[code-infra] Update dependencies to resolve Dependabot security alerts

[Janpot]

Resolves open Dependabot security alerts by bumping affected dependencies to patched versions (transitive dev/build deps, plus React Router and the vitest stack).

Next.js is intentionally held at 16.1.7: the patched 16.2.x line is blocked by an upstream webpack MDX build regression (vercel/next.js#91735), so the Next.js advisories stay open for now. The @tanstack/start-server-core / h3 alerts come only from the examples workspace and will resolve once examples are removed (#4759). Nothing in the published package runtime changes.

[pkg-pr-new]

• base-ui-tanstack-start

• vite-css-base-ui-example

  pnpm add https://pkg.pr.new/mui/base-ui/@base-ui/react@4988
  

  pnpm add https://pkg.pr.new/mui/base-ui/@base-ui/utils@4988
  

commit: 55a04f5

[code-infra-dashboard]

Bundle size

Bundle	Parsed size	Gzip size
@base-ui/react	0B(0.00%)	0B(0.00%)

Details of bundle changes

Performance

Total duration: 1,147.77 ms -87.78 ms^(-7.1%) | Renders: 50 ⁽⁺⁰⁾ | Paint: 1,756.18 ms -101.78 ms^(-5.5%)

Test	Duration	Renders
Checkbox mount (500 instances)	48.87 ms ▼-43.73 ms(-47.2%)	1 (+0)

11 tests within noise — details

---

Check out the code infra dashboard for more information about this PR.

[netlify]

✅ Deploy Preview for base-ui ready!

Name	Link
🔨 Latest commit	55a04f5
🔍 Latest deploy log	https://app.netlify.com/projects/base-ui/deploys/6a2821d4099832000864d009
😎 Deploy Preview	https://deploy-preview-4988--base-ui.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.