fix: upgrade happy-dom and pin transitive deps to fix known CVEs

Addresses three advisories identified by npm audit:

- @happy-dom/global-registrator: ^15.11.0 → ^20.9.0
  GHSA-37j7-fg3j-429f (critical) — VM context escape → RCE
  GHSA-6q6h-j7hj-3r64 (high)     — unsanitized export names executed as code
  GHSA-w4gp-fjgq-3q4g (high)     — fetch credentials leak

- rollup (transitive, via overrides): 3.29.5 → 3.30.0
  GHSA-mw96-cpmx-2vgc (high) — arbitrary file write via path traversal

- postcss (transitive, via overrides): 8.5.6 → 8.5.14
  GHSA-qx2v-qp2m-jg93 (moderate) — XSS via unescaped </style> in output

happy-dom v20 requires a document URL when using relative-URL fetch calls,
so GlobalRegistrator.register() is updated to pass url: 'http://localhost/'
as recommended by the library. Test pass/fail counts are unchanged (38/293
failures are all pre-existing and caused by the absent WASM build artifact).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brentrockwood

bun.lock

@@ -12,7 +12,7 @@
 import { GlobalRegistrator } from '@happy-dom/global-registrator';
 
 // Register Happy DOM globals (window, document, etc.)
-GlobalRegistrator.register();
+GlobalRegistrator.register({ url: 'http://localhost/' });
 
 // Mock Canvas 2D Context
 // Happy DOM doesn't provide canvas rendering APIs, so we mock them for testing.

happydom.ts

@@ -42,6 +42,10 @@
   "publishConfig": {
     "access": "public"
   },
+  "overrides": {
+    "rollup": "^3.30.0",
+    "postcss": "^8.5.10"
+  },
   "scripts": {
     "dev": "vite --port 8000",
     "demo": "node demo/bin/demo.js",
@@ -63,7 +67,7 @@
   },
   "devDependencies": {
     "@biomejs/biome": "^1.9.4",
-    "@happy-dom/global-registrator": "^15.11.0",
+    "@happy-dom/global-registrator": "^20.9.0",
     "@types/bun": "^1.3.2",
     "@xterm/headless": "^5.5.0",
     "@xterm/xterm": "^5.5.0",