chore: resolve dependabot security alerts

[MarshallOfSound]

Safe-only sweep of open Dependabot security alerts. All changes are lockfile-only transitive refreshes within existing semver ranges (yarn up -R); no package.json ranges were touched and no resolutions were added.

Package	Strategy	Version change
brace-expansion	yarn up -R (transitive, within ^2.0.2)	2.0.2 → 2.0.3
picomatch	yarn up -R (transitive, within ^4.0.3)	4.0.3 → 4.0.4
tar	yarn up -R (transitive, within ^7.4.3)	7.5.10 → 7.5.13
markdown-it	yarn up -R (transitive, within ^14.1.0)	14.1.0 → 14.1.1
yaml	yarn up -R (transitive, within ^2.8.1)	2.8.2 → 2.8.3

markdown-it and yaml were surfaced by yarn npm audit rather than Dependabot but were trivially resolvable in-range, so they're included.

Flagged (not changed)

• lodash (direct dep, 2 advisories — GHSA-r5fr-rjxr-66jc high, GHSA-f23m-r3pf-42rh moderate): first patched version is 4.18.0, published 2026-03-31. Blocked by npmMinimalAgeGate: 10080 (7 days) in .yarnrc.yml. The bump is in-range for ^4.17.11 and can land once the age gate clears (~2026-04-07).

Verification

• yarn install --immutable passes
• yarn npm audit --all --recursive: 2 remaining advisories (both lodash, see above)
• No new peer-dependency warnings (the pre-existing @types/node peer warning is unchanged)

[electron-npm-package-publisher]

🎉 This PR is included in version 9.1.6 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀