fix(deps): pin fast-uri to 3.1.2 to close GHSA-q3j6-qgpj-74h6 / GHSA-v39h-62p7-jpjc (#909)

Add a pnpm override so the transitive `fast-uri` (pulled in via
`openapi-typescript > @redocly/openapi-core > @redocly/ajv`) resolves to
3.1.2. The previously locked 3.1.0 is affected by two high-severity
advisories:

- CVE-2026-6321 (GHSA-q3j6-qgpj-74h6): path traversal via percent-encoded
  dot segments in `normalize()` / `equal()`.
- CVE-2026-6322 (GHSA-v39h-62p7-jpjc): host confusion via percent-encoded
  authority delimiters.

`pnpm audit` now reports 0 vulnerabilities for the sdks workspace.
`docs/` and `tests/javascript/` audits are already clean.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: Pangjiping

sdks/package.json

@@ -17,7 +17,8 @@
       "picomatch@^4.0.0": "4.0.4",
       "brace-expansion@^1.0.0": "1.1.13",
       "brace-expansion@^2.0.0": "2.0.3",
-      "flatted@^3.0.0": "3.4.2"
+      "flatted@^3.0.0": "3.4.2",
+      "fast-uri@^3.0.0": "3.1.2"
     }
   },
   "devDependencies": {