Commit ce89f8f
chore: fix npm security vulnerabilities (#68)
## Summary
Resolves 6 security vulnerabilities in transitive npm dependencies
identified by Dependabot, by running `npm audit fix`.
## Changes
Updated locked versions in `package-lock.json` for the following
vulnerable packages:
| Package | Severity | CVE / Advisory |
|---------|----------|----------------|
| `hono` ≤4.12.3 | High | XSS via ErrorBoundary, cache deception, IP spoofing, path traversal, cookie injection, SSE injection |
| `@hono/node-server` <1.19.10 | High | Authorization bypass via encoded slashes in Serve Static Middleware |
| `rollup` 4.0.0–4.58.0 | High | Arbitrary file write via path traversal |
| `minimatch` ≤3.1.3 | High | Multiple ReDoS vulnerabilities |
| `ajv` <8.18.0 | Moderate | ReDoS when using `$data` option |
| `qs` 6.7.0–6.14.1 | Low | `arrayLimit` bypass allowing denial of service |
No changes to `package.json` — all fixes are transitive dependency
version updates in the lock file.
## Test Plan
- [x] `npm audit` reports 0 vulnerabilities after fix
- [x] All 90 unit tests pass (`npm test`)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Moderate risk because it upgrades runtime server deps (`hono`, `@hono/node-server`) and build tooling (`rollup`), which could introduce behavioral changes despite being patch/minor bumps.
>
> **Overview**
> **Security-focused lockfile refresh.** Runs an `npm audit fix`-style update that changes only `package-lock.json` to pull in non-vulnerable transitive versions.
>
> Notable bumps include `hono`/`@hono/node-server`, `rollup` (and its platform binaries), plus ReDoS-related updates to `minimatch`, `ajv`, and `qs`.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 665c12c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

1 parent 7622fc9 · commit ce89f8f · 1 file changed (+128, -128 lines)