fix(ci): pin pnpm@9.15.9 and refresh lockfile with security overrides#564

Open
isaquebock wants to merge 4 commits into main from fix-ci-and-bump-theme

Conversation

@isaquebock
Collaborator

Summary

Fixes ERR_PNPM_LOCKFILE_CONFIG_MISMATCH in the Publish @aziontech/theme to NPM workflow (and any other CI job running pnpm install --frozen-lockfile).

Root cause

  • CI uses pnpm 9 (pnpm/action-setup@v4 with version: 9), which reads pnpm.overrides from package.json.
  • Local dev has been on pnpm 10/11, which silently ignores pnpm.overrides (it only reads overrides from pnpm-workspace.yaml).
  • The lockfile was last regenerated with a newer pnpm, so it had no overrides: section. CI's pnpm 9 saw 13 overrides in package.json vs 0 in the lockfile → frozen install rejected the divergence.
  • Side effect: the security overrides added in fix: audit packages #532 / fix: dep minimatch 9.0.0 added to overriders #544 were not actually being applied to transitive resolutions on local pnpm 11 installs.

Changes

  • package.json
    • Add "packageManager": "pnpm@9.15.9" so Corepack pins every environment (CI + local) to the same pnpm version.
    • Remove the duplicate top-level "overrides" block. pnpm doesn't read it — only pnpm.overrides matters on pnpm 9. The npm-style top-level field was noise and made the mismatch harder to diagnose.
  • pnpm-lock.yaml
    • Regenerated with pnpm 9.15.9. Now includes the overrides: section at the top (13 entries, matching pnpm.overrides) and applies them to transitive resolutions for the first time. Lockfile shrunk ~140 lines from deduping that overrides made possible.
  • packages/theme/README.md
    • Tiny copy fix in the Features bullet.

Test plan

  • pnpm install --frozen-lockfile with pnpm 9.15.9 → Lockfile is up to date (simulates the CI step that was failing).
  • Confirmed overrides: block is present in pnpm-lock.yaml (line 7).
  • CI green on this PR (Publish @aziontech/theme to NPM workflow won't run here — it's paths: packages/theme/** on main — but governance and package-webkit install paths exercise the same pnpm install --frozen-lockfile).
  • After merge, verify the next push to main touching packages/theme/** completes the theme publish job.

Notes for reviewers

  • Future-proofing: if/when the team wants to move to pnpm 10+, the migration is to relocate pnpm.overrides from package.json into pnpm-workspace.yaml and bump packageManager accordingly. Out of scope for this PR.

@isaquebock isaquebock requested a review from a team as a code owner May 20, 2026 21:22