Fix prototype pollution key handling and bundle dependency updates#49

Merged: pqt merged 1 commit into main from security/prototype-pollution-deps on May 16, 2026

Conversation

@pqt (Collaborator) commented May 16, 2026

Summary

  • Filter __proto__, constructor, and prototype from merge key enumeration to avoid scoped prototype pollution from parsed JSON input.
  • Add regression coverage for top-level and nested parsed JSON prototype-pollution payloads.
  • Bundle the currently open Dependabot dependency bumps into one branch: @digitak/esrun, @forcir/eslint-config, @forcir/tsconfig, eslint, rimraf, and tsup.
  • Migrate local lint configuration to ESLint 9 flat config via FlatCompat, moving .eslintignore entries into eslint.config.cjs.
  • Add pnpm lint-package overrides needed because the standalone ESLint 9 Dependabot PR is not green with the older transitive lint plugin versions.

Root Cause

objectKeys() returned every enumerable key from parsed objects. When merge() later assigned an enumerable __proto__ key onto a normal object accumulator, JavaScript routed the write through the prototype setter and changed the returned merged object's prototype.

Validation

  • pnpm format
  • pnpm lint
  • pnpm test
  • pnpm build
  • Manual ESM and CJS repro checks against dist/ confirmed parsed __proto__ input no longer changes the returned object's prototype.

Notes

This PR supersedes the open Dependabot PRs #43, #44, #45, #46, #47, and #48. PR #48 was failing as a pure dependency bump, so this branch includes the small ESLint 9 compatibility work needed for CI to pass.
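
An added illustration of the root cause described above (not the project's own code): a hypothetical objectKeys()/merge() pair reconstructed from the description, with the unfiltered key enumeration beside the filtered one, run over a constructed parsed-JSON payload that carries both a top-level and a nested __proto__ key.

```javascript
// Hypothetical reconstruction of the bug and fix; not the project's actual objectKeys()/merge().
// Keys that must never be copied from untrusted input onto a plain-object accumulator.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable variant: every enumerable key, including a parsed own "__proto__" property.
function objectKeysUnsafe(obj) {
  return Object.keys(obj);
}

// Fixed variant: drop the keys that would reach the prototype setter or expose constructor/prototype.
function objectKeysSafe(obj) {
  return Object.keys(obj).filter((k) => !FORBIDDEN_KEYS.has(k));
}

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Recursive merge of `source` into a copy of `target`; `keysOf` selects the key enumerator
// so both variants share the same assignment path.
function merge(target, source, keysOf) {
  const out = { ...target };
  for (const key of keysOf(source)) {
    const value = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(out, key);
    if (isPlainObject(value) && hasOwn && isPlainObject(out[key])) {
      out[key] = merge(out[key], value, keysOf);
    } else {
      out[key] = value; // with key === "__proto__" this write is routed to the prototype setter
    }
  }
  return out;
}

// Constructed payload. JSON.parse creates an OWN enumerable "__proto__" property here,
// which is exactly what an unfiltered Object.keys() then hands to merge().
const PAYLOAD_TEXT =
  '{"name":"cfg","__proto__":{"polluted":true},"nested":{"__proto__":{"deep":true}}}';

function mergeParsed(jsonText, keysOf) {
  return merge({ nested: { keep: 1 } }, JSON.parse(jsonText), keysOf);
}

// Compares the two enumerators on the same input; the pollution is scoped to the returned
// object (and its nested accumulator), not to the global Object.prototype.
function demonstrate() {
  const unsafe = mergeParsed(PAYLOAD_TEXT, objectKeysUnsafe);
  const safe = mergeParsed(PAYLOAD_TEXT, objectKeysSafe);
  return {
    unsafePrototypeChanged: Object.getPrototypeOf(unsafe) !== Object.prototype,
    unsafeInheritsPolluted: unsafe.polluted === true,
    unsafeNestedChanged: Object.getPrototypeOf(unsafe.nested) !== Object.prototype,
    safePrototypeIntact: Object.getPrototypeOf(safe) === Object.prototype,
    safeNestedIntact: Object.getPrototypeOf(safe.nested) === Object.prototype && safe.nested.keep === 1,
    globalUntouched: !("polluted" in {}),
  };
}
```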

@pqt pqt marked this pull request as ready for review May 16, 2026 21:04
@pqt pqt merged commit 0cc3dd9 into main May 16, 2026
2 checks passed
@pqt pqt deleted the security/prototype-pollution-deps branch May 16, 2026 21:04
@pqt pqt mentioned this pull request May 16, 2026