Commit b2c7288
chore(deps): bump vulnerable website deps to resolve security alerts (#1973)
Lockfile-only bumps in the docs website (`website/pnpm-lock.yaml`) to
resolve Dependabot security alerts. No `package.json` changes; performed
via `pnpm update ... -r`.
### Fixed
| Package | Old → New | Severity |
| --- | --- | --- |
| shell-quote | 1.8.3 → 1.8.4 | **CRITICAL** |
| form-data | 4.0.5 → 4.0.6 | High |
| ws (v7 line) | 7.5.10 → 7.5.11 | High |
| ws (v8 line) | 8.20.0 → 8.21.0 | High |
| @babel/core | 7.29.6 → 7.29.7 | Moderate |
| dompurify | 3.3.3 → 3.4.10 | Moderate |
| joi | 17.13.3 → 17.13.4 | Moderate |
| js-yaml | 4.1.1 → 4.2.0 | Moderate |
| launch-editor | 2.13.2 → 2.14.1 | Moderate |
| markdown-it | 14.1.1 → 14.2.0 | Moderate |
The bulk of the lockfile diff is benign `@babel/core@...` peer-key churn
(the version is embedded as a peer suffix across many dependency keys).
### Not addressed here
- **js-yaml 3.14.2** — pulled in transitively by `gray-matter@4.0.3`,
which pins the v3 line. It cannot be moved to v4 without an override
(out of scope; lockfile-only update keeps it). The v4 line was bumped to
the patched 4.2.0.
- One dompurify advisory has no fix listed upstream; bumping to 3.4.10
covers the fixable advisories.
🤖 Generated with [Claude Code](https://claude.com/claude-code)

1 parent a111b26 commit b2c7288
1 file changed
Lines changed: 1435 additions & 893 deletions
0 commit comments
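A check a reviewer could run over the updated lockfile to confirm the bumps in the table landed, added here as an example and not part of the commit or the project's code. It assumes package keys of the form `name@version:` (optionally quoted, with a peer suffix); `auditLockfile` and the sample lines are constructed for illustration.

```javascript
// Patched minimums copied from the commit's "Fixed" table; ws has one entry
// per release line because 7.x and 8.x are patched separately.
const PATCHED = [
  ["shell-quote", "1.8.4"], ["form-data", "4.0.6"], ["ws", "7.5.11"],
  ["ws", "8.21.0"], ["@babel/core", "7.29.7"], ["dompurify", "3.4.10"],
  ["joi", "17.13.4"], ["js-yaml", "4.2.0"], ["launch-editor", "2.14.1"],
  ["markdown-it", "14.2.0"],
];
// Matches package keys such as "  ws@7.5.10:" or
// "  '@babel/core@7.29.6(react@18.3.1)':" (assumed key layout).
const KEY_RE = /^\s+'?\/?((?:@[\w.-]+\/)?[\w.-]+)@(\d+\.\d+\.\d+)[^:]*:\s*$/;
const parse = (v) => v.split(".").map(Number);
const lessThan = (a, b) => {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
};

// Hypothetical helper: returns entries still below a patched version
// ("stale") and entries on a major line the table has no fix for
// ("otherLine", e.g. a v3 package when only v4 was bumped).
function auditLockfile(lockText) {
  const stale = new Set(), otherLine = new Set();
  for (const line of lockText.split("\n")) {
    const m = KEY_RE.exec(line);
    if (!m) continue;
    const [, name, version] = m;
    const fixes = PATCHED.filter(([n]) => n === name);
    if (fixes.length === 0) continue; // package not in the table
    const fix = fixes.find(([, v]) => parse(v)[0] === parse(version)[0]);
    if (!fix) otherLine.add(`${name}@${version}`);
    else if (lessThan(version, fix[1])) stale.add(`${name}@${version}`);
  }
  return { stale: [...stale].sort(), otherLine: [...otherLine].sort() };
}

// Constructed sample lines, not the project's real lockfile.
const SAMPLE = [
  "packages:",
  "  '@babel/core@7.29.7':",
  "  js-yaml@3.14.2:",
  "  js-yaml@4.2.0:",
  "  shell-quote@1.8.3:",
  "  ws@7.5.10:",
  "  ws@8.21.0:",
].join("\n");
console.log(auditLockfile(SAMPLE));
```

Entries reported under `otherLine` are the ones a lockfile-only update cannot fix, such as a dependency pinned to an older major by its parent.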