
[Issue #611] dependency updates #663

Open

jcrichlake wants to merge 11 commits into main from 611-dependency-updates

Conversation

@jcrichlake
Collaborator

@jcrichlake jcrichlake commented Apr 7, 2026

Summary

Changes proposed

  • Updated TypeSpec packages from ~1.5.0/~0.75.0 to ~1.9.0/~0.79.0 in both the express-js and quickstart templates
  • Updated several dev dependencies (@eslint/js, @types/node, typescript-eslint, @vitest/eslint-plugin) to latest patch/minor versions
  • Bumped @common-grants/core from ^0.2.3 to ^0.2.4 in the express-js template
  • Added pnpm override rules to both templates and the root workspace to pin vulnerable transitive dependencies (e.g. vite, defu, rollup, qs, tar, yaml, ajv, brace-expansion)
  • Migrated express-js template from package-lock.json / .eslintrc.js to pnpm-lock.yaml / eslint.config.js
  • Added pnpm-lock.yaml to the quickstart template scaffold in template.json
  • Pinned packageManager field to pnpm@10.18.3 in both templates
  • Updated lock files for express-js, quickstart, fast-api, and the Python examples

Context for reviewers

These are routine dependency updates to address security advisories in transitive dependencies. The pnpm overrides force patched versions of packages with known CVEs (e.g. vite, qs, tar, rollup, yaml). The migration from package-lock.json to pnpm-lock.yaml in the express-js template aligns with the workspace's use of pnpm.

Verification: lock files were regenerated after applying the overrides and dependency bumps. The vite fix required removing an extraneous plugin and patching the config directly.

Additional information

There is a small change where folks will have to run `pnpm install` after running `tsp init`. This change has been documented within a readme.
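A check that goes with the verification step described above, added here as an example and not code from the PR or the CommonGrants repository: a Node script that reads the `pnpm.overrides` block of a package.json and confirms that every version of each overridden package recorded in pnpm-lock.yaml actually satisfies the override. If a lock file was not regenerated after an override was added, the stale vulnerable version still appears under `packages:` and is reported as `vulnerable`; an override naming a package that is not in the lock file at all is reported as `missing`. The package names, versions and lock file text are constructed samples, and the script assumes the pnpm lockfile v9 layout (two-space-indented `name@version:` keys, scoped names quoted). Only exact pins and `>=x.y.z` ranges are understood; anything else is reported as `unsupported` rather than silently passed.

```javascript
// Constructed sample package.json with a pnpm.overrides block (not the repository's own).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "constructed-template",
  pnpm: {
    overrides: {
      "lib-a": ">=1.3.0",       // satisfied by the lock file
      "lib-b": "2.0.1",         // pinned, but a stale 1.9.0 copy is still locked
      "@scope/lib-c": ">=4.0.0", // lock file still resolves an older version
      "lib-d": ">=1.0.0",       // override for a package not in the lock file
    },
  },
});

// Constructed pnpm-lock.yaml excerpt in the v9 layout (integrity values are placeholders).
const SAMPLE_LOCK = [
  "lockfileVersion: '9.0'",
  "",
  "packages:",
  "",
  "  lib-a@1.3.0:",
  "    resolution: {integrity: sha512-constructed}",
  "",
  "  lib-b@2.0.1:",
  "    resolution: {integrity: sha512-constructed}",
  "",
  "  lib-b@1.9.0:",
  "    resolution: {integrity: sha512-constructed}",
  "",
  "  '@scope/lib-c@3.9.9':",
  "    resolution: {integrity: sha512-constructed}",
  "",
].join("\n");

// Parse "x.y.z" into numeric parts; returns null for anything that is not a plain version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Classify a resolved version against an override range. Only exact pins and ">=" ranges
// are understood; other syntax yields "unsupported" so it is never mistaken for a pass.
function satisfiesOverride(version, range) {
  const resolved = parseVersion(version);
  if (!resolved) return "unsupported";
  const r = range.trim();
  const ge = /^>=\s*(\d+\.\d+\.\d+)$/.exec(r);
  if (ge) {
    return compareVersions(resolved, parseVersion(ge[1])) >= 0 ? "ok" : "vulnerable";
  }
  if (/^\d+\.\d+\.\d+$/.test(r)) {
    return compareVersions(resolved, parseVersion(r)) === 0 ? "ok" : "vulnerable";
  }
  return "unsupported";
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Every version of `name` that appears as a package key in the lock file. Keys look like
// "  vite@6.1.0:" or "  '@scope/pkg@1.0.0':" and may carry a "(peer@x)" suffix.
function lockedVersions(lockText, name) {
  const re = new RegExp(`^ {2}'?${escapeRegExp(name)}@([^'(:\\s]+)`, "gm");
  const versions = new Set();
  let m;
  while ((m = re.exec(lockText)) !== null) versions.add(m[1]);
  return [...versions];
}

// One finding per (package, locked version); "missing" when the override has no match.
function auditOverrides(packageJsonText, lockText) {
  const overrides = (JSON.parse(packageJsonText).pnpm || {}).overrides || {};
  const findings = [];
  for (const [name, range] of Object.entries(overrides)) {
    const versions = lockedVersions(lockText, name);
    if (versions.length === 0) {
      findings.push({ name, range, resolved: null, status: "missing" });
      continue;
    }
    for (const v of versions) {
      findings.push({ name, range, resolved: v, status: satisfiesOverride(v, range) });
    }
  }
  return findings;
}

function hasVulnerableResolution(findings) {
  return findings.some((f) => f.status === "vulnerable");
}

for (const f of auditOverrides(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(11)} ${f.name}@${f.resolved ?? "(not in lockfile)"}  override: ${f.range}`);
}
```

Pointing the two constants at a real package.json and pnpm-lock.yaml (for example via `fs.readFileSync`) turns this into a CI gate: a non-empty set of `vulnerable` findings means the override exists on paper but the lock file still ships the old version, which is exactly the case a regenerated lock file is meant to rule out.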

@github-actions github-actions bot added python Issue or PR related to Python tooling typescript Issue or PR related to TypeScript tooling labels Apr 7, 2026
@github-actions github-actions bot added sdk Issue or PR related to our SDKs py-sdk Related to Python SDK labels Apr 7, 2026
Removing example that isn't needed
@github-actions github-actions bot added the dependencies Pull requests that update a dependency file label Apr 10, 2026
@github-actions
Contributor

github-actions bot commented Apr 10, 2026

🚀 Website Preview Deployed!

Preview your changes at: https://cg-pr-663.billy-daly.workers.dev

This preview will be automatically deleted when the PR is closed.

@jcrichlake jcrichlake marked this pull request as ready for review April 10, 2026 20:02

Development

Successfully merging this pull request may close these issues.

[Security] Resolve template and example dependabot warnings

1 participant