chore(deps): tighten Dependabot config — group vitest, ignore sonar v7

[h2devx]

Que cambia

• Drop `update-types: [minor, patch]` filter on the `vitest` group so MAJOR bumps are also batched. `vitest` and `@vitest/coverage-v8` are peer-dep'd by version; landing one without the other breaks develop.
• Add explicit `ignore` for `SonarSource/sonarqube-scan-action` MAJOR bumps. v7 reproducibly throws HTTP 401 against our self-hosted SonarQube 26.4 with a token that v6 accepts. Re-evaluate once the server is upgraded.

Por que

Closes the 3 problematic Dependabot PRs from the first weekly run:

• chore(ci)(deps): bump SonarSource/sonarqube-scan-action from 6 to 7 #5 SonarSource/sonarqube-scan-action 6→7 — auth incompatibility
• chore(deps-dev)(deps-dev): bump vitest from 3.2.4 to 4.1.5 in /code #9 vitest 3→4 — major bump that needs validation
• chore(deps-dev)(deps-dev): bump @vitest/coverage-v8 from 3.2.4 to 4.1.5 in /code #10 @vitest/coverage-v8 3→4 — twin of chore(deps-dev)(deps-dev): bump vitest from 3.2.4 to 4.1.5 in /code #9, must ship together

When Dependabot reopens vitest 4.x it will arrive as a single grouped PR.

Tipo

• chore — deps/CI config

Checklist

No production code touched. The config change applies on next Dependabot run.