fix: bump axios to ^1.16.0 in typescript SDK

Loosens the exact `1.13.6` pin (originally added in #631 to block the
compromised `1.14.1` release) so consumers can pick up axios security
patches via `npm update` / `npm audit fix`.

Picks up:
- GHSA-fvcv-3m26-pcqx (CVE-2026-40175): Cloud Metadata Exfiltration
  via Header Injection — patched in 1.15.0
- GHSA-3p68-rc4w-qgx5 (CVE-2025-62718): NO_PROXY Hostname
  Normalization Bypass leading to SSRF — patched in 1.15.0

Both advisories were published after `1.13.6` was pinned. The
`^1.16.0` range excludes the compromised `1.14.x` line and allows
future patch releases.

Closes #681

Author: ParakhJaggi

examples/typescript/pnpm-lock.yaml

@@ -0,0 +1,7 @@
+---
+"@coinbase/cdp-sdk": patch
+---
+
+Bump axios from `1.13.6` to `^1.16.0` in `typescript/src/package.json` to pick up security fixes for [GHSA-fvcv-3m26-pcqx](https://github.com/advisories/GHSA-fvcv-3m26-pcqx) (Cloud Metadata Exfiltration via Header Injection) and [GHSA-3p68-rc4w-qgx5](https://github.com/advisories/GHSA-3p68-rc4w-qgx5) (NO_PROXY Hostname Normalization Bypass leading to SSRF), both patched in `1.15.0`. The exact `1.13.6` pin (originally added in #631 to block the compromised `1.14.1` release) prevented consumers from receiving these patches via `npm update` / `npm audit fix`. A semver range allows future patch bumps without re-pinning. `1.14.x` is excluded by `^1.16.0`.
+
+Closes #681.

typescript/.changeset/green-sites-peel.md

@@ -23,7 +23,7 @@
     "@solana-program/token": "^0.9.0",
     "@solana/kit": "^5.5.1",
     "abitype": "1.0.6",
-    "axios": "1.13.6",
+    "axios": "^1.16.0",
     "axios-retry": "^4.5.0",
     "bs58": "^6.0.0",
     "jose": "^6.2.0",