chore: upgrade deps and migrate semantic-release to npm trusted publishing

[TimoBechtel]

Summary

• upgraded dependencies to current latest compatible set and migrated for major changes
• migrated ESLint config from .eslintrc.cjs to flat config (eslint.config.js) for ESLint v9+
• migrated semantic-release workflow from NPM_TOKEN auth to npm Trusted Publishing via GitHub OIDC
• updated package.json repository metadata to canonical GitHub URL for npm provenance validation

Dependency/Migration Notes

• @timobechtel/style upgraded to 2.0.1 and ESLint config migrated per package migration docs (eslint.config.js, import-x resolver setup)
• semantic-release upgraded to 25.0.3 (includes @semantic-release/npm@13.1.1, Trusted Publishing capable)
• eslint@10 currently breaks with @timobechtel/style plugin stack; pinned to latest compatible eslint@9.39.3

CI/Release Changes

• .github/workflows/release.yml now includes:
  • permissions with id-token: write
  • actions/checkout@v4 with fetch-depth: 0
  • removed NPM_TOKEN from release env
  • kept GITHUB_TOKEN

Validation

• bun test passes
• bunx tsc --noEmit passes
• bunx eslint . passes
• bunx semantic-release --dry-run --no-ci loads plugins successfully; full remote check is network-dependent

npm Trusted Publisher Configuration (Exact Values)

Configure this at:

• https://www.npmjs.com/package/prmt/access

Add a Trusted Publisher with:

• Provider: GitHub Actions
• Repository owner: TimoBechtel
• Repository name: prmt
• Workflow filename: release.yml
• Workflow path: .github/workflows/release.yml
• Branch: main
• Environment: (none)