fix(security): update league/commonmark to 2.8.2 and symfony/yaml to safe version

Fixes CVE for league/commonmark embed extension allowed_domains bypass.
Fixes CVE-2026-33532 for npm yaml stack overflow via deeply nested collections.
Regenerated composer.lock with correct PHP version constraints.

Author: jeffersongoncalves