Commit 3f40d6e
chore(deps): npm audit fix for high/medium security alerts
Bumps transitive npm dependencies via `npm audit fix` (no breaking changes):
- @hono/node-server 1.19.9 -> 1.19.14 (auth bypass via encoded slashes; serveStatic bypass)
- hono 4.11.7 -> 4.12.17 (multiple: serveStatic file access, cookie/SSE injection, IP matching, etc.)
- express-rate-limit 8.2.1 -> 8.5.0 (IPv4-mapped IPv6 bypass)
- path-to-regexp -> 8.4.2 (DoS via sequential optional groups / multi-wildcard ReDoS)
- rollup 4.52.5 -> 4.60.3 (arbitrary file write via path traversal)
- minimatch (3.x, 9.x, 10.x) -> patched (multiple ReDoS)
- brace-expansion -> patched (zero-step DoS)
- ajv 8.17.1 -> 8.20.0 (ReDoS in $data option)
- qs 6.14.1 -> 6.15.1 (arrayLimit bypass DoS)
- postcss 8.5.6 -> 8.5.14 (XSS in stringify output)
Build and tests pass across all TS workspaces. Remaining 7 moderate dev-only
alerts (vitest/vite/esbuild chain) require a major vitest 4.x bump and are
out of scope here.
Supersedes the contents of dependabot PR #3377 (minimatch 10.0.1 -> 10.2.1).
1 parent 916fa42 commit 3f40d6e
1 file changed
Lines changed: 211 additions & 145 deletions