fix(security): upgrade vitest to v3 to patch esbuild CVE; use hello@ sender

- Bump vitest ^2.1.0 → ^3.2.0 everywhere (root, apps/web, shared-types)
  vitest 3 pulls vite 6 which ships esbuild >=0.25 — fixes the
  GHSA-67mh-4wv8-2f99 vulnerabilities that were failing npm audit CI
- Change default EMAIL_FROM to hello@pairux.com

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: ralyodio

apps/web/package.json

@@ -53,6 +53,6 @@
     "sharp": "^0.34.5",
     "tailwindcss": "^4.0.0",
     "typescript": "^5.7.0",
-    "vitest": "^2.1.0"
+    "vitest": "^3.2.0"
   }
 }

apps/web/src/app/actions/email.ts

@@ -48,7 +48,7 @@ export async function sendBulkEmail(input: {
   const resendApiKey = process.env.RESEND_API_KEY;
   if (!resendApiKey) return { ok: false, error: 'RESEND_API_KEY is not configured.' };
 
-  const defaultFrom = process.env.EMAIL_FROM ?? 'PairUX <noreply@pairux.com>';
+  const defaultFrom = process.env.EMAIL_FROM ?? 'PairUX <hello@pairux.com>';
 
   // Fetch all user emails via the admin auth API (service role bypasses RLS).
   const svc = serviceClient();

package.json

@@ -58,7 +58,7 @@
     "@eslint/js": "^9.17.0",
     "@next/eslint-plugin-next": "^15.1.0",
     "@types/node": "^22.10.0",
-    "@vitest/coverage-v8": "^2.1.0",
+    "@vitest/coverage-v8": "^3.2.0",
     "eslint": "^9.17.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-react": "^7.37.0",
@@ -68,7 +68,7 @@
     "turbo": "^2.3.0",
     "typescript": "^5.7.0",
     "typescript-eslint": "^8.18.0",
-    "vitest": "^2.1.0"
+    "vitest": "^3.2.0"
   },
   "repository": {
     "type": "git",

packages/shared-types/package.json

@@ -36,6 +36,6 @@
   },
   "devDependencies": {
     "typescript": "^5.7.0",
-    "vitest": "^2.1.0"
+    "vitest": "^3.2.0"
   }
 }