chore(deps): transitive bumps incl. @hono/node-server security fix (#43)

Recreates dependabot #29, which the bot closed as "no longer updatable"
while main's lockfile still carried `@hono/node-server@1.19.9` — below
the **GHSA-wc8c-qw6v-h7f6** (serve-static auth bypass) fix floor of
1.19.10.

- `@hono/node-server` 1.19.9 → **1.19.14** (security)
- `hono` 4.11.10 → 4.12.23
- `express-rate-limit` 8.2.1 → 8.5.2
- `rollup` 4.57.1 → 4.61.0

Lockfile-only, all transitive. Local sanity: typecheck + build + test
smoke green.

Author: bntvllnt