Commit 1718a36
rewrite-javascript: fix npm audit vulnerabilities (#7926)
Resolve all 7 advisories reported by npm audit (1 critical, 4 high,
2 moderate) in rewrite-javascript/rewrite. Prefer bumping direct
dependencies over pinning transitive ones; use overrides only where the
direct parent is already at its latest version.
Direct dependency bumps:
- picomatch ^4.0.3 -> ^4.0.4 (ReDoS, glob injection)
- yaml ^2.6.1 -> ^2.9.0 (stack overflow on deeply nested collections)
- vitest ^4.0.18 -> ^4.1.8 (UI server arbitrary file read/exec); this
also pulls fixed vite (path traversal) and postcss (XSS) transitively
Overrides (parent already at latest, range already allows the patch):
- tmp ^0.2.7 (via tmp-promise@3.0.3; path traversal)
- lodash ^4.18.1 (via benchmark@2.1.4; prototype pollution, code injection)

1 parent c42f4e2
2 files changed
Lines changed: 627 additions & 824 deletions
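The triage policy stated in the commit message (bump a direct dependency when the advisory is on it; add an `overrides` entry only when the finding is transitive and its direct parent is already at its latest version) as an added, runnable example. This is not code from the rewrite-javascript project or from this commit. The audit report, the package.json and the `LATEST` registry snapshot are constructed sample data: the report is shaped like `npm audit --json` output from npm 7+ (`isDirect`, `via`, `effects`), `LATEST` stands in for the result of `npm view <pkg> version`, and `planFixes`, `findDirectParent` and `applyPlan` are hypothetical helpers written for this illustration.

```javascript
// Added example, not from the rewrite-javascript commit: derive a remediation plan from an
// npm audit report using the commit's policy. All inputs below are constructed sample data.

// Constructed package.json whose specs mirror the commit's "before" state.
const SAMPLE_PKG = {
  name: 'example',
  dependencies: {
    picomatch: '^4.0.3',
    yaml: '^2.6.1',
    vitest: '^4.0.18',
    'tmp-promise': '^3.0.3',
    benchmark: '^2.1.4',
  },
};

// Constructed snapshot of "latest" versions, standing in for `npm view <pkg> version`.
const LATEST = {
  picomatch: '4.0.4', yaml: '2.9.0', vitest: '4.1.8',
  'tmp-promise': '3.0.3', tmp: '0.2.7',
  benchmark: '2.1.4', lodash: '4.18.1',
};

// Constructed report in the shape of `npm audit --json` (npm 7+). `via` holds advisory
// objects for a package's own findings and bare package names when it is only affected
// through a child; `effects` lists the dependents that become vulnerable because of it.
const adv = (title) => ({ title });
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    picomatch: { isDirect: true, via: [adv('ReDoS / glob injection')], effects: [] },
    yaml: { isDirect: true, via: [adv('stack overflow on nested collections')], effects: [] },
    vitest: { isDirect: true, via: [adv('UI server file read/exec'), 'vite'], effects: [] },
    vite: { isDirect: false, via: [adv('path traversal'), 'postcss'], effects: ['vitest'] },
    postcss: { isDirect: false, via: [adv('XSS')], effects: ['vite'] },
    tmp: { isDirect: false, via: [adv('path traversal')], effects: ['tmp-promise'] },
    'tmp-promise': { isDirect: true, via: ['tmp'], effects: [] },
    lodash: { isDirect: false, via: [adv('prototype pollution')], effects: ['benchmark'] },
    benchmark: { isDirect: true, via: ['lodash'], effects: [] },
  },
};

// Minimal "a.b.c" comparison so the example needs no semver package.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Lowest version a spec such as "^3.0.3" or "~1.2.0" can resolve to.
// (A real run should read the installed version from the lockfile instead.)
function specFloor(spec) {
  return spec.replace(/^[\^~>=\s]+/, '');
}

// Follow the `effects` chain from a transitive package up to the first direct dependency.
function findDirectParent(vulns, name, seen = new Set()) {
  if (seen.has(name)) return null;
  seen.add(name);
  for (const parent of vulns[name].effects || []) {
    if (vulns[parent] && vulns[parent].isDirect) return parent;
    const up = findDirectParent(vulns, parent, seen);
    if (up) return up;
  }
  return null;
}

function planFixes(report, pkg, latest) {
  const vulns = report.vulnerabilities;
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const plan = { bumps: {}, overrides: {}, viaParentBump: {}, unresolved: [] };

  for (const [name, v] of Object.entries(vulns)) {
    // Entries whose `via` holds only package names (e.g. tmp-promise via tmp) carry no
    // advisory of their own; the finding is handled on the child entry.
    if (!v.via.some((x) => typeof x === 'object')) continue;

    if (v.isDirect) {
      plan.bumps[name] = { from: deps[name], to: `^${latest[name]}` };
      continue;
    }
    const parent = findDirectParent(vulns, name);
    if (!parent || !deps[parent]) { plan.unresolved.push(name); continue; }
    const parentAtLatest = cmpVersion(specFloor(deps[parent]), latest[parent]) >= 0;
    if (parentAtLatest) plan.overrides[name] = `^${latest[name]}`; // parent cannot be bumped
    else plan.viaParentBump[name] = parent; // bumping the parent is expected to pull the fix
  }
  return plan;
}

// Produce the updated package.json without mutating the input.
function applyPlan(pkg, plan) {
  const out = JSON.parse(JSON.stringify(pkg));
  for (const [name, { to }] of Object.entries(plan.bumps)) {
    const field = out.dependencies && out.dependencies[name] ? 'dependencies' : 'devDependencies';
    out[field] = out[field] || {};
    out[field][name] = to;
  }
  if (Object.keys(plan.overrides).length) out.overrides = { ...(out.overrides || {}), ...plan.overrides };
  return out;
}

const examplePlan = planFixes(SAMPLE_AUDIT, SAMPLE_PKG, LATEST);
console.log(JSON.stringify(applyPlan(SAMPLE_PKG, examplePlan), null, 2));
```

Two checks belong after running something like this: re-run `npm audit` once the direct bumps are installed, because a finding filed under `viaParentBump` is only assumed to be pulled along by the parent bump; and, before committing an `overrides` entry, confirm the parent's own dependency range already admits the patched version (the "range already allows the patch" condition in the commit message), since an override forces that version whether or not the parent was ever tested against it.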