fix(deps): pin transitive esbuild to 0.28.1 to clear dev-server advisory (#1021)

vite pulls esbuild ^0.27.0, which is affected by GHSA-g7r4-m6w7-qqqr
(arbitrary file read via the dev server on Windows). esbuild is not a
direct dependency, so force it to the patched 0.28.1 via a pnpm override.

Author: sdserranog