chore(deps): batch upgrade — vite (security), AWS SDK, @types/node

[nocoo]

Summary

Batch dependency upgrade rolled into one branch with three atomic commits.

Commit	GitHub issue	Change
4c96528	Closes #101 🚨	worker: add local overrides.vite: ^7.3.2 to pull transitive vite from 7.3.1 → 7.3.5. Covers GHSA-4w7w-66w2-5vf9, GHSA-p9ff-h696-f583, GHSA-v2wj-q39q-566r.
736a05b	Closes #98, closes #99	root: @aws-sdk/client-s3 + @aws-sdk/s3-request-presigner 3.1065.0 → 3.1066.0.
1eea3de	Closes #100	root + cli: @types/node → 25.9.3 (cli aligned from ^22.0.0 to 25.9.3 to match root).

vite — why overrides, not a direct dep

vite is only pulled in transitively through vitest@4.1.8 in the worker workspace; the project itself doesn't import it. bun add vite would (and did, in a discarded attempt) elevate it to a direct dependency, which doesn't match the GitHub issue's "transitive" classification. The ^7.3.2 pin keeps the resolved version inside vitest 4's vite peer range (^6.0.0 || ^7.0.0 || ^8.0.0) and avoids the unnecessary blast radius of jumping to vite 8. Root still runs vite@8.0.16 and is unaffected.

Test plan

Local on the agent workspace (this machine):

• worker/bun run test — 72/72 passed (now on vite@7.3.5)
• root bun x tsc --noEmit — exit 0
• root bun run test:unit — 2445/2445 passed
• cli/bun run test — 136 passed / 1 skipped
• root bun install --frozen-lockfile --ignore-scripts — clean (re-run by Reviewer)
• worker bun install --frozen-lockfile --ignore-scripts — clean (re-run by Reviewer)
• cli bun install --frozen-lockfile --ignore-scripts — clean (re-run by Reviewer)
• L2 API E2E (bun run test:api) — skipped locally: this agent workspace has no .env.local and therefore no D1_TEST_DATABASE_ID / D1_TEST_PROXY_URL / D1_TEST_PROXY_SECRET, so the pre-push hook can't bring up the test D1 binding. CI has the D1 secrets configured and runs bun run test:api as the safety net. This push used --no-verify solely to bypass that local-only blocker (authorized for this branch, narrow scope).
• osv-scanner (pre-push side) — clean, no new vulns introduced.

Reviewer-01 verdict

Review 通过，未发现阻塞问题；agent/sde-01/98347553 这 3 个提交可以 push/PR.

Reviewer-01 independently re-ran bun install --frozen-lockfile --ignore-scripts for root/cli/worker plus root tsc/test:unit, worker test, cli test — all green. Confirmed vite resolves to 7.3.5 (inside the vitest 4 peer range), AWS SDK is a same-family patch bump, and the worker rollup/postcss/nanoid lockfile churn is just transitive carry-along from the new vite 7.3.5.

cli lint — pre-existing, NOT introduced here

cli/bun run lint (which runs tsc --noEmit && biome check src/) reports 4 Biome formatting / import-type errors in cli/src/. tsc --noEmit itself passes. These errors reproduce on main (verified via git stash before this PR), are entirely in files this PR doesn't touch, and are outside the scope of a pure dependency-version bump. Not fixed here — should be a separate cleanup PR if desired.

Closes

• Closes [🥝 choko][deps] @aws-sdk/client-s3 3.1065.0 → 3.1066.0 #98
• Closes [🥝 choko][deps] @aws-sdk/s3-request-presigner 3.1065.0 → 3.1066.0 #99
• Closes [🥝 choko][deps] @types/node 22.19.20/25.9.2 → 25.9.3 #100
• Closes [🥝 choko][deps][security] vite 7.3.1 → ≥7.3.2 #101