fix(security): upgrade CLI deps and add overrides (#2952)

- Upgrade @modelcontextprotocol/sdk 1.24.0 → 1.25.2 (CVE-2026-0621
ReDoS)
- Upgrade tar 7.4.3 → 7.5.4+ (CVE-2026-23950 race condition)
- Add pnpm overrides for transitive deps:
  - qs <6.14.0 → 6.14.0 (CVE-2025-15284 DoS)
  - systeminformation <5.27.14 → 5.27.14 (CVE-2025-68154 cmd injection)
  - lodash <4.17.23 → 4.17.23 (CVE-2025-13465 prototype pollution)

---------

Co-authored-by: nicktrn <55853254+nicktrn@users.noreply.github.com>

Author: D-K-P

package.json

@@ -94,7 +94,10 @@
       "axios@1.9.0": ">=1.12.0",
       "js-yaml@>=3.0.0 <3.14.2": "3.14.2",
       "js-yaml@>=4.0.0 <4.1.1": "4.1.1",
-      "jws@<3.2.3": "3.2.3"
+      "jws@<3.2.3": "3.2.3",
+      "qs@>=6.0.0 <6.14.1": "6.14.1",
+      "systeminformation@>=5.0.0 <5.27.14": "5.27.14",
+      "lodash@>=4.0.0 <4.17.23": "4.17.23"
     },
     "onlyBuiltDependencies": [
       "@depot/cli",

packages/cli-v3/package.json

@@ -83,7 +83,7 @@
   "dependencies": {
     "@clack/prompts": "0.11.0",
     "@depot/cli": "0.0.1-cli.2.80.0",
-    "@modelcontextprotocol/sdk": "^1.24.0",
+    "@modelcontextprotocol/sdk": "^1.25.2",
     "@opentelemetry/api": "1.9.0",
     "@opentelemetry/api-logs": "0.203.0",
     "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
@@ -138,7 +138,7 @@
     "std-env": "^3.7.0",
     "strip-ansi": "^7.1.0",
     "supports-color": "^10.0.0",
-    "tar": "^7.4.3",
+    "tar": "^7.5.4",
     "tiny-invariant": "^1.2.0",
     "tinyexec": "^0.3.1",
     "tinyglobby": "^0.2.10",