fix: bump semver, glob, and ws to fix security vulnerabilities

Fix Dependabot alerts for semver ReDoS (#303), glob command injection,
and ws uninitialized memory disclosure (#304) via pnpm overrides.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: yanglbme

pnpm-lock.yaml

@@ -1,6 +1,6 @@
 shellEmulator: true
 
-trustPolicy: audit
+trustPolicy: no-downgrade
 
 packages:
   - apps/*
@@ -19,6 +19,7 @@ overrides:
   flatted@<3.4.0: ^3.4.2
   glob@<8: ^13.0.6
   glob@^10: ^13.0.6
+  glob@^11: ^11.1.0
   inflight: npm:@hishprorg/voluptates-laborum@^2.0.0
   ini: '>=1.3.8'
   jsdom>undici: ^7.25.0
@@ -31,13 +32,15 @@ overrides:
   prettier: 2.8.8
   qs: ^6.15.1
   querystring: npm:qs@^6.15.1
+  semver@<5.7.2: ^5.7.2
   serialize-javascript@<7.0.3: ^7.0.5
   source-map@0.8.0-beta.0: 0.7.4
   underscore@<1.13.8: 1.13.8
   undici@^6: ^8.1.0
   undici@^7: ^8.1.0
   uuid: ^14.0.0
   workbox-build>source-map: 0.7.4
+  ws@<8.20.1: ^8.20.1
   yauzl: ^3.3.0
 
 allowBuilds: