
Commit ef757ea

Patch GUI PostCSS advisory
Pin the standalone GUI Vite dev dependency to 8.0.9 and regenerate both GUI lockfiles so PostCSS resolves above the vulnerable range reported by Dependabot alert #35.

Constraint: Dependabot alert GHSA-qx2v-qp2m-jg93/CVE-2026-41305 is scoped to gui/pnpm-lock.yaml and PostCSS < 8.5.10
Constraint: Keep the dependency change narrow and avoid new runtime dependencies
Rejected: Ignore the standalone GUI lock | Dependabot alerts on that manifest directly
Confidence: high
Scope-risk: narrow
Directive: Keep gui/package-lock.json and gui/pnpm-lock.yaml in sync when changing GUI dev tooling
Tested: pnpm install --frozen-lockfile
Tested: cd gui && pnpm install --frozen-lockfile --ignore-workspace
Tested: cd gui && npm audit --audit-level=moderate
Tested: cd gui && pnpm audit --audit-level moderate
Tested: cd gui && npm run build
Tested: pnpm build
Tested: git diff --check
Related: PR #403
Related: Dependabot alert #35
1 parent fd5d295 commit ef757ea

3 files changed

Lines changed: 190 additions & 187 deletions

gui/package-lock.json

Lines changed: 84 additions & 84 deletions
Some generated files are not rendered by default.

gui/package.json

Lines changed: 1 addition & 1 deletion
@@ -17,6 +17,6 @@
1717
"@types/react-dom": "^19.2.3",
1818
"@vitejs/plugin-react": "^6.0.1",
1919
"typescript": "^5.9.3",
20-
"vite": "^8.0.5"
20+
"vite": "8.0.9"
2121
}
2222
}
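
Review bot: The new `"vite": "8.0.9"` line drops the caret that the neighbouring entries (`"typescript": "^5.9.3"`, `"@vitejs/plugin-react": "^6.0.1"`) keep, while the advisory named in the commit message is against PostCSS < 8.5.10, a package this manifest never names. The exact pin freezes Vite at one release but sets no floor on PostCSS; only the regenerated lockfiles do, so a later lockfile regeneration or an install that ignores the lock resolves whatever PostCSS range Vite itself declares. Consider `"vite": "^8.0.9"` to keep the floor without blocking later patch releases, and, if the manifest should guarantee the fixed PostCSS, an `overrides` (npm) and `pnpm.overrides` entry for `postcss` at `>=8.5.10`. If the exact pin is intentional, record the reason next to the Directive in the commit message or in the GUI docs so it is not loosened or left stale by accident.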
