fix(deps): address Dependabot security alerts (#1165)

## Summary

- Bump **aiohttp** 3.13.3 → 3.13.5 (10 alerts: header injection, SSRF,
DoS)
- Bump **anthropic** 0.74.1 → 0.88.0 (2 alerts: sandbox escape, file
permissions)
- Bump **fastmcp** 2.14.3 → 2.14.6 (3 alerts: SSRF, OAuth bypass,
command injection)
- Bump **pygments** 2.19.2 → 2.20.0 (1 alert: ReDoS)
- Bump **docker/docker** 28.5.1 → 28.5.2 (latest available; v29.3.1 fix
not yet released on this module path)
- Bump **lodash-es** to >=4.18.0 via npm override in docs (2 alerts:
code injection, prototype pollution)

Addresses Dependabot alerts: #143–#160

### Not fixable yet

- **docker/docker** alerts #134, #135: fix requires v29.3.1 which hasn't
been released on the `github.com/docker/docker` Go module path. Bumped
to latest available (28.5.2).

## Test plan

- [ ] Runner tests pass
- [ ] `docs` site builds (`cd docs && npm run build`)
- [ ] `ambient-api-server` builds (`cd components/ambient-api-server &&
go build ./...`)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated multiple project dependencies across the application stack to
maintain compatibility and system stability.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jeremyeder

components/ambient-api-server/go.mod

@@ -38,7 +38,7 @@ require (
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v28.5.1+incompatible // indirect
+	github.com/docker/docker v28.5.2+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-healthcheck v0.1.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect

components/ambient-api-server/go.sum

@@ -107,8 +107,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM=
-github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
+github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-healthcheck v0.1.0 h1:6ZrRr63F5LLsPwSlbZgjgoxNu+o1VlMIhCQWgbfrgU0=

components/runners/ambient-runner/pyproject.toml

@@ -20,7 +20,7 @@ dependencies = [
 
 [project.optional-dependencies]
 claude = [
-  "anthropic[vertex]>=0.86.0",
+  "anthropic[vertex]>=0.88.0",
   "claude-agent-sdk>=0.1.50",
 ]
 observability = [