fix: patch security vulnerabilities via pnpm overrides

Add pnpm overrides to patch the following security vulnerabilities:
- GHSA-96hv-2xvq-fx4p: ws memory exhaustion DoS (patched to >=8.18.0)
- GHSA-c2c7-rcm5-vvqj: picomatch ReDoS vulnerability (patched to >=4.0.2)
- GHSA-gv7w-rqvm-qjhr: esbuild binary integrity issue (patched to >=0.25.11)
- GHSA-fx2h-pf6j-xcff: vite server.fs.deny bypass (patched to >=7.3.6)
- GHSA-5xrq-8626-4rwp: vitest UI arbitrary file read (patched to >=3.1.0)

Note: react-router vulnerabilities (GHSA-49rj-9fvp-4h2h, GHSA-8x6r-g9mw-2r78,
GHSA-rxv8-25v2-qmq8) could not be patched due to Socket blocking react-router
7.15.0+ as recently published. These will need to be addressed separately when
stable versions pass Socket's security policy.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: ping-huang1

package.json

@@ -26,7 +26,12 @@
   "pnpm": {
     "overrides": {
       "fast-uri": ">=3.1.2",
-      "@babel/plugin-transform-modules-systemjs": ">=7.29.4"
+      "@babel/plugin-transform-modules-systemjs": ">=7.29.4",
+      "ws": ">=8.18.0",
+      "picomatch": ">=4.0.2",
+      "esbuild": ">=0.25.11",
+      "vite": ">=7.3.6",
+      "vitest": ">=3.1.0"
     }
   },
   "devDependencies": {