Commit 002124e

chore: security audit — clear dependabot alerts via pnpm overrides
Clears all 37 open Dependabot alerts on main (v2). Sibling to #1780 which did the same for v1.x.

Approach: pnpm overrides only — no catalog floor bumps. The ^-range floors are compatibility statements; consumers already get latest on fresh install, and our floors don't protect their lockfiles. Raising peer dep floors (hono) would be a soft breaking change that isn't ours to make.

Changes:
- Moved resolutions from package.json → pnpm-workspace.yaml overrides
- Added 17 range-targeted overrides forcing patched versions of transitive deps in our lockfile (ajv, hono, @hono/node-server, minimatch, picomatch, brace-expansion, rollup, flatted, markdown-it, qs, yaml, undici, express-rate-limit)
- Bumped better-auth ^1.4.17 → ^1.4.22 in examples (clears kysely/undici transitives)
- Exempted 4 packages from 7-day minimumReleaseAge for fresh security patches

Result: pnpm audit 44 → 0 vulnerabilities. No published-package API changes.
1 parent cce3ac7 commit 002124e

3 files changed

Lines changed: 525 additions & 287 deletions

package.json

Lines changed: 0 additions & 3 deletions
@@ -77,8 +77,5 @@
7777
"vitest": "catalog:devTools",
7878
"ws": "catalog:devTools",
7979
"zod": "catalog:runtimeShared"
80-
},
81-
"resolutions": {
82-
"strip-ansi": "6.0.1"
8380
}
8481
}
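Review bot: the only effect of this hunk is dropping the `"resolutions": { "strip-ansi": "6.0.1" }` block from package.json, and the pnpm-workspace.yaml hunk that is supposed to receive it is not shown in this rendering, so please confirm the `strip-ansi` 6.0.1 override is actually present there (and that `pnpm install --frozen-lockfile` still resolves strip-ansi to 6.0.1) before merging; otherwise the move silently unpins a dependency that was being held back on purpose. Since package.json cannot carry comments but pnpm-workspace.yaml can, this is also the right moment to add a one-line YAML comment next to each override (including `strip-ansi`) stating why it is pinned and which advisory or alert it clears, so the next audit can tell a security pin from a leftover compatibility pin.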
