
Fix Dependabot alerts: minimatch, rollup, lodash #82

Open
noahd1 wants to merge 1 commit into main from fix/dependabot-batch-2026-03-16

Conversation

@noahd1 (Member) commented Mar 16, 2026

Summary

Batch fix for 4 low-risk Dependabot security alerts. All vulnerable packages are transitive dev dependencies with no direct usage in the codebase.

Alerts resolved

| Alert | Package | Severity | GHSA | Fix |
|---|---|---|---|---|
| #24 | minimatch 3.1.2 → 3.1.5 | High (CVSS 7.5) | GHSA-7r86-cg39-jmmj | npm update |
| #23 | rollup 2.79.2 → 2.80.0 | High (CVSS 0.0) | GHSA-mw96-cpmx-2vgc | npm override (scoped to @crxjs/vite-plugin) |
| #22 | rollup 4.43.0 → 4.59.0 | High (CVSS 0.0) | GHSA-mw96-cpmx-2vgc | npm update |
| #15 | lodash 4.17.21 → 4.17.23 | Medium (CVSS 6.5) | GHSA-xxjr-mmjv-4gpg | npm update |

Risk assessment

  • All fixes are patch/minor version bumps of transitive dev dependencies
  • No breaking changes: rollup 2.80.0 is the final v2 patch, rollup 4.59.0 is a minor bump within vite's ^4.43.0 range, minimatch and lodash are patch bumps
  • No code changes required — only package.json overrides and lockfile updates
  • rollup v2 override is scoped to @crxjs/vite-plugin to avoid affecting the top-level rollup v4 used by vite

Test plan

  • npx tsc --noEmit passes
  • npm run build succeeds (both Chrome and Firefox)
  • npm ls rollup shows 4.59.0 (top-level) and 2.80.0 (@crxjs nested)
  • npm ls minimatch shows 3.1.5
  • npm ls lodash shows 4.17.23

🤖 Generated with Claude Code

Resolve 4 open Dependabot security alerts, all transitive dev deps:
- minimatch 3.1.2 → 3.1.5 (GHSA-7r86-cg39-jmmj, ReDoS)
- rollup 4.43.0 → 4.59.0 (GHSA-mw96-cpmx-2vgc, path traversal)
- rollup 2.79.2 → 2.80.0 via scoped override (GHSA-mw96-cpmx-2vgc)
- lodash 4.17.21 → 4.17.23 (GHSA-xxjr-mmjv-4gpg, prototype pollution)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
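The scoped override that the description refers to, written out here as an added illustration. This is not the PR's diff (which is not shown on this page); the field contents are assumed, using npm's nested `overrides` syntax, which pins a dependency only underneath the named parent package:

```json
{
  "overrides": {
    "@crxjs/vite-plugin": {
      "rollup": "2.80.0"
    }
  }
}
```

An unscoped `"rollup": "2.80.0"` at the top level of `overrides` would also force vite's rollup v4 down to 2.80.0, which is the breakage the scoping avoids; `npm ls rollup` after `npm install` should list both versions, as in the test plan above.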
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
