chore: consolidate dependabot and npm audit dependency updates#2374

Draft
Copilot wants to merge 2 commits into main from copilot/check-dependabot-prs-and-audits
Conversation

Copilot AI (Contributor) commented Apr 10, 2026

Summary

  • reviewed open Dependabot dependency PRs and open dependency-update issues
  • bumped vulnerable dependency ranges in manifests (undici, minimatch) and updated root security overrides (brace-expansion, tar, @tootallnate/once, js-yaml)
  • regenerated lockfiles across root and affected packages

Validation

  • npm run audit-all passes (all package-level audit checks clean)
  • npm run lint passes
  • npm run build passes
  • npm test still fails in this environment on existing network-dependent postman-echo.com tests
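The Validation list above relies on an `audit-all` script that runs `npm audit` per package and on root `overrides` to pin transitive dependencies. The block below is an added example, not the toolkit's own `audit-all` script: it evaluates `npm audit --json` report objects (report version 2, npm 7 and later) for several packages, fails the run at a chosen severity, and cross-checks each flagged package against a root `overrides` map so that three situations stay distinguishable: a transitive advisory with no override (needs one), an advisory whose package is already overridden but still reported (lockfile not regenerated yet), and a fix that crosses a major version (needs a compatibility review rather than a blind bump). The package names, ranges and severities in `SAMPLE_REPORTS` are constructed placeholders, not real advisories.

```javascript
// Added example, not part of actions/toolkit. Gate a CI job on npm audit
// report v2 JSON (`npm audit --json`, npm >= 7) across several packages and
// cross-check findings against a root package.json "overrides" map.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Summarise one package's audit report. `overrides` is the root package.json
// "overrides" object (name -> range); `failLevel` is the lowest blocking severity.
function evaluateAudit(report, overrides = {}, failLevel = "moderate") {
  if (report.auditReportVersion !== 2) {
    throw new Error("expected npm audit report v2 (npm >= 7)");
  }
  const threshold = SEVERITY_RANK[failLevel];
  if (threshold === undefined) throw new Error(`unknown severity ${failLevel}`);

  const findings = Object.entries(report.vulnerabilities || {}).map(([name, v]) => {
    const rank = SEVERITY_RANK[v.severity];
    if (rank === undefined) throw new Error(`unknown severity ${v.severity} for ${name}`);
    // In report v2, fixAvailable is true, false, or { name, version, isSemVerMajor }.
    const fix = v.fixAvailable;
    return {
      name,
      severity: v.severity,
      range: v.range,
      direct: Boolean(v.isDirect),
      overridden: Object.prototype.hasOwnProperty.call(overrides, name),
      majorBumpRequired: typeof fix === "object" && fix !== null && fix.isSemVerMajor === true,
      blocking: rank >= threshold,
    };
  });

  const blocking = findings.filter((f) => f.blocking);
  return {
    ok: blocking.length === 0,
    findings,
    // Transitive advisories with no root override: bumping manifests alone will not reach them.
    needsOverride: blocking.filter((f) => !f.direct && !f.overridden).map((f) => f.name),
    // Override exists but the package is still reported: the lockfile was not regenerated.
    staleOverride: blocking.filter((f) => f.overridden).map((f) => f.name),
    // Fix crosses a major version: review compatibility instead of bumping blindly.
    majorBumps: blocking.filter((f) => f.majorBumpRequired).map((f) => f.name),
  };
}

// Aggregate per-package reports the way an audit-all script would:
// one failing package fails the whole run.
function auditAll(reportsByPackage, overrides, failLevel) {
  const results = {};
  for (const [pkg, report] of Object.entries(reportsByPackage)) {
    results[pkg] = evaluateAudit(report, overrides, failLevel);
  }
  return { ok: Object.values(results).every((r) => r.ok), results };
}

// Constructed sample input (placeholder package names, not real advisories).
const SAMPLE_OVERRIDES = { "example-transitive": "^2.1.5" };

const SAMPLE_REPORTS = {
  "packages/alpha": {
    auditReportVersion: 2,
    vulnerabilities: {
      "example-transitive": {
        name: "example-transitive", severity: "moderate", isDirect: false,
        via: ["example-direct"], effects: [], range: "<2.1.5",
        nodes: ["node_modules/example-transitive"], fixAvailable: true,
      },
      "example-noise": {
        name: "example-noise", severity: "low", isDirect: false,
        via: [], effects: [], range: "<0.3.0",
        nodes: ["node_modules/example-noise"], fixAvailable: true,
      },
    },
    metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 0, critical: 0, total: 2 } },
  },
  "packages/beta": {
    auditReportVersion: 2,
    vulnerabilities: {
      "example-legacy": {
        name: "example-legacy", severity: "high", isDirect: false,
        via: [], effects: ["example-tool"], range: "<4.0.0",
        nodes: ["node_modules/example-legacy"],
        fixAvailable: { name: "example-tool", version: "9.0.0", isSemVerMajor: true },
      },
    },
    metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0, total: 1 } },
  },
  "packages/gamma": { auditReportVersion: 2, vulnerabilities: {}, metadata: {} },
};

// Print a per-package summary for the constructed sample.
const SAMPLE_RUN = auditAll(SAMPLE_REPORTS, SAMPLE_OVERRIDES, "moderate");
for (const [pkg, r] of Object.entries(SAMPLE_RUN.results)) {
  const notes = [];
  if (r.needsOverride.length) notes.push(`needs override: ${r.needsOverride.join(", ")}`);
  if (r.staleOverride.length) notes.push(`regenerate lockfile: ${r.staleOverride.join(", ")}`);
  if (r.majorBumps.length) notes.push(`major bump needed: ${r.majorBumps.join(", ")}`);
  console.log(`${pkg}: ${r.ok ? "clean" : "FAIL"} ${notes.join("; ")}`);
}
```

To use it in CI, run `npm audit --json > audit.json` inside each package, load the files into an object keyed by package path, pass the root `package.json` `overrides` field as the second argument, and set `process.exitCode = run.ok ? 0 : 1` on the result. Checking `staleOverride` before merging is what catches an override that was added to `package.json` without the lockfile being regenerated.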

Copilot AI and others added 2 commits April 10, 2026 08:52
Agent-Logs-Url: https://github.com/actions/toolkit/sessions/d499e0d6-6a24-47ae-bb56-34a77268a632

Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
Agent-Logs-Url: https://github.com/actions/toolkit/sessions/d499e0d6-6a24-47ae-bb56-34a77268a632

Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
@salmanmkc (Contributor) commented
@copilot Should we do package releases and readme bumps in this PR following semver rules? Or should we prep them in a separate PR? Are there any breaking changes we should be cautious of?

Copilot AI (Contributor, Author) commented Apr 10, 2026

@copilot Should we do package releases and readme bumps in this PR following semver rules? Or should we prep them in a separate PR? Are there any breaking changes we should be cautious of?

I’d keep releases/readme version bumps in a separate PR. This PR should stay as dependency remediation; then do a focused release PR with changelog/readme/version updates. Based on commit ba2e192, these are semver-safe dependency bumps (undici/minimatch patch/minor within major), so no intentional breaking API changes are expected. The main caution is validating runtime compatibility in release CI (especially transitive/tooling overrides like tar) before publishing.
