Tagged aggregate of two Dependabot fixes:
  - starlette: GHSA-86qp-5c8j-p5mr (medium) — host header path poison
  - vitest:    GHSA-5xrq-8626-4rwp (critical, dev-only) — UI server FS access

Production code only touches starlette dependency; vitest is dev-only
but bumped to clear the critical alert. v4 breaking change required
rewriting 7 fake Worker mocks in deepsearch.test.js.