Refresh repo dependencies

[kvz]

Why:
Dependabot currently has a narrow lockfile PR for brace-expansion (#416), while the repo has a broader set of transitive dependency alerts on main. This consolidates the feasible dependency refresh into one tested PR so we can clear the lockfile noise together instead of spending CI/review cycles on one-off bumps.

What:

• Refreshes root/tooling dependencies: @biomejs/biome, @types/node, @vitest/coverage-v8, jest-diff, knip, and vitest.
• Refreshes package dependencies/dev dependencies across workspaces, including p-queue, nock, and shared @types/node ranges.
• Refreshes scoped and unscoped transitive lockfile resolutions, including the alerts for brace-expansion, @hono/node-server, path-to-regexp, picomatch, tar, minimatch, ajv, qs, and glob.
• Removes the test-only temp dependency and replaces it with native Node temp-directory helpers so the deprecated rimraf@2/glob@7/inflight chain drops out of the audit.
• Adds .changeset/deps-refresh.md with patch release notes for @transloadit/node, transloadit, and @transloadit/mcp-server; generated package changelogs will be updated by the post-merge Version Packages PR.
• Updates the Biome schema URL to match the upgraded Biome patch.
• Supersedes Dependabot PR build(deps): bump brace-expansion from 2.0.1 to 5.0.6 #416.

Held back:

• got: stayed on 14.6.6. The got v15 release requires Node.js 22 and switches to native FormData; this repo still publishes @transloadit/node/transloadit for Node 20+, and the attempted bump failed unit tests with Non-native FormData is not supported. Source: https://github.com/sindresorhus/got/releases/tag/v15.0.0
• zod in @transloadit/node/transloadit: stayed on 3.25.76. The attempted v4 bump failed during SDK schema import on Zod internals (def.shape is not a function), and the Zod v4 migration guide documents broad breaking changes plus undocumented internal API changes. Source: https://zod.dev/v4/changelog
• Internal @transloadit/* workspace ranges were left alone; Yarn reports multiple workspace-vs-registry upgrade strategies there, and this repo’s release/version flow owns those ranges.

Post-review release path:

• Do not publish before human review and merge of this PR.
• After merge, the Release workflow should open/update the Changesets “Version Packages” PR.
• Review the Version Packages PR # Releases section for @transloadit/node, transloadit, and @transloadit/mcp-server, ensure CI is green, then squash-merge that version PR.
• Publishing should happen through the repo’s trusted-publishing Release workflow. Verify afterwards with npm view @transloadit/node version, npm view transloadit version, and npm view @transloadit/mcp-server version.

Validation:

• corepack yarn check (rerun after changeset)
• corepack yarn verify:full (rerun after changeset; passed on rerun after one transient notify-url-relay network-test failure)
• corepack yarn workspace @transloadit/node test:unit
• corepack yarn npm audit -A -R --severity low (No audit suggestions)
• corepack yarn install --immutable
• git diff --check --cached
• ~/code/dotfiles/bin/council.ts review (No issues found.)
• PR CI green after changeset commit