fix(deps): resolve vite security vulnerabilities

Update vitest 2.x→4.x and @vitejs/plugin-react 4.x→5.2.0, bringing
vite to 8.0.5 which fixes GHSA-p9ff-h696-f583 (WebSocket file read),
GHSA-v2wj-q39q-566r (fs.deny bypass), and GHSA-4w7w-66w2-5vf9
(path traversal in .map handling).

Author: GeiserX