Commit 57ea268
build(deps): bump dependencies to clear Dependabot security alerts

Refresh uv.lock and the npm lockfile to pull patched versions of
vulnerable (mostly transitive) dependencies flagged by Dependabot.

Python (uv lock --upgrade): pillow 12.2.0, tornado 6.5.7, urllib3 2.7.0,
python-multipart 0.0.32, requests 2.34.2, idna 3.18, cryptography 48.0.0,
pygments 2.20.0, pytest 9.0.3, black 26.5.1, and starlette 1.2.1 /
fastapi 0.136.3 (starlette moved to 1.x; fastapi bumped to match).

npm: vitest ^2 -> ^4.1.8, which pulls patched vite/esbuild (dev-only
test toolchain). `npm audit` now reports 0 vulnerabilities.

Not fixable: diskcache (5.6.3) has an open advisory with no patched
release yet — left as-is.

Verified: 88 Python tests (offline) + 59 JS tests pass; app boot smoke
test green on the starlette 1.x / fastapi upgrade.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

1 parent d507870 commit 57ea268
3 files changed
Lines changed: 2663 additions & 2548 deletions