chore: fix dependabot security alerts (#446)

Bump transitive dependency overrides/resolutions across all 11 apps:
- minimatch 9.0.6 → 9.0.7
- tar 7.5.8 → 7.5.11
- hono 4.11.x → 4.12.7
- undici 6.23.0 → 6.24.0
- socket.io-parser 4.2.6 (new override)
- picomatch 2.3.2 (new override for 3 apps)
- yaml 2.8.3 (new override for 3 apps)

Unfixable alerts (no patched version): elliptic, bigint-buffer, ip.
pos-app undici left unchanged (nested @vercel/node override).

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>