chore(deps): clear all 27 advisories via fastify 5, vite 6, transitive overrides

Direct bumps: ws 8.21.0, vitest 3.2.6 (critical UI-server RCE), js-yaml 4.2.0.
Root pnpm.overrides: hono, undici, qs, fast-uri, react-router(-dom), @babel/core,
range-scoped esbuild, and a global vite pin (forces vitest onto Vite 6).
Major migrations with no code changes (API-audited): fastify 4 to 5 across
server/coder/control/booterm (+@fastify/websocket 11, @fastify/static 9.1.1),
vite 5 to 6 +@vitejs/plugin-react 4.7 in web. pnpm audit: no known vulnerabilities.
Suites green: contracts 29, server 599, coder 589, control 175, ion 104.

apps/control/package.json

@@ -13,13 +13,13 @@
   },
   "dependencies": {
     "@boocode/contracts": "workspace:*",
-    "@fastify/websocket": "^10.0.1",
+    "@fastify/websocket": "^11.0.0",
     "ajv": "^8.20.0",
     "ajv-formats": "^3.0.1",
-    "fastify": "^4.28.1",
-    "js-yaml": "^4.1.1",
+    "fastify": "^5.8.3",
+    "js-yaml": "^4.2.0",
     "postgres": "^3.4.4",
-    "ws": "^8.18.0",
+    "ws": "^8.21.0",
     "zod": "^3.23.8"
   },
   "devDependencies": {
@@ -28,7 +28,7 @@
     "@types/ws": "^8.5.10",
     "tsx": "^4.16.2",
     "typescript": "^5.5.0",
-    "vitest": "^3.0.0"
+    "vitest": "^3.2.6"
   },
   "license": "MIT"
 }