chore(deps): patch dependencies to resolve Dependabot alerts

[MykalMachon]

Summary of changes

Resolves all 25 open Dependabot alerts on the lockfile.

Two direct deps are bumped within their existing major:

• next ^15.5.9 → ^15.5.19 (clears 18 of the alerts)
• postcss ^8.2.10 → ^8.5.15

The rest are transitive, so a pnpm.overrides block forces them to patched versions: defu, js-yaml, picomatch, preact, serialize-javascript, tar-fs (2.x + 3.x), and uuid.

A few notes for review:

• serialize-javascript (6→7) and uuid (9→11) are major bumps. Both come only from build-time devDeps (@content-collections/* and mdx-bundler) and never ship to the browser. A full next build exercised both pipelines (306 pages, all guides) successfully.
• picomatch, js-yaml, and tar-fs overrides are scoped to their major (@4, @3, @2/@3) so they can't pull an unrelated major line up to an incompatible version.
• The overrides are a deliberate pin — once @content-collections/* and mdx-bundler update their own deps upstream, these can be dropped.

Build and typecheck both pass.

Docs

No documentation changes. pnpm.overrides added to package.json:

"pnpm": {
  "overrides": {
    "defu": "^6.1.7",
    "js-yaml@3": "^3.14.2",
    "picomatch@4": "^4.0.4",
    "postcss": "^8.5.15",
    "preact": "^10.27.3",
    "serialize-javascript": "^7.0.5",
    "tar-fs@2": "^2.1.4",
    "tar-fs@3": "^3.1.2",
    "uuid": "^11.1.1"
  }
}

🤖 Generated with Claude Code

[railway-app]

🚅 Deployed to the docs-pr-1183 environment in 🪄 *.railway.com

Service	Status	Web	Updated (UTC)
Docs Frontend	✅ Success (View Logs)	Web	Jun 4, 2026 at 4:14 pm

8 services not affected by this PR

• devicons
• OG
• Frontend Redis
• Turnout
• Meilisearch
• Geofeed
• Blog
• railway.com