fix(www): bump vite/esbuild to clear dev-server security advisories

[peaktwilight]

Clears the remaining Dependabot alerts in www/ not covered by #525/#526, via non-breaking npm audit fix.

Alert	Fix
#14 vite server.fs.deny bypass (High)	vite 7.3.2 → 7.3.5
#15 launch-editor NTLMv2 (Moderate)	transitive of vite → fixed by the bump
esbuild	0.27.4 → 0.27.7

Remaining (intentionally not fixed): #11 esbuild arbitrary file read (Low) lives in astro's bundled esbuild — only npm audit fix --force clears it, which breaks/downgrades astro. Not worth it: it's a dev-server-only, Windows-only file read on a static marketing site that builds on Linux CI.

Site builds clean (19 pages, astro build Complete). All bumps are dev/build tooling — no production runtime impact.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• www/package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 633a574f-f2f3-4c98-9f31-0bd3a694d7b1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/www-vite-esbuild-advisories

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}