chore: remediate runtime HTTP advisories#366

Closed
bntvllnt wants to merge 1 commit into
mainfrom
chore/361-runtime-http-deps

Conversation

@bntvllnt
Collaborator

Summary

  • Pins the scoped runtime/HTTP transitive advisories from chore: remediate residual runtime dependency advisories from superseded #359 #361 through root pnpm.overrides.
  • Regenerates pnpm-lock.yaml for the scoped packages only: hono, @hono/node-server, express-rate-limit, axios, follow-redirects, fast-uri, and ip-address.
  • Leaves PostCSS/Vite/lodash/flatted/parser utility advisories out of scope for their dedicated routes.

Fixes #361

Audit evidence

pnpm audit --json --audit-level moderate still exits 1 because unrelated advisories remain, but the #361 scoped runtime/HTTP modules are no longer reported.

Latest scoped check:

  • audit summary: 1 low, 12 moderate, 13 high, 1 critical
  • scoped advisories for hono, @hono/node-server, express-rate-limit, axios, follow-redirects, fast-uri, ip-address: 0

Remaining advisories are outside this issue's scope and include packages such as brace-expansion, flatted, handlebars, lodash, path-to-regexp, picomatch, postcss, and vite.

Validation

  • pnpm install --frozen-lockfile --ignore-scripts
  • pnpm audit --json --audit-level moderate — expected non-zero due to out-of-scope advisories; scoped runtime/HTTP advisories: 0
  • pnpm -F @vllnt/ui lint
  • pnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.json
  • pnpm build
  • pnpm test:once — 216 files / 1215 tests passed

Notes

No publish, release, merge, or direct main edit performed.
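The "scoped check" the audit evidence above reports (overall severity totals plus a zero count for the seven in-scope modules) can be reproduced mechanically. The script below is an added example, not code from this PR or the vllnt repository; it assumes `pnpm audit --json` emits the npm-audit-v6 shaped document with a top-level `advisories` map keyed by advisory id and `metadata.vulnerabilities` totals, and the embedded JSON documents are constructed sample input.

```python
"""Scoped pnpm-audit check (added example, not the project's own code).
Assumes the npm-audit-v6 JSON shape pnpm emits: {"advisories": {id: {...}},
"metadata": {"vulnerabilities": {...}}}. Sample documents below are constructed."""
import json
import sys

# Modules the #361 remediation is scoped to (taken from the PR description).
SCOPED = {"hono", "@hono/node-server", "express-rate-limit", "axios",
          "follow-redirects", "fast-uri", "ip-address"}

# Constructed sample: only out-of-scope advisories remain, so the check passes.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "1001": {"module_name": "postcss", "severity": "moderate",
                 "findings": [{"version": "8.4.0", "paths": ["vite>postcss"]}]},
        "1002": {"module_name": "lodash", "severity": "high",
                 "findings": [{"version": "4.17.20", "paths": ["handlebars>lodash"]}]},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 0}},
})

# Constructed sample: an in-scope module is still reported, so the check fails.
SAMPLE_AUDIT_SCOPED_HIT = json.dumps({
    "advisories": {"2001": {"module_name": "axios", "severity": "high",
                            "findings": [{"version": "1.0.0", "paths": ["app>axios"]}]}},
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0,
                                     "high": 1, "critical": 0}},
})

def scoped_advisories(audit_json: str, scoped: set) -> list:
    """Advisories whose module_name is in scope, with the dependency paths that pull it in."""
    hits = []
    for adv_id, adv in json.loads(audit_json).get("advisories", {}).items():
        if adv.get("module_name") in scoped:
            paths = [p for f in adv.get("findings", []) for p in f.get("paths", [])]
            hits.append({"id": adv_id, "module": adv["module_name"],
                         "severity": adv.get("severity"), "paths": paths})
    return hits

def summary(audit_json: str) -> dict:
    """Severity totals for the whole tree, as pnpm reports them (not only scoped modules)."""
    return dict(json.loads(audit_json)["metadata"]["vulnerabilities"])

def main() -> int:
    # Real use: pnpm audit --json --audit-level moderate | python3 scoped_audit.py -
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_AUDIT
    hits = scoped_advisories(raw, SCOPED)
    print("audit summary:", ", ".join(f"{v} {k}" for k, v in summary(raw).items() if v))
    print(f"scoped advisories: {len(hits)}")
    for h in hits:
        print(f"  {h['module']} ({h['severity']}) via {', '.join(h['paths'])}")
    return 1 if hits else 0  # fail only when an in-scope module is still reported

if __name__ == "__main__":
    sys.exit(main())
```

Unlike `pnpm audit` itself, which exits 1 while any advisory at or above the threshold remains, this exits non-zero only for the scoped modules, which is what a per-issue CI gate needs.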

@vercel

vercel Bot commented May 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
storybook Ready Ready Preview, Comment May 15, 2026 4:45am
ui.vllnt.ai Canceled Canceled May 15, 2026 4:45am

@bntvllnt
Collaborator Author

Closing as superseded by #367, which is the canonical #361 runtime/HTTP dependency advisory remediation lane. Live re-check found the same package.json override scope and only lockfile formatting/noise differences, with no hidden divergent scope to preserve.

@bntvllnt bntvllnt closed this May 18, 2026

Development

Successfully merging this pull request may close these issues.

chore: remediate residual runtime dependency advisories from superseded #359