
fix(deps): bump azure-pipelines-task-lib to 5.2.11 to clear vulns #20

Merged: tembleking merged 2 commits into main from fix/bump-task-lib-vulns on Jun 18, 2026

Conversation

@tembleking (Member)

The Azure DevOps extension shipped a vulnerable azure-pipelines-task-lib@^4.10.0, which a prospect flagged before adopting it. npm audit reported 5 vulns (2 high, 3 moderate), all transitive through the task lib: minimatch ReDoS (high), follow-redirects auth-header leak, brace-expansion ReDoS, and a uuid bounds-check issue.

Bumping the lib to the latest stable 5.2.11 clears the high + most moderate findings. v5 is the correct target since the task already runs on the Node20_1 execution handler. The TS API used by the task (getInput, setResult, tool, ToolRunner, …) is unchanged across v4→v5 and tsc compiles clean.

follow-redirects / brace-expansion were patched via lockfile refresh. Both lockfiles regenerated.

Remaining: 1 moderate uuid advisory (GHSA-w5hq-g745-h8pq) is left and non-exploitable. task-lib pins uuid ^3.0.1 and calls uuidV4() with no buf arg (vault.js:67); the advisory only affects v3/v5/v6 with a buf argument. The only patched line is uuid 11.1.1, which dropped the require('uuid/v4') deep-import task-lib depends on, so an override would break the lib.
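As an added example (not code from this PR or from the extension's repository), a small Node script that triages `npm audit --json` output the way the description above does: it collects the root advisories, walks each one's `effects` edges up to the direct dependencies, separates findings reachable only through azure-pipelines-task-lib from everything else, and flags entries npm reports no fix for. The embedded audit document is a constructed sample in npm's v2 report shape; its advisory ids, titles, URLs and version ranges are placeholders, not real advisories, and the `some-dev-tool` package is hypothetical.

```javascript
// Added example, not code from this PR or from the extension it touches.
// Triage `npm audit --json` (auditReportVersion 2) output: list the root
// advisories and split them into those reachable only through one named
// direct dependency (here azure-pipelines-task-lib) and everything else.

// Constructed sample in the shape npm emits. Advisory ids, titles, URLs and
// version ranges are placeholders; `some-dev-tool` is a hypothetical package.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "azure-pipelines-task-lib": {
      name: "azure-pipelines-task-lib", severity: "high", isDirect: true,
      via: ["minimatch", "uuid"],   // strings only: flagged because of its deps
      effects: [], range: "<5.0.0",
      nodes: ["node_modules/azure-pipelines-task-lib"],
      fixAvailable: { name: "azure-pipelines-task-lib", version: "5.2.11", isSemVerMajor: true },
    },
    minimatch: {
      name: "minimatch", severity: "high", isDirect: false,
      via: [{ source: 1001, name: "minimatch", dependency: "minimatch",
              title: "ReDoS via crafted pattern (constructed)",
              url: "https://example.invalid/advisories/1001",
              severity: "high", range: "<3.0.5" }],
      effects: ["azure-pipelines-task-lib"], range: "<3.0.5",
      nodes: ["node_modules/azure-pipelines-task-lib/node_modules/minimatch"],
      fixAvailable: { name: "azure-pipelines-task-lib", version: "5.2.11", isSemVerMajor: true },
    },
    uuid: {
      name: "uuid", severity: "moderate", isDirect: false,
      via: [{ source: 1002, name: "uuid", dependency: "uuid",
              title: "Bounds check issue with buf argument (constructed)",
              url: "https://example.invalid/advisories/1002",
              severity: "moderate", range: "<11.1.1" }],
      effects: ["azure-pipelines-task-lib"], range: "<11.1.1",
      nodes: ["node_modules/uuid"],
      fixAvailable: false,          // npm found no non-breaking fix
    },
    "some-dev-tool": {
      name: "some-dev-tool", severity: "moderate", isDirect: true,
      via: [{ source: 1003, name: "some-dev-tool", dependency: "some-dev-tool",
              title: "Prototype pollution (constructed)",
              url: "https://example.invalid/advisories/1003",
              severity: "moderate", range: "<2.0.0" }],
      effects: [], range: "<2.0.0", nodes: ["node_modules/some-dev-tool"],
      fixAvailable: { name: "some-dev-tool", version: "2.0.0", isSemVerMajor: true },
    },
  },
  // npm's totals count package entries, so the parent that is flagged only
  // through its dependencies is counted as well: 4 entries, 3 root advisories.
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 2, high: 2, critical: 0, total: 4 } },
};

const SEVERITY_ORDER = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// A root finding is an entry whose `via` holds an advisory object. String
// entries in `via` only name a vulnerable dependency and are skipped.
function rootFindings(audit) {
  const out = [];
  for (const entry of Object.values(audit.vulnerabilities)) {
    for (const v of entry.via) {
      if (v && typeof v === "object") out.push({ pkg: entry.name, advisory: v, fixAvailable: entry.fixAvailable });
    }
  }
  return out;
}

// Follow `effects` (reverse dependency edges) from a vulnerable package up to
// the set of direct dependencies through which it is pulled in.
function directDependents(audit, pkg) {
  const roots = new Set(), seen = new Set(), stack = [pkg];
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur)) continue;
    seen.add(cur);
    const entry = audit.vulnerabilities[cur];
    if (!entry) continue;
    if (entry.isDirect) roots.add(cur);
    stack.push(...entry.effects);
  }
  return roots;
}

// Split root advisories by whether they reach the named direct dependency,
// count them by severity and order each list worst first.
function triage(audit, through) {
  const result = { through: [], other: [], bySeverity: {} };
  for (const f of rootFindings(audit)) {
    const item = { pkg: f.pkg, severity: f.advisory.severity, title: f.advisory.title,
                   vulnerableRange: f.advisory.range, fixAvailable: f.fixAvailable };
    (directDependents(audit, f.pkg).has(through) ? result.through : result.other).push(item);
    result.bySeverity[item.severity] = (result.bySeverity[item.severity] || 0) + 1;
  }
  for (const list of [result.through, result.other]) {
    list.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
  }
  return result;
}

function formatReport(result, through) {
  const line = (f) => `  [${f.severity}] ${f.pkg} ${f.vulnerableRange}: ${f.title}` +
    (f.fixAvailable ? "" : "  (no fix available: needs manual review or override)");
  return [
    `root advisories: ${result.through.length + result.other.length}`,
    `transitive through ${through}:`, ...result.through.map(line),
    "elsewhere:", ...result.other.map(line),
  ].join("\n");
}

// CLI: node audit-triage.js [audit.json] [direct-dependency]; no file = sample.
if (typeof require !== "undefined" && require.main === module) {
  const [file, through = "azure-pipelines-task-lib"] = process.argv.slice(2);
  const audit = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_AUDIT;
  console.log(formatReport(triage(audit, through), through));
}
```

Run it as `node audit-triage.js audit.json azure-pipelines-task-lib` after `npm audit --json > audit.json`; with no arguments it runs on the embedded sample. The script counts root advisories rather than npm's package-entry totals, which is the number you actually have to patch or justify, and an entry with `fixAvailable: false` (the uuid case in the description) is exactly the one that needs the kind of call-site argument given above before it can be accepted.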

tembleking merged commit e1ac360 into main on Jun 18, 2026
4 checks passed
tembleking deleted the fix/bump-task-lib-vulns branch on June 18, 2026 at 10:26
