
Commit 53c7e2f

Bekacru and claude authored
chore(deps): resolve Dependabot security advisories via pnpm overrides (#13441)
* chore(deps): resolve Dependabot security advisories via pnpm overrides

Clears the large majority of open Dependabot alerts across the repo by pinning vulnerable (mostly transitive) dependencies to patched versions.

- Add per-major pnpm `overrides` to the root workspace and to each standalone example/tooling project (apps/examples/*, broken-link-checker) so every flagged transitive dep resolves to a non-vulnerable version. Per-major keys (e.g. minimatch@3 / minimatch@9) avoid forcing incompatible major upgrades.
- Bump direct devDependencies of published packages to patched versions: next-auth (next, nodemailer), @auth/core (postcss), @auth/drizzle-adapter (drizzle-orm), @auth/typeorm-adapter (typeorm), and the root vitest/playwright toolchain.
- Regenerate all affected lockfiles.

No runtime `dependencies` of the published packages were vulnerable; all fixes are in devDependencies, peerDependencies, transitive deps, or the non-published example apps.

Verified: `turbo run build` passes for next-auth and all @auth/* packages (qwik example excluded — its build is broken independently of this change on Node 24).

Not addressed (require breaking major upgrades or have no fix): @mikro-orm/core v5->v6, @builder.io/qwik 1.7->1.19 toolchain, and the EOL request/useragent/tsup/vue-template-compiler chains.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore(deps): resolve Socket critical CVE alerts (qwik, qwik-city, mikro-orm)

- Override @builder.io/qwik to 1.19.1 (GHSA-p9x5-jp3h-96mm, unauthenticated RCE via server$ deserialization) and @builder.io/qwik-city to 1.19.2 (GHSA-xqg6-98cw-gxhq prototype pollution, GHSA-qr9h-j6xg-2j72 DoS)
- Bump @mikro-orm/core override to 6.6.14 and move the mikro-orm adapter dev deps from v5 to v6.6.14 (GHSA-gwhv-j974-6fxm SQL injection affects < 6.6.10); widen peer range to ^5 || ^6
- Adapt adapter source/tests to MikroORM v6 API (driver option instead of type, onDelete -> deleteRule, mergeObjects -> mergeObjectProperties) while keeping v5-compatible options at runtime
- Use @mikro-orm/better-sqlite in tests (v6 @mikro-orm/sqlite depends on the native sqlite3 package, which no longer builds on Python 3.12+)
- Ignore vitest .snap files in .prettierignore so the pre-commit format hook does not fail on them

* chore(deps): bump drizzle-kit to 0.31 to match drizzle-orm 0.45 override

drizzle-kit 0.23 cannot read schemas with drizzle-orm 0.45.2 (forced by the security override), so generate/migrate silently produced no tables and the adapter tests failed with ER_NO_SUCH_TABLE in CI.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent de125ba commit 53c7e2f

26 files changed

Lines changed: 8595 additions & 7587 deletions

.github/broken-link-checker/package.json

Lines changed: 23 additions & 0 deletions
@@ -27,5 +27,28 @@
2727
"@actions/core": "^1.10.1",
2828
"@actions/github": "^6.0.0",
2929
"broken-link-checker": "^0.7.8"
30+
},
31+
"pnpm": {
32+
"overrides": {
33+
"@octokit/plugin-paginate-rest@9": "9.2.2",
34+
"@octokit/request-error@5": "5.1.1",
35+
"@octokit/request@8": "8.4.1",
36+
"ajv@6": "6.14.0",
37+
"braces@3": "3.0.3",
38+
"esbuild@0": "0.25.0",
39+
"form-data@2": "2.5.4",
40+
"glob@10": "10.5.0",
41+
"minimatch@9": "9.0.7",
42+
"picomatch@2": "2.3.2",
43+
"qs@6": "6.14.1",
44+
"robots-txt-guard@1": "1.0.2",
45+
"rollup@4": "4.59.0",
46+
"semver@5": "5.7.2",
47+
"tmp@0": "0.2.6",
48+
"tough-cookie@4": "4.1.3",
49+
"undici@5": "5.29.0",
50+
"undici@6": "6.24.0",
51+
"uuid@11": "11.1.1"
52+
}
3053
}
3154
}
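Review bot: the new `pnpm.overrides` block in .github/broken-link-checker/package.json is only honoured by pnpm when this package.json is the install root (pnpm ignores `overrides` declared in a non-root package), so the PR should confirm this project carries its own lockfile and is installed separately rather than as a member of the repo workspace, otherwise every pin in this hunk is silently a no-op and the alerts it is meant to close stay open. Two smaller points on the same hunk: each override is an exact version (for example `"ajv@6": "6.14.0"`, `"undici@5": "5.29.0"`), so the next advisory for any of these packages will need a hand edit here rather than being picked up by a range such as `">=6.14.0"`; and JSON leaves no room to record which advisory motivated each pin, so it would help to list the override-to-advisory mapping in the PR description or a short README next to this file, giving a later maintainer a way to know when a pin can be dropped.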
