
fix: batch simple dependency bumps #11

Open
lfarrel6 wants to merge 1 commit into main from COM-57/batch-dependency-bumps


Conversation

@lfarrel6
Member

Resolves COM-57

Summary

Batch dependency bumps addressing 2 CVEs.

Highest Severity: HIGH | Earliest SLA: 2026-05-19T17:42:52.465Z


1. CVE-2026-39364 — Vite server.fs.deny Bypass via Query Parameters

Severity: HIGH | CVSS: 0
SLA Deadline: 2026-05-19T17:42:52.465Z
Affected Package: vite >= 7.1.0, <= 7.3.1 → Fixed in 7.3.2
Dependabot Alert: https://github.com/evervault/3ds-example/security/dependabot/41

Files blocked by server.fs.deny (e.g. .env, *.crt) could be retrieved by appending special query parameters (?raw, ?import&raw, ?import&url&inline) to URLs, silently bypassing protection for sensitive files.

Fix: Bumped vite devDependency from ^7.1.12 to ^7.3.2 (resolved to 7.3.3).


2. CVE-2025-64118 — tar Uninitialized Memory Disclosure via tar.t({ sync: true })

Severity: MEDIUM | CVSS: 0
SLA Deadline: 2026-05-29T18:11:52.722Z
Affected Package: tar = 7.5.1 → Fixed in 7.5.2
Dependabot Alert: https://github.com/evervault/3ds-example/security/dependabot/23

When tar.t/tar.list is called with { sync: true } and an onReadEntry handler, a race condition with concurrent file truncation could cause Node.js to return a buffer containing uninitialized process memory. tar is a transitive dependency via vite-plugin-vercel → @vercel/nft → @mapbox/node-pre-gyp → tar.

Fix: Added "tar": "^7.5.2" to pnpm.overrides in package.json (resolved to 7.5.15), following the same pattern already used for path-to-regexp and esbuild.


Changes

  • package.json: bumped vite to ^7.3.2, added tar override ^7.5.2
  • pnpm-lock.yaml: regenerated lockfile entries for vite and tar
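Added example, not part of this PR or the evervault/3ds-example project: a small dependency-free Node.js script that reads the `packages:` keys of a pnpm-lock.yaml and flags any resolved version that falls inside the affected ranges quoted in the description above (vite >= 7.1.0, <= 7.3.1; tar = 7.5.1). A reviewer can run it against the regenerated lockfile to confirm the bumps actually moved both packages past their fixed versions, including transitive entries such as tar, which has no direct entry in package.json. The two lockfile excerpts, the `sha512-CONSTRUCTED` integrity values and the "before" resolved version of vite are constructed for the demo; the key format (`name@version(...)`, quoted when scoped) is an assumption about pnpm lockfile v9 layout.

```javascript
// Added example: audit resolved pnpm lockfile versions against the affected
// ranges named in the PR. Not project code; lockfile excerpts are constructed.

// Numeric comparison of dotted versions (plain string compare would rank
// "7.5.15" below "7.5.2"). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected ranges exactly as stated in the PR description.
const ADVISORIES = [
  { id: 'CVE-2026-39364', pkg: 'vite', min: '7.1.0', max: '7.3.1', fixed: '7.3.2' },
  { id: 'CVE-2025-64118', pkg: 'tar', min: '7.5.1', max: '7.5.1', fixed: '7.5.2' },
];

function isAffected(adv, version) {
  return compareVersions(version, adv.min) >= 0 && compareVersions(version, adv.max) <= 0;
}

// Package keys in the `packages:` / `snapshots:` sections sit at two-space
// indent and look like `tar@7.5.15:`, `vite@7.3.3(@types/node@22.0.0):` or,
// for scoped packages, `'@vercel/nft@0.27.0':` (assumed v9 layout).
const PKG_KEY = /^ {2}'?\/?(@?[^@']+)@(\d+\.\d+\.\d+)[^\s]*:$/;

// Returns Map<name, Set<resolvedVersion>>; a package may resolve more than once.
function resolvedVersions(lockText) {
  const out = new Map();
  for (const line of lockText.split('\n')) {
    const m = PKG_KEY.exec(line);
    if (!m) continue;
    const [, name, version] = m;
    if (!out.has(name)) out.set(name, new Set());
    out.get(name).add(version);
  }
  return out;
}

// One finding per (advisory, resolved version) still inside the affected range.
function auditLockfile(lockText) {
  const findings = [];
  const resolved = resolvedVersions(lockText);
  for (const adv of ADVISORIES) {
    for (const version of resolved.get(adv.pkg) ?? []) {
      if (isAffected(adv, version)) {
        findings.push({ id: adv.id, pkg: adv.pkg, version, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

// Constructed excerpt resembling the lockfile before the bumps.
const LOCKFILE_BEFORE = `lockfileVersion: '9.0'

packages:

  '@vercel/nft@0.27.0':
    resolution: {integrity: sha512-CONSTRUCTED}

  tar@7.5.1:
    resolution: {integrity: sha512-CONSTRUCTED}

  vite@7.1.12(@types/node@22.0.0):
    resolution: {integrity: sha512-CONSTRUCTED}
`;

// Constructed excerpt with the resolved versions the PR reports (7.3.3, 7.5.15).
const LOCKFILE_AFTER = LOCKFILE_BEFORE
  .replace('tar@7.5.1:', 'tar@7.5.15:')
  .replace('vite@7.1.12(', 'vite@7.3.3(');

// Stand-alone run: prints the findings for both excerpts.
for (const [label, text] of [['before', LOCKFILE_BEFORE], ['after', LOCKFILE_AFTER]]) {
  const findings = auditLockfile(text);
  console.log(`${label}: ${findings.length} affected package(s)`);
  for (const f of findings) {
    console.log(`  ${f.id}: ${f.pkg}@${f.version} (fixed in ${f.fixed})`);
  }
}

module.exports = { compareVersions, isAffected, resolvedVersions, auditLockfile, LOCKFILE_BEFORE, LOCKFILE_AFTER };
```

The script only checks the `packages:` keys, so it sees every copy of tar that the lockfile resolves, not just the one the pnpm override targets; an override that fails to apply to some path would still show up as a finding.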

@lfarrel6 lfarrel6 requested review from jakekgrog and joshpensky May 12, 2026 10:07
@lfarrel6 lfarrel6 mentioned this pull request May 12, 2026
