
fix(deps): patch 6 build-dependency CVEs (astro/vite/js-yaml/devalue)#364

Merged: enyineer merged 2 commits into main from chore/dep-cve-bumps on Jun 26, 2026

Conversation

@enyineer

Owner

Follow-up to #362 (merged): clears the 6 pre-existing Security (Trivy) CVEs in build-tooling deps, without the full-re-resolve breakage an earlier attempt hit.

What

| Package | From → To | CVE |
|---|---|---|
| astro (docs) | 6.4.2 → 6.4.8 | CVE-2026-54298, CVE-2026-54299 |
| vite (docs-scoped) | 7.3.2 → 7.3.6 | CVE-2026-53632, CVE-2026-53571 |
| devalue (via astro) | 5.8.0 → 5.8.1 | CVE-2026-42570 |
| js-yaml (v4) | 4.1.1 → 4.2.0 | CVE-2026-53550 |

How (and why it's safe)

A full rm bun.lock && bun install fixes the CVEs but bumps the frontend's vite@8.0.16→8.1.0 and rolldown@1.0.3→1.1.3, which breaks the frontend build (and pinning them back didn't help — a third transitive dep regressed). So this is a targeted bump:

  • docs/package.json: astro ^6.4.6 + a docs-scoped vite ^7.3.5 devDep → only the docs tree gets the fixes; the frontend workspace's vite@8 is a separate resolution, untouched.
  • Root package.json: a js-yaml ^4.2.0 devDep pins the v4 instance, and the 5 nested @astrojs/* / @changesets/parse / @eslint/eslintrc js-yaml@4.1.1 lockfile entries are removed so they dedupe to 4.2.0. read-yaml-file's js-yaml@3.14.2 (uses the removed safeLoad, and Trivy did not flag it) stays on v3.

Net: a 3-file diff; the frontend's vite@8.0.16 + rolldown@1.0.3 are byte-for-byte unchanged.

Verification (local)

  • bun install --frozen-lockfile — consistent.
  • Frontend build ✓ and docs build ✓ (the build the earlier full-re-resolve broke).
  • bun run typecheck ✓, bun run lint ✓, bun test core/scripts (incl. docs-index drift guard) ✓.
  • Clean-reinstall: no vite@7.3.2 / js-yaml@4.1.1 / astro@6.4.2 / devalue@5.8.0 / rolldown@1.1.3 remain in node_modules.

🤖 Generated with Claude Code

https://claude.ai/code/session_011v4Nr8YnMGMRziVhgqTc1z
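The "clean-reinstall" verification above is a manual grep of node_modules. As an added example (not code from this PR or the project), the script below does the same check against a bun.lock-style `packages` map: it flags lockfile entries whose resolved version is still inside an advisory's affected range, and lists packages that appear under more than one lockfile key at the same major, which is the nested js-yaml@4.1.1 situation the PR resolved by deleting those entries. The lockfile layout (`packages: { key: ["name@version", registry, meta, integrity] }`) is assumed from bun's text lockfile format, and both lockfile states and the `ADVISORIES` table are constructed from the CVE table in the PR description.

```javascript
// Added example, not the project's code. Audits a bun.lock-style "packages" map
// against a small advisory table and finds same-major duplicates worth deduping.

// Affected major + first fixed version per package (constructed from the PR's table).
// Scoping by major mirrors Trivy not flagging the frontend's vite@8 or
// read-yaml-file's js-yaml@3 (assumption about those advisories' ranges).
const ADVISORIES = {
  astro:     { major: 6, fixed: '6.4.8', cves: ['CVE-2026-54298', 'CVE-2026-54299'] },
  vite:      { major: 7, fixed: '7.3.6', cves: ['CVE-2026-53632', 'CVE-2026-53571'] },
  devalue:   { major: 5, fixed: '5.8.1', cves: ['CVE-2026-42570'] },
  'js-yaml': { major: 4, fixed: '4.2.0', cves: ['CVE-2026-53550'] },
};

// "1.2.3-beta.1" -> [1, 2, 3]; prerelease tags are ignored for this comparison.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => Number.parseInt(n, 10));
}

// Numeric (not lexicographic) comparison of major.minor.patch.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Split "name@version"; scoped names ("@scope/pkg@1.0.0") start with "@", so use the last "@".
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Affected when the version shares the advisory's major and is older than the fix.
function isVulnerable(name, version) {
  const adv = ADVISORIES[name];
  if (!adv) return false;
  return parseVersion(version)[0] === adv.major && compareVersions(version, adv.fixed) < 0;
}

// Every lockfile entry (hoisted or nested) whose resolved version is still affected.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    const { name, version } = splitSpec(entry[0]);
    if (isVulnerable(name, version)) {
      findings.push({ key, name, version, fixed: ADVISORIES[name].fixed, cves: ADVISORIES[name].cves });
    }
  }
  return findings;
}

// Packages present under several lockfile keys at the same major are candidates for
// deduping to one hoisted copy; different majors (vite 7 vs 8) are intentionally separate.
function dedupeCandidates(lock) {
  const byNameMajor = new Map();
  for (const [key, entry] of Object.entries(lock.packages)) {
    const { name, version } = splitSpec(entry[0]);
    const id = `${name}@${parseVersion(version)[0]}`;
    if (!byNameMajor.has(id)) byNameMajor.set(id, []);
    byNameMajor.get(id).push({ key, version });
  }
  return [...byNameMajor.entries()]
    .filter(([, copies]) => copies.length > 1)
    .map(([id, copies]) => ({ id, copies }));
}

const INTEGRITY = 'sha512-CONSTRUCTED';
// CONSTRUCTED lockfile state before the PR: nested js-yaml@4.1.1 copies, docs vite@7.3.2.
const LOCK_BEFORE = { lockfileVersion: 1, packages: {
  'astro':                    ['astro@6.4.2', '', {}, INTEGRITY],
  'astro/vite':               ['vite@7.3.2', '', {}, INTEGRITY],
  'vite':                     ['vite@8.0.16', '', {}, INTEGRITY],
  'rolldown':                 ['rolldown@1.0.3', '', {}, INTEGRITY],
  'devalue':                  ['devalue@5.8.0', '', {}, INTEGRITY],
  'js-yaml':                  ['js-yaml@4.1.1', '', {}, INTEGRITY],
  '@eslint/eslintrc/js-yaml': ['js-yaml@4.1.1', '', {}, INTEGRITY],
  'read-yaml-file/js-yaml':   ['js-yaml@3.14.2', '', {}, INTEGRITY],
}};
// CONSTRUCTED state after the PR: docs subtree patched, nested js-yaml@4 deduped to 4.2.0.
const LOCK_AFTER = { lockfileVersion: 1, packages: {
  'astro':                    ['astro@6.4.8', '', {}, INTEGRITY],
  'astro/vite':               ['vite@7.3.6', '', {}, INTEGRITY],
  'vite':                     ['vite@8.0.16', '', {}, INTEGRITY],
  'rolldown':                 ['rolldown@1.0.3', '', {}, INTEGRITY],
  'devalue':                  ['devalue@5.8.1', '', {}, INTEGRITY],
  'js-yaml':                  ['js-yaml@4.2.0', '', {}, INTEGRITY],
  'read-yaml-file/js-yaml':   ['js-yaml@3.14.2', '', {}, INTEGRITY],
}};

for (const f of auditLockfile(LOCK_BEFORE)) {
  console.log(`before: ${f.key} -> ${f.name}@${f.version} (fixed in ${f.fixed}; ${f.cves.join(', ')})`);
}
console.log('after: findings =', auditLockfile(LOCK_AFTER).length);
console.log('before: dedupe candidates =', JSON.stringify(dedupeCandidates(LOCK_BEFORE)));
```

Running it prints five findings for the before-state (astro, the nested docs vite, devalue, and both js-yaml@4.1.1 keys), zero for the after-state, and one dedupe candidate (js-yaml@4 under two keys) that disappears once the nested entries are gone; vite@8.0.16 and js-yaml@3.14.2 are never flagged, matching what the PR says Trivy reported.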

…toolchain

Trivy flagged 6 fixable CVEs in pre-existing build-tooling deps. A full lockfile
re-resolve cleared them but broke the frontend build (vite/rolldown bumps).
Instead, bump only the docs/astro subtree and the v4 js-yaml, leaving the
frontend's vite@8 / rolldown@1.0.3 and changesets' read-yaml-file js-yaml@3
untouched:

- astro 6.4.2 -> 6.4.8   (docs devDep range; CVE-2026-54298, CVE-2026-54299)
- vite 7.3.2 -> 7.3.6    (docs-scoped devDep; CVE-2026-53632, CVE-2026-53571)
- devalue 5.8.0 -> 5.8.1 (transitive via astro; CVE-2026-42570)
- js-yaml 4.1.1 -> 4.2.0 (root devDep pins the v4 instance, deduping the nested
                          @astrojs/@changesets/@eslint copies; CVE-2026-53550)

The frontend vite@8.0.16 and rolldown@1.0.3 are unchanged (separate workspace),
so the app build is unaffected. Verified locally: frozen lockfile, frontend +
docs builds, typecheck, lint, and the scripts test suite all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011v4Nr8YnMGMRziVhgqTc1z
@changeset-bot

changeset-bot Bot commented Jun 26, 2026


⚠️ No Changeset found

Latest commit: 56cb5e0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions

Contributor

❌ PR Checks Failed

| Check | Status |
|---|---|
| Typecheck | ✅ Passed |
| Lint | ✅ Passed |
| Deps | ❌ Failed |
| Test | ✅ Passed |
| Integration | ✅ Passed |
| Security | ✅ Passed |
| E2E | ✅ Passed |
❌ Dependency Alignment Errors

```
── syncpack alignment ──
$ syncpack lint
= Unified external dependencies (issue #245) - must share one range ============
   4x vite
      ✘ ^7.3.5 → ^8.0.16 in docs/package.json at .devDependencies (DiffersToHighestOrLowestSemver)
✗ Issues found
error: script "deps:check" exited with code 1

── managed-override drift ──
$ bun run scripts/audit-overrides.ts --check
✓ 8 security + 4 intentional override(s) documented and consistent.
```

How to fix: The same external dependency is declared at divergent ranges across workspace package.json files. Run bun run deps:fix to auto-align them to the shared range (then bun install and commit), or run bun run deps:check locally to see the mismatches. The enforced set lives in .syncpackrc.json.

@enyineer The above code quality issues were found in this PR. Please fix them before merging.
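The Deps failure above is an alignment rule, not a vulnerability: the same external package declared at two different ranges in two workspace manifests. As an added example (not the project's .syncpackrc.json or its scripts), the check below reproduces that rule in a few dozen lines: it collects the ranges declared for an enforced set of packages across every workspace package.json, reports any package whose range differs between manifests, and suggests the highest declared range the way the syncpack output does. The manifests are constructed to mirror the PR's first push (an explicit docs-scoped `vite: ^7.3.5` beside the frontend's `^8.0.16`) and its fix-up commit (pin removed, so the docs tree's vite@7.3.6 is only a transitive dependency of astro and no longer a declared range); the `ENFORCED` list is an assumption standing in for the repo's real config.

```javascript
// Added example, not the project's syncpack configuration. Flags an enforced external
// dependency that is declared at divergent ranges across workspace package.json files.

// Stand-in for the enforced set (assumed; the real list lives in .syncpackrc.json).
const ENFORCED = ['vite', 'js-yaml'];

// Gather name -> { manifestPath -> declared range } over dependencies and devDependencies.
function collectRanges(manifests) {
  const ranges = new Map();
  for (const [path, pkg] of Object.entries(manifests)) {
    for (const section of ['dependencies', 'devDependencies']) {
      for (const [name, range] of Object.entries(pkg[section] || {})) {
        if (!ENFORCED.includes(name)) continue;
        if (!ranges.has(name)) ranges.set(name, {});
        ranges.get(name)[path] = range;
      }
    }
  }
  return ranges;
}

// Strip the range operator so "^8.0.16" and "^7.3.5" order by their base version.
function baseVersion(range) {
  return range.replace(/^[\^~>=<\s]+/, '');
}

// Highest declared range by numeric comparison of the base versions.
function highestRange(rangeList) {
  const sorted = [...rangeList].sort((a, b) =>
    baseVersion(a).localeCompare(baseVersion(b), undefined, { numeric: true }));
  return sorted[sorted.length - 1];
}

// One report per enforced package declared at more than one distinct range;
// every manifest not already on the highest range is an offender.
function findMisalignments(manifests) {
  const reports = [];
  for (const [name, byPath] of collectRanges(manifests)) {
    const distinct = [...new Set(Object.values(byPath))];
    if (distinct.length < 2) continue;
    const expected = highestRange(distinct);
    const offenders = Object.entries(byPath)
      .filter(([, range]) => range !== expected)
      .map(([path, range]) => ({ path, actual: range, expected }));
    reports.push({ name, declaredIn: Object.keys(byPath).length, offenders });
  }
  return reports;
}

// Render in the shape of the syncpack lines from the failed check.
function formatReport(reports) {
  return reports.flatMap((r) => [
    `${r.declaredIn}x ${r.name}`,
    ...r.offenders.map((o) => `   ✘ ${o.actual} → ${o.expected} in ${o.path}`),
  ]).join('\n');
}

// CONSTRUCTED manifests for the first push: four workspaces declare vite, one of them at ^7.3.5.
const MANIFESTS_FIRST_PUSH = {
  'package.json':          { devDependencies: { 'js-yaml': '^4.2.0' } },
  'frontend/package.json': { devDependencies: { vite: '^8.0.16' } },
  'core/package.json':     { devDependencies: { vite: '^8.0.16' } },
  'e2e/package.json':      { devDependencies: { vite: '^8.0.16' } },
  'docs/package.json':     { dependencies: { astro: '^6.4.6' }, devDependencies: { vite: '^7.3.5' } },
};
// CONSTRUCTED manifests after the fix-up commit: the explicit docs vite pin is removed.
const MANIFESTS_FIXED = {
  ...MANIFESTS_FIRST_PUSH,
  'docs/package.json': { dependencies: { astro: '^6.4.6' } },
};

console.log(formatReport(findMisalignments(MANIFESTS_FIRST_PUSH)) || 'aligned');
console.log(formatReport(findMisalignments(MANIFESTS_FIXED)) || 'aligned');
```

The first manifest set yields exactly the line the check printed (`4x vite`, with docs/package.json at `^7.3.5` expected to be `^8.0.16`); the second yields nothing, because a transitive resolution inside the docs tree is not a declared range and so never enters the alignment group. That is also why removing the pin, rather than raising it to ^8, was the right fix: it keeps the docs vite on the patched 7.3.6 that astro resolves itself.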

The explicit `vite` devDependency added to docs/package.json tripped
syncpack's unified-external-dependencies group, which forces `vite`
to the repo's highest range (the frontend's ^8.0.16). The pin was
redundant: astro 6.4.8 depends on `vite: ^7.3.2`, which already
resolves to the patched 7.3.6 transitively. Removing the explicit
pin keeps the CVE fix (vite@7.3.6, devalue@5.8.1, js-yaml@4.2.0,
astro@6.4.8) while leaving the frontend's vite@8.0.16 untouched and
satisfying `bun run deps:check`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011v4Nr8YnMGMRziVhgqTc1z
@github-actions

Contributor

✅ All PR Checks Passed

| Check | Status |
|---|---|
| Typecheck | ✅ Passed |
| Lint | ✅ Passed |
| Deps | ✅ Passed |
| Test | ✅ Passed |
| Integration | ✅ Passed |
| Security | ✅ Passed |
| E2E | ✅ Passed |

@enyineer All quality checks have passed. This PR is ready for your review.

@enyineer enyineer merged commit 5ef75b9 into main Jun 26, 2026
17 checks passed
@enyineer enyineer deleted the chore/dep-cve-bumps branch June 26, 2026 17:22