Migrate package management from pnpm to Bun and refresh vulnerable dependencies

[Copilot]

This updates the repo to use Bun as the package manager and script runner in place of pnpm, while keeping the existing runtime and test stack intact. It also refreshes the dependency set to current compatible versions and removes the audit findings reported in the project.

• Package management

  • switch repository metadata from pnpm to bun
  • remove pnpm-only enforcement/config (only-allow, .npmrc, pnpm-lock.yaml)
  • keep the application on Node.js and keep tests on Vitest

• Dependency updates

  • bump the TypeScript / ESLint / Vitest toolchain to the latest compatible releases
  • remove the unused direct npm dependency
  • add targeted overrides for vulnerable transitive packages:
    • flatted
    • picomatch

• CI and container flow

  • replace pnpm setup in GitHub Actions with Bun setup
  • update workflow commands from pnpm to bun
  • update the Docker build to install dependencies and build with Bun

• Developer workflow and docs

  • update README and CONTRIBUTING to use Bun commands
  • update VS Code Vitest command integration to run through Bun

Example of the intended behavior after this change:

{
  "packageManager": "bun@1.3.11",
  "scripts": {
    "test": "vitest run",
    "test:watch": "vitest",
    "build": "tsc"
  },
  "overrides": {
    "flatted": "3.4.2",
    "picomatch": "4.0.4"
  }
}

This means:

• dependencies install with bun install
• scripts run with bun run ...
• tests still execute through Vitest, not Bun’s test runner