deps: close 14 dependabot alerts via pnpm overrides

- hono ^4.12.14 (HTML injection, cookie bypass, path traversal, IP matching, serveStatic bypass)
- @hono/node-server ^1.19.13 (serveStatic bypass)
- vite ^8.0.5 (fs.deny bypass, arbitrary file read, .map path traversal)
- picomatch@2 ^2.3.2 + picomatch@4 ^4.0.4 (ReDoS, glob method injection)

Also bumps shadcn 4.1.1 → 4.3.0 and vitest 4.1.0 → 4.1.4 as a side
effect of the pnpm update that teed this up. Tests + build pass.

Author: rgbkrk

package.json

@@ -22,7 +22,7 @@
     "rehype-slug": "^6.0.0",
     "remark-frontmatter": "^5.0.0",
     "remark-gfm": "^4.0.1",
-    "shadcn": "^4.1.1",
+    "shadcn": "^4.3.0",
     "tailwind-merge": "^3.4.0",
     "tw-animate-css": "^1.4.0"
   },
@@ -37,9 +37,9 @@
     "autoprefixer": "^10.4.17",
     "jsdom": "^28.1.0",
     "postcss": "^8.4.33",
-    "tailwindcss": "^3.4.0",
+    "tailwindcss": "^3.4.19",
     "typescript": "^5.3.3",
-    "vitest": "^4.1.0"
+    "vitest": "^4.1.4"
   },
   "homepage": "https://github.com/nteract/nteract.io#readme",
   "license": "BSD-3-Clause",
@@ -54,5 +54,14 @@
     "test": "vitest run",
     "test:watch": "vitest"
   },
-  "packageManager": "[email protected]+sha512.2b5753de015d480eeb88f5b5b61e0051f05b4301808a82ec8b840c9d2adf7748eb352c83f5c1593ca703ff1017295bc3fdd3119abb9686efc96b9fcb18200937"
+  "packageManager": "[email protected]+sha512.2b5753de015d480eeb88f5b5b61e0051f05b4301808a82ec8b840c9d2adf7748eb352c83f5c1593ca703ff1017295bc3fdd3119abb9686efc96b9fcb18200937",
+  "pnpm": {
+    "overrides": {
+      "hono": "^4.12.14",
+      "@hono/node-server": "^1.19.13",
+      "vite": "^8.0.5",
+      "picomatch@2": "^2.3.2",
+      "picomatch@4": "^4.0.4"
+    }
+  }
 }