[codex] Fix high severity dependency alerts

[caseysilver-oai]

Summary

• Pin vulnerable npm dependencies through the existing root resolutions mechanism so the lockfile moves only to patched versions.
• Refresh pnpm-lock.yaml for @modelcontextprotocol/sdk, handlebars, path-to-regexp, picomatch, minimatch, flatted, rollup, and glob.
• Bump quinn-proto from 0.11.13 to 0.11.14 and refresh MODULE.bazel.lock.

Testing

• corepack pnpm --store-dir .pnpm-store install --frozen-lockfile --ignore-scripts
• corepack pnpm audit --audit-level high (passes; remaining advisories are low/moderate)
• corepack pnpm -r --filter ./sdk/typescript run build
• corepack pnpm exec eslint 'src/**/*.ts' 'tests/**/*.ts'
• cargo check --locked
• cargo build -p codex-cli
• bazel --output_user_root=/tmp/bazel-codex-dependabot --ignore_all_rc_files mod deps --lockfile_mode=error
• just fmt

Note: corepack pnpm -r --filter ./sdk/typescript run test was also attempted after building codex; it is blocked on this workstation by host-managed Codex MDM/auth state (approval_policy restrictions and ChatGPT/API-key mismatch), not by this dependency change.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[caseysilver-oai]

I have read the CLA Document and I hereby sign the CLA

[rreichel3-oai]

Thanks for doing this!

[rreichel3-oai]

Any idea why we needed to add these to package.json for this bump?

[caseysilver-oai]

Most of these are transitive deps so we need to force the resolution to fix versions