chore: update CLI dependencies

[sorccu]

Summary

• Remove unnecessary dependencies (@types/glob, duplicate simple-git-hooks, unused config/@types/config in create-cli)
• Upgrade TypeScript from 5.3 to 6.0 with all required tsconfig adaptations
• Upgrade ESLint from 9 to 10 and fix all new rule violations (preserve-caught-error, no-useless-assignment)
• Update all semver-compatible dependencies to latest
• Update major versions where safe: oclif packages, cross-env 7→10, commitlint 17→20, proxy-from-env 1→2, jwt-decode 3→4, @types/archiver 6→7, globals 16→17, @stylistic/eslint-plugin 5.2→5.10
• Fix all known npm audit vulnerabilities in transitive dependencies
• Move ts-node from devDependencies to optional peer dependency, replace with jiti in build scripts
• Update vitest 3.1.2 → 3.2.4 (v4 has a Windows bug with file URL drive letters in Module Runner)

TypeScript 6 migration notes

TypeScript 6 required several adaptations:

• rootDirs → rootDir: TS 6 requires explicit rootDir when sources come from a single directory. This moved tsconfig.tsbuildinfo from dist/ to the project root, requiring updates to clean scripts and .gitignore.
• types default changed to []: Added explicit types: ["node"] since @types/node is no longer auto-included.
• skipLibCheck: true: Added to work around a transitive lru-cache types incompatibility (their Map iterator types use void instead of undefined). Will be resolved properly when we bump to glob@13 (requires Node 20+).
• moduleResolution: "node10" deprecated: TS 6 errors on the implicit "node10" default when module: "commonjs". This breaks ts-node at runtime since it picks up the nearest tsconfig. Fixed with ignoreDeprecations: "6.0" in both the ts-node loader compilerOptions (conditionally, only when user's TS is >= 6) and create-cli's tsconfig. We'll handle this properly in the next major release by dropping ts-node entirely in favor of jiti.

Not updated — requires Node 20+ minimum version bump

These packages require node >= 20 which conflicts with our current ^18.19.0 || >=20.5.0 engine range:

• config 3.3.12 → 4.4.1
• glob 10.5.0 → 13.0.6
• rimraf 5.0.10 → 6.1.3
• lint-staged 15.5.2 → 16.4.0
• minimatch 9.0.9 → 10.2.5
• dotenv 16.6.1 → 17.4.2

Not updated — requires ESM migration

These packages went ESM-only in their latest major versions. They are blocked until we migrate the CLI to ESM output:

• chalk 4.1.2 → 5.6.2
• conf 10.2.0 → 15.1.0
• indent-string 4.0.0 → 5.0.0
• log-symbols 4.1.0 → 7.0.1
• open 8.4.2 → 11.0.0
• ora 5.4.1 → 9.4.0
• p-queue 6.6.2 → 9.2.0
• nanoid 3.3.12 → 5.1.11
• execa 5.1.1 → 9.6.1 (create-cli)
• passwd-user 3.0.0 → 4.0.0 (create-cli)
• uuid 11.1.1 → 14.0.0

Not updated — upstream bug

• vitest 3.2.4 → 4.1.5: Vitest 4's Module Runner generates incorrect file URLs on Windows (missing drive letter), breaking createRequire calls. Staying on latest v3 until fixed upstream.

Not updated — intentionally held

• @types/node kept at v22 to match our supported Node runtime versions

Test plan

• npm run lint passes
• npm run test --workspace packages/cli — all tests pass
• npm run prepare --workspace packages/create-cli builds successfully
• npm audit — 0 vulnerabilities
• CI — all checks passing (lint, unit tests, e2e tests on Ubuntu and Windows)

🤖 Generated with Claude Code