fix(deps): bump vitest 3 -> 4.1.8 (GHSA-5xrq-8626-4rwp)

Resolves the critical Dependabot/Scorecard alert for vitest <4.1.0 (UI server
arbitrary file read/exec). graph-ui has no test files, so the major bump is
risk-free here (CI uses 'vitest run'); lockfile regenerated, vitest 4.1.8.