fix(deps): resolve pnpm audit vulnerabilities (#16)

## Summary
- Add pnpm overrides to force patched transitive dependency versions
- **picomatch** `>=4.0.4` — fixes ReDoS + method injection
(GHSA-c2c7-rcm5-vvqj, GHSA-3v7f-55p6-f55p)
- **yaml** `>=2.8.3` — fixes stack overflow via deeply nested
collections (GHSA-48c2-rrv3-qjmp)
- **smol-toml** `>=1.6.1` — fixes DoS via consecutive commented lines
(GHSA-v3rj-xjv7-4jmq)
- **brace-expansion** `>=5.0.5` — fixes process hang via zero-step
sequences (GHSA-f886-m6hf-6m8v)
- Resolves all 5 unignored audit findings → only pre-existing ignored
CVEs remain

## Test plan
- [x] `./scripts/audit.sh` passes locally
- [x] CI lint passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ben-miru

package.json

@@ -25,6 +25,10 @@
       "lodash": ">=4.17.23",
       "mdast-util-to-hast": ">=13.2.1",
       "minimatch": ">=9.0.7",
+      "picomatch": ">=4.0.4",
+      "smol-toml": ">=1.6.1",
+      "yaml": ">=2.8.3",
+      "brace-expansion": ">=5.0.5",
       "path-to-regexp": ">=0.1.12",
       "qs": ">=6.14.2",
       "send": ">=0.19.0",