chore: resolve dependabot security alerts

[MarshallOfSound]

Safe-only sweep of open Dependabot security alerts. All changes are transitive lockfile refreshes (yarn up -R) within existing semver ranges — no package.json changes, no resolutions entries, no major bumps.

Package	Strategy	Version change
picomatch	yarn up -R (transitive, in-range)	4.0.3 → 4.0.4
tar	yarn up -R (transitive, in-range)	7.5.10 → 7.5.13
minimatch	yarn up -R (transitive, in-range)	9.0.5 → 9.0.9
glob	yarn up -R (transitive, in-range)	10.4.5 → 10.5.0

Incidental in-range bumps pulled in by the above: brace-expansion@2.0.1 → 2.0.3, glob@7.1.6 → 7.2.3.

All picked versions satisfy the 7-day npmMinimalAgeGate. yarn install --immutable passes with no new peer-dependency warnings.

Flagged (not changed)

None — all four alerts resolved via in-range transitive refresh.