fix(deps): bump postcss + ws; suppress vite + esbuild dev-only CVEs (#124)

Clears OSV-Scanner on main by bumping the 2 in-semver CVEs and
suppressing the 2 dev-only-no-prod-reach CVEs with documented
rationale.

Bumped:
- postcss 8.5.9 -> 8.5.15 (GHSA-qx2v-qp2m-jg93, transitive of vite)
- ws (dev) 8.20.0 -> 8.20.1 (GHSA-58qx-3vcg-4xpx, transitive of jsdom)

Suppressed in osv-scanner.toml (dev-only, no prod exposure):
- GHSA-4w7w-66w2-5vf9 (vite dev-server path traversal in .map handling)
- GHSA-67mh-4wv8-2f99 (esbuild dev-server CORS)

Justification: instanode-web ships a static GitHub Pages artifact.
No Node runtime in prod. Dev-server vulns cannot reach users.
Will lift the suppressions when vite is bumped to v7 (separate
breaking-change PR).

Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

osv-scanner.toml

@@ -0,0 +1,16 @@
+# OSV-Scanner config
+#
+# vite + esbuild CVEs below are dev-server-only and CANNOT reach prod
+# users because instanode-web ships a static GitHub Pages site.
+# The prod artifact is HTML/CSS/JS — no Node runtime, no dev server.
+#
+# These suppressions will be removed when vite is bumped to v7+
+# (a separate PR — major-version breaking change).
+
+[[IgnoredVulns]]
+id = "GHSA-4w7w-66w2-5vf9"
+reason = "Dev-only (vite dev-server path traversal in .map handling). Prod ships as static HTML/CSS/JS to GitHub Pages — no Node runtime, no dev server in the deployed artifact. Will lift when vite is bumped to v7 (separate breaking-change PR)."
+
+[[IgnoredVulns]]
+id = "GHSA-67mh-4wv8-2f99"
+reason = "Dev-only (esbuild dev-server CORS issue, pinned by vite ^5.x). Same rationale as the vite suppression above — no prod exposure. Will lift when vite v7 bump removes the esbuild^0.21 pin."