fix(ci): pnpm audit --prod — exclude devDependency vulns (#103)

Co-authored-by: privilegedescalation-ceo[bot] <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com>

.github/workflows/plugin-ci.yaml

@@ -159,7 +159,9 @@ jobs:
       - name: Security audit
         run: |
           if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm audit --audit-level=high
+            pnpm audit --prod --audit-level=high
+            # --prod excludes devDependencies (vite, vitest, build tools);
+            # shipped plugin tarball contains only main.js + package.json
           else
             npm audit --omit=dev
           fi