Commit 54f838e
security: pin @tanstack/* away from GHSA-g7cv-rxg3-hmpx malware
Caret ranges previously resolved into the malicious versions published
2026-05-11 19:20-19:26 UTC (1.169.5/1.169.8 react-router, 1.167.38/
1.167.41 router-plugin, etc.). Pinned direct deps to exact known-clean
pre-malicious versions and added `overrides` for transitive @tanstack/*
deps so no sub-dependency can drift into a bad patch.
Bump to the clean follow-up releases once TanStack publishes them
(tracked in TanStack/router#7383).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent d968ba2 commit 54f838e
2 files changed
Lines changed: 268 additions & 334 deletions
0 commit comments
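The pinning described in the commit message can be enforced in CI with a manifest and lockfile audit. The script below is an added example, not part of this commit or the project's code. It assumes npm's lockfileVersion 2/3 `packages` map, flat `overrides` entries, and a hypothetical `auditTanstack` helper; the sample manifests and the `0.0.0-clean` version are constructed.

```javascript
// Added example: audits package.json plus a lockfileVersion 2/3 "packages" map.
// BLOCKLIST holds only the versions named in the commit message; its "etc."
// means more exist, so extend it from the GHSA-g7cv-rxg3-hmpx advisory.
const BLOCKLIST = {
  '@tanstack/react-router': ['1.169.5', '1.169.8'],
  '@tanstack/router-plugin': ['1.167.38', '1.167.41'],
};
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // rejects ^, ~, x and ranges

function auditTanstack(pkg, lock) {
  const findings = new Set();
  const direct = { ...pkg.dependencies, ...pkg.devDependencies };
  // 1. Direct @tanstack/* deps must be exact pins.
  for (const [name, spec] of Object.entries(direct)) {
    if (name.startsWith('@tanstack/') && !EXACT.test(spec)) findings.add(`range: ${name}@${spec}`);
  }
  const overrides = pkg.overrides || {}; // assumption: flat "name": "version" form
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project entry
    const name = path.slice(idx + 'node_modules/'.length);
    if (!name.startsWith('@tanstack/')) continue;
    // 2. Nothing may resolve to a blocklisted version, at any nesting depth.
    if ((BLOCKLIST[name] || []).includes(entry.version)) findings.add(`blocked: ${name}@${entry.version}`);
    // 3. Transitive @tanstack/* packages need an exact override.
    if (!(name in direct) && !EXACT.test(String(overrides[name]))) findings.add(`no-override: ${name}`);
  }
  return [...findings];
}

// Constructed samples; 0.0.0-clean is a placeholder, not a real release.
const before = {
  pkg: { dependencies: { '@tanstack/react-router': '^1.169.0' } },
  lock: { packages: {
    '': {},
    'node_modules/@tanstack/react-router': { version: '1.169.8' },
    'node_modules/@tanstack/router-core': { version: '0.0.0-clean' },
  } },
};
const after = {
  pkg: { dependencies: { '@tanstack/react-router': '0.0.0-clean' },
         overrides: { '@tanstack/router-core': '0.0.0-clean' } },
  lock: { packages: {
    '': {},
    'node_modules/@tanstack/react-router': { version: '0.0.0-clean' },
    'node_modules/x/node_modules/@tanstack/router-core': { version: '0.0.0-clean' },
  } },
};
console.log(auditTanstack(before.pkg, before.lock), auditTanstack(after.pkg, after.lock));
```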