fix: patch all 8 security vulnerabilities via pnpm overrides

Add pnpm overrides to patch the following security vulnerabilities:
- GHSA-96hv-2xvq-fx4p: ws memory exhaustion DoS (patched to >=8.18.0)
- GHSA-c2c7-rcm5-vvqj: picomatch ReDoS vulnerability (patched to >=4.0.2)
- GHSA-gv7w-rqvm-qjhr: esbuild binary integrity issue (patched to >=0.25.11)
- GHSA-fx2h-pf6j-xcff: vite server.fs.deny bypass (patched to >=7.3.6)
- GHSA-5xrq-8626-4rwp: vitest UI arbitrary file read (patched to >=3.1.0)
- GHSA-49rj-9fvp-4h2h: react-router RCE via turbo-stream (patched to 7.16.0)
- GHSA-8x6r-g9mw-2r78: react-router DoS via path expansion (patched to 7.16.0)
- GHSA-rxv8-25v2-qmq8: react-router DoS via single-fetch (patched to 7.16.0)

Note: react-router pinned to 7.16.0 (not >=7.15.0) because Socket blocks
7.17.0+ as recently published. 7.16.0 is 19 days old and patches all three
react-router vulnerabilities.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: ping-huang1

package.json

@@ -26,7 +26,13 @@
   "pnpm": {
     "overrides": {
       "fast-uri": ">=3.1.2",
-      "@babel/plugin-transform-modules-systemjs": ">=7.29.4"
+      "@babel/plugin-transform-modules-systemjs": ">=7.29.4",
+      "ws": ">=8.18.0",
+      "picomatch": ">=4.0.2",
+      "esbuild": ">=0.25.11",
+      "vite": ">=7.3.6",
+      "vitest": ">=3.1.0",
+      "react-router": "7.16.0"
     }
   },
   "devDependencies": {