
Update client dependencies #445

Open

rongxin-liu wants to merge 3 commits into main from rongxin/update-client-deps

Conversation

rongxin-liu (Contributor) commented Jun 14, 2026

Summary

  • Updates client npm dependency pins and regenerates client/package-lock.json.
  • Refreshes React/React Router, Connect RPC, Storybook, Tailwind, ESLint, Prettier, and related tooling packages.
  • Adds an esbuild@0.28.1 override so the resolved dependency tree passes npm audit without downgrading Storybook.

Validation

  • source bin/activate-hermit && just gen
  • source bin/activate-hermit && just format
  • cd client && ../bin/npm audit --audit-level=low
  • cd client && ../bin/npm ls esbuild
  • cd client && ../bin/npm run build
  • cd client && ../bin/npx vitest run
  • cd client && ../bin/npm run build-storybook
  • git push pre-push hook: client typecheck

github-actions bot added the labels dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code) and client on Jun 14, 2026

github-actions bot commented Jun 14, 2026

🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

  • Reviewed pull request diff only (75933fce45c269e41e0ba2b30cd33825b0389fa7...1792560c0db0608e147a05e08fe416547316d56d, exact PR three-dot diff)
  • Model: gpt-5.5

Review Summary

Overall Risk: LOW

Findings

[LOW] Global esbuild override bypasses Storybook’s declared compatibility range

  • Category: Reliability
  • Location: client/package.json:93
  • Description: The new top-level esbuild override forces all transitive consumers to 0.28.1. In the resulting lockfile, storybook@10.4.4 still declares esbuild only through ^0.27.0, and npm --prefix client ls esbuild --package-lock-only --all reports Storybook using esbuild@0.28.1 overridden.
  • Impact: Storybook dev/build may fail after a clean install if Storybook relies on esbuild behavior from its declared supported range. This primarily affects npm run storybook, npm run build-storybook, and any CI covering those scripts.
  • Recommendation: Remove the global override or scope it only to packages that declare compatibility with 0.28.x. If the override is intentional, verify with a clean install plus npm run build-storybook and npm run build.

Notes

Review scope was limited to .git/codex-review.diff, which only changes client/package.json and client/package-lock.json. I did not find auth, SQLi, command injection, network discovery, plugin-boundary, cryptostealing/pool-hijack, infrastructure, Rust, Python, or protobuf changes in this PR diff.

Generated by Codex Security Review | Triggered by: @rongxin-liu | Review workflow run

rongxin-liu changed the title from "[codex] Update client dependencies" to "Update client dependencies" on Jun 14, 2026
rongxin-liu marked this pull request as ready for review on June 14, 2026 18:51
rongxin-liu requested a review from a team as a code owner on June 14, 2026 18:51
Copilot AI review requested due to automatic review settings on June 14, 2026 18:51

Copilot AI left a comment

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.
