fix: restore open-url browser links while respecting CVE-2025-11953

[thymikee]

Summary

Fixes #2812 by replacing the ESM-only strict-url-sanitise dependency in /open-url with local URL validation that preserves normal React Native welcome-screen links while rejecting Windows shell metacharacter payloads.

Removes the dependency from cli-server-api and refactors the middleware tests around a reusable request helper.

Validation

• yarn build
• yarn test packages/cli-server-api/src/__tests__/openURLMiddleware.test.ts --runInBand -u
• Verified against /Users/thymikee/Developer/RNCLI83: https://reactnative.dev/docs/tutorial returned 200 and opened Safari; https://evil.com?|calc.exe and https://example.com/?a=%¾TA% returned 400.

[thymikee]

Checked this against the 20.1.1 security change from #2758. This PR keeps the same regression coverage for CVE-2025-11953: non-string URLs are rejected, and the three attack vectors from #2758 are still rejected with 400: invalid hostname command substitution (https://www.$(calc.exe).com/foo), Windows pipe separator (https://evil.com?|calc.exe), and env-var expansion/exfiltration (https://example.com/?a=%¾TA%). The focused middleware test passes with those cases plus the React Native welcome-screen links.