Bump esbuild, koa, and octokit to fix audit #2447

Merged
merged 1 commit into from
Mar 3, 2025
Conversation

r100-stack
Member

@r100-stack r100-stack commented Feb 21, 2025

Changes

Fixes audit:

Fixes audit by bumping koa, esbuild, and octokit. Used a pnpm override for esbuild since even the latest @vanilla-extract/integration (a subdep in the remix playground) uses an old esbuild version.

pnpm why esbuild in playgrounds/remix:

devDependencies:
@remix-run/dev 2.16.0
├─┬ @vanilla-extract/integration 6.5.0 👈
│ ├── esbuild 0.17.6
│ ├─┬ vite 6.2.0
│ │ └── esbuild 0.25.0
│ └─┬ vite-node 1.6.1
│   └─┬ vite 6.2.0
│     └── esbuild 0.25.0
├── esbuild 0.17.6
├─┬ esbuild-plugins-node-modules-polyfill 1.6.3
│ └── esbuild 0.17.6 peer
├─┬ vite 6.2.0 peer
│ └── esbuild 0.25.0
└─┬ vite-node 3.0.0-beta.2
  └─┬ vite 6.2.0
    └── esbuild 0.25.0
vite 6.2.0
└── esbuild 0.25.0
vite-tsconfig-paths 5.1.4
└─┬ vite 6.2.0 peer
  └── esbuild 0.25.0

Since we updated octokit by a major version, not sure if it will break anything in publish-packages.mjs and thus in the release script and in the CD workflow.

Also, there are some deps that are not at their latest version (e.g. vite, vitest, astro, etc.). Thus, their esbuild version ranges may not include esbuild@0.25.0. So, the esbuild pnpm override applies to them. Thus, added an after-PR TODO to update deps to their latest versions soon. (more info)

Testing

  • Audit passes
  • CI passes

Added an after-PR TODO to remove the pnpm override.

Docs

No changeset since it seems to only be related to dev dependencies.

After PR TODO

  • Try removing esbuild pnpm override when @vanilla-extract/integration supports esbuild@>=0.25.0.
  • Update more deps to latest versions. (#2447 (comment))

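A small check, added here as an example and not code from the PR or its repository, that walks `pnpm why` tree output and lists every dependency chain still resolving a package below a minimum version, which is how one would confirm an override like the esbuild one above actually took effect. The sample tree is the one quoted in the PR description, trimmed; the `(peer)` marker and chain format are this script's own choices.

```python
"""Scan `pnpm why <pkg>` tree output for resolutions below a minimum version."""
import re

# Box-drawing prefix, package name, version, then optional flags ('peer', '👈').
_LINE = re.compile(r"^([│├└─┬ ]*)(\S+) (\d\S*)(.*)$")

def parse_version(v):
    """'3.0.0-beta.2' -> (3, 0, 0); pre-release tags are ignored for this check."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))

def find_below(tree, package, minimum):
    """Return each dependency chain in `tree` that resolves `package` to a
    version lower than `minimum`, formatted 'a 1.0 > b 2.0 > pkg 0.1'."""
    floor, stack, hits = parse_version(minimum), [], []
    for raw in tree.splitlines():
        m = _LINE.match(raw)
        if not m:            # skips headers such as 'devDependencies:'
            continue
        prefix, name, version, flags = m.groups()
        # Roots have no prefix; '├─┬ ' is depth 1, '│ ├── ' depth 2, and so on.
        depth = 0 if not prefix else (len(prefix) - 2) // 2
        del stack[depth:]    # drop ancestors deeper than this line
        stack.append(f"{name} {version}")
        if name == package and parse_version(version) < floor:
            hits.append(" > ".join(stack) + (" (peer)" if "peer" in flags else ""))
    return hits

# Constructed sample: the `pnpm why esbuild` tree quoted in the PR, trimmed.
SAMPLE = """devDependencies:
@remix-run/dev 2.16.0
├─┬ @vanilla-extract/integration 6.5.0 👈
│ ├── esbuild 0.17.6
│ ├─┬ vite 6.2.0
│ │ └── esbuild 0.25.0
│ └─┬ vite-node 1.6.1
│   └─┬ vite 6.2.0
│     └── esbuild 0.25.0
├── esbuild 0.17.6
├─┬ esbuild-plugins-node-modules-polyfill 1.6.3
│ └── esbuild 0.17.6 peer
├─┬ vite 6.2.0 peer
│ └── esbuild 0.25.0
└─┬ vite-node 3.0.0-beta.2
  └─┬ vite 6.2.0
    └── esbuild 0.25.0
"""

if __name__ == "__main__":
    for chain in find_below(SAMPLE, "esbuild", "0.25.0"):
        print(chain)
```

Run against a fresh `pnpm why esbuild` after applying the override; an empty result means no chain still resolves the old version.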
@r100-stack r100-stack self-assigned this Feb 21, 2025
@r100-stack r100-stack marked this pull request as ready for review February 21, 2025 21:26
@r100-stack r100-stack requested a review from a team as a code owner February 21, 2025 21:26
@r100-stack r100-stack requested review from mayank99 and removed request for a team February 21, 2025 21:26
@r100-stack
Member Author

r100-stack commented Mar 3, 2025

Tried to update the packages (e.g. vite and astro) to avoid using the pnpm override. But it looks like even the latest version of some other packages don't include the latest esbuild version in their range.

Updated the PR description accordingly.

@r100-stack r100-stack merged commit ebd7f8b into main Mar 3, 2025
18 checks passed
@r100-stack r100-stack deleted the r/audit-7 branch March 3, 2025 22:00