chore(deps): patch Dependabot vulns (Python + JS)

Python (pyproject.toml + uv.lock):
- aiohttp 3.14.0 -> 3.14.1 (8 alerts: medium+low)
- cryptography -> 49.0.0 (high, floor 48.0.1)
- langchain -> 1.3.10 (medium, floor 1.3.9)
- langsmith -> 0.8.18 (high)
- starlette 1.2.1 -> 1.3.1 (high+low, transitive)
- pydantic-settings 2.12.0 -> 2.14.2 (medium, transitive)
- torch 2.10.0 -> 2.12.1 (low, transitive; py>=3.14 only)

JS (web/, dual lockfile npm+pnpm in sync):
- vite ^8.0.5 -> ^8.0.16 (high+medium)
- js-yaml -> 4.2.0 (medium, override >=4.2.0 <5)
- form-data -> 4.0.6 (high, override)

Unfixable (no upstream patch, left + reported):
- chromadb critical <=1.5.9 (1.5.9 is latest)
- PyPDF2 medium (deprecated; needs pypdf migration)

Verified: uv sync + import check, pnpm frozen-lockfile, vite build.
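The commit relies on the npm `overrides` map and the `pnpm.overrides` map staying identical across the two lockfiles. The following is an added check (not part of this commit or the project's code) that audits a package.json manifest for the two maps drifting apart and for override ranges with no upper bound; the sample manifest is constructed from the values visible in the diff, and the `auditOverrides`, `packageName` and `isBounded` names are this example's own.

```javascript
// Added example: audit npm "overrides" vs "pnpm.overrides" in a package.json.
// The manifest below is constructed from the ranges shown in the commit diff;
// it is not read from the repository.
const sampleManifest = {
  overrides: {
    "js-yaml": ">=4.2.0 <5",
    "form-data": ">=4.0.6",
  },
  pnpm: {
    overrides: {
      "js-yaml": ">=4.2.0 <5",
      "form-data": ">=4.0.6",
      "minimatch@>=3.0.0 <3.1.3": "3.1.3",
    },
  },
};

// pnpm override keys may carry a selector ("pkg@range"); reduce the key to the
// bare package name so "minimatch@>=3.0.0 <3.1.3" compares against "minimatch".
// Scoped packages start with "@", so only split on an "@" after position 0.
function packageName(key) {
  const at = key.indexOf("@", 1);
  return at === -1 ? key : key.slice(0, at);
}

// A range counts as bounded if it pins an exact version, uses caret/tilde
// (which imply a ceiling), or carries an explicit "<" / "<=" upper bound.
function isBounded(range) {
  const r = range.trim();
  if (/^\d+\.\d+\.\d+$/.test(r)) return true;
  if (/^[\^~]/.test(r)) return true;
  return /<\s*=?\s*\d/.test(r);
}

// Returns a list of findings; an empty list means both maps agree and every
// override is bounded.
function auditOverrides(manifest) {
  const npm = manifest.overrides || {};
  const pnpm = (manifest.pnpm && manifest.pnpm.overrides) || {};
  const findings = [];

  for (const [name, range] of Object.entries(npm)) {
    const match = Object.entries(pnpm).find(([k]) => packageName(k) === name);
    if (!match) {
      findings.push({ pkg: name, issue: "missing in pnpm.overrides" });
    } else if (match[1] !== range) {
      findings.push({ pkg: name, issue: `range differs: npm ${range} vs pnpm ${match[1]}` });
    }
    if (!isBounded(range)) findings.push({ pkg: name, issue: `unbounded range ${range} (npm)` });
  }

  for (const [key, range] of Object.entries(pnpm)) {
    const name = packageName(key);
    if (!(name in npm)) findings.push({ pkg: name, issue: "missing in npm overrides" });
    if (!isBounded(range)) findings.push({ pkg: name, issue: `unbounded range ${range} (pnpm)` });
  }
  return findings;
}

for (const f of auditOverrides(sampleManifest)) console.log(`${f.pkg}: ${f.issue}`);
```

Run against the real manifest by replacing `sampleManifest` with `JSON.parse(fs.readFileSync("web/package.json"))`; a non-empty result is the signal that one lockfile may still resolve the vulnerable version even though the other was patched.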
RockChinQ
2026-06-21 07:43:44 -04:00
parent eda80030b5
commit 52c096ea4c
5 changed files with 583 additions and 461 deletions
+5 -1
@@ -17,6 +17,8 @@
]
},
"overrides": {
"js-yaml": ">=4.2.0 <5",
"form-data": ">=4.0.6",
"@radix-ui/react-focus-scope": "1.1.7",
"flatted": ">=3.4.2",
"follow-redirects": ">=1.16.0",
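Review bot: the new `"form-data": ">=4.0.6"` entry has no upper bound, unlike `"js-yaml": ">=4.2.0 <5"` directly above it, so this override would also force a future form-data 5.x (with whatever breaking changes it carries) onto every dependant that was resolved against 4.x. Suggest `"form-data": ">=4.0.6 <5"` so the override stays scoped to the patched 4.x line and matches the convention used for js-yaml.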
@@ -83,7 +85,7 @@
"tailwind-merge": "^3.2.0",
"tailwindcss": "^4.1.5",
"uuidjs": "^5.1.0",
"vite": "^8.0.5",
"vite": "^8.0.16",
"zod": "^3.24.4"
},
"devDependencies": {
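Review bot: `vite` is listed in the block that closes right before `"devDependencies"`, i.e. in runtime `dependencies`, so the build tool is installed in production installs and counted among shipped dependencies in vulnerability reports. If nothing imports it at runtime, consider moving `"vite": "^8.0.16"` under `devDependencies`. Note also that a caret range only raises the floor; the fix holds only while both `package-lock.json` and `pnpm-lock.yaml` resolve to >=8.0.16, which the commit message says was verified with `pnpm --frozen-lockfile`.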
@@ -115,6 +117,8 @@
"packageManager": "pnpm@8.9.2+sha512.b9d35fe91b2a5854dadc43034a3e7b2e675fa4b56e20e8e09ef078fa553c18f8aed44051e7b36e8b8dd435f97eb0c44c4ff3b44fc7c6fa7d21e1fac17bbe661e",
"pnpm": {
"overrides": {
"js-yaml": ">=4.2.0 <5",
"form-data": ">=4.0.6",
"minimatch@>=3.0.0 <3.1.3": "3.1.3",
"minimatch@>=9.0.0 <9.0.7": "9.0.7",
"picomatch@>=2.0.0 <2.3.2": "2.3.2",
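Review bot: the `js-yaml` and `form-data` ranges are now duplicated verbatim between the npm `overrides` map and `pnpm.overrides`, and nothing enforces that the two stay equal; a future bump applied to one map leaves the other lockfile on the vulnerable version while both installs still succeed. Suggest a small CI check that the two maps agree (or at least a comment in package.json that both must be edited together), and the same `<5` ceiling on `"form-data": ">=4.0.6"` here as suggested for the npm map.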