chore(deps): upgrade vite so esbuild ≥0.28.1, then drop the GHSA-gv7w-rqvm-qjhr audit ignore #64

@olivrg

Description

Context

PR #63 added a scoped pnpm.auditConfig.ignoreGhsas entry for GHSA-gv7w-rqvm-qjhr (esbuild RCE via NPM_CONFIG_REGISTRY, patched in esbuild >=0.28.1) to unblock the pnpm audit --audit-level=high CI gate.

esbuild is a build-time-only transitive dependency (tsup for the proxy build, vite for the dashboard build) and is not in the shipped @gethelio/proxy runtime, so the ignore is low-risk. But it is a temporary suppression, not a fix.

The proper fix (bumping esbuild to ^0.28.1 via a pnpm override) was tried and reverted: vite@6.4.2 cannot compile against esbuild 0.28 — the dashboard build fails with 600+ "Transforming destructuring … is not supported yet" errors. There is no patched esbuild below 0.28.1, so closing this requires a vite upgrade.

Task

  • Upgrade vite (and tsup if needed) to a release whose esbuild dependency is >=0.28.1.
  • Verify the dashboard build (pnpm --filter @gethelio/dashboard build) and the full pnpm build.
  • Confirm pnpm audit --audit-level=high passes with esbuild on the patched line.
  • Remove the pnpm.auditConfig.ignoreGhsas entry from root package.json.
  • Smoke-test the dashboard UI (the bundle is what changes).

Notes

vite 6 → 7 is a major bump (Rollup / plugin API surface), so budget for some breakage in the dashboard build config. Keep it isolated in its own PR.
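Added example, not the issue author's text or the gethelio project's own code: a small offline check that encodes the closing conditions of this issue (every esbuild version resolved in pnpm-lock.yaml is on the patched >=0.28.1 line, and root package.json no longer carries the GHSA-gv7w-rqvm-qjhr entry under pnpm.auditConfig.ignoreGhsas). It assumes pnpm's lockfile layout, where resolved packages appear as keys like `esbuild@0.21.5:` (lockfile v6 prefixes them with `/`) and snapshot dependency lines look like `esbuild: 0.21.5`; the lockfile and package.json fragments at the bottom are constructed samples, not the repository's files. Run it as a CI step after `pnpm install --frozen-lockfile` so the suppression cannot silently come back.

```javascript
// Added example: gate that fails when esbuild is still below the patched line
// or the GHSA audit ignore is still present. Not part of the gethelio repo.
const PATCHED_ESBUILD = "0.28.1";            // from the advisory: fixed in esbuild >=0.28.1
const GHSA_ID = "GHSA-gv7w-rqvm-qjhr";       // the ignore entry this issue wants removed

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare so that 0.28.10 sorts above 0.28.1 (string compare would not).
function cmpSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Every esbuild version the lockfile resolves, from package keys ("esbuild@X.Y.Z:",
// "/esbuild@X.Y.Z:") and snapshot dependency lines ("    esbuild: X.Y.Z").
// Platform binaries like "@esbuild/linux-x64@X.Y.Z" carry the same version and are skipped.
function esbuildVersionsInLockfile(lockText) {
  const versions = new Set();
  const patterns = [
    /^\s*\/?esbuild@(\d+\.\d+\.\d+[^:'"\s(]*)/gm,
    /^\s*esbuild:\s*(\d+\.\d+\.\d+[^:'"\s(]*)/gm,
  ];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(lockText)) !== null) versions.add(m[1]);
  }
  return [...versions].sort((a, b) => cmpSemver(a, b));
}

// Versions that are still vulnerable, i.e. strictly below the patched release.
function unpatchedEsbuild(lockText) {
  return esbuildVersionsInLockfile(lockText).filter((v) => cmpSemver(v, PATCHED_ESBUILD) < 0);
}

// True if root package.json still suppresses the advisory via pnpm.auditConfig.ignoreGhsas.
function hasAuditIgnore(pkgJsonText, ghsa = GHSA_ID) {
  const pkg = JSON.parse(pkgJsonText);
  const ignores = pkg?.pnpm?.auditConfig?.ignoreGhsas ?? [];
  return Array.isArray(ignores) && ignores.includes(ghsa);
}

// Returns a list of human-readable problems; empty list means the gate passes.
function check(lockText, pkgJsonText) {
  const problems = [];
  for (const v of unpatchedEsbuild(lockText)) {
    problems.push(`esbuild@${v} resolved in pnpm-lock.yaml is below ${PATCHED_ESBUILD}`);
  }
  if (hasAuditIgnore(pkgJsonText)) {
    problems.push(`${GHSA_ID} is still listed in pnpm.auditConfig.ignoreGhsas`);
  }
  return problems;
}

// ---- Constructed samples (not the real lockfile / package.json) ----
const LOCK_BEFORE = `
packages:
  esbuild@0.21.5:
    resolution: {integrity: sha512-xxx}
  esbuild@0.25.4:
    resolution: {integrity: sha512-yyy}
  '@esbuild/linux-x64@0.21.5':
    resolution: {integrity: sha512-platform}
snapshots:
  vite@6.4.2:
    dependencies:
      esbuild: 0.21.5
`;
const LOCK_AFTER = `
packages:
  esbuild@0.28.1:
    resolution: {integrity: sha512-zzz}
snapshots:
  vite@7.0.0:
    dependencies:
      esbuild: 0.28.1
`;
const PKG_BEFORE = JSON.stringify({
  name: "gethelio-root", private: true,
  pnpm: { auditConfig: { ignoreGhsas: ["GHSA-gv7w-rqvm-qjhr"] } },
});
const PKG_AFTER = JSON.stringify({ name: "gethelio-root", private: true, pnpm: {} });

// Stand-alone run: print the findings for the "before" state (3 problems) and "after" (none).
console.log(check(LOCK_BEFORE, PKG_BEFORE));
console.log(check(LOCK_AFTER, PKG_AFTER));
```

In a real CI job the two inputs would be read from `pnpm-lock.yaml` and the root `package.json` and the process would exit non-zero when `check()` returns anything, which keeps `pnpm audit --audit-level=high` honest even if someone re-adds the ignore in a later PR.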

Metadata

Assignees

No one assigned

    Labels

    No labels

    Type

    No type

    Projects

    Status
    Backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests