build(deps): pin patched transitive dependency versions

[dev-jodee]

Summary

• Added root pnpm.overrides to pin patched transitive versions:
  • handlebars@^4.0.0 -> 4.7.9
  • picomatch@^2.0.0 -> 2.3.2
  • picomatch@^4.0.0 -> 4.0.4
• Regenerated pnpm-lock.yaml with pnpm install --lockfile-only.
• Resolved baseline Dependabot alert IDs targeted in this remediation: #30, #31, #33, #34, #35.

Test Plan

• git status --short (clean baseline before edits)
• gh api '/repos/solana-program/rewards/dependabot/alerts?state=open&per_page=100' --paginate --slurp -> 5 open alerts
• jq extraction confirmed all 5 were transitive npm alerts with patched versions available
• pnpm install --lockfile-only -> exit 0
• rg -n "picomatch@2\.3\.1|picomatch@4\.0\.3|handlebars@4\.7\.8" pnpm-lock.yaml -> no matches
• rg -n "picomatch@2\.3\.2|picomatch@4\.0\.4|handlebars@4\.7\.9" pnpm-lock.yaml -> matches present
• pnpm audit --json -> exit 1 (remaining advisories outside this targeted remediation set)

Remaining Unresolved Alerts

• Baseline Dependabot alerts in scope (#30, #31, #33, #34, #35): no unpatchable entries; each had a published patched version and was lockfile-resolved in this branch.
• Additional npm advisories still reported by pnpm audit are outside this specific lockfile remediation set and require separate upstream dependency upgrade work.