fix(security): bump vitest to ^4.1.6

[alexgomezlf]

Adds pnpm override for vitest to enforce >=4.1.6, patching the XSS vulnerability (CVE-2026-47428) where the otelCarrier query parameter was injected directly into an inline module script. Resolves TFS #674755.

[bzajzon-laserfiche]

Review — bump vitest to ^4.1.6

Verdict: Approve — correct, minimal, and CI-verified. Two minor cleanups worth doing before merge.

What it does

Adds vitest: ^4.1.6 to the root pnpm.overrides. This forces every workspace's vitest (declared ^4.1.2 in all four packages) to resolve to 4.1.9, clearing the Veracode flag for CVE-2026-47428 (critical XSS → RCE in vitest browser mode via an unsanitized otelCarrier query param injected as inline script; fixed in 4.1.6).

Correctness — verified

• Root override is the standard pnpm pattern to force a security floor monorepo-wide; ^4.1.6 resolves to 4.1.9. ✅
• Lockfile in sync (all @vitest/* snapshots → 4.1.9); CI is frozen-lockfile and build_libraries + test_libraries both pass. ✅
• Low actual exposure: the vulnerable @vitest/browser isn't installed (browser configs use environment: 'jsdom', not real browser mode) — so this is scan-clearing rather than a reachable-path fix.

Minor cleanups before merge

1. Drop the dummy commit to trigger build — squash it so merged history is just the one fix(security) commit.
2. Optional consistency nit: the four package vitest specifiers still read ^4.1.2. The override makes that harmless, but bumping them to ^4.1.6 too would keep the declared dep from drifting below the override floor. Not blocking.

[bzajzon-laserfiche]

Approve — correct, minimal, CI-verified. See review notes above; the two cleanups are non-blocking.