chore(deps): combined dependabot dep bumps

[mtoy-googly-moogly]

Summary

Combines 5 open dependabot PRs into a single lockfile update so CI only runs once. Produced by running npm update on the target packages rather than merging the stale dependabot branches (which were based on older main and conflicted heavily).

Replaces:

• chore(deps): bump follow-redirects from 1.15.9 to 1.16.0 #167 follow-redirects 1.15.9 → 1.16.0
• chore(deps-dev): bump axios from 1.11.0 to 1.15.0 #165 axios 1.11.0 → 1.15.0
• chore(deps): bump fast-xml-parser, @aws-sdk/client-s3, @aws-sdk/client-sts and @aws-sdk/credential-provider-node #163 fast-xml-parser, @aws-sdk/client-s3, @aws-sdk/client-sts, @aws-sdk/credential-provider-node
• chore(deps-dev): bump brace-expansion from 1.1.12 to 1.1.13 #160 brace-expansion 1.1.12 → 1.1.13
• chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2 #157 picomatch 2.3.1 → 2.3.2

Not included: #132 (eslint 8→9, gts 3→7, @typescript-eslint 5→8). Major-version bumps with known breaking changes (eslint flat config) — needs a dedicated review.

Test plan

• npm run build succeeds
• npm test passes (only the pre-existing packaged-version e2e mismatch fails, unrelated)
• CI green
• Close superseded dependabot PRs after merge

🤖 Generated with Claude Code