d6e59cedd7
Resolve transitive Dependabot alerts on the web lockfile. esbuild >= 0.28.1 (GHSA-gv7w-rqvm-qjhr #239, GHSA-g7r4-m6w7-qqqr #238): Deno-module RCE via NPM_CONFIG_REGISTRY and Windows dev-server arbitrary file read. Forced via a pnpm-workspace override (esbuild is a regular dep of vite, so the override applies cleanly); bounded to <0.29 to stay on the verified line. vite 7.3.3 declares ^0.27.0, but the 0.28 JS API is unchanged for vite's usage -- verified by the full test run and web build. @vitest/browser >= 4.1.8 (GHSA-g8mr-85jm-7xhm #240): Browser Mode CDP bridge bypasses allowWrite/allowExec, enabling config overwrite -> RCE. Bumped the vitest devDep family (vitest, @vitest/browser-*, coverage-v8) from ^4.0.18 to ^4.1.8; resolves to 4.1.9. Verified: pnpm test (5685 passed), pnpm lint, pnpm build-web (exit 0). Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>