feat(deps): upgrade upstream dependencies (#1646)

## Summary

- Bump rolldown to `v1.0.2` and vite to `v8.0.13`, plus vitest `4.1.7`
and the oxc/oxlint/oxfmt toolchain.
- Bump oxc Rust crates `0.128.0 -> 0.132.0` and pin Rust toolchain to
`nightly-2026-03-15`.
- Drop the workspace-local `@rolldown/pluginutils` build and consume it
as a transitive dep of rolldown, repointing the licensing/build paths
and updating `@voidzero-dev/vite-plus-core` exports.
- Refresh oxlint/parser-driven snapshots and quiet a few new
`unicorn/consistent-function-scoping` lint hits.

## Dependency updates

| Package | From | To |
| --- | --- | --- |
| `rolldown` | `ac5c710` | `v1.0.2 (f2757ed)` |
| `vite` | `66f3194` | `v8.0.13 (a46f11a)` |
| `vitest` | `4.1.6` | `4.1.7` |
| `oxfmt` | `0.48.0` | `0.51.0` |
| `oxlint` | `1.63.0` | `1.66.0` |
| `oxlint-tsgolint` | `0.22.1` | `0.23.0` |
| `@oxc-project/runtime` | `0.129.0` | `0.132.0` |
| `@oxc-project/types` | `0.129.0` | `0.132.0` |
| `oxc-minify` | `0.129.0` | `0.132.0` |
| `oxc-parser` | `0.129.0` | `0.132.0` |
| `oxc-transform` | `0.129.0` | `0.132.0` |
| `@vitejs/devtools` | `0.1.21` | `0.1.24` |

<details><summary>Unchanged dependencies</summary>

- `tsdown`: `0.22.0`
- `@oxc-node/cli`: `0.1.0`
- `@oxc-node/core`: `0.1.0`

</details>

## Code changes

- `Cargo.toml`: bump oxc workspace crates `0.128.0 -> 0.132.0`; bump
`dashmap`, `jsonschema`, `mimalloc-safe`, and `pnp` minor versions.
- `rust-toolchain.toml`: bump nightly channel to `nightly-2026-03-15`.
- `.github/actions/build-upstream/action.yml`, `package.json`: drop the
standalone `pnpm --filter @rolldown/pluginutils build` step.
- `pnpm-workspace.yaml`: add `@rolldown/pluginutils` to the catalog,
remove its `workspace:` override, bump `vitest-dev` override to
`^4.1.7`, and sync transitive deps (`remeda`, `rolldown-plugin-dts`,
`rollup`, `semver`, `tsx`, `valibot`, `vitepress-plugin-graphviz`,
`ws`).
- `packages/core/build.ts`, `packages/tools/src/sync-remote-deps.ts`:
repoint pluginutils sources to
`rolldown/packages/rolldown/node_modules/@rolldown/pluginutils` and its
colocated `LICENSE`.
- `packages/core/package.json`: collapse
`./rolldown/pluginutils[/filter]` exports to direct `.mjs` entries; bump
`@vitejs/devtools` and `bundledVersions` (vite/rolldown).
- `packages/test/package.json`: bump `@vitest/*` packages and
`vitest-dev` to `4.1.7`.
-
`packages/cli/snap-tests/{bin-oxlint-wrapper,command-helper}/snap.txt`:
include new oxlint `--debug=OPTIONS` help entry.
-
`packages/cli/snap-tests/{build-vite-env,synthetic-build-cache-disabled}/snap.txt`:
refresh built asset hash.
-
`packages/cli/snap-tests-global/command-staged-broken-config/snap.txt`:
update parser error prefix (`[PARSE_ERROR] Unexpected token`).
- `packages/cli/src/create/__tests__/org-tarball.spec.ts`,
`packages/prompts/src/{group-multi-select,progress-bar,select-key}.ts`:
add `unicorn/consistent-function-scoping` eslint-disable lines for
intentionally inlined helpers.
- `packages/tools/.upstream-versions.json`: pinned upstream hashes for
rolldown/vite.

## Build status

- `sync-remote-and-build`: failure
- `build-upstream`: failure

---------

Co-authored-by: voidzero-guard[bot] <278573678+voidzero-guard[bot]@users.noreply.github.com>
Co-authored-by: MK <fengmk2@gmail.com>

Author: voidzero-guard[bot]

.github/actions/build-upstream/action.yml

@@ -62,7 +62,6 @@ runs:
     - name: Build upstream TypeScript packages
       shell: bash
       run: |
-        pnpm --filter @rolldown/pluginutils build
         pnpm --filter rolldown build-node
         pnpm --filter vite build-types
         pnpm --filter "@voidzero-dev/*" build

.github/workflows/security.yml

@@ -20,5 +20,29 @@ jobs:
   security:
     name: Security Analysis
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
+      # Checkout self and clone upstream rolldown so the bundled cargo-deny check
+      # inside security-action can resolve workspace members that reference
+      # `rolldown/crates/*`. Then clear origin so security-action's nested
+      # taiki-e/checkout-action can re-add it without conflict.
+      - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
+
+      - name: Output rolldown hash
+        id: upstream-versions
+        shell: bash
+        run: node -e "console.log('ROLLDOWN_HASH=' + require('./packages/tools/.upstream-versions.json').rolldown.hash)" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: rolldown/rolldown
+          path: rolldown
+          ref: ${{ steps.upstream-versions.outputs.ROLLDOWN_HASH }}
+          persist-credentials: false
+
+      - name: Clear git origin for nested checkout
+        shell: bash
+        run: git remote remove origin
+
       - uses: oxc-project/security-action@77e230508eccbb400b23746dab6c573a8ea7483e # v1.0.5