
fix: remediate dependabot dependency alerts #104

Merged
aron23 merged 8 commits into staging from chore/address-dependabot-alerts
Mar 28, 2026

Conversation

@aron23 (Contributor) commented Mar 28, 2026

Summary

  • update ts to resolve the reported yaml, picomatch, and transitive brace-expansion vulnerabilities
  • bump examples/cdk-multilang to aws-cdk-lib@2.245.0, which clears the bundled yaml alert
  • refresh Python security pins so cryptography moves to 46.0.6 and requests moves to 2.33.0

Impact

  • addresses 4 of the 6 currently open Dependabot alerts shown on the repo
  • also fixes the direct cryptography issue surfaced by the repo's Python audit during validation
  • keeps the branch a descendant of both staging and premain, so it can merge forward cleanly through the release chain

Remaining upstream blockers

  • examples/cdk-multilang: the latest published aws-cdk-lib (2.245.0) still bundles brace-expansion@5.0.3, so the final moderate alert in that example cannot be cleared locally yet
  • py: Pygments 2.19.2 is the latest published release and pip-audit still reports CVE-2026-4539, so that low-severity alert also remains upstream-blocked

Validation

  • npm audit --prefix ts --audit-level=low
  • npm audit --prefix examples/cdk-multilang --audit-level=low (one remaining upstream brace-expansion alert)
  • bash scripts/sec-pip-audit.sh (one remaining upstream Pygments alert)
  • bash scripts/verify-branch-release-supply-chain.sh
  • git merge-base --is-ancestor origin/staging HEAD
  • git merge-base --is-ancestor origin/premain HEAD

@aron23 aron23 merged commit b9fce7b into staging Mar 28, 2026
8 checks passed
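Added example, not part of this PR or the repository: a small Python triage helper for the validation step above. It assumes the JSON layouts that `npm audit --json` and `pip-audit --format json` emit (`vulnerabilities`/`via`/`fixAvailable` and `dependencies`/`vulns`/`fix_versions`), keeps the two upstream-blocked alerts named in the PR from failing a check, and still surfaces anything new or any allowlisted alert once a fix becomes available.

```python
import json

# Findings the PR records as blocked upstream (no fixed release yet); each is an accepted risk
ALLOWLIST = {
    ("npm", "brace-expansion"),  # bundled by aws-cdk-lib 2.245.0
    ("pip", "CVE-2026-4539"),    # Pygments 2.19.2 is the latest release
}

def npm_findings(report):
    """Flatten `npm audit --json` into (package, severity, title, fix_available)."""
    found = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = bool(vuln.get("fixAvailable"))  # false, true, or an object describing the fix
        for via in vuln.get("via", []):
            if isinstance(via, dict):  # plain strings are transitive references, not advisories
                found.append((name, via["severity"], via["title"], fix))
    return found

def pip_findings(report):
    """Flatten `pip-audit --format json` into (package, vuln id, fix_available)."""
    found = []
    for dep in report.get("dependencies", []):
        for v in dep.get("vulns", []):
            found.append((dep["name"], v["id"], bool(v.get("fix_versions"))))
    return found

def unresolved(npm_report, pip_report):
    """Findings that still need action: not allowlisted, or allowlisted but now fixable."""
    pending = []
    for pkg, sev, title, fix in npm_findings(npm_report):
        if ("npm", pkg) not in ALLOWLIST or fix:
            pending.append(f"npm {pkg} [{sev}] {title}")
    for pkg, vid, fix in pip_findings(pip_report):
        if ("pip", vid) not in ALLOWLIST or fix:
            pending.append(f"pip {pkg} {vid}")
    return pending

# Constructed sample reports: the shape follows the tools' output, all values except the
# two upstream-blocked findings named in the PR are made up for illustration.
NPM_SAMPLE = json.loads('''{"vulnerabilities": {
  "brace-expansion": {"severity": "moderate", "fixAvailable": false,
    "via": [{"severity": "moderate", "title": "constructed title"}]},
  "sample-lib": {"severity": "high", "fixAvailable": true,
    "via": [{"severity": "high", "title": "constructed sample advisory"}]}}}''')
PIP_SAMPLE = json.loads('''{"dependencies": [
  {"name": "pygments", "version": "2.19.2", "vulns": [{"id": "CVE-2026-4539", "fix_versions": []}]},
  {"name": "sample-pkg", "version": "1.0.0", "vulns": [{"id": "CONSTRUCTED-0001", "fix_versions": ["1.0.1"]}]}]}''')

if __name__ == "__main__":
    for line in unresolved(NPM_SAMPLE, PIP_SAMPLE):
        print(line)
```

Wire it in after the two audit commands in CI so the job fails on any finding outside the reviewed allowlist, and re-fails on an allowlisted one as soon as a fixed release appears.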