Chore: bump dependencies after security alerts

[scode2277]

Summary of the dependency updated:

• Bump @aws-sdk/client-s3 and @aws-sdk/lib-storage to resolve vulnerable transitive fast-xml-parser
• Bump cspell to resolve vulnerable transitive flatted
• Bump vite to patch WebSocket arbitrary file read (we are actively affected due to --host 0.0.0.0)
• Remove @types/exceljs (deprecated; exceljs ships its own types)
• Bump axios from 1.13.2 to 1.14.0 to patch proto DoS in mergeConfig (unrelated to the 1.14.1 supply chain compromise)
• Bump hono and @hono/node-server to patch static path authorization bypass via encoded slashes
• Bump dompurify to patch mutation-XSS via re-contextualization
• Bump brace-expansion to patch zero-step sequence hang
• Bump picomatch to patch method injection in POSIX character classes

Frameworks PR Checklist

Thank you for contributing to the Security Frameworks! Before you open a PR, make sure to read information for contributors and take a look at the following checklist:

• Describe your changes, substitute this text with the information
• If you are touching an existing piece of content, tag current contributors from the attribution list
• If there is a steward for that framework, ask the steward to review it
• If you're modifying the general outline, make sure to update it in the vocs.config.ts adding the dev: true parameter
• If you need feedback for your content from the wider community, share the PR in our Discord
• Review changes to ensure there are no typos; see instructions below.

[frameworks-volunteer]

Model: z-ai/glm-5.1 Reasoning: medium Provider: openrouter

Security + QA review of dependency bump PR.

Security -- PASS

• No hardcoded secrets, tokens, or API keys
• No injection vectors, unsafe eval, or deserialization issues
• All bumps address legitimate CVEs:
  • axios 1.14.0 patches proto DoS in mergeConfig
  • vite bump patches WebSocket arbitrary file read (notably relevant since --host 0.0.0.0 is in use)
  • hono patches static path authorization bypass via encoded slashes
  • dompurify patches mutation-XSS via re-contextualization
  • brace-expansion patches zero-step sequence hang
  • picomatch patches method injection in POSIX character classes
• @types/exceljs removal is correct (deprecated; exceljs ships own types)

QA -- PASS

• Only 2 files changed (package.json + pnpm-lock.yaml), clean deps-only PR
• CI checks pass (lint, sidebar-reminder, Cloudflare Pages)
• @aws-sdk/client-s3 and lib-storage pinned to exact 3.1024.0 (caret removed) -- resolves vulnerable transitive fast-xml-parser
• axios pinned to exact 1.14.0 (not 1.14.1 which had the supply chain issue) -- correct choice
• cspell pinned to exact 9.8.0 -- resolves vulnerable transitive flatted

Note on pinning strategy: Caret ranges were removed from the bumped deps, pinning them to exact versions. This is reasonable for security-motivated bumps to prevent silently drifting to a new major that reintroduces vulns. Future feature bumps can restore the caret if desired.

Approved.