Commit 2af5d0a

fix: resolve vulnerabilities in 11.0.0 (#3519)
* fix: update @modelcontextprotocol/sdk to resolve cross-client data leak vulnerability

  Updates @modelcontextprotocol/sdk to version >=1.26.0 to address GHSA-345p-7cg4-v4c7, which prevented cross-client data leaks via shared server/transport instance reuse.

* fix: update brace-expansion to resolve ReDoS vulnerability

  Updates brace-expansion to version >=2.0.2 to address GHSA-v6h2-p8h4-qcjw, which fixes a Regular Expression Denial of Service vulnerability.

* fix: update dependencies to resolve fast-xml-parser and js-yaml vulnerabilities

  Runs npm audit fix to automatically update fast-xml-parser (>=5.3.4) to address GHSA-37qj-frw5-hhjh (RangeError DoS) and js-yaml (>=4.1.1) to address GHSA-mh29-5h37-fv8m (prototype pollution in merge).

* fix: update sinon to v21 to resolve diff DoS vulnerability

  Updates sinon from v19 to v21 which includes diff v9, addressing GHSA-73rr-hh4g-fpgx (Denial of Service vulnerability in parsePatch and applyPatch).

* fix issue with pathing

* fix: update mcp:start to work with @modelcontextprotocol/sdk v1.26+

  The @heroku/mcp-server package's exports field doesn't define a main entry, causing import.meta.resolve to fail. Updated to use a direct path to the bin file instead. Also updated the corresponding test to match.

* stop installing sudo for now due to npm token issues

* Update minor patches in heroku packages, remove unused @heroku/eventsource

* update jsdiff

1 parent 92c57cc commit 2af5d0a

5 files changed: +746 -370 lines changed

0 commit comments
