chore: Bump dependencies #3387
Conversation
@evict What did you run to add these? Was it manual? I see new deps added to devDependencies that we don't directly use. If the purpose of that was to pin transitive deps to a specific version, we should use package.json's resolutions property instead. Otherwise, the pinned but not-directly-used deps will be removed next time we run something like Knip to remove unused code and deps, and we could fall back to the unsafe dep versions.
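The distinction drawn above, as an added example that is not code from this PR or project: a small script that treats devDependencies no source file imports and no script invokes as transitive pins, and moves them into `resolutions` so an unused-dependency cleanup cannot silently drop the pin. It assumes the package manager honours a top-level `resolutions` field (Yarn does; with pnpm the native equivalent is `pnpm.overrides`).

```javascript
// Added example (not the project's code). Assumes a top-level "resolutions"
// field is honoured by the package manager; pnpm's native field is "pnpm.overrides".

// Package names imported or required in one source file.
function importedPackages(source) {
  const names = new Set();
  const re = /(?:\bfrom\s*|\brequire\s*\(\s*|\bimport\s*\(\s*)["']([^"'\n]+)["']/g;
  for (const m of source.matchAll(re)) {
    const spec = m[1];
    // Relative paths and node: builtins are not npm packages.
    if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) continue;
    const parts = spec.split("/");
    names.add(spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0]);
  }
  return names;
}

// Packages invoked as commands in package.json "scripts" (e.g. "vitest run"):
// directly used even though nothing imports them, so they must not be moved.
function scriptPackages(pkg) {
  const names = new Set();
  for (const cmd of Object.values(pkg.scripts || {})) {
    for (const seg of cmd.split(/&&|\|\||;|\|/)) {
      const word = seg.trim().split(/\s+/)[0];
      if (word) names.add(word);
    }
  }
  return names;
}

// Returns { pkg, moved }: a copy of pkg in which devDependencies not in `used`
// are moved to "resolutions", plus the names that were moved.
function movePinsToResolutions(pkg, used) {
  const out = JSON.parse(JSON.stringify(pkg));
  const dev = { ...(out.devDependencies || {}) };
  const resolutions = { ...(out.resolutions || {}) };
  const moved = [];
  for (const [name, range] of Object.entries(dev)) {
    if (used.has(name)) continue;
    resolutions[name] = range; // keep the exact pin, now as an override
    delete dev[name];
    moved.push(name);
  }
  out.devDependencies = dev;
  if (moved.length) out.resolutions = resolutions;
  return { pkg: out, moved };
}

// Entry point: `sources` is an array of source-file contents.
function auditPackage(pkg, sources) {
  const used = scriptPackages(pkg);
  for (const s of sources) for (const n of importedPackages(s)) used.add(n);
  return movePinsToResolutions(pkg, used);
}
```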
TIL, thank you! We updated it as dependabot recommended, which was indeed manual.
It looks like the inline snapshot formatter from vitest has gotten an update in one of the version bumps here. Should be fine to run pnpm test -u to update these.
My only recommendation is to try upgrading everything to latest versions instead of focusing only on the vulnerable sub-dependencies to avoid having to use resolutions too much since it might make upgrading later feel more tedious. However if there's a lot of breaking changes, this should work too. Let's just be mindful about the change.
Change looks good to me. Let's see if we get CI to pass :D
This updates most medium and all high & critical risk rated vulnerabilities in dependencies. These were reported by Dependabot.
Test plan
CI tests