
Commit 0849a18

fix: patch 8 open Dependabot security alerts (#29)
## Summary

Resolves all 8 open Dependabot security alerts by updating `pnpm.overrides` to force patched versions of vulnerable transitive dev dependencies.

## Alerts Fixed

| Alert | Package | Vulnerability | Severity | Fix |
|-------|---------|--------------|----------|-----|
| #86 | serialize-javascript | CVE-2026-34043 (DoS via crafted objects) | Medium (5.9) | >= 7.0.5 |
| #85, #84 | brace-expansion | CVE-2026-33750 (zero-step sequence hang) | Medium (6.5) | 1.1.13 / 2.0.3 / 5.0.5 |
| #83 | yaml | CVE-2026-33532 (stack overflow via deep nesting) | Medium (4.3) | >= 2.8.3 |
| #82, #81, #80, #79 | picomatch | CVE-2026-33671 (ReDoS), CVE-2026-33672 (method injection) | High (7.5) / Medium (5.3) | 2.3.2 / 4.0.4 |

## Approach

Uses version-range selectors (`@^1`, `@^2`, `@^5`) with tilde (`~`) constraints to keep overrides within compatible major versions. This prevents `brace-expansion@5.x` (which dropped the default export) from being forced onto `minimatch@9.x`/`3.x` consumers, which would break ESM imports.

Fixes #79, #80, #81, #82, #83, #84, #85, #86
1 parent c1e1d94 commit 0849a18
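The approach described in the commit message (per-major selectors so that a patched transitive dependency is never forced across a major boundary) is easy to get subtly wrong by hand, so here is an added example, not code from the commit or the project, that lints a `pnpm.overrides` block for the two failure modes involved: a replacement range with no upper bound, which pnpm will resolve to the newest published version including a future major, and a selector such as `name@^N` whose replacement lands in a different major. It is dependency-free Node, handles only the spec forms that appear on this page (`x.y.z`, `~x.y.z`, `^x.y.z`, `>=x.y.z`), and runs on a constructed copy of the overrides from the diff plus one constructed bad entry of the kind the message says it avoids. The function and constant names are this example's own.

```javascript
'use strict';

// Added example (not from the commit or project): lint a pnpm.overrides block for
// the two ways a transitive-dependency override can go wrong:
//   1. the replacement range has no upper bound (">=x.y.z"), so pnpm resolves it
//      to the newest published version, including a future major;
//   2. the selector pins consumers of one major ("name@^N") but the replacement
//      lands in a different major, which is the break the commit message describes.
// Only the spec forms that occur on this page are handled: "x.y.z", "~x.y.z",
// "^x.y.z" and ">=x.y.z". No `semver` package is used.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function parseSpec(spec) {
  const m = /^(~|\^|>=)?\s*(\d+\.\d+\.\d+)$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported override spec: ${spec}`);
  return { op: m[1] || '=', version: parseVersion(m[2]) };
}

// "brace-expansion@^5" -> { name: "brace-expansion", major: 5 }
// "yaml"               -> { name: "yaml", major: null }   (applies to every version)
// lastIndexOf handles scoped names such as "@scope/pkg@^3".
function parseSelector(key) {
  const at = key.lastIndexOf('@');
  if (at <= 0) return { name: key, major: null };
  const m = /^[~^]?(\d+)/.exec(key.slice(at + 1));
  if (!m) throw new Error(`unsupported selector range: ${key}`);
  return { name: key.slice(0, at), major: +m[1] };
}

// ">=" is the only operator here with no upper bound; "~" stays within the minor,
// "^" within the major, and an exact version is a single point.
function isUnbounded(spec) {
  return spec.op === '>=';
}

function lintOverrides(overrides) {
  const findings = [];
  for (const [key, value] of Object.entries(overrides)) {
    const sel = parseSelector(key);
    const spec = parseSpec(value);
    if (isUnbounded(spec)) {
      findings.push(`${key}: "${value}" has no upper bound and can float to a later major`);
    }
    if (sel.major !== null && spec.version.major !== sel.major) {
      findings.push(`${key}: "${value}" is major ${spec.version.major} but the selector targets major ${sel.major}`);
    }
  }
  return findings;
}

// Constructed sample: the overrides block as it appears in the diff on this page.
const COMMIT_OVERRIDES = {
  'serialize-javascript': '>=7.0.5',
  'diff': '>=8.0.3',
  'flatted': '>=3.4.0',
  'brace-expansion@^1': '~1.1.13',
  'brace-expansion@^2': '~2.0.3',
  'brace-expansion@^5': '>=5.0.5',
  'yaml': '>=2.8.3',
  'picomatch@^2': '~2.3.2',
  'picomatch@^4': '>=4.0.4',
};

// Constructed counter-example: the blanket bump the commit message says it avoids,
// forcing brace-expansion 5.x onto consumers that declared ^1.
const NAIVE_OVERRIDES = {
  'brace-expansion@^1': '5.0.5',
};

for (const [label, block] of [['commit', COMMIT_OVERRIDES], ['naive', NAIVE_OVERRIDES]]) {
  const findings = lintOverrides(block);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log('  ' + f);
}
```

Run with `node lint-overrides.js` (any file name). On the commit's block it reports six open-ended `>=` entries and no major mismatch; on the constructed naive block it reports the cross-major forcing. The open-ended check is the one worth wiring into CI, because a `>=` override reads as "at least the patched version" but actually means "whatever is newest" the next time the lockfile is regenerated.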

File tree

2 files changed

+137
-125
lines changed


package.json

Lines changed: 8 additions & 2 deletions
@@ -9,9 +9,15 @@
99
},
1010
"pnpm": {
1111
"overrides": {
12-
"serialize-javascript": ">=7.0.3",
12+
"serialize-javascript": ">=7.0.5",
1313
"diff": ">=8.0.3",
14-
"flatted": ">=3.4.0"
14+
"flatted": ">=3.4.0",
15+
"brace-expansion@^1": "~1.1.13",
16+
"brace-expansion@^2": "~2.0.3",
17+
"brace-expansion@^5": ">=5.0.5",
18+
"yaml": ">=2.8.3",
19+
"picomatch@^2": "~2.3.2",
20+
"picomatch@^4": ">=4.0.4"
1521
}
1622
},
1723
"devDependencies": {
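Review bot: the new `"brace-expansion@^5": ">=5.0.5"`, `"picomatch@^4": ">=4.0.4"` and `"yaml": ">=2.8.3"` entries use open `>=` lower bounds, which does not match the commit message's stated approach of tilde constraints keeping each override inside its selector's major: pnpm resolves an override range to the newest version that satisfies it, so these will pull in a future `6.x`, `5.x` or `3.x` as soon as one is published, which is the same cross-major breakage the `@^N` selectors were added to prevent. Suggest `"brace-expansion@^5": "~5.0.5"`, `"picomatch@^4": "~4.0.4"` and `"yaml": "~2.8.3"`; the pre-existing `serialize-javascript`, `diff` and `flatted` overrides have the same open shape and could be tightened in the same pass. Since package.json cannot carry comments, the reason the `brace-expansion` and `picomatch` overrides are split per major currently lives only in this commit message; a short note in the repository docs would save the next person from collapsing them back into a single entry.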
