fix(security): patch express via path-to-regexp

As far as I can tell from the block post:
https://blakeembrey.com/posts/2024-09-web-redos/
this vulnerability should not affect releases of Puter before this
update because we do not have any routes with multiple parameters where
the second parameter does not start with '.' or '/'.

However, for the sake of good security hygiene and so `npm audit` looks
nice, we're upgrading the package. (better late than never)

Author: KernelDeimos