
chore: resolve dependabot security alerts #136

Merged
codebytere merged 1 commit into main from sam/dependabot-fixes-2026-04
Apr 4, 2026

Conversation

@MarshallOfSound (Member)

Safe-only sweep of open Dependabot security alerts. Only lockfile refreshes and same-major resolutions were applied — nothing that changes runtime behavior.

Resolved

| Package | Strategy | Version change |
| --- | --- | --- |
| picomatch | yarn up -R (in-range) | 4.0.3 → 4.0.4 |
| minimatch (3.x) | yarn up -R (in-range) | 3.1.2 → 3.1.5 |
| minimatch (9.x) | yarn up -R + scoped resolution | 9.0.3 / 9.0.5 → 9.0.9 |
| glob | yarn up -R (in-range) | 10.4.5 → 10.5.0 |

The scoped resolution (@typescript-eslint/typescript-estree@npm:6.21.0/minimatch^9.0.7) is needed because typescript-estree@6.21.0 pins minimatch@9.0.3 exactly; the override stays within the same major.

Flagged (not changed)

| Package | Reason |
| --- | --- |
| lodash | Fix is 4.18.0 (published 2026-03-31) — blocked by the 7-day npmMinimalAgeGate; revisit once it ages in. |
| undici | No patched 5.x; reaching ^6.24.0 needs @actions/http-client@>=3.0.2, which requires major bumps of direct deps @actions/core and @actions/github. |
| @octokit/request | Pulled in via @actions/github@5.1.1 → @octokit/core@3.6.0; fix requires @actions/github@^6 (direct dep major bump). |
| @octokit/plugin-paginate-rest | Same as above — requires @actions/github@^6. |
| @octokit/request-error | Same as above — requires @actions/github@^6. |

The @actions/* major bumps are likely fine here since everything is bundled into dist/, but they're out of scope for a safe-only sweep and should land separately with a rebuild.
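
The two rules the description above applies by hand (take only same-major fixes; skip any fix younger than the 7-day minimal age gate) can be scripted so the next sweep is mechanical. The following is an added example written for this page, not code from the PR or the project. It assumes a small constructed alert list: the version numbers come from the PR's tables, but the publish dates other than lodash's 2026-03-31, the installed lodash and undici versions, and the function names are assumptions.

```javascript
// Added example (not part of the PR or the project): policy check for a
// "safe-only" Dependabot sweep. Rule 1: only same-major, non-prerelease bumps
// are applied. Rule 2: a fix published less than MIN_AGE_DAYS ago is flagged,
// mirroring the 7-day npmMinimalAgeGate the PR description mentions.

const MIN_AGE_DAYS = 7;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Minimal semver parser: major.minor.patch with optional prerelease tag.
// A leading range operator (^ or ~) is ignored so "^6.24.0" parses as 6.24.0.
function parseSemver(v) {
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// True when `to` sorts strictly after `from`; a prerelease sorts before its release.
function isNewer(to, from) {
  if (to.major !== from.major) return to.major > from.major;
  if (to.minor !== from.minor) return to.minor > from.minor;
  if (to.patch !== from.patch) return to.patch > from.patch;
  return from.pre !== null && to.pre === null;
}

// alert: { name, installed, fix, fixPublishedAt (ms since epoch) }; now: ms since epoch.
// Returns { name, action: 'apply' | 'flag', reason }.
function classifyAlert(alert, now) {
  const from = parseSemver(alert.installed);
  const to = parseSemver(alert.fix);
  if (!isNewer(to, from)) {
    return { name: alert.name, action: 'flag', reason: 'fix version is not newer than the installed one' };
  }
  if (to.major !== from.major) {
    return { name: alert.name, action: 'flag', reason: `crosses a major (${from.major} -> ${to.major}); needs its own PR` };
  }
  if (to.pre !== null) {
    return { name: alert.name, action: 'flag', reason: 'fix is a prerelease' };
  }
  const ageDays = (now - alert.fixPublishedAt) / MS_PER_DAY;
  if (ageDays < MIN_AGE_DAYS) {
    return { name: alert.name, action: 'flag', reason: `published ${ageDays.toFixed(1)} days ago, under the ${MIN_AGE_DAYS}-day age gate` };
  }
  return { name: alert.name, action: 'apply', reason: 'same-major and aged past the gate' };
}

// Builds a Yarn "resolutions" entry scoped to one parent, in the form the PR
// quotes (<parent>@npm:<version>/<dependency>), and refuses an override that
// would leave the major the parent pins, which is what keeps the sweep safe-only.
function scopedResolution(parent, parentVersion, dep, pinned, range) {
  const pinnedMajor = parseSemver(pinned).major;
  if (parseSemver(range).major !== pinnedMajor) {
    throw new Error(`${dep}: override ${range} leaves pinned major ${pinnedMajor}`);
  }
  return { [`${parent}@npm:${parentVersion}/${dep}`]: range };
}

function sweep(alerts, now) {
  return alerts.map((a) => classifyAlert(a, now));
}

// Constructed input. Versions are from the PR tables except the installed
// lodash and undici versions, which are assumed; publish dates other than
// lodash's 2026-03-31 are assumed too.
const NOW = Date.UTC(2026, 3, 4, 9, 5); // PR marked ready for review, 2026-04-04 09:05
const ALERTS = [
  { name: 'picomatch', installed: '4.0.3',   fix: '4.0.4',   fixPublishedAt: Date.UTC(2026, 2, 1) },
  { name: 'minimatch', installed: '9.0.3',   fix: '9.0.9',   fixPublishedAt: Date.UTC(2026, 2, 1) },
  { name: 'lodash',    installed: '4.17.21', fix: '4.18.0',  fixPublishedAt: Date.UTC(2026, 2, 31) },
  { name: 'undici',    installed: '5.28.0',  fix: '^6.24.0', fixPublishedAt: Date.UTC(2026, 1, 1) },
];

for (const r of sweep(ALERTS, NOW)) {
  console.log(`${r.action.padEnd(5)} ${r.name}: ${r.reason}`);
}
console.log(scopedResolution('@typescript-eslint/typescript-estree', '6.21.0', 'minimatch', '9.0.3', '^9.0.7'));
```

In a real sweep the `fixPublishedAt` values would come from the registry's `time` field for the fix version; the rest of the logic is unchanged. The age gate is the part worth keeping even outside Yarn: a freshly published "fix" is exactly what a compromised maintainer account would push.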

MarshallOfSound marked this pull request as ready for review April 4, 2026 09:05
MarshallOfSound requested review from a team as code owners April 4, 2026 09:05
codebytere merged commit e79fe7a into main Apr 4, 2026
22 checks passed
codebytere deleted the sam/dependabot-fixes-2026-04 branch April 4, 2026 18:05