build(deps): pin patched transitive dependency versions #28

Merged
dev-jodee merged 1 commit into main from fix/dependabot-transitive-remediation-2
Mar 27, 2026

Conversation

@dev-jodee
Collaborator

Summary

  • Added targeted pnpm.overrides to pin patched transitives for open npm alerts:
    • ajv@^6.0.0 -> 6.14.0
    • brace-expansion@^1.0.0 -> 1.1.13
    • brace-expansion@^2.0.0 -> 2.0.3
    • flatted@^3.0.0 -> 3.4.2
    • h3@^1.0.0 -> 1.15.9
    • lodash@^4.0.0 -> 4.17.23
    • minimatch@^3.0.0 -> 3.1.4
    • minimatch@^9.0.0 -> 9.0.7
    • socket.io-parser@^4.0.0 -> 4.2.6
  • Regenerated pnpm-lock.yaml with pnpm install --lockfile-only.
  • Updated Rust lockfile-resolvable alerts in Cargo.lock:
    • keccak 0.1.5 -> 0.1.6
    • quinn-proto 0.11.13 -> 0.11.14

Fixed Alerts (Targeted)

  • #4, #6, #7, #8, #9, #10, #11, #12, #13, #14, #16, #23, #25, #26, #28, #36, #37

Test Plan

  • gh api ID sweep verified 19 currently-open alerts before this PR and identified patchability.
  • pnpm install --lockfile-only -> exit 0
  • rg checks confirmed vulnerable npm versions removed from lockfile:
    • removed: ajv@6.12.6, minimatch@3.1.2, minimatch@9.0.5, flatted@3.3.3, lodash@4.17.21, socket.io-parser@4.2.5, h3@1.15.6, brace-expansion@1.1.12, brace-expansion@2.0.2
    • present: ajv@6.14.0, minimatch@3.1.4, minimatch@9.0.7, flatted@3.4.2, lodash@4.17.23, socket.io-parser@4.2.6, h3@1.15.9, brace-expansion@1.1.13
  • cargo update -p keccak --precise 0.1.6 -> exit 0
  • cargo update -p quinn-proto --precise 0.11.14 -> exit 0
  • cargo tree -i keccak shows keccak v0.1.6
  • cargo tree -i quinn-proto shows quinn-proto v0.11.14
  • cargo audit --json -> exit 0, vulnerabilities.found = false
  • pnpm audit --json -> exit 1 with remaining advisories only in bigint-buffer and elliptic

Remaining Unresolved Alerts

  • #15 (elliptic): no patched release published (first_patched_version: none)
  • #21 (bigint-buffer): no patched release published (first_patched_version: none)

Add pnpm overrides for ajv, brace-expansion (major 1 and 2), flatted, h3, lodash, minimatch (major 3 and 9), and socket.io-parser; regenerate pnpm-lock.yaml.

Update Cargo.lock with keccak 0.1.6 and quinn-proto 0.11.14.

Remaining unpatchable alerts: #15 (elliptic, no patched release) and #21 (bigint-buffer, no patched release).
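A checker for the lockfile verification step in the Test Plan above, added here as an example and not code from the PR or the project: it scans the packages: section of a pnpm-lock.yaml for the vulnerable versions the PR expects to be gone, and for any resolved version inside an overridden major line that is not the pinned target (which would mean an override did not take effect). The key regex, the constructed lockfile fragment and the reading of the caret overrides as "one major line" are assumptions of this example.

```python
import re
# pnpm.overrides from this PR (override key -> pinned patched version).
OVERRIDES = {
    "ajv@^6.0.0": "6.14.0", "brace-expansion@^1.0.0": "1.1.13", "brace-expansion@^2.0.0": "2.0.3",
    "flatted@^3.0.0": "3.4.2", "h3@^1.0.0": "1.15.9", "lodash@^4.0.0": "4.17.23",
    "minimatch@^3.0.0": "3.1.4", "minimatch@^9.0.0": "9.0.7", "socket.io-parser@^4.0.0": "4.2.6",
}
# Versions the PR's rg checks expect to be gone from the lockfile.
VULNERABLE = {
    "ajv@6.12.6", "minimatch@3.1.2", "minimatch@9.0.5", "flatted@3.3.3", "lodash@4.17.21",
    "socket.io-parser@4.2.5", "h3@1.15.6", "brace-expansion@1.1.12", "brace-expansion@2.0.2",
}
# Package key under `packages:`: `/ajv@6.12.6:` (lockfile v6) or `ajv@6.14.0:` /
# `'@scope/name@1.0.0':` (v9); a peer-dependency suffix in parentheses is ignored.
PKG_KEY = re.compile(r"^ {2}'?/?(?P<name>@?[^@\s(']+)@(?P<version>\d[^\s(:']*)")

def resolved_versions(lock_text):
    """Map package name -> set of versions listed in the packages: section."""
    found, in_packages = {}, False
    for line in lock_text.splitlines():
        if line and not line[0].isspace():  # a top-level key starts a new section
            in_packages = line.startswith("packages:")
        elif in_packages and (m := PKG_KEY.match(line)):
            found.setdefault(m["name"], set()).add(m["version"])
    return found

def still_vulnerable(found, vulnerable=VULNERABLE):
    return sorted(f"{n}@{v}" for n, vs in found.items() for v in vs if f"{n}@{v}" in vulnerable)

def override_violations(found, overrides=OVERRIDES):
    """Resolved versions inside an overridden major line that differ from the pin."""
    out = []
    for key, target in overrides.items():
        name, rng = key.rsplit("@", 1)
        major = rng.lstrip("^~").split(".")[0]  # caret ranges as used in this PR
        out += [f"{name}@{v} (override {key} -> {target})"
                for v in sorted(found.get(name, ())) if v.split(".")[0] == major and v != target]
    return out

# Constructed lockfile fragment (not the project's): minimatch 9.0.5 deliberately left behind.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'
overrides:
  minimatch@^9.0.0: 9.0.7
packages:
  ajv@6.14.0:
  minimatch@3.1.4:
  minimatch@9.0.5:
    resolution: {integrity: sha512-constructed}
snapshots:
  minimatch@9.0.5: {}
"""
```

Run against the real pnpm-lock.yaml, both functions returning empty lists is the condition the PR's "removed" and "present" checks express.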
dev-jodee requested a review from amilz on March 27, 2026 at 18:00
dev-jodee merged commit 1041b6a into main on Mar 27, 2026
7 checks passed
dev-jodee deleted the fix/dependabot-transitive-remediation-2 branch on March 27, 2026 at 18:17