chore(deps): refresh dependencies and patch DoS advisories #94

Merged
hakula139 merged 1 commit into main from fix/deps-dos on Jun 26, 2026

Conversation

hakula139 (Owner) commented Jun 26, 2026

Summary

Refresh dependencies across both ecosystems and clear the two open Dependabot DoS advisories (#7, #8).

  • Rust: cargo update (77 crates, semver-compatible) plus two direct major bumps — nix 0.30 → 0.31 and toml 0.8 → 1. Both have narrow usage (nix only killpg/Pid/Signal in bash.rs; toml only from_str deserialization), so the migrations are no-ops at the call sites.
  • Node: pnpm update --latest (cspell 10.0.1, markdownlint-cli2 0.22.1) plus pnpm overrides forcing the patched js-yaml and markdown-it.

Design decisions

  • DoS fix needs an override, not a direct bump. Both js-yaml and markdown-it reach the tree only transitively through markdownlint-cli2@0.22.1, which still pins the vulnerable versions, so overrides is the only way to force the patched releases.
  • js-yaml capped at ^4.2.0, not >=4.2.0. The latest is 5.1.0, but 5.x drops the default ESM export markdownlint-cli2 imports, which breaks pnpm lint. The advisory is patched in 4.2.0, so the 4.x line fixes the alert without breakage.
  • ratatui / crossterm / syntect left on their current majors. They are already at their newest major; only nix and toml had a clean newer major among our direct deps.

Changes

File             Description
Cargo.toml       Bump nix 0.30 → 0.31, toml 0.8 → 1
Cargo.lock       Relock; cargo update across 77 crates
package.json     cspell ^10.0.1, markdownlint-cli2 ^0.22.1, pnpm overrides for the DoS deps
pnpm-lock.yaml   Relock onto patched + latest versions

Test plan

  • cargo fmt --all --check — clean
  • cargo clippy --all-targets -- -D warnings — zero warnings
  • cargo test — 2094 pass
  • pnpm lint — 48 files, 0 errors
  • pnpm spellcheck — 184 files, 0 issues
  • No js-yaml@4.1.1 / markdown-it@14.1.1 left in the lock
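A defender-side check for the last test-plan item, added here as an example and not part of the PR or the project: it parses a pnpm-lock.yaml (a constructed excerpt is embedded) and reports any locked js-yaml or markdown-it version below a patched floor, so a CI step can catch a transitive dependency that an override did not actually replace. The markdown-it floor is an assumed placeholder, since the PR names only the vulnerable 14.1.1.

```python
import re
from typing import Dict, List, Tuple

# Floors the pnpm overrides should enforce. js-yaml 4.2.0 is the patched release
# the PR names; the markdown-it floor is a placeholder (set it to the advisory's fix).
MIN_VERSIONS = {"js-yaml": "4.2.0", "markdown-it": "14.1.2"}

# Package keys in pnpm-lock.yaml: v6 "  /js-yaml@4.1.1:" or v9 "  js-yaml@4.1.1:",
# optionally followed by a peer-dependency suffix such as "(foo@1.0.0)".
_PKG_KEY = re.compile(r"^\s+/?(?P<name>@?[^@\s]+)@(?P<ver>\d[^:\s(]*)(?:\([^)]*\))*:\s*$")

def parse_version(v: str) -> Tuple[int, ...]:
    """'4.2.0' -> (4, 2, 0); pre-release and build suffixes are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def locked_versions(lock_text: str) -> Dict[str, List[str]]:
    """Every version of every package listed under the packages: section."""
    found: Dict[str, List[str]] = {}
    in_packages = False
    for line in lock_text.splitlines():
        if line.startswith("packages:"):
            in_packages = True
        elif in_packages and line and not line[0].isspace():
            in_packages = False  # reached the next top-level section
        elif in_packages and (m := _PKG_KEY.match(line)):
            found.setdefault(m.group("name"), []).append(m.group("ver"))
    return found

def unpatched(lock_text: str, minimums: Dict[str, str] = MIN_VERSIONS) -> List[str]:
    """Return 'name@version' for every locked version still below its floor."""
    bad = []
    for name, versions in locked_versions(lock_text).items():
        if name in minimums:
            floor = parse_version(minimums[name])
            bad += [f"{name}@{v}" for v in versions if parse_version(v) < floor]
    return sorted(bad)

# Constructed v9 lockfile excerpt: a stale js-yaml beside the patched one, plus
# the vulnerable markdown-it that an override should have replaced.
SAMPLE_LOCK = """lockfileVersion: '9.0'
packages:
  js-yaml@4.1.1:
    resolution: {integrity: sha512-placeholder}
  js-yaml@4.2.0:
    resolution: {integrity: sha512-placeholder}
  markdown-it@14.1.1:
    resolution: {integrity: sha512-placeholder}
snapshots:
  js-yaml@4.1.1: {}
"""
```

Run `unpatched(open("pnpm-lock.yaml").read())` after relocking; a non-empty result means an override has not taken effect.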

hakula139 added labels: bug (Something isn't working), dependencies (Pull requests that update a dependency file) on Jun 26, 2026
hakula139 self-assigned this on Jun 26, 2026
codecov bot commented Jun 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Run cargo update (77 crates) and pnpm update --latest, and bump nix 0.30 -> 0.31 and toml 0.8 -> 1. The js-yaml and markdown-it DoS advisories are fixed via pnpm overrides since markdownlint-cli2 still pins the vulnerable versions transitively; js-yaml is held at 4.x because 5.x drops the default export it imports.
@hakula139 hakula139 changed the title fix(deps): patch js-yaml and markdown-it DoS advisories chore(deps): refresh dependencies and patch DoS advisories Jun 26, 2026
@hakula139 hakula139 merged commit 9c61fcb into main Jun 26, 2026
7 checks passed
@hakula139 hakula139 deleted the fix/deps-dos branch June 26, 2026 09:16
