fix: update vulnerable dependencies (glob, jws, tar, js-yaml)

[afarber]

TLDR

Fix npm audit security vulnerabilities by updating glob, jws, tar, tar-fs, and js-yaml to patched versions.

Dive Deeper

Updates the following packages to address security advisories:

Package	Before	After	Severity	Issue
glob	10.4.5	10.5.0	HIGH	Command injection (GHSA-5j98-mcp5-4vw2)
jws	3.2.2, 4.0.0	3.2.3, 4.0.1	HIGH	HMAC verification bypass (GHSA-869p-cjfg-cm3x)
tar	7.5.1	7.5.2	MODERATE	Race condition (GHSA-29xp-372q-xqph)
tar-fs	2.1.3	2.1.4	HIGH	Symlink bypass (GHSA-vj76-c3g6-qr5v)
js-yaml	3.14.1, 4.1.0	3.14.2, 4.1.1	MODERATE	Prototype pollution (GHSA-mh29-5h37-fv8m)

Reduces vulnerabilities from 12 (4 high, 8 moderate) to 7 (1 high, 6 moderate).

The remaining issues (MCP SDK DNS rebinding, esbuild/vite in dev deps) require breaking changes and will be addressed in follow-up PRs.

Reviewer Test Plan

Testing Matrix

	🍏	🪟	🐧
npm run	yes	❓	yes
npx	❓	❓	❓
Docker	❓	❓	❓
Podman	❓	-	-
Seatbelt	❓	-	-

Linked issues / bugs

Fixes #1188

[afarber]

Smoke test on Ubuntu 25.04:

[afarber]

Smoke test on macOS Tahoe 26.1:

[crisjc-e]

verify this PR change on windows use npm run and get the same conclusion [7 vulnerable left (1 high, 6 moderate)]

[afarber]

Yes, this PR does not resolve all problems, but at least closes few vulnerabilities

[pomelo-nwu]

Thanks both @afarber and @crisjc-e ! I'll go ahead and merge this PR.