
Commit a666f9d

sfanahata and Shannon Anahata authored
chore(deps): add pnpm overrides to fix transitive dependency vulnerabilities (#17095)
## Summary

Adds pnpm overrides to force patched versions of transitive dependencies that have known security vulnerabilities.

## Changes

### New overrides added:

| Package | Version | CVEs Fixed | Severity |
|---------|---------|------------|----------|
| `immutable` | ^5.1.5 | CVE-2026-29063 | HIGH - Prototype Pollution |
| `flatted` | ^3.4.2 | CVE-2026-33228, CVE-2026-32141 | HIGH - Prototype Pollution + DoS |
| `rollup` | ^4.59.0 | CVE-2026-27606 | HIGH - Arbitrary File Write |
| `fast-xml-parser` | ^5.5.7 | CVE-2026-33036, CVE-2026-33349 | HIGH/MEDIUM - Entity Expansion Bypass |
| `undici` | ^6.24.0 | CVE-2026-1526, CVE-2026-2229, CVE-2026-1527, CVE-2026-1525 | HIGH/MEDIUM - WebSocket + CRLF Injection |

### Intentionally NOT included:

| Package | Reason |
|---------|--------|
| `minimatch` | Forcing v3→v9 breaks ESLint plugins (removed default export, brace-expansion v1→v2). Will be fixed properly in ESLint 9 migration. |

### Why overrides?

These are all **transitive dependencies** - we don't control them directly in `package.json`. They're pulled in by:

- **ESLint ecosystem** → flatted
- **AWS SDK** → fast-xml-parser
- **Vite/Rollup** → rollup
- **Sass** → immutable
- **Codecov plugin** → undici

Using `pnpm.overrides` forces the patched versions to be used regardless of what the parent packages specify.

## Testing

- [x] `pnpm install` succeeds
- [x] `pnpm lint:eslint` passes (0 errors, only pre-existing warnings)
- [x] `pnpm test:ci` passes (149 tests)
- [ ] CI will validate full build

## Fixes

- https://github.com/getsentry/sentry-docs/security/dependabot/266
- https://github.com/getsentry/sentry-docs/security/dependabot/274
- https://github.com/getsentry/sentry-docs/security/dependabot/267
- https://github.com/getsentry/sentry-docs/security/dependabot/251
- https://github.com/getsentry/sentry-docs/security/dependabot/272
- https://github.com/getsentry/sentry-docs/security/dependabot/276
- https://github.com/getsentry/sentry-docs/security/dependabot/260
- https://github.com/getsentry/sentry-docs/security/dependabot/271
- https://github.com/getsentry/sentry-docs/security/dependabot/270
- https://github.com/getsentry/sentry-docs/security/dependabot/269
- https://github.com/getsentry/sentry-docs/security/dependabot/268
- https://github.com/getsentry/sentry-docs/security/dependabot/242

Co-authored-by: Shannon Anahata <shannonanahata@gmail.com>
1 parent 5dd5cb4 commit a666f9d

2 files changed

Lines changed: 161 additions & 172 deletions

File tree

package.json

Lines changed: 6 additions & 1 deletion
@@ -165,7 +165,12 @@
165165
"overrides": {
166166
"dompurify": "3.3.2",
167167
"@types/dompurify": "3.0.5",
168-
"@types/node": "^22"
168+
"@types/node": "^22",
169+
"immutable": "^5.1.5",
170+
"flatted": "^3.4.2",
171+
"rollup": "^4.59.0",
172+
"fast-xml-parser": "^5.5.7",
173+
"undici": "^6.24.0"
169174
},
170175
"onlyBuiltDependencies": [
171176
"@parcel/watcher",
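Review bot: the five new entries are caret ranges while the existing `dompurify` and `@types/dompurify` overrides are exact pins, and a caret override such as `"fast-xml-parser": "^5.5.7"` is a forced cross-major bump for any consumer that declared a 4.x range (the message names the AWS SDK as the consumer), which is the same class of break the message gives as the reason for leaving `minimatch` out. The lockfile (the second changed file, not shown here) should be checked to confirm that no pre-override copies of `fast-xml-parser`, `undici`, `rollup` or `immutable` remain in the tree and that `pnpm why` for each reports only the patched version; `pnpm install` and the test suite passing does not by itself show that the transitive consumers exercise the new major at runtime. Since `package.json` cannot carry comments, consider recording the removal condition for each override (the parent package and the version at which it picks up the fix) somewhere discoverable, so the overrides can be dropped once the parents update instead of silently pinning forever.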
