build(deps): bump @astrojs/starlight from 0.39.3 to 0.40.0 #211

dependabot[bot] wants to merge 1 commit into
Dependabot couldn't access the repository. Because of this, Dependabot cannot update this pull request.
Bumps [@astrojs/starlight](https://github.com/withastro/starlight/tree/HEAD/packages/starlight) from 0.39.3 to 0.40.0.
- [Release notes](https://github.com/withastro/starlight/releases)
- [Changelog](https://github.com/withastro/starlight/blob/main/packages/starlight/CHANGELOG.md)
- [Commits](https://github.com/withastro/starlight/commits/@astrojs/starlight@0.40.0/packages/starlight)

---
updated-dependencies:
- dependency-name: "@astrojs/starlight"
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(#230)

## Summary

Consolidated dependency refresh that clears the open esbuild CVE and folds in all 5 open Dependabot PRs (#210–#214) plus the remaining outdated minors/patches.

**Why one branch instead of merging the 5 Dependabot PRs:** branch protection on `main` is `strict` + linear-history + squash-only. Merging the 5 PRs one at a time forces each survivor to rebase against a changed `pnpm-lock.yaml` and re-run the full CI matrix — a 5-cycle cascade. Folding them into one validated branch is a single CI cycle; the Dependabot PRs then close as superseded.

## Security

- **esbuild → 0.28.1** via pnpm override (`>=0.27.3 <0.28.1` → `0.28.1`) — clears **GHSA-g7r4-m6w7-qqqr** (LOW, dev-server path traversal via `\` on Windows). Dependabot **could not** auto-fix this: `astro` pins `esbuild@^0.27.3` and never widens it, so the security update returned `security_update_not_possible`. Override follows the existing `devalue` security-override pattern in `pnpm-workspace.yaml`. OSV scan after the bump: **no issues**.

## Bumps (none breaking)

| Package | From | To | Covered Dependabot PR |
|---|---|---|---|
| astro | 6.4.4 | 6.4.6 | #210 |
| @astrojs/starlight | 0.39.3 | 0.40.0 | #211 |
| @aws-sdk/client-bedrock-runtime | 3.1064.0 | 3.1068.0 | #212 |
| @aws-sdk/client-sagemaker-runtime | 3.1064.0 | 3.1068.0 | #213 |
| starlight-page-actions | 0.6.0 | 0.6.1 | #214 |
| @biomejs/biome | 2.4.16 | 2.5.0 | — |
| @ladybugdb/core | 0.16.1 | 0.17.1 | — |
| piscina | 5.1.4 | 5.2.0 | — |
| sharp | 0.34.5 | 0.35.1 | — |
| starlight-links-validator | 0.24.0 | 0.24.1 | — |
| @types/node | 25.9.2 | 25.9.3 | — |
| commitizen | 4.3.1 | 4.3.2 | — |

Ran `biome migrate` for the 2.5.0 bump: `recommended: true` → `preset: "recommended"`, schema → 2.5.0.

## Held — both require Node 24; repo is Node 22 + `engine-strict=true`

- **license-checker-rseidelsohn 4 → 5**: engines `node >=24`. Powers the required `licenses` CI gate, which runs on Node 22 → install would fail. **Hard blocker until the repo baselines to Node 24.**
- **write-file-atomic 7 → 8**: only change is narrowing the Node floor to `^22.22.2`, conflicting with the declared `engines.node: >=22.12.0`; no functional or security benefit.

## Validation (local, mirrors required CI checks)

| Gate | Result |
|---|---|
| frozen-lockfile install | ✅ no drift |
| build (all packages) | ✅ |
| lint (biome 2.5.0) | ✅ 0 infos |
| typecheck (CI-mirror, excl. docs) | ✅ |
| test (19 packages) | ✅ 0 fail, 0 `not ok` |
| banned-strings | ✅ |
| license allowlist | ✅ |
| OSV scan | ✅ no issues |
| astro docs build | ✅ 64 pages, links valid |

## After merge

Close #210–#214 as superseded (the squash commit folds them all in). The esbuild override resolves itself when astro widens its esbuild range (likely 6.5+); revisit then.

🤖 Generated with [Bonk](https://github.com/theagenticguy/opencodehub) — OpenCodeHub nightly maintenance
Closing as superseded — this bump landed on main via #230 (merged), the consolidated dependency refresh. Dependabot will reconcile on its next run.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps @astrojs/starlight from 0.39.3 to 0.40.0.

Release notes
Sourced from @astrojs/starlight's releases.

Changelog
Sourced from @astrojs/starlight's changelog.

Commits
- 79897a3 [ci] release (#3944)
- edf2e6b feat: add support for Astro 6.4 and Sätteri (#3923)