chore: resolve dependabot security alerts

[MarshallOfSound]

Safe-only sweep of open Dependabot security alerts. All changes are lockfile-only (yarn up -R) within existing semver ranges — no package.json changes, no resolutions added.

Package	Strategy	Version change
brace-expansion	yarn up -R (in-range)	1.1.12 → 1.1.13, 2.0.1 → 2.0.3
picomatch	yarn up -R (in-range)	4.0.3 → 4.0.4
flatted	yarn up -R (in-range)	3.4.1 → 3.4.2
tar	yarn up -R (in-range)	7.5.10 → 7.5.13
minimatch	yarn up -R (in-range)	3.1.2 → 3.1.5, 9.0.3/9.0.5 → 9.0.9, 10.0.3 → 10.2.4
glob	yarn up -R (in-range)	10.4.5 → 10.5.0, 11.0.3 → 11.1.0
ajv	yarn up -R (in-range)	6.12.6 → 6.14.0
markdown-it	yarn up -R (in-range)	14.1.0 → 14.1.1
yaml	yarn up -R (in-range)	2.8.1 → 2.8.3

Flagged (not changed)

• lodash (devDependency) — patched version 4.18.0 was published 2026-03-31 and is blocked by npmMinimalAgeGate: 10080 (1 week). Can be bumped once it clears the gate.
• @xmldom/xmldom (via plist) — patched version 0.8.12 was published 2026-03-29 and is blocked by npmMinimalAgeGate. Can be refreshed with yarn up -R @xmldom/xmldom once it clears the gate.

yarn install --immutable passes. No new peer dependency warnings (the existing @types/node warning predates this change).