deps: bump @oclif/plugin-plugins to resolve picomatch and brace-expansion advisories

[tlowrimore-heroku]

Summary

Bumps @oclif/plugin-plugins from ^5.4.58 to ^5.4.64 to clear three open Dependabot advisories that share a common root cause: the previously-resolved @oclif/plugin-plugins@5.4.58 bundles npm@10.9.6, whose node-gyp/tinyglobby chain pinned picomatch@4.0.3 and whose bundled minimatch@9.0.9 pinned brace-expansion@2.0.2. The new version pulls npm@11.14.0, which transitively resolves all three packages to patched versions.

After this change:

• picomatch → 4.0.4 (was 4.0.3)
• brace-expansion → 5.0.5 on the affected chain (was 2.0.2)

No overrides are introduced — this is a same-major patch bump of a direct dependency.

Advisories closed

• https://github.com/heroku/cli/security/dependabot/271 — GHSA-c2c7-rcm5-vvqj (picomatch ReDoS via extglob, HIGH, CVSS 7.5)
• https://github.com/heroku/cli/security/dependabot/272 — GHSA-3v7f-55p6-f55p (picomatch POSIX-class prototype/method injection, MEDIUM, CVSS 5.3)
• https://github.com/heroku/cli/security/dependabot/279 — GHSA-f886-m6hf-6m8v (brace-expansion zero-step DoS, MEDIUM, CVSS 6.5)

Risk notes

• Bundled npm jumps 10.9.6 → 11.14.0; bundled node-gyp jumps 11.5.0 → 12.3.0. These are higher-major bumps, but they are bundled inside @oclif/plugin-plugins and only invoked when the CLI installs/updates user plugins.
• npm@11 requires Node.js ^20.17.0 || >=22.9.0. Current engines.node already satisfies this.
• All other picomatch / brace-expansion instances in the tree were already on patched versions; this PR only changes the one vulnerable subtree.

Test plan

• npm install clean
• npm ls picomatch --all shows only 4.0.4 and 2.3.2
• npm ls brace-expansion --all shows no 2.0.2
• npm run build succeeds
• npm run lint succeeds (0 errors)
• npm test passes (1955 passing)
• Manual smoke test of plugin install/update flows: heroku plugins:install <plugin>, heroku plugins, heroku plugins:uninstall <plugin>

[jdodson]

Approved.