Security: update vulnerable dependencies and align overrides with 26_1

- Align pnpm.overrides with 26_1 branch for cherry-pick compatibility
- Add 50+ security overrides for transitive dependencies
- Add overrides for vite@5, webpack-dev-server, react-router,
  @babel/helpers, @babel/runtime, js-yaml, storybook, and Angular 19.x
- Update node-forge, tar, rollup, qs, axios override ranges
- Reduces pnpm audit from 201 to 16 vulnerabilities
- Remaining 16 are unfixable: Angular 17.x (6), babel-traverse,
  terser, request, esbuild, parcel, elliptic

Author: Claude Bot

package.json

@@ -64,18 +64,81 @@
   ],
   "pnpm": {
     "overrides": {
-      "@devexpress/callsite-record@^4.1.6": "4.1.6",
+      "@devexpress/callsite-record@^4.1.6": "4.1.7",
+      "basic-ftp@<5.2.0": "~5.2.0",
+      "@isaacs/brace-expansion@<=5.0.0": "^5.0.1",
+      "@modelcontextprotocol/sdk@>=1.10.0 <=1.25.3": "^1.26.0",
       "form-data@<2.5.4": "2.5.5",
       "form-data@>=4.0.0 <4.0.4": "^4.0.5",
       "pbkdf2@<=3.1.2": "^3.1.3",
       "sha.js@<=2.4.11": "^2.4.12",
       "rollup@<2.79.2": "^4.53.3",
+      "rollup@>=4.0.0 <4.59.0": "^4.59.0",
       "json5@<1.0.2": "^2.2.3",
-      "axios@<1.8.2": "^1.13.2",
+      "axios@<=1.13.4": "^1.13.5",
       "braces@<3.0.3": "^3.0.3",
       "semver@<5.7.2": "^5.7.2",
+      "qs": ">=6.14.2",
       "glob@>=10.2.0 <10.5.0": "^10.5.0",
-      "node-forge@<1.3.2": "^1.3.2"
+      "node-forge@<1.4.0": "1.4.0",
+      "vite@>=6.0.0 <6.4.1": "^6.4.1",
+      "tar@<=7.5.9": "^7.5.10",
+      "underscore@<=1.13.7": "^1.13.8",
+      "hono@<4.12.4": "^4.12.4",
+      "@hono/node-server@<1.19.10": "^1.19.10",
+      "express-rate-limit@>=8.2.0 <8.2.2": "^8.2.2",
+      "immutable@>=5.0.0 <5.1.5": "^5.1.5",
+      "minimatch@<3.1.5": "3.1.5",
+      "minimatch@>=4.0.0 <4.2.5": "4.2.5",
+      "minimatch@>=5.0.0 <5.1.8": "5.1.8",
+      "minimatch@>=9.0.0 <9.0.7": "9.0.9",
+      "minimatch@>=10.0.0 <10.2.4": "10.2.4",
+      "picomatch@>=2.0.0 <2.3.2": "2.3.2",
+      "picomatch@>=4.0.0 <4.0.4": "4.0.4",
+      "path-to-regexp@0.1.12": "0.1.13",
+      "path-to-regexp@>=8.0.0 <8.4.0": "8.4.0",
+      "serialize-javascript@<=7.0.2": "7.0.5",
+      "flatted@<3.4.0": "^3.4.0",
+      "undici@<7.24.0": "^7.24.0",
+      "socket.io-parser@>=4.0.0 <4.2.6": "^4.2.6",
+      "lodash@<4.18.1": "4.18.1",
+      "lodash.template@<4.18.1": "4.18.1",
+      "bn.js@<4.12.3": "4.12.3",
+      "bn.js@>=5.0.0 <5.2.3": "5.2.3",
+      "brace-expansion@<1.1.13": "1.1.13",
+      "brace-expansion@>=2.0.0 <2.0.3": "2.0.3",
+      "cookie@<0.7.0": "^0.7.0",
+      "diff@>=4.0.0 <4.0.4": "4.0.4",
+      "diff@>=5.0.0 <5.2.2": "5.2.2",
+      "dompurify@<=3.3.1": "^3.3.2",
+      "@eslint/plugin-kit@<0.3.4": "^0.3.4",
+      "http-proxy-middleware@>=1.3.0 <2.0.9": "^2.0.9",
+      "immutable@>=4.0.0-rc.1 <4.3.8": "^4.3.8",
+      "jspdf@<=4.2.0": "^4.2.1",
+      "js-yaml@>=4.0.0 <4.1.1": "^4.1.1",
+      "micromatch@<4.0.8": "^4.0.8",
+      "nanoid@<3.3.8": "^3.3.8",
+      "on-headers@<1.1.0": "^1.1.0",
+      "ajv@<6.14.0": "6.14.0",
+      "ajv@>=7.0.0-alpha.0 <8.18.0": "^8.18.0",
+      "yaml@>=1.0.0 <1.10.3": "1.10.3",
+      "yaml@>=2.0.0 <2.8.3": "2.8.3",
+      "tmp@<=0.2.3": "^0.2.4",
+      "@tootallnate/once@<3.0.1": "^3.0.1",
+      "tough-cookie@<4.1.3": "^4.1.3",
+      "webpack@>=5.49.0 <=5.104.0": "^5.104.1",
+      "vite@>=5.0.0 <=5.4.20": "^5.4.21",
+      "webpack-dev-server@<=5.2.0": "^5.2.1",
+      "react-router@>=6.0.0 <6.30.2": "^6.30.2",
+      "@remix-run/router@<=1.23.1": "^1.23.2",
+      "@babel/helpers@<7.26.10": "^7.26.10",
+      "@babel/runtime@<7.26.10": "^7.26.10",
+      "js-yaml@<3.14.2": "3.14.2",
+      "@angular/common@>=19.0.0 <19.2.16": "^19.2.20",
+      "@angular/core@>=19.0.0-next.0 <19.2.20": "^19.2.20",
+      "@angular/compiler@>=19.0.0-next.0 <19.2.20": "^19.2.20",
+      "@angular/platform-server@>=19.0.0-next.0 <19.2.20": "^19.2.20",
+      "storybook@>=10.0.0-beta.0 <10.2.10": "^10.2.10"
     }
   },
   "packageManager": "pnpm@9.15.4"