Fix Security deps

[oscarmorrison]

Fix dependency security vulnerabilities

Summary

Addresses Dependabot security alerts by bumping vulnerable dependencies and adding Yarn resolutions so transitive dependencies resolve to patched versions.

Changes

Direct dependency updates

• diff: ^3.5.0 → ^3.5.1 (CVE-2026-24001 – DoS in parsePatch/applyPatch)
• lodash: ^4.17.10 → ^4.17.23 (CVE-2025-13465 – prototype pollution in _.unset/_.omit)

Resolutions (root and example)

Package	Version	Advisory / CVEs
pbkdf2	3.1.3	CVE-2025-6547 (critical)
semver	5.7.2	CVE-2022-25883 (ReDoS)
url-parse	1.5.9	CVE-2022-0691, CVE-2021-3664, CVE-2021-27515, CVE-2020-8124
diff	3.5.1	CVE-2026-24001
tar	7.5.7	CVE-2026-24842, CVE-2026-23950, CVE-2026-23745
lodash	4.17.23	CVE-2025-13465
qs	6.14.1	CVE-2025-15284
node-forge	1.3.2	CVE-2025-66030, CVE-2025-12816

Unfixable

• elliptic: No patched version available (advisory first_patched_version is null). Remains a known limitation until upstream provides a fix.

Verification

• yarn install run at root and in example/
• yarn run build succeeds

[breadthe]

LGTM

Ran yarn install in root & example/

Ran yarn build