chore(deps): bump vulnerable transitive deps to resolve security alerts

[B4nan]

Summary

Resolve open Dependabot alerts in pnpm-lock.yaml.

In-range lockfile bumps: form-data 4.0.5 → 4.0.6 (high).

Via pnpm.overrides / direct pin (transitives were pinned by dev tooling — tsx, lerna, vitest):

• esbuild → ^0.28.1 (high + low)
• vite → ^8.0.16 (high + medium) — pinned as a direct devDependency because it's an auto-installed peer of vitest that overrides can't move
• tar → ^7.5.16 (medium)
• js-yaml (v4 line) → ^4.2.0 (medium), scoped to v4 so gray-matter's v3 is untouched

Verified: pnpm build succeeds and vitest runs green.

Not addressed

• js-yaml 3.14.2 — pulled by gray-matter, which pins the v3 line; forcing v4 would break it (the v4 API dropped safeLoad etc.). All dev/build-only.

🤖 Generated with Claude Code