
chore(deps): bump astro to 6.3.7 and dashboard vite to 6.4.2 for security fixes #177

Merged
Lum1104 merged 1 commit into Lum1104:main from vedrao:fix/security-astro-vite-cve-bumps on May 23, 2026

Conversation


@vedrao vedrao commented May 22, 2026

Summary

Bumps two direct dependencies to resolve CVEs surfaced by a Snyk SCA scan of the monorepo, plus a lockfile refresh that sweeps up several transitive fixes that the bumps make reachable.

Direct dependency upgrades

  • homepage/package.json: astro ^6.0.4 → ^6.1.6 (lockfile resolves to 6.3.7)
  • understand-anything-plugin/packages/dashboard/package.json: vite ^6.0.0 → ^6.4.2

The dashboard vite fix is notable because per CLAUDE.md the dashboard dev server exposes a /file-content.json endpoint gated by an access token + graph-derived path allowlist — running it on a Vite version with a known directory-traversal CVE is exactly the case worth patching promptly.

Transitive fixes carried in by the lockfile refresh

  • h3 1.15.6 → 1.15.11 (via astro) — clears Timing Attack, Directory Traversal, CRLF Injection
  • defu 6.1.4 → 6.1.7 (via astro/h3) — clears Prototype Pollution (CVE-2026-35209)
  • brace-expansion@2.0.2 removed from the dep graph — clears Infinite Loop (CVE-2026-33750)

Remaining known issues (not fixed here)

A follow-up bump of vitest / @vitest/coverage-v8 from 3.2.x to 3.3.x or 4.x would clear the remaining transitive findings (old vite@7.3.1, postcss@8.5.8, picomatch@4.0.3, brace-expansion@5.0.5 all pinned through vitest). That's a more invasive change because it can affect tests, so it's intentionally kept out of this PR.

Test plan

  • pnpm install succeeds on a clean checkout
  • pnpm --filter @understand-anything/core build succeeds
  • pnpm --filter @understand-anything/dashboard build succeeds with vite 6.4.2
  • pnpm --filter homepage build succeeds with astro 6.3.7
  • Existing CI passes
  • (Optional) Re-run snyk test --all-projects and confirm the 5 listed CVEs no longer appear
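One way to turn the last step of the test plan into a repeatable check, as an added example that is not part of this PR or the project: parse the `packages:` section of pnpm-lock.yaml, confirm that astro, vite and defu resolve at or above the versions named above, and confirm that brace-expansion@2.0.2 has left the graph. The lockfile fragment and its `CONSTRUCTED` integrity values are made up for the demonstration; `checkLockfile`, `lockfilePackages` and the floors map are assumed names, not project code.

```javascript
// Added example, not the project's code: check a pnpm v9 lockfile against the
// patched versions this PR targets and against versions that must be gone.
// Keys "name@version" of the `packages:` section (2-space indent, scoped names quoted, peer suffix cut at "(").
function lockfilePackages(lockText) {
  const found = [];
  let inPackages = false;
  for (const line of lockText.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (/^\S/.test(line)) inPackages = false; // another top-level section (importers, snapshots, ...)
    const m = inPackages && line.match(/^  '?(@?[^@'\s]+)@([^'(:\s]+)/);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}
// Numeric major.minor.patch comparison; prerelease tags are ignored.
function semverAtLeast(actual, floor) {
  const [a, f] = [actual, floor].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((a[i] || 0) !== (f[i] || 0)) return (a[i] || 0) > (f[i] || 0);
  return true;
}
// floors: {name: patchedVersion}. Only entries sharing the floor's major are
// judged, so a side-by-side vite@7.x neither masks nor fails the 6.x floor.
// banned: exact "name@version" strings that must no longer appear anywhere.
function checkLockfile(lockText, floors, banned) {
  const pkgs = lockfilePackages(lockText);
  const problems = [];
  for (const [name, floor] of Object.entries(floors)) {
    const major = floor.split(".")[0];
    const same = pkgs.filter((p) => p.name === name && p.version.split(".")[0] === major);
    if (same.length === 0) problems.push(`${name}@${major}.x missing from lockfile`);
    for (const p of same) if (!semverAtLeast(p.version, floor)) problems.push(`${name}@${p.version} below patched floor ${floor}`);
  }
  for (const b of banned) if (pkgs.some((p) => `${p.name}@${p.version}` === b)) problems.push(`${b} still in dependency graph`);
  return problems;
}
// Constructed lockfile fragment (not the real pnpm-lock.yaml): astro and the
// dashboard vite are patched, defu is still stale, brace-expansion@2.0.2 remains.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
packages:
  astro@6.3.7: {resolution: {integrity: sha512-CONSTRUCTED}}
  brace-expansion@2.0.2: {resolution: {integrity: sha512-CONSTRUCTED}}
  defu@6.1.4: {resolution: {integrity: sha512-CONSTRUCTED}}
  vite@6.4.2: {resolution: {integrity: sha512-CONSTRUCTED}}
  vite@7.3.1: {resolution: {integrity: sha512-CONSTRUCTED}}
snapshots:
  astro@6.3.7: {}
`;
const FLOORS = { astro: "6.3.7", vite: "6.4.2", defu: "6.1.7" };
console.log(checkLockfile(SAMPLE_LOCK, FLOORS, ["brace-expansion@2.0.2"]));
```

An empty array means every floor is met and no banned version remains; run it against the real lockfile by reading pnpm-lock.yaml in place of `SAMPLE_LOCK`.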

…nd pnpm-lock.yaml

Bumps astro to version 6.3.7 and vite to version 6.4.2 across relevant package files to ensure compatibility and access to the latest features.
@Lum1104 Lum1104 force-pushed the fix/security-astro-vite-cve-bumps branch from 9f0b327 to 4ef12f3 Compare May 23, 2026 08:00
Lum1104 (Owner) commented May 23, 2026

@vedrao rebased onto main to clear the lockfile conflict (PR #161 landed ESLint + lockfile changes earlier today). Hope you don't mind the maintainer-edit force-push.

Resolution: kept your package.json bumps verbatim, took the post-#161 lockfile as the base, then ran pnpm install to regenerate so both your bumps and the eslint devDeps are in one consistent lockfile. Resolved versions match what you proposed: astro@6.3.7, vite@6.4.2 in the dashboard. The vite@7.x that also shows up in the lockfile is a transitive from astro 6.3.7 / vitest — pnpm keeps them side-by-side, dashboard still resolves to 6.4.2.

Verified locally (post-rebase):

  • pnpm lint — exit 0
  • pnpm --filter @understand-anything/core build + tests — 670/670 pass
  • pnpm --filter @understand-anything/skill build + tests — 775/775 pass
  • pnpm --filter @understand-anything/dashboard build — clean, 7.4s
  • pnpm --filter homepage build — clean, astro 6.3.7, 1.1s

Waiting on CI; will merge once it's green.

@Lum1104 Lum1104 merged commit 58f66be into Lum1104:main May 23, 2026
1 check passed