Commit 0ab3570
fix(security): resolve high-severity vulnerabilities in qs and valibot

Address 2 high-severity vulnerabilities identified by npm audit:

1. CVE-2025-15284 (qs): DoS via arrayLimit bypass in bracket notation
   - Added npm overrides to force qs@6.14.1
   - Upstream fix pending: cypress-io/request#97
   - Tracked in #145 for override removal once upstream releases

2. CVE-2025-66020 (valibot): ReDoS in EMOJI_REGEX
   - Updated react-router 7.9.4 → 7.11.0
   - Updated @react-router/dev 7.9.4 → 7.11.0
   - These updates pull in valibot@1.2.0 (fixed version)

Both vulnerabilities affect dev dependencies only (Cypress and React Router dev tooling).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

1 parent d5c71e2 commit 0ab3570
2 files changed: +986 -2283 lines changed
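As an added example (not part of this commit or the project's code): a Node.js check that scans an npm lockfile's `packages` map for any copy of qs or valibot below the versions named in the commit message, which catches a nested copy that an override or update did not reach. The function names and the sample lockfile are constructed for illustration, and plain x.y.z versions are assumed.

```javascript
// Added example: flag lockfile entries for qs or valibot that are older than
// the versions named in the commit message (qs@6.14.1, valibot@1.2.0).
const MINIMUMS = { qs: '6.14.1', valibot: '1.2.0' };

// Compare plain x.y.z versions numerically; pre-release tags are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/qs"; the package
// name is whatever follows the last "node_modules/".
function packageName(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Return every installed copy that is below its minimum version.
function findStaleCopies(lock, minimums = MINIMUMS) {
  const stale = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name || !Object.prototype.hasOwnProperty.call(minimums, name)) continue;
    if (!meta.version) continue;
    if (compareVersions(meta.version, minimums[name]) < 0) {
      stale.push({ path, name, version: meta.version, minimum: minimums[name] });
    }
  }
  return stale;
}

// Constructed sample lockfile: the hoisted qs is updated, a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/qs': { version: '6.14.1', dev: true },
    'node_modules/@cypress/request/node_modules/qs': { version: '6.14.0', dev: true },
    'node_modules/valibot': { version: '1.2.0', dev: true },
  },
};

for (const s of findStaleCopies(SAMPLE_LOCK)) {
  console.log(`${s.path}: ${s.name}@${s.version} is below ${s.minimum}`);
}
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findStaleCopies` and fail the CI job when the returned list is non-empty.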