[codex] Refresh vulnerable dev dependency cluster#15

Draft
Jesssullivan wants to merge 1 commit into jess/tin-168-add-blocking-ci-and-bazel-publish-parity from jess/tin-169-refresh-vulnerable-dev-dependencies
Conversation

@Jesssullivan
Contributor

What changed

  • refreshed the vulnerable dev-toolchain cluster to current compatible versions:
    • vite -> ^6.4.2
    • vitest -> ^4.1.4
    • svelte -> ^5.55.4
    • svelte-check -> ^4.4.6
    • @fast-check/vitest -> ^0.4.0
  • tightened the older broad specifiers for @sveltejs/package and @sveltejs/vite-plugin-svelte to the currently validated ranges already in use
  • added a minimal pnpm override forcing picomatch ^4.0.4 so the remaining transitive advisory clears without a bigger toolchain migration
  • refreshed the lockfile to the resolved patched graph (devalue 5.7.1, picomatch 4.0.4, vite 6.4.2, vitest 4.1.4)

Why

The repo still had 6 open Dependabot/npm audit alerts, concentrated in the dev toolchain rather than the published runtime package surface. The goal here is to clear that vulnerability cluster with the smallest safe dependency move, not to do a broad framework upgrade.

Impact

  • local advisory checks now return clean
  • the refreshed dependency graph still passes both package-manager and Bazel validation lanes
  • the Vitest adapter now matches the upgraded Vitest major instead of relying on an out-of-range peer

Validation

  • pnpm audit --prod --dev
  • pnpm run check:release-metadata
  • pnpm run build
  • pnpm run check
  • pnpm run test
  • pnpm run check:package
  • npx --yes @bazel/bazelisk build //:pkg //:typecheck //:test --verbose_failures
  • npm_config_cache=/tmp/tinyvectors-npm-cache npm publish --dry-run --ignore-scripts --access public ./bazel-bin/pkg

Notes

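The "minimal pnpm override" bullet above describes the mechanism without showing it. The fragment below is an added illustration, not the repository's actual package.json: it shows how the refreshed devDependency ranges and the `pnpm.overrides` entry for picomatch would sit together. The package name is a placeholder, and the surrounding fields are assumed; only the version specifiers come from the PR description.

```json
{
  "name": "example-package-placeholder",
  "devDependencies": {
    "vite": "^6.4.2",
    "vitest": "^4.1.4",
    "svelte": "^5.55.4",
    "svelte-check": "^4.4.6",
    "@fast-check/vitest": "^0.4.0"
  },
  "pnpm": {
    "overrides": {
      "picomatch": "^4.0.4"
    }
  }
}
```

The override applies to every transitive resolution of picomatch in the graph, which is what lets the advisory clear without bumping the packages that depend on it. After `pnpm install`, `pnpm why picomatch` shows which dependents now resolve to the forced version, and `pnpm audit --prod --dev` confirms no advisory remains; an override that pins a major the dependents do not support would surface there as a peer or install failure rather than silently.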