fix(deps): address security vulnerabilities in vite, picomatch, and defu (#791)

## Summary

Resolve 10 open Dependabot alerts (5 high, 5 medium) across 3 transitive
dependencies.

- **vite**: 7.3.0 → 7.3.2 (main), 6.4.1 → 6.4.2 (docs) — arbitrary file
read via WebSocket, `server.fs.deny` bypass, path traversal in `.map`
handling
- **picomatch**: 2.3.1 → 2.3.2 (pnpm override), 4.0.3 → 4.0.4 — ReDoS
via extglob quantifiers, method injection in POSIX character classes
- **defu**: 6.1.4 → 6.1.7 (pnpm override in docs) — prototype pollution
via `__proto__` key

## Approach

- Added `"picomatch@<3": "^2.3.2"` override in `package.json` — the 2.x
line is pinned deep in `@sentry/esbuild-plugin` → `unplugin@1.0.1` →
`chokidar` and can't be bumped via direct deps
- Added `"defu": "^6.1.5"` override in `docs/package.json` — locked via
`astro` → `unstorage` → `h3` → `defu`
- vite and picomatch 4.x resolved naturally via lockfile regeneration
(existing semver ranges permit the patched versions)

## CVEs addressed

CVE-2026-39363, CVE-2026-39364, CVE-2026-39365, CVE-2026-33671,
CVE-2026-33672, CVE-2026-35209

Author: BYK

docs/package.json

@@ -18,7 +18,8 @@
       "devalue": "^5.6.4",
       "rollup": "^4.59.0",
       "svgo": "^4.0.1",
-      "smol-toml": "^1.6.1"
+      "smol-toml": "^1.6.1",
+      "defu": "^6.1.5"
     }
   }
 }

docs/pnpm-lock.yaml

@@ -107,7 +107,8 @@
       "minimatch": "^10.2.1",
       "ajv@<6.14.0": "^6.14.0",
       "rollup": "^4.59.0",
-      "flatted": "^3.4.2"
+      "flatted": "^3.4.2",
+      "picomatch@<3": "^2.3.2"
     }
   }
 }