Commit 2fc1d8f
fix(security): bump transitive deps to patch Snyk vulnerabilities
Add/update overrides + resolutions in frontend/package.json to remediate
Snyk findings in production dependency tree.
Runtime fixes:
- dompurify >=3.4.0 (via @milkdown/kit chain) - operator precedence
- hono >=4.12.14 & @hono/node-server >=1.19.13 (via @modelcontextprotocol/sdk)
- directory traversal, HTTP response splitting, XSS, improper input validation
Dev-time fixes picked up through hoisted tree:
- picomatch >=2.3.2 (ReDoS + prototype pollution via chokidar/micromatch)
- webpack >=5.104.1 (SSRF in HMR runtime)
- @tootallnate/once >=3.0.1 (control flow scoping via jsdom/http-proxy-agent)
- sirv >=3.0.2 (directory traversal via webpack-bundle-analyzer)
Verified:
- snyk test --file=package.json -> 0 vulnerable paths (production)
- bun run type:check -> passes
- bun run lint:check -> passes
- bun run test:unit -> 749/749 pass
- bun run build -> succeeds
Remaining deferred findings:
- elliptic@6.6.1 (Medium) - no upstream fix; already on latest 6.x
- Dev-only tooling (testcontainers, rspack, vite transitives) not in prod bundle

1 parent 99bd993
commit 2fc1d8f
3 files changed, +293 -131 lines changed
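A local check of the kind the "0 vulnerable paths" verification above relies on: walk a resolved dependency tree and flag any path whose version is below the floors named in this commit. This is an added example, not code from the commit or the project; the tree shape follows `npm ls --json`, and the sample tree, its parent versions and the helper names are constructed here.

```javascript
// Minimum versions taken from the commit message above.
const FLOORS = {
  dompurify: "3.4.0",
  hono: "4.12.14",
  "@hono/node-server": "1.19.13",
  picomatch: "2.3.2",
  webpack: "5.104.1",
  "@tootallnate/once": "3.0.1",
  sirv: "3.0.2",
};

// Numeric semver comparison on major.minor.patch; prerelease tags are ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively walk `dependencies` (npm ls --json shape) and collect every
// path whose resolved version is below its floor. `path` is the chain of
// name@version entries from the root, so nested copies are reported too.
function findVulnerablePaths(tree, floors = FLOORS, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${node.version}`];
    if (floors[name] && compareVersions(node.version, floors[name]) < 0) {
      hits.push({ path: chain.join(" > "), required: `>=${floors[name]}` });
    }
    hits.push(...findVulnerablePaths(node, floors, chain));
  }
  return hits;
}

// Constructed sample tree (versions of the parents are placeholders):
// a stale dompurify under @milkdown/kit and an already-patched hono
// under @modelcontextprotocol/sdk.
const SAMPLE_TREE = {
  dependencies: {
    "@milkdown/kit": { version: "1.0.0", dependencies: {
      dompurify: { version: "3.2.0" } } },
    "@modelcontextprotocol/sdk": { version: "1.0.0", dependencies: {
      hono: { version: "4.12.14" } } },
  },
};

console.log(findVulnerablePaths(SAMPLE_TREE));
```

Pipe real output in with `npm ls --all --json` (or the equivalent for your package manager) in place of `SAMPLE_TREE`; an empty result corresponds to the "0 vulnerable paths" state the commit reports.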