Commit f04b3b6
test
fix: remove vulnerable biome@0.3.3 from production dependencies
- biome was incorrectly listed in dependencies (should be devDependency only)
- biome@0.3.3 had transitive dependencies on vulnerable packages:
  - request@2.88.2 → form-data@2.3.3 (critical: unsafe random)
  - request → qs, tough-cookie (moderate vulnerabilities)
  - inquirer-promise → lodash (critical: prototype pollution)
- Removed biome from dependencies; @biomejs/biome@1.9.4 already in devDependencies
- Audit result: 0 vulnerabilities (was 9: 3 critical, 6 moderate)
1 parent f345b07 commit f04b3b6
2 files changed
Lines changed: 13804 additions & 1 deletion
0 commit comments