
fix: patch CVE-2025-8020 multicast SSRF bypass in private-ip #40

Open
zcaceres wants to merge 1 commit into main from fix/cve-2025-8020-ssrf-multicast-bypass

Conversation

@zcaceres
Owner

Summary

  • Removes vulnerable private-ip dependency (CVE-2025-8020) which fails to block multicast addresses (224.0.0.0/4), enabling SSRF bypass
  • Replaces with self-contained isReservedIP() function covering all IANA reserved IPv4/IPv6 ranges using Node's net module
  • IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) recursively validate the embedded v4 address
  • Non-IP input fails closed (blocked by default)
  • Zero new dependencies

Test plan

  • 125 new tests in src/isReservedIP.test.ts:
    • Unit tests for every reserved IPv4 range (0/8, 10/8, 100.64/10, 127/8, 169.254/16, 172.16/12, 192.0.0/24, 192.0.2/24, 192.88.99/24, 192.168/16, 198.18/15, 198.51.100/24, 203.0.113/24, 224/4 multicast, 240/4 reserved)
    • Boundary IP tests at range edges
    • IPv6 reserved ranges (loopback, unspecified, mapped, NAT64, discard, documentation, Teredo, 6to4, unique local, link-local, multicast)
    • Public IP allow-list verification
    • Invalid input fail-closed behavior
    • Integration tests: Fetcher blocks multicast in URLs, DNS resolution, post-redirect, and IPv6 variants
  • All 214 existing + new tests pass

…icast SSRF bypass

private-ip fails to block multicast addresses (224.0.0.0/4), allowing
SSRF bypass. Replaced with a self-contained isReservedIP() function
covering all IANA reserved ranges. Added 125 unit and integration tests.
