
fix: pin vite to patched version #2050

Open
raashish1601 wants to merge 1 commit into modelcontextprotocol:main from raashish1601:codex/2048-high-severity-cves-via-pnpm-audit

Conversation

@raashish1601

Summary

  • Add a direct patched vite devDependency so pnpm resolves Vitest's Vite dependency away from the vulnerable range reported in "High-severity CVEs via pnpm audit" (#2048).
  • Refresh pnpm-lock.yaml accordingly.

Fixes #2048.

Validation

  • corepack pnpm install
  • corepack pnpm -r typecheck
  • corepack pnpm audit --audit-level=high | Select-String vite returns no matches
  • corepack pnpm -r lint still fails on existing baseline Prettier warnings across unrelated files

@raashish1601 raashish1601 requested a review from a team as a code owner May 11, 2026 16:58
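The validation step above greps the audit output for vite. As an added example that is not part of this PR or the SDK, the same check is written below as a script over the JSON form of the report (`pnpm audit --json`), which also surfaces the dependency paths so a reviewer can see whether vite is reached only through Vitest. The report shape is assumed to follow the npm-audit v1 format pnpm emits; the helper names and the sample reports are mine, with placeholder advisory values.

```javascript
// Added example, not code from the PR: the PR validates with
//   pnpm audit --audit-level=high | Select-String vite
// This does the same check over `pnpm audit --json` output and also reports
// the dependency paths, so a reviewer can see whether vite is reached only
// through Vitest (the ownership point raised in review).
// ASSUMPTION: the report follows the npm-audit v1 shape pnpm emits
// (advisories keyed by id, each with module_name, severity, findings[].paths).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories for `moduleName` at or above `minSeverity`, one entry per finding.
function findingsFor(report, moduleName, minSeverity = "high") {
  const floor = SEVERITY_RANK[minSeverity];
  const out = [];
  for (const [id, adv] of Object.entries(report.advisories ?? {})) {
    if (adv.module_name !== moduleName) continue;
    if ((SEVERITY_RANK[adv.severity] ?? 0) < floor) continue;
    for (const f of adv.findings ?? []) {
      out.push({ id, severity: adv.severity, version: f.version, paths: f.paths ?? [] });
    }
  }
  return out;
}

// True when no reported path starts at the module itself, i.e. it is only
// pulled in transitively (here "vitest>vite") rather than as a direct dependency.
function onlyTransitive(findings, moduleName) {
  return findings.every((f) => f.paths.every((p) => p.split(">")[0] !== moduleName));
}

// CONSTRUCTED sample reports. The advisory id, versions and ranges are
// placeholders, not real vite data.
const SAMPLE_BEFORE = {
  advisories: {
    "0000": {
      module_name: "vite",
      severity: "high",
      vulnerable_versions: "<9.9.9",
      patched_versions: ">=9.9.9",
      findings: [{ version: "9.0.0", paths: ["vitest>vite"] }],
    },
  },
};
const SAMPLE_AFTER = { advisories: {} };

// Stand-alone run: before the pin one transitive high finding, after it none.
const beforePin = findingsFor(SAMPLE_BEFORE, "vite");
console.log("before pin:", beforePin, "transitive only:", onlyTransitive(beforePin, "vite"));
console.log("after pin:", findingsFor(SAMPLE_AFTER, "vite").length === 0 ? "no vite findings" : "still flagged");
```

On a real checkout, feed `findingsFor` the parsed output of `pnpm audit --json` instead of the constructed samples.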
@pkg-pr-new

pkg-pr-new Bot commented May 11, 2026


@modelcontextprotocol/client

npm i https://pkg.pr.new/@modelcontextprotocol/client@2050

@modelcontextprotocol/server

npm i https://pkg.pr.new/@modelcontextprotocol/server@2050

@modelcontextprotocol/express

npm i https://pkg.pr.new/@modelcontextprotocol/express@2050

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/@modelcontextprotocol/fastify@2050

@modelcontextprotocol/hono

npm i https://pkg.pr.new/@modelcontextprotocol/hono@2050

@modelcontextprotocol/node

npm i https://pkg.pr.new/@modelcontextprotocol/node@2050

commit: d6d23b5

@morozow

morozow commented May 11, 2026

This is a valid short-term CVE fix, but it also changes dependency ownership.
By adding Vite directly, the SDK workspace now has to maintain Vite alignment itself, although Vite is only needed through Vitest/tooling and not through the SDK runtime. Future Vitest/Vite compatibility changes or audit findings may therefore require direct maintenance in this repo.

That means future Vitest updates, Vite compatibility changes, or new Vite audit findings may require this SDK repo to keep adapting a direct Vite dependency. For a long-lived open-source SDK, this creates additional toolchain coupling that should probably be considered separately from the immediate severity fix.
