build(deps): Fix GHSA-5gfm-wpxj-wjgq in node-forge, bump @rspack packages

Bump @rspack/cli and @rspack/core from 1.7.3 to 1.7.6 and
@rspack/plugin-react-refresh from 1.6.0 to 1.6.1.

The vulnerable node-forge@1.3.1 is introduced transitively via
@rspack/cli → @rspack/dev-server@1.1.5 → webpack-dev-server@5.2.2
→ selfsigned@2.4.1 → node-forge@^1. Since no 1.x version of
@rspack/dev-server yet pins webpack-dev-server@5.2.3 (which dropped
node-forge entirely), add a pnpm override forcing node-forge>=1.3.2
to resolve the vulnerability independently of the dep chain.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: oioki

package.json

@@ -61,9 +61,9 @@
     "@react-types/shared": "3.33.0",
     "@remix-run/router": "1.23.2",
     "@rsdoctor/rspack-plugin": "1.5.0",
-    "@rspack/cli": "1.7.3",
-    "@rspack/core": "1.7.3",
-    "@rspack/plugin-react-refresh": "1.6.0",
+    "@rspack/cli": "1.7.6",
+    "@rspack/core": "1.7.6",
+    "@rspack/plugin-react-refresh": "1.6.1",
     "@sentry-internal/global-search": "^1.0.0",
     "@sentry-internal/rrweb": "2.40.0",
     "@sentry-internal/rrweb-player": "2.40.0",