
fix: upgrade vite to 6.4.2 to address CVE-2026-39363 #25

Merged
davidkonigsberg merged 1 commit into main from devin/1775576049-fix-vite-vulnerability
Apr 7, 2026

Conversation

@davidkonigsberg
Contributor

Summary

Upgrades vite from 6.4.1 to 6.4.2 to resolve CVE-2026-39363 (High severity — Arbitrary File Read via Vite Dev Server WebSocket).

Previously vite was only a transitive dependency via vitest. This PR adds it as an explicit devDependency pinned to ^6.4.2 so npm resolves to at least the patched version.

Review & Testing Checklist for Human

  • Consider whether adding vite to the overrides section (like the existing undici override) would be preferable to adding it as a direct devDependency
  • Run npm audit to confirm zero vulnerabilities after merging
  • Run npm test to verify vitest still works correctly with vite 6.4.2

Notes

  • This is a dev-only dependency; the built dist/ action output is unaffected since vite is not bundled into the action.
  • Patch-level bump only (6.4.1 → 6.4.2), so breakage risk is minimal.

Link to Devin session: https://app.devin.ai/sessions/0ed0f94cf14a47d9b94b00d65bb38fe8
Requested by: @davidkonigsberg

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
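One way to act on the review checklist above, as an added example that is not part of this PR or the project's code: a script that walks a tree in the shape `npm ls --all --json` prints and lists every copy of vite below 6.4.2, including a nested copy under vitest that adding vite as a direct devDependency does not by itself guarantee to replace. The sample tree and its version numbers are constructed for illustration.

```javascript
// Added example (not from the PR): find every copy of a package in an
// `npm ls --all --json` style tree and flag those below a minimum version,
// so a nested transitive copy (e.g. vite under vitest) is not missed.
const MIN_VITE = "6.4.2"; // first patched version named in the PR

// Constructed sample tree; versions are illustrative, not the repo's real lockfile.
const sampleTree = {
  name: "example-action",
  version: "1.0.0",
  dependencies: {
    vite: { version: "6.4.2" },                 // the explicit devDependency
    vitest: {
      version: "3.0.0",
      dependencies: { vite: { version: "6.4.1" } } // nested, still-vulnerable copy
    }
  }
};

// Compare two dotted numeric versions; returns -1, 0 or 1 (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect { path, version } for every occurrence of `pkg` in the tree.
function findPackage(node, pkg, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const childPath = [...path, name];
    if (name === pkg) out.push({ path: childPath.join(" > "), version: child.version });
    findPackage(child, pkg, childPath, out);
  }
  return out;
}

// Copies of `pkg` older than `min`; an empty array means every copy is patched.
function vulnerableCopies(tree, pkg, min) {
  return findPackage(tree, pkg).filter((c) => compareVersions(c.version, min) < 0);
}

for (const c of vulnerableCopies(sampleTree, "vite", MIN_VITE)) {
  console.log(`${c.path} is ${c.version}, below ${MIN_VITE}`);
}
```

Pipe real output from `npm ls --all --json` into `JSON.parse` in place of `sampleTree` to check an actual install; an `overrides` entry is the mechanism that forces the nested copy up as well.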
@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@davidkonigsberg davidkonigsberg merged commit ba3f5fa into main Apr 7, 2026
1 check passed
@davidkonigsberg davidkonigsberg deleted the devin/1775576049-fix-vite-vulnerability branch April 7, 2026 15:36