chore: fix dependabot security alerts (#438)
* chore: fix dependabot security alerts for h3, activesupport, fast-xml-parser, and flatted

Update resolutions/overrides across all sub-projects to resolve open Dependabot security alerts and dependency bumps:
- h3: 1.15.5 → 1.15.9 (SSE event injection vulnerability)
- activesupport: → 7.2.3.1 (DoS, ReDoS, XSS vulnerabilities)
- fast-xml-parser: 5.3.6 → 5.5.7
- flatted: add 3.4.2 resolution

Also relaxes activesupport Gemfile constraints in W3MEthers and W3MEthers5 from '< 7.1.0' to '!= 7.1.0' to allow the security patch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: add < 8.0 upper bound to activesupport Gemfile constraints

Prevents future bundle updates from pulling activesupport 8.x which could break iOS builds with the pinned CocoaPods versions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: add yaml and picomatch resolutions to fix dependabot alerts

Adds resolutions/overrides for yaml@2.8.3 and picomatch@2.3.2 across all projects to address security vulnerabilities flagged by Dependabot.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Ignacio Santise committed
99fe925e93f200d104ce4236b243b27968bf1579
Parent: bff3899
Committed by GitHub <noreply@github.com>
on 3/26/2026, 2:58:58 PM