Security patches across the dependency tree
Fixed all 12 known vulnerabilities including a high-severity react-router XSS and vite path traversal.
Upgraded react-router-dom to 7.18.1 (fixes multiple XSS, open redirect, CSRF, and DoS advisories), vite to 7.3.6 (fixes dev server path traversal and arbitrary file read), react and react-dom to 19.2.7, and cleaned up transitive dev dependencies (picomatch, minimatch, flatted, js-yaml, brace-expansion, postcss, rollup) via a fresh lockfile. npm audit now reports 0 vulnerabilities.