chore: bump dev deps to clear Dependabot alerts

[StefanoGuerrini]

Summary

Conservative within-major bump of all dev deps (plus the one runtime dep, fastq) via pnpm up. No breaking changes expected — all tests pass, build is clean, biome check is clean.

Dep changes

Package	Before	After
tsup	8.1.0	8.5.1
msw	2.3.1	2.13.4
vitest	1.6.0	1.6.1
typescript	5.4.5	5.9.3
@types/node	20.14.2	20.19.39
@types/async-retry	1.4.8	1.4.9
fastq (runtime)	1.17.1	1.20.1

Dependabot impact

Clears 6 of 9 open alerts transitively, including all 4 HIGH-severity ones:

Alert	Pkg	Before → After	Status
#38	glob HIGH	(removed transitively)	✅
#41	rollup HIGH	4.22.x → 4.60.2	✅
#43	minimatch HIGH	(removed transitively)	✅
#45	picomatch MED	2.3.x → 4.0.4	✅
#53	rollup HIGH	4.22.x → 4.60.2	✅
#54	cookie LOW	0.6.x → 1.1.1	✅
#59	esbuild MED	mixed (tsup's is 0.27.7 ✅; vite still ships 0.21.5)	partial
#48	vite MED	5.4.21 (still vulnerable range)	stays — needs vitest major bump
#60	tsup LOW	8.5.1 (no upstream fix)	stays

Side fix

TypeScript 5.9 enforces the standardized import-attributes syntax. Replaced the legacy form in two files:

-import packageJson from "../package.json" assert { type: "json" };
+import packageJson from "../package.json" with { type: "json" };

Test plan

• pnpm check passes
• pnpm test — 13 tests pass (4 files)
• pnpm build — dist emitted cleanly (CJS + ESM + DTS)
• CI green on PR

Follow-ups (separate PRs)

• Bump vitest to 3.x to pick up fixed vite 6.x → clears #48.
• Watch upstream tsup for a fix → clears #60.