Upgrade Soroban SDK in stellar-demo-staking example contract #158

@pasevin

Summary

The Soroban demo contract under `examples/basic-react-app/contracts/stellar-demo-staking` is pinned to `soroban-sdk` v22, which transitively brings in vulnerable versions of `stellar-xdr` (22.1.0) and `soroban-env-host` (22.1.3). Both have open Dependabot advisories that can only be resolved by bumping the SDK majors.

Context

Two open Dependabot alerts on `examples/basic-react-app/contracts/stellar-demo-staking/Cargo.lock`:

| Advisory | Package | Current → Patched | Severity |
| --- | --- | --- | --- |
| GHSA-x57h-xx53-v53w | `stellar-xdr` | 22.1.0 → 25.0.1 | moderate |
| GHSA-pm4j-7r4q-ccg8 | `soroban-env-host` | 22.1.3 → 26.0.0 | low |

Neither is exploitable in the demo's current usage — `soroban-env-host` runs inside Stellar validators (not in our build), and `stellar-xdr`'s `StringM::from_str` bypass only matters if the contract parses untrusted XDR strings, which the staking demo doesn't. The alerts are being dismissed in the Security tab in the meantime.

Why upgrade anyway

  • Keeps the demo contract aligned with current Soroban tooling and protocol version
  • Removes a recurring source of Dependabot noise on the example contract
  • Future contributors copying this example get an up-to-date starting point

Goal

Bump `soroban-sdk` from v22 to a current major (v25 or v26) in:

  • `examples/basic-react-app/contracts/stellar-demo-staking/Cargo.toml`
  • the matching `Cargo.lock`

Scope

  • Update `soroban-sdk` version in `Cargo.toml`
  • `cargo update` to refresh `stellar-xdr`, `soroban-env-host`, and friends
  • Adjust contract source for any breaking host-API or type changes between SDK majors
  • Verify the contract still builds (`cargo build --target wasm32-unknown-unknown --release`) and tests pass
  • Smoke-test deployment locally (Stellar testnet) before merging
  • Update any README / quickstart instructions that reference the SDK version

Notes

  • Priority: low — example/demo code only, not published as a package
  • Not a release blocker for any `@openzeppelin/ui-*` package
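Editor's added example for the upgrade procedure in the Scope list above; it is not code from the issue author or from the OpenZeppelin repository. It bumps the `soroban-sdk` requirement in `Cargo.toml` (both the plain and the `{ version = ..., features = [...] }` form), refreshes the lockfile, and then checks `Cargo.lock` against the patched versions from the advisory table (`stellar-xdr` >= 25.0.1, `soroban-env-host` >= 26.0.0) before building and testing. The contract path and the target SDK version `25.0.0` are assumptions (the issue only says "v25 or v26"); the fixture written by `make_fixture` is constructed for an offline demonstration and is not the repo's real `Cargo.toml` or `Cargo.lock`.

```shell
#!/bin/sh
# Added example, not code from the OpenZeppelin repository. Paths and the
# target SDK version are assumptions; the fixture below is constructed.
set -eu

# bump_sdk_version CARGO_TOML NEW_VERSION
# Rewrites the soroban-sdk requirement for both forms Cargo accepts:
#   soroban-sdk = "22.0.0"
#   soroban-sdk = { version = "22.0.0", features = ["testutils"] }
bump_sdk_version() {
  toml=$1; new=$2
  sed -E 's/^(soroban-sdk[[:space:]]*=[[:space:]]*([{][[:space:]]*version[[:space:]]*=[[:space:]]*)?)"[^"]*"/\1"'"$new"'"/' \
    "$toml" > "$toml.tmp" && mv "$toml.tmp" "$toml"
}

# lockfile_versions CARGO_LOCK CRATE
# Prints every version of CRATE recorded in the lockfile, one per line
# (a crate appears more than once when the graph pins several versions).
lockfile_versions() {
  awk -v crate="$2" '
    $1 == "[[package]]" { in_pkg = 1; name = ""; next }
    in_pkg && $1 == "name" { gsub(/"/, "", $3); name = $3; next }
    in_pkg && $1 == "version" && name == crate { gsub(/"/, "", $3); print $3 }
  ' "$1"
}

# version_ge A B -> succeeds when A >= B for plain MAJOR.MINOR.PATCH versions
version_ge() {
  top=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
  [ "$top" = "$1" ]
}

# check_patched CARGO_LOCK CRATE MIN_VERSION
# Fails if any recorded version of CRATE is below the advisory's patched version.
check_patched() {
  lock=$1; crate=$2; min=$3; rc=0; found=0
  for v in $(lockfile_versions "$lock" "$crate"); do
    found=1
    if version_ge "$v" "$min"; then
      echo "ok   $crate $v (>= $min)"
    else
      echo "FAIL $crate $v (< $min)"; rc=1
    fi
  done
  [ "$found" = 1 ] || echo "note $crate is not in $lock"
  return $rc
}

# upgrade_demo_contract CONTRACT_DIR NEW_SDK_VERSION
# The end-to-end procedure from the issue: bump, refresh the lockfile, verify the
# advisory versions are gone, then build the wasm and run the tests.
# Needs cargo and the wasm32-unknown-unknown target; only runs with --run.
upgrade_demo_contract() {
  dir=$1; new=$2
  bump_sdk_version "$dir/Cargo.toml" "$new"
  (cd "$dir" && cargo update)
  check_patched "$dir/Cargo.lock" stellar-xdr 25.0.1
  check_patched "$dir/Cargo.lock" soroban-env-host 26.0.0
  (cd "$dir" && cargo build --target wasm32-unknown-unknown --release && cargo test)
}

# Constructed fixture (not the repo's files): a pre-upgrade Cargo.toml and a
# Cargo.lock that still carries the stellar-xdr advisory version.
make_fixture() {
  dir=$(mktemp -d)
  cat > "$dir/Cargo.toml" <<'EOF'
[dependencies]
soroban-sdk = "22.0.0"

[dev-dependencies]
soroban-sdk = { version = "22.0.0", features = ["testutils"] }
EOF
  cat > "$dir/Cargo.lock" <<'EOF'
version = 3

[[package]]
name = "soroban-env-host"
version = "26.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "stellar-xdr"
version = "22.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
  echo "$dir"
}

if [ "${1:-}" = "--run" ]; then
  upgrade_demo_contract "${2:-examples/basic-react-app/contracts/stellar-demo-staking}" "${3:-25.0.0}"
fi
```

Run it from the repository root as `sh upgrade.sh --run` to perform the real upgrade; without `--run` it only defines the functions, so `check_patched` can be used on its own against any `Cargo.lock` to confirm that the two advisories are closed rather than merely dismissed.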

Metadata

Assignees: no one assigned
Labels: dependencies (pull requests that update a dependency file), enhancement (new feature or request), rust (pull requests that update Rust code)
Milestone: none
Development: no branches or pull requests