdk/* to pull fixed fast-xml-parser

Author: Partha-dev01