chore(deps): pnpm overrides for vite/esbuild/postcss (close transitive CVEs)

Brings pnpm audit to zero (was 47 going in this session).

These three couldn't be cleanly bumped at the top level because they're
transitive deps of dev tools we can't touch yet:
- vite@8.0.0 came in via vitest@4.1.5 (which is the latest vitest);
  fixes Vite ".../fs.deny" bypass + arbitrary file read via dev-server
  WebSocket (both high).
- Older esbuild dupes came via tsx, drizzle-kit, vite, etc.; fixes
  esbuild dev-server CORS-bypass advisory.
- Older postcss dupes came via postcss-import / postcss-js / postcss-nested
  / postcss-load-config (all transitive of tailwindcss 3); fixes the
  unescaped </style> XSS in stringify output.

`pnpm.overrides` syntax in package.json forces the version everywhere.
Used an exact pin for vite (it's strict-pinned by vitest) and >= ranges
for the other two.

Also rolled esbuild dev dep back to 0.27.7 to satisfy vitest's peer
dep (vitest expects ^0.27.0; we'd briefly bumped to 0.28.0).

Tests: 1185/1185. pnpm audit: 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

package.json

@@ -115,7 +115,7 @@
     "autoprefixer": "^10.5.0",
     "dotenv": "^17.4.2",
     "drizzle-kit": "^0.31.10",
-    "esbuild": "^0.28.0",
+    "esbuild": "^0.27.7",
     "eslint": "^9.39.4",
     "eslint-config-next": "15.5.18",
     "eslint-config-prettier": "^10.1.8",
@@ -128,5 +128,12 @@
     "tsx": "^4.21.0",
     "typescript": "^6.0.3",
     "vitest": "^4.1.5"
+  },
+  "pnpm": {
+    "overrides": {
+      "vite": "8.0.5",
+      "esbuild": ">=0.25.0",
+      "postcss": ">=8.5.10"
+    }
   }
 }