Update packages to address vulnerabilities

[loreto]

Summary

Update packages in devbox repo to address any vulnerabilities:

• Updated drupal and other devbox examples
• Update to typeid/v2
• Update to latest dependencies on opensource/pkg (and by extension update the transitive extract/v3 dependency to extract/v4)

How was it tested?

Ran all tests but ... tests do seem to be hanging and timing out. Hoping someone has run into this issue to help debug and make sure the tests do pass.

Community Contribution License

All community contributions in this pull request are licensed to the project
maintainers under the terms of the
Apache 2 License.

By creating this pull request, I represent that I have the right to license the
contributions to the project maintainers under the Apache 2 License as stated in
the
Community Contribution License.

[Copilot]

Pull Request Overview

This PR updates various dependencies and example configurations to address security vulnerabilities and ensure compatibility with newer library versions.

• Bump core and devbox dependencies (typeid, pkg, envsec, extract, Drupal core, Docusaurus).
• Refactor identity provider to use typeid/v2 and add a parseAPIToken helper.
• Refresh Drupal example files with updated URLs, settings, and documentation comments.

Reviewed Changes

Copilot reviewed 9 out of 12 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
internal/devbox/providers/identity/identity.go	Switch to typeid/v2 and add parseAPIToken helper for API tokens
go.mod	Update go.jetify.com modules and bump indirect dependencies
examples/stacks/drupal/web/sites/example.sites.php	Update multi-site documentation link
examples/stacks/drupal/web/sites/development.services.yml	Add clarifying comments for development service overrides
examples/stacks/drupal/web/sites/default/default.settings.php	Refine database example names, update documentation URLs, add state caching setting
examples/stacks/drupal/web/sites/default/default.services.yml	Introduce security.enable_super_user and name_suffix parameters
examples/stacks/drupal/composer.json	Bump Drupal core package versions
examples/stacks/drupal/.gitattributes	Include PHPStan baseline in gitattributes
docs/app/package.json	Upgrade Docusaurus dependencies

Comments suppressed due to low confidence (4)

internal/devbox/providers/identity/identity.go:37

• [nitpick] Doc comments are typically only required for exported functions. Consider removing or repurposing this comment since parseAPIToken is unexported.

// parseAPIToken parses an API token string following the same pattern as other Parse functions

internal/devbox/providers/identity/identity.go:45

• [nitpick] For consistency and clarity, capitalize 'API' in the error message (e.g., "invalid API token ID: %s").

		return zero, fmt.Errorf("invalid api_token ID: %s", s)

examples/stacks/drupal/web/sites/default/default.settings.php:358

• The original comment included 'statistics' alongside logging and access management. Verify that dropping 'statistics' was intentional to keep documentation accurate.

 * to Drupal's logging and access management systems. In the most simple

go.mod:278

• The indirect requirement of the v1 typeid module alongside typeid/v2 may lead to confusion. If v1 is no longer used, consider removing this indirect dependency.

	go.jetify.com/typeid v1.3.1-0.20250708200829-05dce5112f3d // indirect

[savil]

🤔 CICD tests did pass