🧷 chore: Pin TanStack Dependency Versions #51

Merged: danny-avila merged 1 commit into main from danny-avila/pin-tanstack-versions on May 11, 2026

@danny-avila danny-avila commented May 11, 2026

Summary

See TanStack/router#7383

I pinned TanStack dependency versions to the safe versions already resolved in bun.lock to reduce exposure to the active TanStack npm supply-chain incident.

  • Pinned all direct @tanstack/* dependencies in package.json to exact versions already present in bun.lock.
  • Added overrides for the resolved TanStack Router/Start dependency graph so transitive ranges cannot drift to compromised latest versions.
  • Updated the root workspace entries in bun.lock to mirror the exact dependency specs without changing resolved package artifacts.

Change Type

  • Bug fix (non-breaking change which fixes an issue)

Testing

I validated the metadata-only change without installing or updating packages after the override patch.

Test Configuration:

  • Ran node -e 'JSON.parse(require("fs").readFileSync("package.json", "utf8")); console.log("package.json ok")'
  • Ran git diff --check -- package.json bun.lock
  • Scanned package.json, bun.lock, node_modules/.bun, and node_modules/@tanstack for the reported compromised TanStack versions; no matches were found.

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • My changes do not introduce new warnings

@danny-avila danny-avila marked this pull request as ready for review May 11, 2026 23:02
@danny-avila danny-avila merged commit bb70b66 into main May 11, 2026
4 checks passed
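
A manifest check in the spirit of the pinning described in this pull request, as an added example that is not part of the PR or the project's code. The function name `auditPins`, the choice of dependency fields, and every version in `samplePkg` are assumptions constructed for illustration.

```javascript
// Added example: flag @tanstack/* specs in package.json that can still drift.
// Package versions in samplePkg are constructed, not taken from the PR.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const SCOPE = '@tanstack/';
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

function auditPins(pkg) {
  const findings = [];
  const direct = new Map(); // name -> spec declared as a direct dependency
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!name.startsWith(SCOPE)) continue;
      direct.set(name, spec);
      if (!EXACT.test(spec)) {
        findings.push({ field, name, spec, issue: 'range or tag, not an exact version' });
      }
    }
  }
  for (const [name, spec] of Object.entries(pkg.overrides || {})) {
    if (!name.startsWith(SCOPE)) continue;
    if (typeof spec !== 'string' || !EXACT.test(spec)) {
      // Nested override objects are reported rather than traversed.
      findings.push({ field: 'overrides', name, spec, issue: 'override is not an exact version' });
    } else if (direct.has(name) && direct.get(name) !== spec) {
      findings.push({ field: 'overrides', name, spec, issue: 'override differs from direct pin' });
    }
  }
  return findings;
}

// Constructed sample manifest.
const samplePkg = {
  dependencies: {
    '@tanstack/react-router': '1.2.3', // exact pin
    '@tanstack/react-query': '^5.0.0', // caret range can float upward
    react: '^19.0.0', // outside the audited scope
  },
  devDependencies: { '@tanstack/router-plugin': 'latest' }, // dist-tag
  overrides: {
    '@tanstack/router-core': '~1.2.0', // tilde range
    '@tanstack/react-router': '1.2.4', // disagrees with the direct pin
  },
};

for (const f of auditPins(samplePkg)) {
  console.log(`${f.field}: ${f.name}@${JSON.stringify(f.spec)} -> ${f.issue}`);
}
```

An empty result means every audited `@tanstack/*` spec is an exact version; it says nothing about what the lockfile actually resolved, which still needs its own scan.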